Hi,
The problem started with a user that could not connect with his initial password from the GUI: Username or password incorrect.
I reset it myself, and tried with the new temp password: same result.
I retried many many times. Same. I tried creating a new user, same.
In the meantime I realized the admin password had expired. I could not update it successfully via the command-line, but I could using the GUI.
I tried many things, but now "ipa user-status" fails for a lot of accounts: ipa: ERROR: xxxxx: user not found
I tried creating a new account from the command line with ipa user-add, then asked for the status using "ipa user-status"; it failed the same way.
What's happening? What should I try?
Thanks.
Karl
Karl Forner via FreeIPA-users wrote:
> Hi,
> The problem started with a user that could not connect with his initial password from the GUI: Username or password incorrect.
> I reset it myself, and tried with the new temp password: same result.
> I retried many many times. Same. I tried creating a new user, same.
> In the meantime I realized the admin password had expired. I could not update it successfully via the command-line, but I could using the GUI.
> I tried many things, but now "ipa user-status" fails for a lot of accounts: ipa: ERROR: xxxxx: user not found
> I tried creating a new account from the command line with ipa user-add, then asked for the status using "ipa user-status"; it failed the same way.
> What's happening? What should I try?
It sounds like there could be multiple issues. Start with passwords on the cli.
kinit someuser
If it fails look in /var/log/krb5kdc.log
To get more client-side debug info you can also try KRB5_TRACE=/dev/stderr kinit <someuser>
I think you'll need to be more specific with what is working and what isn't.
Are all users affected? It doesn't sound like it.
Are all users affected the same way? (e.g. some can log into GUI, some cli, some both)
What other password behavior do you see?
If you have multiple masters are you having replication issues?
rob
> Thanks.
> Karl
Thanks a lot for this useful advice.
I managed to apparently solve it: the replicas were not syncing, and the new accounts were not really created, and some accounts were actually locked (they had been unlocked but not synced).
After forcing the synchronization (ipa-replica-manage re-initialize --from), suddenly everything seems to work fine, to my great relief.
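The thread's outcome (replicas out of sync, so the same account was locked or missing on one server and fine on another) can be spotted from the /var/log/krb5kdc.log files mentioned above. The following is an added example, not something posted in the thread: it assumes the stock MIT krb5kdc AS_REQ log line layout and that the logs of all replicas have been gathered into one list; host names, users and realm are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in krb5kdc.log style from two replicas (all names are made up).
SAMPLE = """\
Mar 04 10:15:01 ipa1.example.test krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Mar 04 10:15:02 ipa1.example.test krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: LOCKED_OUT: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client's credentials have been revoked
Mar 04 10:16:40 ipa2.example.test krb5kdc[1877](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1709547400, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 04 10:20:05 ipa1.example.test krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: ISSUE: authtime 1709547605, etypes {rep=18 tkt=18 ses=18}, newuser@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 04 10:21:12 ipa2.example.test krb5kdc[1877](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: CLIENT_NOT_FOUND: newuser@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Mar 04 10:25:00 ipa1.example.test krb5kdc[2101](info): AS_REQ (2 etypes {18 17}) 192.0.2.10: ISSUE: authtime 1709547900, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Mar 04 10:26:00 ipa2.example.test krb5kdc[1877](info): AS_REQ (2 etypes {18 17}) 192.0.2.11: ISSUE: authtime 1709547960, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
""".splitlines()

# host krb5kdc[pid](level): AS_REQ (etypes) client-ip: STATUS: [details, ]principal for service
LINE = re.compile(
    r"(?P<host>\S+) krb5kdc\[\d+\]\(\w+\): AS_REQ \(.*?\) \S+: "
    r"(?P<status>[A-Z][A-Z_ ]*[A-Z]): (?:.*?, )?(?P<princ>[^\s,]+@[^\s,]+) for "
)

# Statuses that reflect the KDC's view of the account entry itself.
# NEEDED_PREAUTH (normal first round trip) and PREAUTH_FAILED (wrong password)
# are left out because they do not depend on replicated account state.
ACCOUNT_STATE = {"ISSUE", "LOCKED_OUT", "CLIENT_NOT_FOUND", "CLIENT KEY EXPIRED"}


def divergent_principals(lines):
    """Return {principal: {kdc_host: last_status}} where the KDCs disagree."""
    seen = defaultdict(dict)
    for line in lines:
        m = LINE.search(line)
        if m and m["status"] in ACCOUNT_STATE:
            seen[m["princ"]][m["host"]] = m["status"]
    return {p: h for p, h in seen.items() if len(set(h.values())) > 1}


if __name__ == "__main__":
    for princ, hosts in divergent_principals(SAMPLE).items():
        print(princ, hosts)
```

A principal reported here is only a hint to check replication between the listed servers; a real password expiry or lockout between the two log entries produces the same pattern.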