Check the firewall settings on all servers to see whether all needed ports are open to all other IPA servers. I had similar problems with broken replication due to lost firewall configs. In any case I'd start by searching for errors in /var/log (dirsrv, krb5kdc.log, kadmind.log, pki, sssd, tomcat, httpd, messages...)
On Wed, 17 Jul 2019 00:35:09 -0000 Raul Gomez via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hello list,
After much testing I've found that this issue is not related to the IPA client machine, but to the IPA server the IPA client is using, and that's because I can log in to some of my IPA Servers (via Web Panel), but not to others, and that coincides with the servers that the clients that can/can't log in are using. So it seems there is a synchronization problem between my 3 IPA servers that I can't pinpoint yet.
So far, any change that I apply to any user via the Web Panel or command line is replicated to the other servers, but I've failed to see what parameter could be set in the servers where I'm unable to log in.
I've tested with a user created with no locking policies at all, but this user can only log in successfully to some IPA servers too.
Time is synchronized correctly between my three servers, ntpstat shows that time is correct to within 75 ms at most, so it doesn't seem to be the issue here.
Does this ring a bell to anyone? Any pointer on where to look further will be much appreciated.
Thanks in advance, regards...
Raul