After having seen a lot of SERVFAIL for named-pkcs11 resolutions (resulting
in a very slow name resolution) I chose to restart all services to start
debugging from a clean state.
Well, careful what you wish for. Dirsrv no longer starts, and the errors I
see begin with:
INFO - bdb_start - Resizing db cache size: 161433681 -> 161433517
ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES
ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES
ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value.
ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption.
ERR - memberof-plugin - memberof_config - Error 53: The ipaOwner configuration attribute must be set to an attribute defined to use either the Distinguished Name or Name and Optional UID syntax. (illegal value: memberOfGroupAttr)
ERR - memberof-plugin - memberof_postop_start - Configuration failed (Server is unwilling to perform)
ERR - plugin_dependency_startall - Failed to start betxnpostoperation plugin MemberOf Plugin
ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
======
The last update was to enable DNSSEC on the server. That seems to have
worked fine; ods has been creating/updating keys as expected.
I then see a lot of WARN about key DNs missing:
WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=domain,dc=tld
So reading/consistency of the opened files is definitely not working.
This is followed by:
ERR - NSACLPlugin - __aclp__init_targetattr - targetattr "ipapwddictcheck" does not exist in schema. Please add attributeTypes "ipapwddictcheck" to schema if necessary.
I feel like the best way forward is to grab a copy of a replica and start
from there. Before I do that, I would love to understand what may be
missing, because if it cannot "decrypt" the LDAP, I'm not sure what a new
copy requiring the same encryption would do?
This is the version running.
Name : ipa-server
Version : 4.9.13
Release : 18.module+el8.10.0+23403+cc1f9b40
// Peter
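The attrcrypt errors above describe a symmetric attribute-encryption key that was wrapped under the server certificate's key pair and can no longer be unwrapped after that certificate was replaced. The following Go program is an added illustration of that failure mode, not code from 389-ds or FreeIPA: it wraps a random AES-256 key with RSA-OAEP under an "original" key pair (standing in for the certificate) and shows that a "renewed" key pair cannot unwrap the stored blob, which is why the log advises keeping the wrapped symmetric key value. The OAEP parameters and the key sizes are assumptions for the example, not the mechanism 389-ds uses internally.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// WrapKey wraps a symmetric key under an RSA public key (stand-in for the
// public key in the server certificate) with RSA-OAEP. Assumed scheme.
func WrapKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// UnwrapKey recovers the symmetric key with the matching RSA private key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// SimulateRenewal wraps a fresh AES key under an "original" key pair, then
// tries to unwrap it with that pair and with a "renewed" pair (new private key).
func SimulateRenewal() (withOriginal, withRenewed bool, err error) {
	original, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	renewed, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	symKey := make([]byte, 32) // AES-256 key, constructed at random
	if _, err = rand.Read(symKey); err != nil {
		return false, false, err
	}
	wrapped, err := WrapKey(&original.PublicKey, symKey)
	if err != nil {
		return false, false, err
	}
	got, uerr := UnwrapKey(original, wrapped)
	withOriginal = uerr == nil && bytes.Equal(got, symKey)
	// A renewed certificate with a new key pair cannot unwrap the old blob;
	// only the original private key (or a kept copy of it) can recover it.
	_, uerr = UnwrapKey(renewed, wrapped)
	withRenewed = uerr == nil
	return withOriginal, withRenewed, nil
}

func main() { fmt.Println(SimulateRenewal()) }
```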