- FreeIPA-users - Fedora mailing-lists

Unable to complete cleanup and conversion...
by Eric Ashley 15 Dec '25

15 Dec '25

This is a follow-on to the thread titled: "Re: [Freeipa-users] FreeIP 4.12.5-2-fc42 missing dse.ldif" After dsctl was updated to guard against the double close of the bdb source database, I now get the following error when trying to start IPA. ``` # ipactl start IPA version error: data needs to be upgraded (expected version '4.12.5-3.fc43', current version '4.12.5-3.fc42') Automatically running upgrade, for details see /var/log/ipaupgrade.log Be patient, this may take a few minutes. Automatic upgrade failed: DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven't been updated Upgrade failed with '' DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven't been updated IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. ('IPA upgrade failed.', 1) The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information See the upgrade log for more details and/or run /usr/sbin/ipa-server-upgrade again Aborting ipactl ``` I had to manually touch empty files in /var/lib/dirsrv/slapd-IPA-EXAMPLE-COM/ldif/ to get dsctl to complete correctly(ish): __dblib-changelog.ldif, __dblib-ipaca.ldif and __dblib-userroot.ldif. Nothing was actually written into any of these file, but with them extant it did complete without error. I'm still receiving this error now, with the latest versions of all F43 updates code: ``` 2025-12-15T20:30:35Z ERROR Upgrade failed with '' 2025-12-15T20:30:35Z ERROR DN: cn=Schema Compatibility,cn=plugins,cn=config does not exists or haven't been updated 2025-12-15T20:30:35Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. ```Of course, the only reference I can see to this error was a fix 7 years ago. How do I get my IPA back online? Best regards, Eric

1 0

dns question for migration from centos7
by Kevin Vasko 13 Dec '25

13 Dec '25

We have an old 3-way replica on CentOS7 that we need to upgrade. The servers are running DNS ipa1.tx.example.com - 192.168.10.10 ipa2.tx.example.com - 192.168.10.11 ipa3.tx.example.com - 192.168. 10.12 Since these are old and outdated OS I get the general idea of the “migration”. Install Rocky8, enroll into domain, decommission old machine, rinse repeat for the other 2. The part i’m unsure on is how do you deal with changing to DNS server ips. Our clients are all using 192.168.10.10, 192.168.10.11 for DNS. If I add another replica, it’s going to have to be on a different IP. So how do I deal with this migration moving the IP to the new server? Is it just as easy as decommissioning old server, and changing the new Rocky8 replica to the old 192.168.10.10 IP? I figure this will break everything…so how do you deal with this? What is the long term solution for this because I’m going to constantly have this same stupid problem for every major release since RHEL doesn’t support in place major release upgrades? (i’m planning to upgrade to Rocky9 at least as well in this process to get caught up, but not explaining it all for succinctness. -Kevin

1 0

last login info
by Dmitry Krasov 12 Dec '25

12 Dec '25

Hello. How to get last freeipa user's login info? There is no this info in web ui or from user-find command

4 12

FreeIPA 4.13.0
by Antonio Torres 05 Dec '25

05 Dec '25

The FreeIPA team would like to announce the FreeIPA 4.13.0 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon. Full release notes are available at: https://www.freeipa.org/release-notes/4-13-0.html

1 0

dns response policy - something IPA can do?
by lejeczek 01 Dec '25

01 Dec '25

Hi guys. As per the subject - ideally with IPA's toolkit, within IPA, as opposed to tinkering with *bind* directly. thanks, L.

3 3

dirsrv failure to startup
by Peter Larsen 01 Dec '25

01 Dec '25

After having seen a lot of SERVFAIL for named-pkcs11 resolutions (resulting in a very slow name resolution) I choose to restart all services to start debugging from a clean state. Well, careful what you wish for. Dirsrv no longer starts, and the errors I see begin with: INFO - bdb_start - Resizing db cache size: 161433681 -> 161433517 ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher AES ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. ERR - attrcrypt_unwrap_key - Failed to unwrap key for cipher 3DES ERR - attrcrypt_cipher_init - Symmetric key failed to unwrap with the private key; Cert might have been renewed since the key is wrapped. To recover the encrypted contents, keep the wrapped symmetric key value. ERR - attrcrypt_init - All prepared ciphers are not available. Please disable attribute encryption. ERR - memberof-plugin - memberof_config - Error 53: The ipaOwner configuration attribute must be set to an attribute defined to use either the Distinguished Name or Name and Optional UID syntax. (illegal value: memberOfGroupAttr) ERR - memberof-plugin - memberof_postop_start - Configuration failed (Server is unwilling to perform) ERR - plugin_dependency_startall - Failed to start betxnpostoperation plugin MemberOf Plugin ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup! ====== The last update was to enable dnssec on the server. That seems to have worked fine, ods have been creating/updating keys as expected. I then see a lot of WARN about key dn's missing: WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=domain,dc=tld So reading/consistency of the opened files is definitely not working. This is followed by ERR - NSACLPlugin - __aclp__init_targetattr - targetattr "ipapwddictcheck" does not exist in schema. Please add attributeTypes "ipapwddictcheck" to schema if necessary. I feel like the best way forward is to grab a copy of a replica and start from there, Before I do that, I would love to understand what may be missing, because of it cannot "decrypt" the ldap, I'm not sure what a new copy requiring the same encryption would do? This is the version running. Name : ipa-server Version : 4.9.13 Release : 18.module+el8.10.0+23403+cc1f9b40 // Peter

2 2

Failed DNSSEC master - created new replica in cluster, how to promote to DNSSEC master?
by Peter Larsen 30 Nov '25

30 Nov '25

See $SUBJECT. When running "ipa-dns-instal --dnssec-master" it failures saying "DNSSEC key master(s): <ipa server> Only one DNSSEC key master is supported ..." The problem is that the server marked as DNSSEC master is failed, and (see other post) will not start dirsrv with what looks like a corruption in some files. I tried for quite a while to find a solution to recover the old replica, but I gave up. It's still "as is" but I hope to transfer it's responsibilities including DNSSEC to a new server before removing the old failed one. Hopefully someone has a link that documents this. All I find seems to insist I need to create a new DNSSEC master node first. I guess I can do that only if I totally remove the old failed server first. The key is that I cannot run any ipa-dns-commands on it, nor ipa-server commands - nothing is running, dirsrv fails starting right after the daemon is loaded but it then goes into a loop of not being able to find key DNs like hosts, users etc. Thanks!

1 0

ipa-ca-install - second password?
by ether bunny 26 Nov '25

26 Nov '25

When I run this command from a replica Im asked for two passwords. The first appears to be the admin account on the primary host but I don't know what the second one is or how to set it. # ipa-ca-install Directory Manager (existing master) password: <-- I know this one Running ipa-certupdate...done Run connection check to master host/replica.domain.edu@DOMAIN.EDU@primary.domain.edu's password: <--- I don't know this one I went to the host entry for the replica and tried to set a OTP but was unable. "IPA Error 3009: ValidationError" Not sure where to look for other errors.

3 5

Adding a replica - problems with kinit, sudo, etc
by ether bunny 21 Nov '25

21 Nov '25

Setup: primary host: centos7 - ipa v 4.6.8 Attempted replica: rocky9 - ipa 4.12.2 Ultimate goal is to ditch the centos 7 host. Replica installation finished without any (apparent) errors. Subsequent attempts to kinit gave me the "kinit: Generic error (see e-text) while getting initial credentials". (details are summarized here: https://serverfault.com/questions/1196002/freeipa-replica-issues-cant-kinit… ) It seems that Im lacking proper SID assignments owing to the old version of the primary host. Unfortunately when I tried to fix this (per https://enotty.pipebreaker.pl/posts/2024/01/woes-with-freeipa-and-sids/) [root@freeipa ~]# ipa config-mod --enable-sid --add-sids Usage: ipa [global-options] config-mod [options] ipa: error: no such option: --enable-sid So Im guessing I need to upgrade the primary host somehow.. But all the centos7 repos are shut down. One thing I noticed: # ipa user-show admin --all | grep ipantsecurityidentifier This does show the -500 - and the admin group has the -512 as well. It doesn't appear that I have the ipa-print-pac command available.

2 1

FreeIP 4.12.5-2-fc42 missing dse.ldif
by Eric Ashley 20 Nov '25

20 Nov '25

Hello people, So on 5 Oct 2025, I attempted to upgrade my FreeIPA server from 4.12.5-2-fc42 to 4.12.5-3-fc42. For some it didn’t save dse.ldif in /etc/dirsrv/slapd-IPA-EXAMPLE-COM/. Looking in that directory, there is a dse.ldif.startOK that is close to the size of many of the dse.ldif.ipa.XXXXXXXXXXXXXXX also saved there. dse.ldif.bak and dse.ldif.modified.out are both empty. Obviously, since dse.ldif is missing, IPA won’t start. Will my copying dse.ldif.startOK to dse.ldif work to get IPA back online so I can then do the upgrade? I think I accidentally rebooted the host machine while the VM was finishing updating or backing up. Thanks, Eric -- Secured with Tuta Mail: https://tuta.com/free-email

2 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users