Hi,

With the upgrade IPA now requires user entries to contain a SID. You can check with

# kinit admin
# ipa user-show boris --all --raw

Check if the output contains a field ipaNTSecurityIdentifier and the objectclass: ipantuserattrs
If that's not the case, you can do the following to generate SIDs for all your user entries:

# kinit admin
# ipa config-mod --enable-sid --add-sids

When the SIDs are generated you can safely upgrade to f39.

HTH,
flo

On Fri, Feb 21, 2025 at 4:54 PM Boris via FreeIPA-users <[email protected]> wrote:

> Ok, I was able to restore the last state from backup and
> `ipa-replica-manage re-initialize --from ipa2` fixed the replication errors
> in the log.
>
> Going to postpone the update to next week. That was really scary.
>
> On Fri, Feb 21, 2025 at 4:11 PM Boris <[email protected]> wrote:
>
>> I've checked some more logs.
>>
>> the krb5kdc.log is flooded with these logs
>> Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
>> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
>> NEEDED_PREAUTH: boris@redacted for krbtgt/redacted@redacted, Additional
>> pre-authentication required
>> Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): closing down fd 11
>> Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): preauth (spake) verify
>> failure: More preauthentication data is required
>> Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
>> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
>> PREAUTH_FAILED: boris@redacted for krbtgt/redacted@redacted, More
>> preauthentication data is required
>> ...
>> Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ :
>> handle_authdata (2)
>> Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
>> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
>> HANDLE_AUTHDATA: boris@redacted for krbtgt/redacted@redacted, No such
>> file or directory
>>
>> But I still haven't found something that leads into any direction.
>>
>> On Fri, Feb 21, 2025 at 1:11 PM Boris <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> sorry to pester this mailing list with my problems.
>>>
>>> After you people helped me to get the old problems off the table I did
>>> a Fedora upgrade to 39 with the freeipa-server-4.12.2-1.fc39.x86_64
>>>
>>> dnf upgrade --refresh
>>> dnf system-upgrade download --releasever=39
>>> dnf system-upgrade reboot
>>> ipa-server-upgrade
>>>
>>>
>>> This all went through without errors.
>>>
>>> But now the web interface login gives the error "Username or password
>>> incorrect".
>>> This is what the httpd log says:
>>>
>>> ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>>> ipa: DEBUG: WSGI login_password.__call__:
>>> ipa: DEBUG: Valid Referer https://ipa1.redacted/ipa/ui/
>>> ipa: DEBUG: Obtaining armor in ccache /run/ipa/ccaches/armor_1378
>>> ipa: DEBUG: Initializing anonymous ccache
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c',
>>> '/run/ipa/ccaches/armor_1378', '-X',
>>> 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X',
>>> 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: DEBUG: Initializing principal boris using password
>>> ipa: DEBUG: Using armor ccache /run/ipa/ccaches/armor_1378 for FAST
>>> webauth
>>> ipa: DEBUG: Requesting principal canonicalization
>>> ipa: DEBUG: Using enterprise principal
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=['/usr/bin/kinit', '-c', '/run/ipa/ccaches/kinit_1378',
>>> '-T', '/run/ipa/ccaches/armor_1378', '-C', '-E', '--', 'boris']
>>> ipa: DEBUG: Process finished, return code=1
>>> ipa: DEBUG: stdout=Password for boris@redacted:
>>>
>>> ipa: DEBUG: stderr=kinit: Generic error (see e-text) while getting
>>> initial credentials
>>>
>>> ipa: DEBUG: Cleanup the armor ccache
>>> ipa: DEBUG: Starting external process
>>> ipa: DEBUG: args=['/usr/bin/kdestroy', '-A', '-c',
>>> '/run/ipa/ccaches/armor_1378']
>>> ipa: DEBUG: Process finished, return code=0
>>> ipa: DEBUG: stdout=
>>> ipa: DEBUG: stderr=
>>> ipa: INFO: 401 Unauthorized: kinit: Generic error (see e-text) while
>>> getting initial credentials
>>>
>>> and when I try a kinit on the terminal of ipa1 I receive
>>>
>>> [root@ipa1 ~]# kinit boris@redacted
>>> Password for boris@redacted:
>>> kinit: Generic error (see e-text) while getting initial credentials
>>>
>>> the ipa2 is still on fedora37 and the login works there.
>>>
>>> --
>>> This time the "UTF-8 Problems" self-help group is, as an exception, meeting in the large hall.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
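
The per-user check described in the reply above, extended to every user entry before the upgrade, as an added example that is not part of the original thread. The function names, the sample entries and the use of `ipa user-find --all --raw --sizelimit=0` as the input source are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list users that still lack a SID.
# Reads `ipa user-find --all --raw` output on stdin and prints each uid whose
# entry is missing ipaNTSecurityIdentifier or objectclass ipantuserattrs.
users_missing_sid() {
    awk '
        function report() {
            if (uid != "" && !(has_sid && has_oc)) print uid
            uid = ""; has_sid = 0; has_oc = 0
        }
        /^[ \t]*dn:/ { report() }          # a dn: line starts the next entry
        {
            line = $0; sub(/^[ \t]+/, "", line)
            key = tolower(line); sub(/:.*/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val)
            if (key == "uid") uid = val
            else if (key == "ipantsecurityidentifier" && val ~ /^S-1-/) has_sid = 1
            else if (key == "objectclass" && tolower(val) == "ipantuserattrs") has_oc = 1
        }
        END { report() }
    '
}

# Constructed sample in the layout the ipa CLI prints (all values invented).
sample_output() {
    cat <<'EOF'
---------------
3 users matched
---------------
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  uid: admin
  ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-500
  objectClass: posixaccount
  objectClass: ipantuserattrs

  dn: uid=boris,cn=users,cn=accounts,dc=example,dc=test
  uid: boris
  objectClass: posixaccount

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  uid: carol
  objectClass: posixaccount
  objectClass: ipantuserattrs
EOF
}

# Offline demo; on a server, after `kinit admin`, run instead:
#   ipa user-find --all --raw --sizelimit=0 | users_missing_sid
sample_output | users_missing_sid
```

An empty result means every listed user carries both the attribute and the object class.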
