Ah thanks. I tried that and it worked :)

On Mon, Feb 24, 2025 at 09:15, Florence Blanc-Renaud <[email protected]> wrote:
> Hi,
>
> With the upgrade IPA now requires user entries to contain a SID. You can
> check with
> # kinit admin
> # ipa user-show boris --all --raw
> Check if the output contains a field ipaNTSecurityIdentifier and the
> objectclass: ipantuserattrs
>
> If that's not the case, you can do the following to generate SIDs for all
> your user entries:
> # kinit admin
> # ipa config-mod --enable-sid --add-sids
>
> When the SIDs are generated you can safely upgrade to f39.
>
> HTH,
> flo
>
> On Fri, Feb 21, 2025 at 4:54 PM Boris via FreeIPA-users <
> [email protected]> wrote:
>
>> Ok, I was able to restore the last state from backup and
>> `ipa-replica-manage re-initialize --from ipa2` fixed the replication errors
>> in the log.
>>
>> Going to postpone the update to next week. That was really scary.
>>
>> On Fri, Feb 21, 2025 at 16:11, Boris <[email protected]> wrote:
>>
>>> I've checked some more logs.
>>>
>>> the krb5kdc.log is flooded with these logs
>>> Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
>>> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>>> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>>> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
>>> NEEDED_PREAUTH: boris@redacted for krbtgt/redacted@redacted, Additional
>>> pre-authentication required
>>> Feb 21 16:01:42 ipa1.redacted krb5kdc[1344](info): closing down fd 11
>>> Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): preauth (spake)
>>> verify failure: More preauthentication data is required
>>> Feb 21 16:01:43 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
>>> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>>> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>>> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
>>> PREAUTH_FAILED: boris@redacted for krbtgt/redacted@redacted, More
>>> preauthentication data is required
>>> ...
>>> Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ :
>>> handle_authdata (2)
>>> Feb 21 16:01:45 ipa1.redacted krb5kdc[1344](info): AS_REQ (6 etypes
>>> {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
>>> aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
>>> camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.0.255.11:
>>> HANDLE_AUTHDATA: boris@redacted for krbtgt/redacted@redacted, No such
>>> file or directory
>>>
>>> But I still haven't found something that leads into any direction.
>>>
>>> On Fri, Feb 21, 2025 at 13:11, Boris <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> sorry to pester this mailing list with my problems.
>>>>
>>>> After you people helped me to get the old problems off the table I did
>>>> a Fedora upgrade to 39 with the freeipa-server-4.12.2-1.fc39.x86_64
>>>>
>>>> dnf upgrade --refresh
>>>> dnf system-upgrade download --releasever=39
>>>> dnf system-upgrade reboot
>>>> ipa-server-upgrade
>>>>
>>>>
>>>> This all went through without errors.
>>>>
>>>> But now the web interface login gives the error "Username or password
>>>> incorrect".
>>>> This is what the httpd log says:
>>>>
>>>> ipa: DEBUG: WSGI wsgi_dispatch.__call__:
>>>> ipa: DEBUG: WSGI login_password.__call__:
>>>> ipa: DEBUG: Valid Referer https://ipa1.redacted/ipa/ui/
>>>> ipa: DEBUG: Obtaining armor in ccache /run/ipa/ccaches/armor_1378
>>>> ipa: DEBUG: Initializing anonymous ccache
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args=['/usr/bin/kinit', '-n', '-c',
>>>> '/run/ipa/ccaches/armor_1378', '-X',
>>>> 'X509_anchors=FILE:/var/kerberos/krb5kdc/kdc.crt', '-X',
>>>> 'X509_anchors=FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem']
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: DEBUG: Initializing principal boris using password
>>>> ipa: DEBUG: Using armor ccache /run/ipa/ccaches/armor_1378 for FAST
>>>> webauth
>>>> ipa: DEBUG: Requesting principal canonicalization
>>>> ipa: DEBUG: Using enterprise principal
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args=['/usr/bin/kinit', '-c',
>>>> '/run/ipa/ccaches/kinit_1378', '-T', '/run/ipa/ccaches/armor_1378', '-C',
>>>> '-E', '--', 'boris']
>>>> ipa: DEBUG: Process finished, return code=1
>>>> ipa: DEBUG: stdout=Password for boris@redacted:
>>>>
>>>> ipa: DEBUG: stderr=kinit: Generic error (see e-text) while getting
>>>> initial credentials
>>>>
>>>> ipa: DEBUG: Cleanup the armor ccache
>>>> ipa: DEBUG: Starting external process
>>>> ipa: DEBUG: args=['/usr/bin/kdestroy', '-A', '-c',
>>>> '/run/ipa/ccaches/armor_1378']
>>>> ipa: DEBUG: Process finished, return code=0
>>>> ipa: DEBUG: stdout=
>>>> ipa: DEBUG: stderr=
>>>> ipa: INFO: 401 Unauthorized: kinit: Generic error (see e-text) while
>>>> getting initial credentials
>>>>
>>>> and when I try a kinit on the terminal of ipa1 I receive
>>>>
>>>> [root@ipa1 ~]# kinit boris@redacted
>>>> Password for boris@redacted:
>>>> kinit: Generic error (see e-text) while getting initial credentials
>>>>
>>>> the ipa2 is still on fedora37 and the login works there.

--
The "UTF-8 Problems" self-help group is meeting in the large hall this time, as an exception.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
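
The check described in the quoted reply (a user entry must carry ipaNTSecurityIdentifier and the ipantuserattrs objectclass), as an added example that is not part of the original thread: a shell function that reads `ipa user-show <user> --all --raw` style output for one or more users and prints the uid of every entry that fails the check. The function names, the sample entries and the assumed layout of the raw output (indented "attribute: value" lines, each entry starting with "dn:") are assumptions.

```sh
# Added example, not from the thread. Reads raw IPA user entries on stdin
# (assumed layout: indented "attribute: value" lines, each entry starting with
# "dn:") and prints uids lacking ipaNTSecurityIdentifier or ipantuserattrs.
missing_sid_users() {
    awk '
        function report() {
            if (uid != "" && !(has_sid && has_oc)) print uid
            uid = ""; has_sid = 0; has_oc = 0
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            pos = index(line, ":")
            if (pos == 0) next                       # blank or non-attribute line
            name = tolower(substr(line, 1, pos - 1)) # attribute names vary in case
            value = substr(line, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", value)
        }
        name == "dn" { report() }                    # new entry: judge the previous one
        name == "uid" { uid = value }
        name == "ipantsecurityidentifier" && value != "" { has_sid = 1 }
        name == "objectclass" && tolower(value) == "ipantuserattrs" { has_oc = 1 }
        END { report() }
    '
}

# Constructed sample entries (names, domain and SIDs are made up).
sample_raw_output() {
    cat <<'EOF'
  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  uid: alice
  objectClass: ipantuserattrs
  ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1001

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  uid: bob
  objectClass: posixaccount

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  uid: carol
  objectclass: ipantuserattrs
  ipantsecurityidentifier: S-1-5-21-1111111111-2222222222-3333333333-1003

  dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
  uid: dave
  objectClass: ipantuserattrs
EOF
}
sample_raw_output | missing_sid_users   # prints bob and dave, one per line
```

An empty result means every entry on stdin already has both the SID attribute and the objectclass.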
