I've just finished setting up a new IPA server, planning to use it and some replicas to replace our existing servers. I did this by dumping all the data from the old ones using a series of ipa commands and then used custom parsers to re-create the entries on the new one (so as not to propagate our lack of CA into the new servers).
When I went to set new passwords on all the migrated accounts, I get this error in the web ui: "IPA Error 4031: EmptyResult no matching entry found".
The CLI results in this:
# ipa user-mod homer --random
ipa: ERROR: Operations error: key encryption/encoding failed
Any idea what might cause this and how I should fix it?
Bret Wortman via FreeIPA-users wrote:
I've just finished setting up a new IPA server, planning to use it and some replicas to replace our existing servers. I did this by dumping all the data from the old ones using a series of ipa commands and then used custom parsers to re-create the entries on the new one (so as not to propagate our lack of CA into the new servers).
When I went to set new passwords on all the migrated accounts, I get this error in the web ui: "IPA Error 4031: EmptyResult no matching entry found".
The CLI results in this:
# ipa user-mod homer --random
ipa: ERROR: Operations error: key encryption/encoding failed
Any idea what might cause this and how I should fix it?
Look in /var/log/dirsrv-YOURINSTANCE/errors for additional logging on this.
Looks like it is failing in generating the Kerberos principal key.
Any chance you could show a migrated entry?
rob
--
*Bret Wortman* Founder, Damascus Products LLC
855-644-2783 | 303-523-8037 | bret@damascusproducts.com
10332 Main St Suite 319 Fairfax, VA 22030
http://facebook.com/wrapbuddiesco http://www.linkedin.com/in/bretwortman http://twitter.com/wrapbuddiesco http://instagram.com/wrapbuddies
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
I can show a migrated entry, certainly. I'll use my own.
First, the log shows these entries when I try to generate or set a password:
[datetime] - ERR - ipapwd_encrypt_encode_key - [file encoding.c, line 143]: no krbPrincipalName present in this entry
[datetime] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed
Here's the user entry:
# ipa user-find bretw
--------------
1 user matched
--------------
  User login: bretw
  First name: Bret
  Last name: Wortman
  Home directory: /nethome/bretw
  Login shell: /bin/bash
  Email address: bret@damascusgrp.com
  UID: 10042
  GID: 100
  Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
#
On 05/04/2018 10:48 AM, Rob Crittenden wrote:
Look in /var/log/dirsrv-YOURINSTANCE/errors for additional logging on this.
Looks like it is failing in generating the Kerberos principal key.
Any chance you could show a migrated entry?
rob
Bret Wortman via FreeIPA-users wrote:
I can show a migrated entry, certainly. I'll use my own.
First, the log shows these entries when I try to generate or set a password:
[datetime] - ERR - ipapwd_encrypt_encode_key - [file encoding.c, line 143]: no krbPrincipalName present in this entry
[datetime] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed
Here's the user entry:
# ipa user-find bretw
1 user matched
  User login: bretw
  First name: Bret
  Last name: Wortman
  Home directory: /nethome/bretw
  Login shell: /bin/bash
  Email address: bret@damascusgrp.com
  UID: 10042
  GID: 100
  Account disabled: False
Number of entries returned 1
#
Ok, I was hoping to see the whole LDAP entry. In any case it looks like when you migrated the users you didn't set krbPrincipalName.
You'll also need to be sure that the users have the krbprincipalaux objectclass.
rob
On Mon, 07 May 2018, Rob Crittenden via FreeIPA-users wrote:
Ok, I was hoping to see the whole LDAP entry. In any case it looks like when you migrated the users you didn't set krbPrincipalName.
You'll also need to be sure that the users have the krbprincipalaux objectclass.
Yes. In order to easily get the entry output you can still use the 'ipa' command:
ipa user-show --all --raw bretw
would display the content of the LDAP entry.
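The check the thread converges on (does each migrated user carry krbPrincipalName and the krbprincipalaux objectclass?) can be run over the `--raw` output just mentioned before anyone touches passwords. The script below is an added example, not code from the thread or from the FreeIPA project. It assumes the 'attribute: value' line shape that `ipa user-show --all --raw` prints (names are lower-cased by the parser, so casing does not matter), uses constructed sample entries and constructed log lines modelled on the errors quoted above, a placeholder realm EXAMPLE.TEST, and the two-argument `ipa user-add-principal LOGIN PRINCIPAL` form, which is assumed here; confirm it against `ipa help user-add-principal` on your version.

```python
"""Check migrated FreeIPA users for the Kerberos pieces a password change needs.

Parses the 'attribute: value' lines that `ipa user-show --all --raw LOGIN`
prints and reports entries lacking krbPrincipalName or the krbprincipalaux
objectclass. All sample data below is constructed for this example.
"""
import re

PRINCIPAL_ATTR = "krbprincipalname"        # attribute the password plugin needs
PRINCIPAL_OBJECTCLASS = "krbprincipalaux"  # objectclass that permits it

# Constructed `--raw` output: 'bretw' recreated without Kerberos attributes
# (the situation in the thread), 'homer' with them. Realm is a placeholder.
SAMPLE_RAW = {
    "bretw": """
  dn: uid=bretw,cn=users,cn=accounts,dc=example,dc=test
  uid: bretw
  givenname: Bret
  sn: Wortman
  homedirectory: /nethome/bretw
  loginshell: /bin/bash
  uidnumber: 10042
  gidnumber: 100
  objectclass: top
  objectclass: person
  objectclass: inetorgperson
  objectclass: posixaccount
  objectclass: ipaobject
""",
    "homer": """
  dn: uid=homer,cn=users,cn=accounts,dc=example,dc=test
  uid: homer
  krbprincipalname: homer@EXAMPLE.TEST
  krbcanonicalname: homer@EXAMPLE.TEST
  objectclass: top
  objectclass: person
  objectclass: inetorgperson
  objectclass: posixaccount
  objectclass: ipaobject
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
""",
}

# Constructed lines in the shape of the /var/log/dirsrv-INSTANCE/errors entries quoted above.
SAMPLE_ERRORS_LOG = """\
[datetime] - ERR - ipapwd_encrypt_encode_key - [file encoding.c, line 143]: no krbPrincipalName present in this entry
[datetime] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed
[datetime] - INFO - unrelated message
"""

PRINCIPAL_ERROR = re.compile(r"ipapwd_encrypt_encode_key .*no krbPrincipalName present")


def parse_raw_entry(text):
    """Map each attribute name (lower-cased) to the list of its values."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_kerberos_parts(entry):
    """List what the entry lacks; an empty list means key generation can succeed."""
    problems = []
    if not entry.get(PRINCIPAL_ATTR):
        problems.append("no krbPrincipalName")
    objectclasses = {v.lower() for v in entry.get("objectclass", [])}
    if PRINCIPAL_OBJECTCLASS not in objectclasses:
        problems.append("no krbprincipalaux objectclass")
    return problems


def audit(raw_entries):
    """Return {login: problems} for every entry that would fail a password change."""
    report = {}
    for login, text in raw_entries.items():
        problems = missing_kerberos_parts(parse_raw_entry(text))
        if problems:
            report[login] = problems
    return report


def remediation_commands(report, realm):
    """Commands to review and run by hand (two-argument form assumed, see lead-in)."""
    return [f"ipa user-add-principal {login} {login}@{realm}" for login in sorted(report)]


def count_principal_errors(log_text):
    """How many times the password plugin logged the missing-principal failure."""
    return sum(1 for line in log_text.splitlines() if PRINCIPAL_ERROR.search(line))


if __name__ == "__main__":
    findings = audit(SAMPLE_RAW)
    for login, problems in findings.items():
        print(f"{login}: {', '.join(problems)}")
    for cmd in remediation_commands(findings, "EXAMPLE.TEST"):
        print(cmd)
    print(f"errors log: {count_principal_errors(SAMPLE_ERRORS_LOG)} missing-principal failure(s)")
```

Feeding it real output (`ipa user-find --all --raw` split per `dn:`) before the bulk password reset turns the per-user CLI failure into one list of accounts to fix, and the log counter gives a quick way to confirm the errors stop once the principals are in place.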
Yep, "ipa user-add-principal bretw@DAMASCUSGRP.COM" did the trick. I'll run through the rest next. Thanks for the help, Rob & Alexander.
On 05/07/2018 10:07 AM, Rob Crittenden wrote:
Ok, I was hoping to see the whole LDAP entry. In any case it looks like when you migrated the users you didn't set krbPrincipalName.
You'll also need to be sure that the users have the krbprincipalaux objectclass.
rob