This error just doesn't make any sense to me. I have gone through all 4 servers grabbing the raw ldap data for the ipauniqueid it's complaining about, and I am not seeing anything missing. It matches across all 4 replicas:
[root@freeipa1 slapd-US-EP-CORP-LOCAL]# ipa subid-show 05c48cfb-5503-4162-9e14-648d88767356 --all --raw dn: ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local ipauniqueid: 05c48cfb-5503-4162-9e14-648d88767356 description: auto-assigned subid ipaowner: uid=<username>,cn=users,cn=accounts,dc=us,dc=ep,dc=corp,dc=local ipasubuidnumber: 2147549184 ipasubuidcount: 65536 ipasubgidnumber: 2147549184 ipasubgidcount: 65536 objectclass: ipasubordinateidentry objectclass: ipasubordinateid objectclass: ipasubordinategid objectclass: ipasubordinateuid objectclass: top Are there any known issues with renaming accounts that have subid's attached to them? On Thu, Nov 6, 2025 at 9:16 AM Russell Jones <[email protected]> wrote: > Hi all, > > We somewhat recently upgraded our FreeIPA cluster (4 nodes in > all-replication setup) from 4.8 to 4.10, and then 4.10 to 4.12 using > replication. Stood up two new 4.10 servers, replicated from 4.8. Then stood > up two new 4.12 servers, and replicated from 4.10. After that, created two > more 4.12 servers and added them into the cluster. > > All went fairly well, however I just discovered that renaming users fails. > When I try to rename a user, I get the following error in server logs: > >> >> [06/Nov/2025:09:09:01.741275830 -0600] - ERR - get_value_from_string - >> type does not match: dsEntryDN != dsEntryDN;vucsn-68f12ab70000000f0000 >> [06/Nov/2025:09:09:01.932930359 -0600] - ERR - oc_check_required - Entry >> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >> missing attribute "ipaOwner" required by object class "ipaSubordinateId" >> [06/Nov/2025:09:09:01.933838475 -0600] - ERR - referint-plugin - >> _update_all_per_mod - Entry >> ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local >> failed (65) >> [06/Nov/2025:09:09:01.934989371 -0600] - ERR - oc_check_required - Entry >> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >> missing attribute "ipaOwner" required by object class "ipaSubordinateId" >> [06/Nov/2025:09:09:01.936187948 -0600] - WARN - memberof-plugin - Entry >> ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local >> - schema violation caught - repair operation succeeded >> [06/Nov/2025:09:09:01.937103924 -0600] - ERR - oc_check_required - Entry >> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >> missing attribute "ipaOwner" required by object class "ipaSubordinateId" >> [06/Nov/2025:09:09:01.937911140 -0600] - ERR - >> slapi_entry_schema_check_ext - Entry >> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >> single-valued attribute "ipaOwner" has multiple values >> [06/Nov/2025:09:09:01.940516533 -0600] - WARN - flush_hash - Upon BETXN >> callback failure, entry cache is flushed during 0.000252889 >> [06/Nov/2025:09:09:01.941317487 -0600] - WARN - flush_hash - Upon BETXN >> callback failure, entry cache is flushed during 0.000233924 > > > > I enabled the subid feature a little while back and used the script ( > /usr/libexec/ipa/ipa-subids) to generate subid's for everybody without > any errors. I am uncertain what has happened or how to proceed from here. > > Could use some pointers. Thanks! >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
