Last reply - I can confirm now if I delete the subid range from the user using ldapdelete, I am able to rename the user without any issues.
As soon as I use "ipa subid-generate --owner=<user>" and then try to rename them again, it fails with the same error. On Thu, Nov 6, 2025 at 9:44 AM Russell Jones <[email protected]> wrote: > This error just doesn't make any sense to me. I have gone through all 4 > servers grabbing the raw ldap data for the ipauniqueid it's complaining > about, and I am not seeing anything missing. It matches across all 4 > replicas: > > [root@freeipa1 slapd-US-EP-CORP-LOCAL]# ipa subid-show > 05c48cfb-5503-4162-9e14-648d88767356 --all --raw > > dn: > ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local > > ipauniqueid: 05c48cfb-5503-4162-9e14-648d88767356 > > description: auto-assigned subid > > ipaowner: > uid=<username>,cn=users,cn=accounts,dc=us,dc=ep,dc=corp,dc=local > > ipasubuidnumber: 2147549184 > > ipasubuidcount: 65536 > > ipasubgidnumber: 2147549184 > > ipasubgidcount: 65536 > > objectclass: ipasubordinateidentry > > objectclass: ipasubordinateid > > objectclass: ipasubordinategid > > objectclass: ipasubordinateuid > > objectclass: top > > > > > > Are there any known issues with renaming accounts that have subid's > attached to them? > > On Thu, Nov 6, 2025 at 9:16 AM Russell Jones <[email protected]> wrote: > >> Hi all, >> >> We somewhat recently upgraded our FreeIPA cluster (4 nodes in >> all-replication setup) from 4.8 to 4.10, and then 4.10 to 4.12 using >> replication. Stood up two new 4.10 servers, replicated from 4.8. Then stood >> up two new 4.12 servers, and replicated from 4.10. After that, created two >> more 4.12 servers and added them into the cluster. >> >> All went fairly well, however I just discovered that renaming users >> fails. When I try to rename a user, I get the following error in server >> logs: >> >>> >>> [06/Nov/2025:09:09:01.741275830 -0600] - ERR - get_value_from_string - >>> type does not match: dsEntryDN != dsEntryDN;vucsn-68f12ab70000000f0000 >>> [06/Nov/2025:09:09:01.932930359 -0600] - ERR - oc_check_required - Entry >>> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >>> missing attribute "ipaOwner" required by object class "ipaSubordinateId" >>> [06/Nov/2025:09:09:01.933838475 -0600] - ERR - referint-plugin - >>> _update_all_per_mod - Entry >>> ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local >>> failed (65) >>> [06/Nov/2025:09:09:01.934989371 -0600] - ERR - oc_check_required - Entry >>> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >>> missing attribute "ipaOwner" required by object class "ipaSubordinateId" >>> [06/Nov/2025:09:09:01.936187948 -0600] - WARN - memberof-plugin - Entry >>> ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local >>> - schema violation caught - repair operation succeeded >>> [06/Nov/2025:09:09:01.937103924 -0600] - ERR - oc_check_required - Entry >>> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >>> missing attribute "ipaOwner" required by object class "ipaSubordinateId" >>> [06/Nov/2025:09:09:01.937911140 -0600] - ERR - >>> slapi_entry_schema_check_ext - Entry >>> "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" >>> single-valued attribute "ipaOwner" has multiple values >>> [06/Nov/2025:09:09:01.940516533 -0600] - WARN - flush_hash - Upon BETXN >>> callback failure, entry cache is flushed during 0.000252889 >>> [06/Nov/2025:09:09:01.941317487 -0600] - WARN - flush_hash - Upon BETXN >>> callback failure, entry cache is flushed during 0.000233924 >> >> >> >> I enabled the subid feature a little while back and used the script ( >> /usr/libexec/ipa/ipa-subids) to generate subid's for everybody without >> any errors. I am uncertain what has happened or how to proceed from here. >> >> Could use some pointers. Thanks! >> >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
