Russell Jones via FreeIPA-users wrote: > Last reply - > > I can confirm now if I delete the subid range from the user using > ldapdelete, I am able to rename the user without any issues. > > As soon as I use "ipa subid-generate --owner=<user>" and then try to > rename them again, it fails with the same error.
I was able to reproduce this. Can you open an upstream issue on it at https://pagure.io/freeipa/new_issue with the steps you provided here? thanks rob > > On Thu, Nov 6, 2025 at 9:44 AM Russell Jones <[email protected] > <mailto:[email protected]>> wrote: > > This error just doesn't make any sense to me. I have gone through > all 4 servers grabbing the raw ldap data for the ipauniqueid it's > complaining about, and I am not seeing anything missing. It matches > across all 4 replicas: > > [root@freeipa1 slapd-US-EP-CORP-LOCAL]# ipa subid-show > 05c48cfb-5503-4162-9e14-648d88767356 --all --raw > > dn: > > ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local > > ipauniqueid: 05c48cfb-5503-4162-9e14-648d88767356 > > description: auto-assigned subid > > ipaowner: > uid=<username>,cn=users,cn=accounts,dc=us,dc=ep,dc=corp,dc=local > > ipasubuidnumber: 2147549184 > > ipasubuidcount: 65536 > > ipasubgidnumber: 2147549184 > > ipasubgidcount: 65536 > > objectclass: ipasubordinateidentry > > objectclass: ipasubordinateid > > objectclass: ipasubordinategid > > objectclass: ipasubordinateuid > > objectclass: top > > > > > > Are there any known issues with renaming accounts that have subid's > attached to them? > > > On Thu, Nov 6, 2025 at 9:16 AM Russell Jones <[email protected] > <mailto:[email protected]>> wrote: > > Hi all, > > We somewhat recently upgraded our FreeIPA cluster (4 nodes in > all-replication setup) from 4.8 to 4.10, and then 4.10 to 4.12 > using replication. Stood up two new 4.10 servers, replicated > from 4.8. Then stood up two new 4.12 servers, and replicated > from 4.10. After that, created two more 4.12 servers and added > them into the cluster. > > All went fairly well, however I just discovered that renaming > users fails. When I try to rename a user, I get the following > error in server logs: > > > [06/Nov/2025:09:09:01.741275830 -0600] - ERR - > get_value_from_string - type does not match: dsEntryDN != > dsEntryDN;vucsn-68f12ab70000000f0000 > [06/Nov/2025:09:09:01.932930359 -0600] - ERR - > oc_check_required - Entry > > "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" > missing attribute "ipaOwner" required by object class > "ipaSubordinateId" > [06/Nov/2025:09:09:01.933838475 -0600] - ERR - > referint-plugin - _update_all_per_mod - Entry > > ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local > failed (65) > [06/Nov/2025:09:09:01.934989371 -0600] - ERR - > oc_check_required - Entry > > "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" > missing attribute "ipaOwner" required by object class > "ipaSubordinateId" > [06/Nov/2025:09:09:01.936187948 -0600] - WARN - > memberof-plugin - Entry > > ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local > - schema violation caught - repair operation succeeded > [06/Nov/2025:09:09:01.937103924 -0600] - ERR - > oc_check_required - Entry > > "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" > missing attribute "ipaOwner" required by object class > "ipaSubordinateId" > [06/Nov/2025:09:09:01.937911140 -0600] - ERR - > slapi_entry_schema_check_ext - Entry > > "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" > single-valued attribute "ipaOwner" has multiple values > [06/Nov/2025:09:09:01.940516533 -0600] - WARN - flush_hash - > Upon BETXN callback failure, entry cache is flushed during > 0.000252889 > [06/Nov/2025:09:09:01.941317487 -0600] - WARN - flush_hash - > Upon BETXN callback failure, entry cache is flushed during > 0.000233924 > > > > I enabled the subid feature a little while back and used the > script (/usr/libexec/ipa/ipa-subids) to generate subid's for > everybody without any errors. I am uncertain what has happened > or how to proceed from here. > > Could use some pointers. Thanks! > > -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
