Done. https://pagure.io/freeipa/issue/9873

On Thu, Nov 6, 2025 at 12:28 PM Rob Crittenden <[email protected]> wrote:

> Russell Jones via FreeIPA-users wrote:
> > Last reply -
> >
> > I can confirm now if I delete the subid range from the user using
> > ldapdelete, I am able to rename the user without any issues.
> >
> > As soon as I use "ipa subid-generate --owner=<user>" and then try to
> > rename them again, it fails with the same error.
>
> I was able to reproduce this. Can you open an upstream issue on it at
> https://pagure.io/freeipa/new_issue with the steps you provided here?
>
> thanks
>
> rob
>
> >
> > On Thu, Nov 6, 2025 at 9:44 AM Russell Jones <[email protected]> wrote:
> >
> >     This error just doesn't make any sense to me. I have gone through
> >     all 4 servers grabbing the raw ldap data for the ipauniqueid it's
> >     complaining about, and I am not seeing anything missing. It matches
> >     across all 4 replicas:
> >
> >     [root@freeipa1 slapd-US-EP-CORP-LOCAL]# ipa subid-show 05c48cfb-5503-4162-9e14-648d88767356 --all --raw
> >       dn: ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local
> >       ipauniqueid: 05c48cfb-5503-4162-9e14-648d88767356
> >       description: auto-assigned subid
> >       ipaowner: uid=<username>,cn=users,cn=accounts,dc=us,dc=ep,dc=corp,dc=local
> >       ipasubuidnumber: 2147549184
> >       ipasubuidcount: 65536
> >       ipasubgidnumber: 2147549184
> >       ipasubgidcount: 65536
> >       objectclass: ipasubordinateidentry
> >       objectclass: ipasubordinateid
> >       objectclass: ipasubordinategid
> >       objectclass: ipasubordinateuid
> >       objectclass: top
> >
> >     Are there any known issues with renaming accounts that have subid's
> >     attached to them?
> >
> >
> >     On Thu, Nov 6, 2025 at 9:16 AM Russell Jones <[email protected]> wrote:
> >
> >         Hi all,
> >
> >         We somewhat recently upgraded our FreeIPA cluster (4 nodes in
> >         all-replication setup) from 4.8 to 4.10, and then 4.10 to 4.12
> >         using replication. Stood up two new 4.10 servers, replicated
> >         from 4.8. Then stood up two new 4.12 servers, and replicated
> >         from 4.10. After that, created two more 4.12 servers and added
> >         them into the cluster.
> >
> >         All went fairly well, however I just discovered that renaming
> >         users fails. When I try to rename a user, I get the following
> >         error in server logs:
> >
> >
> >             [06/Nov/2025:09:09:01.741275830 -0600] - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-68f12ab70000000f0000
> >             [06/Nov/2025:09:09:01.932930359 -0600] - ERR - oc_check_required - Entry "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" missing attribute "ipaOwner" required by object class "ipaSubordinateId"
> >             [06/Nov/2025:09:09:01.933838475 -0600] - ERR - referint-plugin - _update_all_per_mod - Entry ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local failed (65)
> >             [06/Nov/2025:09:09:01.934989371 -0600] - ERR - oc_check_required - Entry "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" missing attribute "ipaOwner" required by object class "ipaSubordinateId"
> >             [06/Nov/2025:09:09:01.936187948 -0600] - WARN - memberof-plugin - Entry ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local - schema violation caught - repair operation succeeded
> >             [06/Nov/2025:09:09:01.937103924 -0600] - ERR - oc_check_required - Entry "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" missing attribute "ipaOwner" required by object class "ipaSubordinateId"
> >             [06/Nov/2025:09:09:01.937911140 -0600] - ERR - slapi_entry_schema_check_ext - Entry "ipauniqueid=05c48cfb-5503-4162-9e14-648d88767356,cn=subids,cn=accounts,dc=us,dc=ep,dc=corp,dc=local" single-valued attribute "ipaOwner" has multiple values
> >             [06/Nov/2025:09:09:01.940516533 -0600] - WARN - flush_hash - Upon BETXN callback failure, entry cache is flushed during 0.000252889
> >             [06/Nov/2025:09:09:01.941317487 -0600] - WARN - flush_hash - Upon BETXN callback failure, entry cache is flushed during 0.000233924
> >
> >
> >
> >         I enabled the subid feature a little while back and used the
> >         script (/usr/libexec/ipa/ipa-subids) to generate subid's for
> >         everybody without any errors. I am uncertain what has happened
> >         or how to proceed from here.
> >
> >         Could use some pointers. Thanks!
> >
> >
>
>
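Added example, not part of the original thread and not FreeIPA or 389-ds project code: a small triage script that groups directory-server error-log records like the ones quoted above by entry DN, so a failed rename can be matched to the subid entries whose schema check failed. The DN, timestamps and log text are constructed placeholders modelled on the quoted records; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed placeholder DN and log text, modelled on the records quoted in the thread.
DN = "ipauniqueid=00000000-0000-0000-0000-000000000000,cn=subids,cn=accounts,dc=example,dc=test"
TS = "[06/Nov/2025:09:09:01.000000000 -0600]"
SAMPLE_LOG = "\n".join([
    f"{TS} - ERR - get_value_from_string - type does not match: dsEntryDN != dsEntryDN;vucsn-0",
    f'{TS} - ERR - oc_check_required - Entry "{DN}" missing attribute "ipaOwner" '
    'required by object class "ipaSubordinateId"',
    f"{TS} - ERR - referint-plugin - _update_all_per_mod - Entry {DN} failed (65)",
    f"{TS} - WARN - memberof-plugin - Entry {DN} - schema violation caught - "
    "repair operation succeeded",
    f'{TS} - ERR - slapi_entry_schema_check_ext - Entry "{DN}" single-valued attribute '
    '"ipaOwner" has multiple values',
    f"{TS} - WARN - flush_hash - Upon BETXN callback failure, entry cache is flushed during 0.0002",
])

RECORD = re.compile(r"^\[[^\]]+\] - (?P<sev>[A-Z]+) - (?P<src>[\w-]+) - (?P<msg>.*)$")
ENTRY_DN = re.compile(r'Entry "?(?P<dn>[^"\s]+)"?')  # assumes DNs without spaces
PATTERNS = {
    "missing_required": re.compile(r'missing attribute "(?P<val>[^"]+)" required by'),
    "multi_valued": re.compile(r'single-valued attribute "(?P<val>[^"]+)" has multiple'),
    "referint_failed": re.compile(r"failed \((?P<val>\d+)\)"),  # LDAP 65 = objectClassViolation
}

def summarize(log_text):
    """Map each entry DN to the schema problems logged against it."""
    found = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = RECORD.match(line.strip())
        dn = ENTRY_DN.search(rec["msg"]) if rec else None
        if not dn:
            continue  # not a log record, or a record that names no entry
        for kind, pattern in PATTERNS.items():
            hit = pattern.search(rec["msg"])
            if hit:
                found[dn["dn"]][kind].add(hit["val"])
    return {d: {k: sorted(v) for k, v in kinds.items()} for d, kinds in found.items()}

def conflicting(summary):
    """DNs where one attribute is logged as both missing and multi-valued."""
    return sorted(d for d, k in summary.items()
                  if set(k.get("missing_required", [])) & set(k.get("multi_valued", [])))

if __name__ == "__main__":
    for dn, kinds in summarize(SAMPLE_LOG).items():
        print(dn, kinds)
```

The script expects one record per line, as the server writes them, not the wrapped form an e-mail client produces.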