I’m trying to upgrade an old CentOS 7 based FreeIPA setup to run on Rocky Linux 8.
The server is installed with the command "ipa-replica-install --principal admin --admin-password 'xxx' --setup-dns --setup-ca --setup-kra --forwarder=10.18.38.9" and I didn't notice any errors.
All seems to be working fine in the backend as far as I can see (kinit etc.).
But when I try to log in to the Web UI, the login fails with
Your session has expired. Please log in again.
Looking at /var/log/httpd/error_log, I can see the following error when trying to log in:
[Wed Jun 04 15:11:49.072233 2025] [wsgi:error] [pid 2305:tid 139625594136320] [remote 172.17.0.3:44693] ipa: INFO: [jsonserver_i18n_messages] UNKNOWN: i18n_messages(version='2.251'): SUCCESS
[Wed Jun 04 15:11:49.145416 2025] [wsgi:error] [pid 2306:tid 139625594136320] [remote 172.17.0.3:44695] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
[Wed Jun 04 15:11:49.281768 2025] [wsgi:error] [pid 2306:tid 139625594136320] [remote 172.17.0.3:44695] ipa: INFO: 401 Unauthorized: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
and in /var/log/krb5kdc.log:
Jun 04 15:56:33 ipa02.opr.ngc.dk krb5kdc[2233](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 172.18.38.11: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1749045392, etypes {rep=UNSUPPORTED:(0)} HTTP/ipa02.opr.ngc.dk@HPC.NGC.DK for ldap/ipa02.opr.ngc.dk@HPC.NGC.DK, KDC policy rejects request
Jun 04 15:56:33 ipa02.opr.ngc.dk krb5kdc[2233](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Jun 04 15:56:33 ipa02.opr.ngc.dk krb5kdc[2233](info): closing down fd 11
Edit: OK, so I think I have identified the issue on
which indicated that this is a problem with SIDs and the solution should be to generate the SIDs with "ipa config-mod --enable-sid --add-sids", but this command is not valid on my Rocky 8.10 server.
# ipa config-mod --enable-sid --add-sids
Usage: ipa [global-options] config-mod [options]
ipa: error: no such option: --enable-sid
# cat /etc/redhat-release
Rocky Linux release 8.10 (Green Obsidian)
# ipa --version
VERSION: 4.9.13, API_VERSION: 2.251
Does anyone have an idea how to fix this?