Rocky 8.9 Idm Server Problem

After upgrading to version 8.9 there was a serious problem with the idm server.
In particular, the ipa service stopped working, requiring a python library that was installed but was actually not present in the file system.
To recover the situation I extracted the contents of the python3-dateutil-2.6.1-6.el8.noarch.rpm package and manually copied it where it should have been.
This allowed the use of existing accounts in the sense that users are able to authenticate on the computers that use that idm server.
Unfortunately, however, when I define a new user (with ipa user-add) or try to use any ipa command the system gives me an error with the following message:
ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)
Has anyone had the same problem?
Greetings
Riccardo

I have the same problem after the Rocky upgrade. Any ipa command invoked gives the same error.
Thanks
Jose

I’ve not seen any other reports of an issue with IPA in Rocky 8. On the surface, it may be a Kerberos issue. If you have run a kinit and you are still receiving errors, I would suggest installing ipa-healthcheck and then running ipa-healthcheck to start diving down into where the issue may be on your domains.

Resolved with:
/usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid --netbios-name YOURNETBIOSDOMAIN --add-sids
You must enter the --netbios-name option even if you don’t need a netbios domain. This is due to an additional bug. I found the solution in "Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working" (FreeIPA-users, Fedora Mailing-Lists).
Greetings
Ricardo
