I can show a migrated entry, certainly. I'll use my own.

First, the log shows these entries when I try to generate or set a password:

    [datetime] - ERR - ipapwd_encrypt_encode_key - [file_encoding.c, line 143]: no krbPrincipalName present in this entry
    [datetime] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key encryption/encoding failed

Here's the user entry:

    # ipa user-find bretw
    1 user matched
      User login: bretw
      First name: Bret
      Last name: Wortman
      Home directory: /nethome/bretw
      Login shell: /bin/bash
      Email address: bret@damascusgrp.com
      UID: 10042
      GID: 100
      Account disabled: False
    Number of entries returned 1

On 05/04/2018 10:48 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> I've just finished setting up a new IPA server, planning to use it and some replicas to replace our existing servers. I did this by dumping all the data from the old ones using a series of ipa commands and then used custom parsers to re-create the entries on the new one (so as not to propagate our lack of CA into the new servers).
>>
>> When I went to set new passwords on all the migrated accounts, I get this error in the web ui: "IPA Error 4031: EmptyResult no matching entry found".
>>
>> The CLI results in this:
>>
>>     # ipa user-mod homer --random
>>     ipa: ERROR: Operations error: key encryption/encoding failed
>>
>> Any idea what might cause this and how I should fix it?
>
> Look in /var/log/dirsrv-YOURINSTANCE/errors for additional logging on this.
>
> Looks like it is failing in generating the Kerberos principal key.
>
> Any chance you could show a migrated entry?


*Bret Wortman*
Founder, Damascus Products LLC

855-644-2783 | 303-523-8037 | bret@damascusproducts.com


10332 Main St Suite 319 Fairfax, VA 22030


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
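The directory server error quoted in this message reports an entry with no krbPrincipalName. As an added example (not part of the thread and not FreeIPA code), this Python script scans an LDIF export of user entries and lists the DNs that lack that attribute, handling folded lines and base64-encoded values. The sample LDIF, the example.test suffix, the function names, and the use of `uid` to recognise user entries are assumptions made for illustration.

```python
import base64

def parse_ldif(text):
    """Yield (dn, attrs) per entry; attrs maps lower-cased names to value lists."""
    # Unfold continuations: a line starting with one space extends the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        if line.startswith("#"):       # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: value" means the value is base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value.strip())

def missing_principal(text):
    """Return DNs of entries that carry a uid (assumed: user entries)
    but no krbPrincipalName, the condition named in the error log."""
    return [dn for dn, attrs in parse_ldif(text)
            if "uid" in attrs and "krbprincipalname" not in attrs]

# Constructed sample input, not taken from the thread.
CAROL_DN = base64.b64encode(
    b"uid=carol,cn=users,cn=accounts,dc=example,dc=test").decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
krbPrincipalName: alice@EXAMPLE.TEST

dn: uid=bob,cn=users,cn=accounts,dc=example,
 dc=test
uid: bob

dn:: {CAROL_DN}
uid: carol
"""

if __name__ == "__main__":
    for dn in missing_principal(SAMPLE_LDIF):
        print("no krbPrincipalName:", dn)
```
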