Users were reporting password change issues. ipa_check_consistency and cipa showed synchronization issues.
grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com
ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
Update in progress, 6 seconds elapsed
Update succeeded
grant@ef-idm04:~[20230211-7:02][#212]$
I am in the middle of a migration from 7 -> 8 (3 of 5 servers are still CentOS 7). The AlmaLinux 8 systems showed an issue with log permissions when I executed the sync. The CentOS 7 systems did not output any error. ipa_check_consistency and cipa show these are all “in sync” now.
What can I do to resolve these log issues, so next time I won’t see these again?
thanx
- grant
On Sat, 11 Feb 2023, Grant Janssen via FreeIPA-users wrote:
> Users were reporting password change issues. ipa_check_consistency and cipa showed synchronization issues.
> grant@ef-idm04:~[20230211-7:01][#211]$ ipa-replica-manage re-initialize --from ef-idm01.production.efilm.com
> ipa: ERROR: Cannot open log file '/var/log/ipa/cli.log': [Errno 13] Permission denied: '/var/log/ipa/cli.log'
> Update in progress, 6 seconds elapsed
> Update succeeded
> grant@ef-idm04:~[20230211-7:02][#212]$
> I am in the middle of a migration from 7 -> 8 (3 of 5 servers are still CentOS 7). The AlmaLinux 8 systems showed an issue with log permissions when I executed the sync. The CentOS 7 systems did not output any error. ipa_check_consistency and cipa show these are all “in sync” now.
> What can I do to resolve these log issues, so next time I won’t see these again?
ipa-*-manage tools expect to be run as root on IPA servers. You are running ipa-replica-manage as non-root and it cannot write to /var/log/ipa/cli.log because only root can write there.
Granted, the man page for ipa-replica-manage(1) does not explicitly state this, but the examples of using the command in the man page point to root's session.
The same applies to all IPA tools from the freeipa-server (ipa-server in RHEL/CentOS) package. They all are part of /usr/sbin and hence (at least traditionally) aim for administrative use as root.
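
A preflight check for the failure discussed in this thread, as an added example that is not part of the original messages or of FreeIPA: it tests whether the current user could write the log path from the error message before an ipa-*-manage tool is run, and shows the owner and mode when it could not. The function name check_ipa_cli_log and the IPA_CLI_LOG variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA).
# Default path is the one quoted in the error message above;
# IPA_CLI_LOG is a hypothetical override used for illustration.
IPA_CLI_LOG="${IPA_CLI_LOG:-/var/log/ipa/cli.log}"

# check_ipa_cli_log [PATH]
# Return codes:
#   0  current user can append to PATH, or create it in its directory
#   1  the write would fail with a permission error (the Errno 13 case)
#   2  the log directory does not exist
check_ipa_cli_log() {
    log="${1:-$IPA_CLI_LOG}"
    dir=$(dirname -- "$log")

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 2
    fi

    if [ -e "$log" ]; then
        # File exists: the tool only needs to open it for writing.
        if [ -w "$log" ]; then
            return 0
        fi
        target=$log
    else
        # File absent: the tool would have to create it, so the
        # directory itself must be writable and searchable.
        if [ -w "$dir" ] && [ -x "$dir" ]; then
            return 0
        fi
        target=$dir
    fi

    # Show who we are and what the owner and mode of the blocker are.
    echo "uid $(id -u) cannot write $target:" >&2
    ls -ld -- "$target" >&2
    echo "run the ipa-*-manage command from a root session instead" >&2
    return 1
}
```

Calling check_ipa_cli_log with no argument on an IPA server, from the same account that will run the tool, reports the condition behind the Permission denied message without touching the log.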