Bret Wortman via FreeIPA-users wrote:
I can show a migrated entry, certainly. I'll use my own.
First, the log shows these entries when I try to generate or set a password:
[datetime] - ERR - ipapwd_encrypt_encode_key - [file_encoding.c, line
143]: no krbPrincipalName present in this entry
[datetime] - ERR - ipapwd_gen_hashes - [file encoding.c, line 234]: key
Here's the user entry:
# ipa user-find bretw
1 user matched
User login: bretw
First name: Bret
Last name: Wortman
Home directory: /nethome/bretw
Login shell: /bin/bash
Email address: bret(a)damascusgrp.com
Account disabled: False
Number of entries returned 1
Ok, I was hoping to see the whole LDAP entry. In any case it looks like
when you migrated the users you didn't set krbPrincipalName.
You'll also need to be sure that the users have the krbprincipalaux
On 05/04/2018 10:48 AM, Rob Crittenden wrote:
> Bret Wortman via FreeIPA-users wrote:
>> I've just finished setting up a new IPA server, planning to use it
>> and some replicas to replace our existing servers. I did this by
>> dumping all the data from the old ones using a series of ipa commands
>> and then used custom parsers to re-create the entries on the new one
>> (so as not to propagate our lack of CA into the new servers).
>> When I went to set new passwords on all the migrated accounts, I get
>> this error in the web ui: "IPA Error 4031: EmptyResult no matching
>> entry found".
>> The CLI results in this:
>> # ipa user-mod homer --random
>> ipa: ERROR: Operations error: key encryption/encoding failed
>> Any idea what might cause this and how I should fix it?
> Look in /var/log/dirsrv-YOURINSTANCE/errors for additional logging on
> Looks like it is failing in generating the Kerberos principal key.
> Any chance you could show a migrated entry?
>> *Bret Wortman*
>> Founder, Damascus Products LLC
>> 855-644-2783 | 303-523-8037 |
>> bret(a)damascusproducts.com
>> 10332 Main St Suite 319 Fairfax, VA 22030
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
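
A check for the condition identified in the reply above, added here as an example and not code from the thread or from FreeIPA: it parses an LDIF export and reports user entries that have no krbPrincipalName or no krbprincipalaux object class. The sample LDIF, the example.test suffix and realm, and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the thread): one entry migrated without
# Kerberos attributes, one complete entry. Suffix and realm are assumptions.
SAMPLE_LDIF = """\
dn: uid=homer,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
uid: homer

dn: uid=marge,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: marge
krbPrincipalName:: bWFyZ2VARVhBTVBMRS5URVNU
"""

def parse_ldif(text):
    """Yield (dn, attrs); attribute names are lower-cased, values are lists."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # RFC 2849 folded line
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())

def audit(text):
    """Map DN -> problems for user entries lacking what the thread names."""
    findings = {}
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        problems = []
        if not attrs.get("krbprincipalname"):
            problems.append("missing krbPrincipalName")
        if "krbprincipalaux" not in classes:
            problems.append("missing objectClass krbprincipalaux")
        if "uid" in attrs and problems:   # only report user-like entries
            findings[dn] = problems
    return findings
```

Calling `audit()` on the text of an LDIF export of the users container returns the entries that would need fixing before a password can be set on them.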