I have had an IPA server running for over a year now. Recently, when I try to add a new user via HTTPS or the terminal, it fails with the following error message:
IPA-Fehler 4203: DatabaseError
Server is unwilling to perform: Managed Entry Plugin rejected add operation (see errors log).
In the error logs, I see:
[timestamp] [:warn] [pid 2731] [client xxx] failed to set perms (3140) on file (/var/run/ipa/ccaches/user@xxx)!, referer: xxx
[timestamp] [:error] [pid 2727] ipa: INFO: [jsonserver_session] user@xxx: group_find(None, posix=True, version=u'2.230', no_members=True): SUCCESS
[timestamp] [:warn] [pid 2731] [client xxx] failed to set perms (3140) on file (/var/run/ipa/ccaches/user@xxx)!, referer: xxx
[timestamp] [:error] [pid 2726] ipa: INFO: [jsonserver_session] user@xxx: user_add(u'xxx', givenname=u'xxx', sn=u'xxx', userpassword=u'********', version=u'2.230'): DatabaseError
The user is not created, but I have to remove the managed group as described here: https://www.redhat.com/archives/freeipa-users/2016-August/msg00092.html before I can try again. What is going on? Any help is appreciated.
$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
$ ipa --version
VERSION: 4.6.4, API_VERSION: 2.230
So I managed to solve the problem. While experimenting with other settings, I tried to add the user without a private group and got the error message:
A quick search showed that this error happens when the user is to be added to a group that does not exist, which happened due to an outdated auto-membership rule. After correcting that, the user can be added.
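A check for the condition described in the answer above, added here as an example and not part of the original post: it reads LDIF exported from the automember container (cn=automember,cn=etc,<suffix>) and the groups container (cn=groups,cn=accounts,<suffix>) and reports every rule whose target or default group no longer exists. The function names and the dc=example,dc=test sample entries are constructed for illustration; the attribute names are those of the 389-ds Auto Membership plugin.

```python
import base64
import re

# Auto Membership plugin attributes that hold a group DN.
GROUP_REF_ATTRS = {"automembertargetgroup", "automemberdefaultgroup"}

def parse_ldif(text):
    """Parse unwrapped LDIF into a list of (dn, {attr: [values]}) tuples."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def norm_dn(dn):
    """Case- and whitespace-insensitive DN form, sufficient for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dangling_automember_refs(rules_ldif, groups_ldif):
    """Return (rule_dn, attr, missing_group_dn) for each stale reference."""
    existing = {norm_dn(dn) for dn, _ in parse_ldif(groups_ldif)}
    findings = []
    for dn, attrs in parse_ldif(rules_ldif):
        for attr in sorted(attrs.keys() & GROUP_REF_ATTRS):
            for target in attrs[attr]:
                if norm_dn(target) not in existing:
                    findings.append((dn, attr, target))
    return findings

# Constructed sample data; dc=example,dc=test is a placeholder suffix.
SAMPLE_RULES = """\
dn: cn=Group,cn=automember,cn=etc,dc=example,dc=test
autoMemberDefaultGroup: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test

dn: cn=oldteam,cn=Group,cn=automember,cn=etc,dc=example,dc=test
autoMemberTargetGroup: cn=oldteam,cn=groups,cn=accounts,dc=example,dc=test
"""
SAMPLE_GROUPS = "dn: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test\n"
```

With the sample data, only the cn=oldteam rule is reported, because its target group has no entry in the groups export.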