Thanks Alex, your comment helped me a lot and so I could fix the issue. I had exactly the same issue.
The problem is that none of my users had the attribute "ipantsecurityidentifier". I found the instructions here: https://access.redhat.com/documentation/de-de/red_hat_enterprise_linux/8/html/managing_idm_users_groups_hosts_and_access_control_rules/assembly_strengthening-kerberos-security-with-pac-information_managing-users-groups-hosts#con_privilege-attribute-certificate-pac-use-in-idm_assembly_strengthening-kerberos-security-with-pac-information

Procedure

Enable SID usage and trigger the SIDgen task to generate SIDs for existing users and groups. This task might be resource-intensive:

    # kinit admin
    # ipa config-mod --enable-sid --add-sids

Verification

Verify that the IdM admin user account entry has an ipantsecurityidentifier attribute with a SID that ends with -500, the SID reserved for the domain administrator:

    [root@server ~]# ipa user-show admin --all | grep ipantsecurityidentifier
    ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500

After this procedure, my admin user had the attribute "ipantsecurityidentifier" and I could successfully log in to the WebUI. The issue I encountered was that not all of my users had been upgraded with the new attribute. Therefore I had to delete and recreate them.
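Added example, not part of the original message and not FreeIPA's own code: a shell function that lists the logins still lacking an ipantsecurityidentifier after the SIDgen task, so the affected accounts can be identified. It assumes the text output of `ipa user-find --all` (with or without `--raw`) on stdin, with each entry starting at a `dn:` line; the sample entries, the example.test suffix and the RID 1001 are constructed.

```shell
#!/bin/sh
# Print the login of every user entry that has no ipantsecurityidentifier.
# Intended use (assumption): ipa user-find --all --sizelimit=0 | users_without_sid
users_without_sid() {
    awk '
        # Report the entry collected so far, then reset for the next one.
        function emit() {
            if (login != "" && !has_sid) print login
            login = ""; has_sid = 0
        }
        /^[[:space:]]*dn:/ { emit() }                     # a new entry begins
        /^[[:space:]]*(uid|User login):/ {                # raw or labelled form
            sub(/^[[:space:]]*(uid|User login):[[:space:]]*/, "")
            login = $0
        }
        /^[[:space:]]*ipantsecurityidentifier:[[:space:]]*S-1-/ { has_sid = 1 }
        END { emit() }                                    # last entry
    '
}

# Constructed sample in the shape of `ipa user-find --all` output.
sample_output() {
    cat <<'EOF'
---------------
4 users matched
---------------
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
  User login: admin
  UID: 1000
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500

  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  User login: alice
  ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-1001

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  User login: bob
  UID: 1002

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  User login: carol
----------------------------
Number of entries returned 4
----------------------------
EOF
}

sample_output | users_without_sid
```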
