Hi Rob,
Okay, that's not easy to explain… this affects multiple installations.
The objects are in LDAP and they work. When I log into the FreeIPA UI, Users, 
Groups, Hosts, Sudo, Hostgroups and some other object types are totally empty. Same 
if I use the ipa command: if I use “ipa user-find” without entering a search term, 
I get nothing. If I do a specific search for an object, I find it, except DNS; 
there is no way to get DNS zones unless you know what you have to hack into the 
URL to get into the zone (/ipa/#/e/dnszone/records/zonename…); search shows no 
zones.
Let me give you an example: this is a server with around 20-30 users, 10-15 DNS 
zones, a handful of groups, sudo rules, host groups, etc.; ipa1 + ipa2 sync with 
each other, both authenticate users, deliver DNS and certificates, so these 
servers do their job until you want to find/browse something.
 
Let's do a simple query without a term
[root@ipa1 /]# ipa user-find
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
I get nothing, but users should be visible. Same behaviour in the Web UI: 
nothing, all the above-mentioned areas are empty.
 
Now let's do a search with a term to find something specific I know
[root@ipa1 /]# ipa user-find testuser
--------------
1 user matched
--------------
 User login: testuser
 First name: XXX
 Last name: XXX
 Home directory: /home/testuser
 Login shell: /usr/bin/zsh
 Principal name: testuser@XXX
 Principal alias: testuser@XXX
 Email address: testuser@XXX
 UID: 357400030
 GID: 357400030
 Account disabled: True
----------------------------
Number of entries returned 1
----------------------------
[root@ipa1 /]# id testuser
uid=357400030(testuser) gid=357400030(testuser) …
Now we get something; same behaviour in the Web GUI: search for an existing 
object and you find it.
 
Let's create a fresh object, like a user; it could also be a group or DNS zone, 
it doesn't matter, the outcome is the same
[root@ipa1 /]# ipa user-add
First name: demo
Last name: user
User login [duser]: duser
------------------
Added user "duser"
------------------
 User login: duser
 First name: demo
 Last name: user
 Full name: demo user
 Display name: demo user
 Initials: du
 Home directory: /home/duser
 GECOS: demo user
 Login shell: /usr/bin/zsh
 Principal name: duser@XXX
 Principal alias: duser@XXX
 Email address: duser@XXX
 UID: 357400068
 GID: 357400068
 Password: False
 Member of groups: ipausers
 Kerberos keys available: False
Now again search with no search term
[root@ipa1 /]# ipa user-find
--------------
1 user matched
--------------
 User login: duser
 First name: demo
 Last name: user
 Home directory: /home/duser
 Login shell: /usr/bin/zsh
 Principal name: duser@xxx
 Principal alias: duser@xxx
 Email address: duser@xxx
 UID: 357400068
 GID: 357400068
 Account disabled: False
----------------------------
Number of entries returned 1
----------------------------
Now we see a result without searching for something specific, and this also 
works in the Web UI; it just shows this new user in the users tab, not the other 
~30 or the testuser I searched for above.
 
Conclusion: no data in LDAP is missing; the API (used by the Web UI and the ipa 
command) is unable to show existing “old” objects until I search specifically for 
a known object; all newly generated objects are always visible/listed. This is 
of course really bad: if you don't know what to search for, you can't find 
anything this way.
This is not just this installation; another standalone installation at a 
customer site behaves like this, and just now I found this also affects my 
private system. So three installations in total. All installations are based on 
RHEL 8.10 or AlmaLinux 8.10. IPA on all systems is 4.9.13-20.
This issue first appeared ~1 week ago and, like the OP, the impact is visible 
after a reboot.
 
Sven

On Monday, January 19, 2026 19:12 CET, Rob Crittenden 
<[email protected]> wrote:

 
Sven Jansen via FreeIPA-users wrote:
> Hi,
> 
> I see the same problem on my IPA installations for around one or two
> weeks now. All affected machines run FreeIPA 4.9.13-20.
> 
> * one machine is a RHEL 8.10 standalone deployment
> * two machines are AlmaLinux 8.10 sync between each other
> * All instances have the full capability, DNS, Certificate Authority
> and acme.
> 
> These installations are not related and in different companies. On the
> first RHEL machine, users are listed, groups are not, some other object
> types are missing, you can find objects by searching for the name, same
> with ipa find-user. Freshly created users/groups/hosts work fine and show
> up in the Web interface and ipa find-user.

Can you be more precise? Users are listed where? Through SSSD/nss? Via
the command-line/UI tools? Are they in LDAP?

In what context is this happening? Did it start out of the blue or after
something was done? It may even be something that seems benign.

> 
> On the second pair (running AlmaLinux), it's a bit different: no users,
> groups, hosts, sudo rules etc. are shown, only freshly created objects
> show up by using the Web interface or using the ipa command. DNS is a bit
> different: on IPA1, all DNS zones are visible; on IPA2, no zones are
> visible, except if I create a new zone. Luckily I can still see all zones on
> IPA1. Searching for DNS zones on IPA2 does not work, but I can reach the
> zone by changing the URL to “/ipa/ui/#/e/dnszone/records/mydomain.com”
> on IPA2, so they are there and accessible.
> 
> I tried to edit existing objects to see if they pop up, but no luck. I
> ran ipa-server-upgrade to see if some migration is missing, but it
> finishes without issue and the problem persists.
> 
> No issues with DNS lookups, getting certs or providing authentication;
> just searching/showing objects is broken. I have no clue how to fix that;
> I can see no “useful” information in my slapd logs, or I don't know what
> to look for.
> 
> 

How are you authenticating? If no users exist then it's quite surprising
that you can authenticate. Do you see them in LDAP?

rob

 

 