On Mon, 21 Dec 2020, Mikhail Kiselev via FreeIPA-users wrote:
> I can't add a range:

Yes, you cannot because you are not following the explanation in 'ipa help idrange' and what I suggested. You need to design it carefully.

> [root@ipa ~]# ipa idrange-add --base-id=1000 --range-size=1000 --rid-base=1000 --secondary-rid-base=1000000 magrated_range

You are attempting to create an ID range from 1000 to 2000.

> ipa: ERROR: Constraint violation: New base range overlaps with existing base range.
>
> [root@ipa ~]# ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
>   Range name: E2E4.LOCAL_id_range
>   First Posix ID of the range: 5
>   Number of IDs in the range: 100000
>   Domain SID of the trusted domain: S-1-5-21-585446347-204204591-2842534922
>   Range type: Active Directory trust range with POSIX attributes

The range from 5 to 100000 has already been occupied by this ID range. You cannot create an overlapping ID range object.

>   Range name: OPENTECH.LOCAL_id_range
>   First Posix ID of the range: 346600000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
> [root@ipa ~]# ipa idrange-del E2E4.LOCAL_id_range
> ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed

You can manually check which IDs are in that range by looking at the query in the directory server's access log and re-running it manually as directory manager. When you run 'ipa idrange-del <range>', we do a check that uses the range's values like this:

[21/Dec/2020:09:07:05.563137207 +0200] conn=345 op=4 SRCH base="cn=accounts,dc=ipa1,dc=test" scope=2 filter="(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDObject))(|(&(uidNumber>=775400000)(uidNumber<=775599999))(&(gidNumber>=775400000)(gidNumber<=775599999))))" attrs="uid cn"

so in your case it would be something like

(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDObject))(|(&(uidNumber>=5)(uidNumber<=100005))(&(gidNumber>=5)(gidNumber<=100005))))

Obviously, since you already migrated your old users/groups which have UID/GID values in the range of (1000,2000), they would match the very same LDAP filter and would be counted as belonging to the ID range you are trying to remove, thus preventing you from removing the object.

> [root@ipa ~]# ipa trust-find
> ----------------
> 0 trusts matched
> ----------------
> ----------------------------
> Number of entries returned 0
> ----------------------------

If you don't already have the trust in place, you can remove the ID object for E2E4.LOCAL_id_range with ldapdelete as cn=Directory Manager.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
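The two checks described in the reply above, the base-range overlap test behind the "Constraint violation" error and the LDAP filter that idrange-del runs over cn=accounts, as an added Python example; this is not code from the thread or from FreeIPA itself. It reuses the range values shown in the poster's idrange-find output, computes the last ID of a range as base + size - 1 exactly as the logged filter does (775400000..775599999), and evaluates the same predicate in memory over constructed sample entries so the outcome can be compared with what an ldapsearch as cn=Directory Manager would return. The IdRange class, the helper names and the sample entries are this example's own; the objectClass and attribute names are the ones in the logged filter.

```python
# Added example (not from the mailing-list thread or FreeIPA): model the two
# ID range checks discussed above in pure Python. Range values come from the
# thread; the sample LDAP entries below are constructed.

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int      # ipaBaseID: first POSIX ID in the range
    size: int         # ipaIDRangeSize: number of IDs in the range

    @property
    def last_id(self) -> int:
        # N IDs starting at base cover base .. base+N-1, which is what the
        # logged filter uses (775400000 + 200000 - 1 = 775599999).
        return self.base_id + self.size - 1

    def overlaps(self, other: "IdRange") -> bool:
        return self.base_id <= other.last_id and other.base_id <= self.last_id


def find_overlap(new: IdRange, existing: Iterable[IdRange]) -> list[str]:
    """Names of existing ranges whose base range overlaps `new`; a non-empty
    result is the condition behind "New base range overlaps with existing base range"."""
    return [r.name for r in existing if r.overlaps(new)]


def range_filter(rng: IdRange) -> str:
    """LDAP filter of the same shape as the one idrange-del leaves in the access log."""
    lo, hi = rng.base_id, rng.last_id
    return (
        "(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDObject))"
        f"(|(&(uidNumber>={lo})(uidNumber<={hi}))(&(gidNumber>={lo})(gidNumber<={hi}))))"
    )


def objects_in_range(rng: IdRange, entries: Iterable[dict]) -> list[str]:
    """Evaluate the same predicate in memory: DNs of posixAccount/posixGroup/
    ipaIDObject entries whose uidNumber or gidNumber falls inside the range.
    Any hit is what makes `ipa idrange-del` refuse to delete the range."""
    lo, hi = rng.base_id, rng.last_id
    id_classes = {"posixAccount", "posixGroup", "ipaIDObject"}
    hits = []
    for e in entries:
        if not id_classes & set(e.get("objectClass", [])):
            continue  # not an ID-bearing object: the filter ignores it
        ids = [e[a] for a in ("uidNumber", "gidNumber") if a in e]
        if any(lo <= v <= hi for v in ids):
            hits.append(e["dn"])
    return hits


# Ranges as reported by `ipa idrange-find` in the thread.
E2E4_RANGE = IdRange("E2E4.LOCAL_id_range", 5, 100000)
LOCAL_RANGE = IdRange("OPENTECH.LOCAL_id_range", 346600000, 200000)
# The range the poster tried to add (--base-id=1000 --range-size=1000).
MIGRATED_RANGE = IdRange("magrated_range", 1000, 1000)

# Constructed sample entries: two migrated objects with IDs inside 1000..2000,
# one account in the local domain range, and one entry that carries a number
# but none of the ID object classes (so the filter must skip it).
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=ipa1,dc=test",
     "objectClass": ["posixAccount"], "uidNumber": 1001, "gidNumber": 1001},
    {"dn": "cn=migrated,cn=groups,cn=accounts,dc=ipa1,dc=test",
     "objectClass": ["posixGroup"], "gidNumber": 1500},
    {"dn": "uid=bob,cn=users,cn=accounts,dc=ipa1,dc=test",
     "objectClass": ["posixAccount"], "uidNumber": 346600001, "gidNumber": 346600001},
    {"dn": "cn=nonposix,cn=groups,cn=accounts,dc=ipa1,dc=test",
     "objectClass": ["groupOfNames"], "gidNumber": 1200},
]

if __name__ == "__main__":
    print("overlaps with:", find_overlap(MIGRATED_RANGE, [E2E4_RANGE, LOCAL_RANGE]))
    print("filter to re-run as Directory Manager:", range_filter(E2E4_RANGE))
    print("objects blocking idrange-del:", objects_in_range(E2E4_RANGE, SAMPLE_ENTRIES))
```

Running it shows both failures from the thread: the proposed 1000..1999 range overlaps E2E4.LOCAL_id_range, and the migrated user and group fall inside that range's filter, so deleting the range object through the IPA API is refused until those objects are moved or the range is removed directly in the directory as the reply suggests.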
