Hi,

1/ The local ID range NIX.VERSATUSHPC.COM.BR_id_range shows that you can
have posix ids created on IdM:
from 1,278,400,000 to 1,278,599,999.
These posix ids can be created either by idm1 or by idm2 server, but you
need to make sure that they don't use the same value if simultaneous
user-add/group-add operations are performed on both servers.
Currently, idm1 can pick any value in the 1,278,400,006-1,278,499,999 range
(ids from 1,278,400,000 to 1,278,400,005 are probably already taken by
existing users/groups). You need to find the list of posix ids already
used, and adjust idm range starting from this max value +1. For the end of
idm1 range, you can for instance cut the original range in 2, and have idm1
stop at 1,278,449,999, and idm2 start at 1,278,450,000 and stop at
1,278,499,999 (provided no value inside this range was already attributed).

2/ the ipa trust-fetch-domains output is normal, it returns 0 entries and if
any additional domain is found it is displayed in ipa trustdomain-find.

HTH,
flo
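
The overlap check and the range split described in point 1/ above, as an added example (not code from the thread or from the FreeIPA project). It parses the one-line-per-host format of `ipa-replica-manage dnarange-show` quoted further down, flags hosts whose DNA ranges intersect, and then carves non-overlapping sub-ranges for each server starting at the highest already-used POSIX ID + 1. It goes slightly beyond the thread's suggestion in that it divides the whole local IdM range among the servers rather than only the first half; the host names, the range values and the list of used IDs are constructed from the thread's numbers.

```python
"""Detect overlapping FreeIPA DNA ranges and compute a non-overlapping split.

Added example, not part of the mailing-list thread. Assumes the
`host: START-END` output format of `ipa-replica-manage dnarange-show` and the
`ipa-replica-manage dnarange-set HOST START-END` syntax as used in the thread.
"""
import re
from itertools import combinations

# Constructed sample: the dnarange-show output quoted in the thread.
DNARANGE_SHOW_OUTPUT = """\
idm1.nix.versatushpc.com.br: 1278400006-1278499999
idm2.nix.versatushpc.com.br: 1278400000-1278499999
"""

# Local IdM range from the thread's `ipa idrange-find` output.
RANGE_FIRST = 1278400000
RANGE_SIZE = 200000

# Constructed: POSIX IDs assumed already allocated (admin user/groups etc.).
USED_IDS = [1278400000, 1278400001, 1278400002,
            1278400003, 1278400004, 1278400005]

LINE_RE = re.compile(r"^(?P<host>\S+):\s+(?P<start>\d+)-(?P<end>\d+)\s*$")


def parse_dnarange_show(text):
    """Return {host: (start, end)} parsed from dnarange-show output."""
    ranges = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ranges[m.group("host")] = (int(m.group("start")), int(m.group("end")))
    return ranges


def find_overlaps(ranges):
    """Return (host_a, host_b) pairs whose DNA ranges intersect."""
    overlaps = []
    for (a, (sa, ea)), (b, (sb, eb)) in combinations(sorted(ranges.items()), 2):
        # Two closed intervals intersect iff each starts no later than the other ends.
        if sa <= eb and sb <= ea:
            overlaps.append((a, b))
    return overlaps


def split_dna_range(range_first, range_size, used_ids, hosts):
    """Divide the free part of the IdM range evenly among hosts.

    Every sub-range starts above the highest ID already allocated inside the
    range, so existing users/groups are never re-issued, and sub-ranges are
    disjoint so concurrent user-add/group-add on different servers cannot
    pick the same value. The last host absorbs any remainder.
    """
    range_last = range_first + range_size - 1
    highest_used = max((i for i in used_ids if range_first <= i <= range_last),
                       default=range_first - 1)
    free_first = highest_used + 1
    free_count = range_last - free_first + 1
    per_host = free_count // len(hosts)
    if per_host < 1:
        raise ValueError("not enough free IDs to give every host a sub-range")
    assignment = {}
    cursor = free_first
    for idx, host in enumerate(hosts):
        last = range_last if idx == len(hosts) - 1 else cursor + per_host - 1
        assignment[host] = (cursor, last)
        cursor = last + 1
    return assignment


def dnarange_set_commands(assignment):
    """Render the commands an admin would run on one server to apply the split."""
    return ["ipa-replica-manage dnarange-set %s %d-%d" % (host, s, e)
            for host, (s, e) in assignment.items()]


if __name__ == "__main__":
    current = parse_dnarange_show(DNARANGE_SHOW_OUTPUT)
    for a, b in find_overlaps(current):
        print("OVERLAP: %s %s <-> %s %s" % (a, current[a], b, current[b]))
    proposal = split_dna_range(RANGE_FIRST, RANGE_SIZE, USED_IDS, sorted(current))
    for cmd in dnarange_set_commands(proposal):
        print(cmd)
```

The list of used IDs is the one input you have to collect yourself before applying the commands; in practice that is the uidNumber/gidNumber values of the existing users and groups (for instance from `ipa user-find --all --raw` and `ipa group-find --all --raw`), and the split is only safe if no ID above the assumed maximum has been allocated in the meantime.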

On Fri, Aug 20, 2021 at 11:01 PM Vinícius Ferrão <fer...@versatushpc.com.br>
wrote:

> Hi Florence.
>
> On 20 Aug 2021, at 05:29, Florence Renaud <f...@redhat.com> wrote:
>
> Hi,
>
> On Thu, Aug 19, 2021 at 7:09 PM Vinícius Ferrão via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hello,
>>
>> I had to reinstall our IPA server since we had Filesystem corruption
>> beyond repair on it.
>>
>> After the reinstall (with ipa-replica-install) AD Trust does not seem to
>> be working anymore.
>>
>> I tried to delete the trust and then re-add it, but there's no effect.
>> Here's the outputs:
>>
>> [root@idm1 ~]# ipa-adtrust-install --add-agents
>>
>> The log file for this installation can be found in
>> /var/log/ipaserver-adtrust-install.log
>>
>> ==============================================================================
>> This program will setup components needed to establish trust to
>> AD domains for
>> the IPA Server.
>>
>> This includes:
>>   * Configure Samba
>>   * Add trust related objects to IPA LDAP server
>>
>> To accept the default shown in brackets, press the Enter key.
>>
>> Configuring cross-realm trusts for IPA server requires password for user
>> 'admin'.
>> This user is a regular system account used for IPA server administration.
>>
>> admin password:
>>
>> IPA generated smb.conf detected.
>> Overwrite smb.conf? [no]: yes
>> Do you want to enable support for trusted domains in Schema Compatibility
>> plugin?
>> This will allow clients older than SSSD 1.9 and non-Linux clients to work
>> with trusted users.
>>
>> Enable trusted domains support in slapi-nis? [no]: yes
>>
>>
>> The following operations may take some minutes to complete.
>> Please wait until the prompt is returned.
>>
>> Configuring CIFS
>>   [1/24]: validate server hostname
>>   [2/24]: stopping smbd
>>   [3/24]: creating samba domain object
>> Samba domain object already exists
>>   [4/24]: retrieve local idmap range
>>   [5/24]: writing samba config file
>>   [6/24]: creating samba config registry
>>   [7/24]: adding cifs Kerberos principal
>>   [8/24]: adding cifs and host Kerberos principals to the adtrust agents
>> group
>>   [9/24]: check for cifs services defined on other replicas
>>   [10/24]: adding cifs principal to S4U2Proxy targets
>> cifs principal already targeted, nothing to do.
>>   [11/24]: adding admin(group) SIDs
>> Admin SID already set, nothing to do
>> Admin group SID already set, nothing to do
>>   [12/24]: adding RID bases
>> RID bases already set, nothing to do
>>   [13/24]: updating Kerberos config
>> 'dns_lookup_kdc' already set to 'true', nothing to do.
>>   [14/24]: activating CLDAP plugin
>> CLDAP plugin already configured, nothing to do
>>   [15/24]: activating sidgen task
>> Sidgen task plugin already configured, nothing to do
>>   [16/24]: map BUILTIN\Guests to nobody group
>>   [17/24]: configuring smbd to start on boot
>>   [18/24]: enabling trusted domains support for older clients via Schema
>> Compatibility plugin
>>   [19/24]: restarting Directory Server to take MS PAC and LDAP
>> plugins changes into account
>>   [20/24]: adding fallback group
>> Fallback group already set, nothing to do
>>   [21/24]: adding Default Trust View
>> Default Trust View already exists.
>>   [22/24]: setting SELinux booleans
>>   [23/24]: starting CIFS services
>>   [24/24]: restarting smbd
>> Done configuring CIFS.
>>
>>
>> =============================================================================
>> Setup complete
>>
>> You must make sure these network ports are open:
>> TCP Ports:
>>   * 135: epmap
>>   * 138: netbios-dgm
>>   * 139: netbios-ssn
>>   * 445: microsoft-ds
>>   * 1024..1300: epmap listener range
>>   * 3268: msft-gc
>> UDP Ports:
>>   * 138: netbios-dgm
>>   * 139: netbios-ssn
>>   * 389: (C)LDAP
>>   * 445: microsoft-ds
>>
>> See the ipa-adtrust-install(1) man page for more details
>>
>>
>> =============================================================================
>>
>>
>> Doing the trust add since the last command didn't add it:
>>
>> [root@idm1 ~]# ipa trust-add win.versatushpc.com.br
>> Active Directory domain administrator: Administrator
>> Active Directory domain administrator's password:
>> ---------------------------------------------------------------
>> Added Active Directory trust for realm "win.versatushpc.com.br"
>> ---------------------------------------------------------------
>>   Realm name: win.versatushpc.com.br
>>   Domain NetBIOS name: VersatusHPC
>>   Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
>>   Trust direction: Trusting forest
>>   Trust type: Active Directory domain
>>   Trust status: Established and verified
>>
>>
>> Fetch domains return 0:
>>
>> [root@idm1 ~]# ipa trust-fetch-domains win.versatushpc.com.br
>>
>> ----------------------------------------------------------------------------------------
>> List of trust domains successfully refreshed. Use
>> trustdomain-find command to list them.
>>
>> ----------------------------------------------------------------------------------------
>> ----------------------------
>> Number of entries returned 0
>> ----------------------------
>>
>>
>> But trustdomain-find is able to find the domain:
>>
>> [root@idm1 ~]# ipa trustdomain-find
>> Realm name: win.versatushpc.com.br
>>   Domain name: win.versatushpc.com.br
>>   Domain NetBIOS name: VersatusHPC
>>   Domain Security Identifier: S-1-5-21-3644117338-1171143469-618167831
>>   Domain enabled: True
>> ----------------------------
>> Number of entries returned 1
>> ----------------------------
>>
>> Healthcheck complains about those issues:
>>
>> [root@idm1 ~]# ipa-healthcheck --all --output-type human | grep -v SUCCESS
>> WARNING: 
>> ipahealthcheck.ipa.trust.IPATrustCatalogCheck.S-1-5-21-3644117338-1171143469-618167831:
>> Look up of S-1-5-21-3644117338-1171143469-618167831 returned nothing
>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Global Catalog:
>> AD Global Catalog not found in /usr/sbin/sssctl 'domain-status' output:
>> Active servers:
>> IPA: idm1.nix.versatushpc.com.br
>> ERROR: ipahealthcheck.ipa.trust.IPATrustCatalogCheck.AD Domain Controller:
>> AD Domain Controller not found in /usr/sbin/sssctl 'domain-status' output:
>> Active servers:
>> IPA: idm1.nix.versatushpc.com.br
>>
>> Can you show the output of " ipa idrange-find" ?
>
>
> There you go:
>
> [root@idm1 ~]# ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
>   Range name: NIX.VERSATUSHPC.COM.BR_id_range
>   First Posix ID of the range: 1278400000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: WIN.VERSATUSHPC.COM.BR_id_range
>   First Posix ID of the range: 1499400000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 0
>   Domain SID of the trusted domain:
> S-1-5-21-3644117338-1171143469-618167831
>   Range type: Active Directory domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
>
>
>> And finally we had a DNA Range issue, but I was able to solve it with
>> this guide:
>> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/
>>
>> [root@idm2 ~]# ipa-replica-manage dnarange-show
>> idm1.nix.versatushpc.com.br: 1278400006-1278499999
>> idm2.nix.versatushpc.com.br: 1278400000-1278499999
>>
>> The ranges are overlapping, this should be fixed. The range for idm2
> should end before the beginning of idm1 range.
>
>
> Alright, what is the right way to do this? Split the range into two
> segments? Or just add 99999 more registries?
>
> PS: Regarding the issue, the AD Trust is now working. What have I done?
> Nothing. I went to bed without it working and today it is working.
> ??????????????????????????
>
> Thanks.
>
> flo
>
> Seems to be OK, I think...
>>
>> I'm running IPA on RHEL 8.4.
>>
>> If it's easier to just remove IPA and reinstall from scratch, that's OK.
>> This is a development system, the same goes for the Windows domain.
>>
>> Thank you all.
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to
>> freeipa-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>> Do not reply to spam on the list, report it:
>> https://pagure.io/fedora-infrastructure
>>
>
>