On Thu, 07 Oct 2021, Florence Renaud via FreeIPA-users wrote:
Hi,

the local domain range that is visible with *ipa idrange-find* shows the
IDs that IPA should use when it creates new users / new groups. That
configuration is set for the whole topology, stored in the LDAP tree that
is replicated across the servers (below *cn=ranges,cn=etc,$BASEDN*)
If there are n servers, they need to agree on a split of the existing
range, so that server1 and server2 do not create new entities with
conflicting ids.
At the server level, each server assigns new IDs based on its local
configuration stored in *cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config* (not replicated). This setting is called the
DNA range (Distributed Numeric Assignment) and can be seen globally with
the command *ipa-replica-manage dnarange-show*. The DNA ranges configured
on each server must remain inside the local domain range, and must not
overlap between the servers.

What is your current DNA range setting? It looks like one of your servers
has a DNA range outside of the domain local range.

I wrote a script some time ago that allows you to visualize
differences between DNA ranges, ID ranges, and user/group objects.

See https://gist.github.com/abbra/33f5ac59c5cae750ecdb3974978d9cec for
details. Here is how to run it on IPA server:

# kinit admin
# ipa -e in_server=True console sync-ranges.py

It works with python3-based FreeIPA 4.8+.


flo



On Thu, Oct 7, 2021 at 10:56 AM lejeczek via FreeIPA-users <
[email protected]> wrote:



On 07/10/2021 08:54, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> I create new users - goes error-free seemingly - and
> integrated Samba does not see those. "Old" users are fine
> and one obvious, easy to spot thing is that new users lack
> 'ipantuserattrs'
> An old user:
>   objectclass: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount,
>                krbprincipalaux, krbticketpolicyaux,
> ipaobject, ipasshuser,
>                ipaSshGroupOfPubKeys, mepOriginEntry,
> ipantuserattrs
> a new one:
>   objectclass: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount,
>                krbprincipalaux, krbticketpolicyaux,
> ipaobject, ipasshuser,
>                ipaSshGroupOfPubKeys, mepOriginEntry
>
> is Samba integrations broken and if yes then how to check
> and fix it?
>
>
One another thing I noticed that from range:
-> $ ipa idrange-find
---------------
1 range matched
---------------
   Range name: CCNR.CEB.PRIVATE.CAM.AC.UK_id_range
   First Posix ID of the range: 57400000
   Number of IDs in the range: 200000
   First RID of the corresponding RID range: 1000
   First RID of the secondary RID range: 100000000
   Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

and a newly created user ends up with:
   UID: 1107
   GID: 1107

If I manually set 'uid' at creation time, to something from
that 'Posix' range then 'ipantuserattrs' is present.
Can someone shed more light on what is happening there?

many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure





--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
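The check Florence describes above (every server's DNA range must sit inside the local domain range from *ipa idrange-find* and the DNA ranges must not overlap) can be scripted against the plain text the two commands print. The following is an added example for this thread, not the FreeIPA project's code and not the gist linked above. It parses constructed sample output: the *ipa idrange-find* block copies the shape shown in the thread, while the *ipa-replica-manage dnarange-show* line format ("<server>: <first>-<last>" or "<server>: No range set") is assumed from memory and should be checked against your own servers. The hostnames are made up, and one replica is deliberately given a DNA range below the domain range to reproduce the symptom of a new user getting UID 1107.

```python
"""Cross-check FreeIPA DNA ranges against the local ID range.

Added example for this thread, not code from the FreeIPA project. The
`ipa-replica-manage dnarange-show` line format is assumed from memory.
"""
import re
from dataclasses import dataclass

# Constructed sample: shape copied from the `ipa idrange-find` output in the thread.
IDRANGE_FIND_OUTPUT = """\
---------------
1 range matched
---------------
  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 57400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample (assumed dnarange-show format): ipa2 has a DNA range that
# lies outside the local domain range, which is what hands out UIDs like 1107.
DNARANGE_SHOW_OUTPUT = """\
ipa1.example.test: 57400003-57499999
ipa2.example.test: 1000-1999
ipa3.example.test: No range set
"""


@dataclass(frozen=True)
class IdRange:
    name: str
    first: int
    last: int  # inclusive
    kind: str


def parse_idranges(text):
    """Turn `ipa idrange-find` output into IdRange objects with inclusive bounds."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Range name:"):
            cur = {}
            entries.append(cur)
        if cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    ranges = []
    for e in entries:
        first = int(e["First Posix ID of the range"])
        size = int(e["Number of IDs in the range"])
        ranges.append(IdRange(e["Range name"], first, first + size - 1, e["Range type"]))
    return ranges


def parse_dna_ranges(text):
    """Map server -> (first, last), or None when the server reports no range."""
    dna = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        server, _, rest = line.partition(":")
        m = re.fullmatch(r"\s*(\d+)-(\d+)\s*", rest)
        dna[server.strip()] = (int(m.group(1)), int(m.group(2))) if m else None
    return dna


def check_dna_ranges(local, dna):
    """Return (server, message) findings: ranges outside `local`, or overlapping."""
    findings = []
    for server, rng in sorted(dna.items()):
        if rng is None:
            findings.append((server, "no DNA range set"))
            continue
        first, last = rng
        if first < local.first or last > local.last:
            findings.append((server, f"DNA range {first}-{last} outside local domain range "
                                     f"{local.first}-{local.last}"))
    # Sort by start and compare neighbours: any overlap shows up between adjacent ranges.
    assigned = sorted((rng, srv) for srv, rng in dna.items() if rng)
    for (a, sa), (b, sb) in zip(assigned, assigned[1:]):
        if b[0] <= a[1]:
            findings.append((f"{sa},{sb}", f"DNA ranges {a[0]}-{a[1]} and {b[0]}-{b[1]} overlap"))
    return findings


def server_for_id(dna, posix_id):
    """Which server's DNA range contains this UID/GID (None if no range matches)."""
    for server, rng in dna.items():
        if rng and rng[0] <= posix_id <= rng[1]:
            return server
    return None


def run_check(idrange_text, dna_text):
    """Pick the local domain range and check all DNA ranges against it."""
    local = next(r for r in parse_idranges(idrange_text) if r.kind == "local domain range")
    return check_dna_ranges(local, parse_dna_ranges(dna_text))


if __name__ == "__main__":
    for server, msg in run_check(IDRANGE_FIND_OUTPUT, DNARANGE_SHOW_OUTPUT):
        print(f"{server}: {msg}")
    print("UID 1107 would come from:", server_for_id(parse_dna_ranges(DNARANGE_SHOW_OUTPUT), 1107))
```

On a real server, feed it the live output instead of the constructed strings (`ipa idrange-find` and `ipa-replica-manage dnarange-show` after `kinit admin`). A "no DNA range set" line is reported as a finding so it is visible, but it is not by itself an error; the thing to act on is a range that falls outside the local domain range or overlaps another server's.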