On Tue, 05 Apr 2022, Francis Augusto Medeiros-Logeay wrote:
> Thanks Alexander:
>
> ---------------
> 1 range matched
> ---------------
> dn: cn=IPA.MYDOMAIN_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain
> cn: IPA.MYDOMAIN_id_range
> ipabaseid: 1987000000
> ipaidrangesize: 200000
> ipabaserid: 0
> ipasecondarybaserid: 100000000
> iparangetype: ipa-local
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaDomainIDRange
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> Is that wrong?

ipabaserid value cannot be 0. In a typical environment it is 1000
because RIDs in a domain user SID below 1000 have special meaning.
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/security-identifiers
explains how SIDs are built.
So a solution would be to set ipabaserid value to 1000.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
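
An added example, not part of the original message and not FreeIPA's own code: a check of the range output quoted above that flags RID bases below 1000 and shows which RID the first POSIX ID in the range would receive. It assumes a RID is derived as ipabaserid plus the offset of the ID inside the range; the function names are hypothetical.

```python
import re

# Constructed sample: the range attributes quoted in the message above.
SAMPLE = """\
dn: cn=IPA.MYDOMAIN_id_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain
cn: IPA.MYDOMAIN_id_range
ipabaseid: 1987000000
ipaidrangesize: 200000
ipabaserid: 0
ipasecondarybaserid: 100000000
iparangetype: ipa-local
"""

MIN_RID = 1000  # RIDs below 1000 have special meaning in a domain SID


def parse_range(text):
    """Collect 'attr: value' lines into a dict, converting numeric values."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.+)$", line.strip())
        if m:
            key, val = m.group(1).lower(), m.group(2)
            entry[key] = int(val) if val.isdigit() else val
    return entry


def rid_for(entry, posix_id):
    """Assumed mapping: RID = ipabaserid + offset of the ID inside the range."""
    offset = posix_id - entry["ipabaseid"]
    if not 0 <= offset < entry["ipaidrangesize"]:
        raise ValueError("ID %d is outside the range" % posix_id)
    return entry["ipabaserid"] + offset


def check_range(entry):
    """Return a list of problems with the RID settings of a local range."""
    problems = []
    size = entry["ipaidrangesize"]
    base, sec = entry.get("ipabaserid"), entry.get("ipasecondarybaserid")
    if base is None or sec is None:
        return ["ipabaserid or ipasecondarybaserid is missing"]
    for name, val in (("ipabaserid", base), ("ipasecondarybaserid", sec)):
        if val < MIN_RID:
            problems.append("%s=%d is below %d" % (name, val, MIN_RID))
    if base < sec + size and sec < base + size:
        problems.append("primary and secondary RID ranges overlap")
    return problems
```

With the quoted values, `check_range(parse_range(SAMPLE))` reports the zero base RID, and `rid_for` shows that the first 1000 IDs of the range would map to RIDs below 1000.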