Hi,

On Fri, Jun 23, 2023 at 2:12 PM Harald Dunkel via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi folks,
>
> I am trying to migrate FreeIPA from CentOS7 to Rocky 8. No AD trust
> relationship involved by now. Problem: ipa-replica-install on the
> first Rocky 8 host to join the IPA servers complained
>
>
> #
> --------------------------------------------------------------------------
> [root@ipaca8 ~]# ipa-replica-install --setup-ca --ip-address 172.19.96.100
> Trust is configured but no NetBIOS domain name found, setting it now.
> Enter the NetBIOS name for the IPA domain.
> Only up to 15 uppercase ASCII letters, digits and dashes are allowed.
> Example: EXAMPLE.
>
>
> NetBIOS domain name [EXAMPLE]:
>
>
> WARNING: 564 existing users or groups do not have a SID identifier
> assigned.
> Installer can run a task to have ipa-sidgen Directory Server plugin
> generate
> the SID identifier for all these users. Please note, in case of a high
> number of users and groups, the operation might lead to high replication
> traffic and performance degradation. Refer to ipa-adtrust-install(1) man
> page
> for details.
>
> Do you want to run the ipa-sidgen task? [no]: yes
> Run connection check to master
> Connection check OK
> Disabled p11-kit-proxy
> Configuring directory server (dirsrv). Estimated time: 30 seconds
>     [1/39]: creating directory server instance
> Validate installation settings ...
> Create file system structures ...
> selinux is disabled, will not relabel ports or files.
> Create database backend: dc=example,dc=de ...
> Perform post-installation tasks ...
>     [2/39]: tune ldbm plugin
>     [3/39]: adding default schema
>     [4/39]: enabling memberof plugin
>     [5/39]: enabling winsync plugin
>     [6/39]: configure password logging
> :
> :
>     [20/30]: starting certificate server instance
>     [21/30]: Finalize replication settings
>     [22/30]: configure certmonger for renewals
>     [23/30]: Importing RA key
>     [24/30]: configure certificate renewals
>     [25/30]: Configure HTTP to proxy connections
>     [26/30]: updating IPA configuration
>     [27/30]: enabling CA instance
>     [28/30]: importing IPA certificate profiles
> Lookup failed: Preferred host ipaca8.example.de does not provide CA.
> Lookup failed: Preferred host ipaca8.example.de does not provide CA.
> Failed to import profile 'acmeIPAServerCert': Request failed with status
> 500: Non-2xx response from CA REST API: 500. . Running ipa-server-upgrade
> when installation is completed may resolve this issue.
>     [29/30]: configuring certmonger renewal for lightweight CAs
>     [30/30]: deploying ACME service
> Done configuring certificate server (pki-tomcatd).
> Configuring Kerberos KDC (krb5kdc)
>     [1/1]: installing X509 Certificate for PKINIT
> Done configuring Kerberos KDC (krb5kdc).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>     [1/10]: stopping directory server
>     [2/10]: saving configuration
>     [3/10]: disabling listeners
>     [4/10]: enabling DS global lock
>     [5/10]: disabling Schema Compat
>     [6/10]: starting directory server
>     [7/10]: upgrading server
> Could not get dnaHostname entries in 60 seconds
>     [8/10]: stopping directory server
>     [9/10]: restoring configuration
>     [10/10]: starting directory server
> Done.
> Finalize replication settings
> Restarting the KDC
> Configuring SID generation
>     [1/8]: creating samba domain object
>     [2/8]: adding admin(group) SIDs
>     [3/8]: adding RID bases
> Found more than one local domain ID range with no RID base set.
>     [error] RuntimeError: Too many ID ranges
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Too many ID ranges
>
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
> #
> --------------------------------------------------------------------------
>
> Here is the list of id ranges:
> #
> --------------------------------------------------------------------------
> [root@ipaca8 ~]# ipa idrange-find --all --raw
> ----------------
> 3 ranges matched
> ----------------
>     dn: cn=EXAMPLE.DE_id_range,cn=ranges,cn=etc,dc=example,dc=de
>     cn: EXAMPLE.DE_id_range
>     ipabaseid: 379400000
>     ipaidrangesize: 200000
>     iparangetype: ipa-local
>     objectclass: top
>     objectclass: ipaIDrange
>     objectclass: ipaDomainIDRange
>
>     dn: cn=EXAMPLE.DE_posix,cn=ranges,cn=etc,dc=example,dc=de
>     cn: EXAMPLE.DE_posix
>     ipabaseid: 1000
>     ipaidrangesize: 99000
>     iparangetype: ipa-local
>     objectclass: ipadomainidrange
>     objectclass: ipaIDrange
>
> The 2 above ranges don't have "First RID of the corresponding RID range"
and "First RID of the secondary RID range" set. If you edit them with ipa
idrange-mod --rid-base=INT --secondary-rid-base=INT this should fix the
issue. The installer is able to add these values if there is only one range
but prefers to let the admin manually select the right values if there are
multiple ranges.

For more information you can refer to https://pagure.io/freeipa/issue/9076,
which contains a link to a mail thread with the workaround and a KCS.

flo

>     dn: cn=EXAMPLE.DE_subid_range,cn=ranges,cn=etc,dc=example,dc=de
>     cn: EXAMPLE.DE_subid_range
>     ipabaseid: 2147483648
>     ipaidrangesize: 2147352576
>     ipabaserid: 2147283648
>     ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
>     iparangetype: ipa-ad-trust
>     objectclass: top
>     objectclass: ipaIDrange
>     objectclass: ipaTrustedADDomainRange
> ----------------------------
> Number of entries returned 3
> ----------------------------
> #
> --------------------------------------------------------------------------
>
> I didn't ask for an AD trust relationship, introducing even more complexity
> to something that should be kept as simple as possible. And now it's making
> problems :-(. Is there some way to drop this again?
>
> AFAICT ipa idrange-mod cannot set the RID, so how can I resolve this
> nightmare?
>
> Every helpful comment is highly appreciated.
>
> Harri
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
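One way to work out the values to pass to `ipa idrange-mod` when more than one local range is missing them, as an added example that is not part of this thread or of FreeIPA itself: it parses output in the shape of `ipa idrange-find --all --raw` (a constructed copy of the two local ranges quoted above), reserves the RID intervals of any local range that is already configured, and gives every remaining ipa-local range a primary and a secondary RID interval that overlap nothing else, starting from what I take to be FreeIPA's single-range defaults of 1000 and 100000000. It only prints the commands; nothing is sent to the IPA server.

```python
# Added example (not FreeIPA code): plan disjoint RID bases for ipa-local ranges.
DEFAULT_RID_BASE = 1000                  # FreeIPA's defaults for a single range
DEFAULT_SECONDARY_RID_BASE = 100000000
RID_ATTRS = ("ipabaserid", "ipasecondarybaserid")
# Constructed sample (`ipa idrange-find --all --raw` shape): the thread's two local ranges.
SAMPLE_RAW = """\
  dn: cn=EXAMPLE.DE_id_range,cn=ranges,cn=etc,dc=example,dc=de
  cn: EXAMPLE.DE_id_range
  ipabaseid: 379400000
  ipaidrangesize: 200000
  iparangetype: ipa-local
  dn: cn=EXAMPLE.DE_posix,cn=ranges,cn=etc,dc=example,dc=de
  cn: EXAMPLE.DE_posix
  ipabaseid: 1000
  ipaidrangesize: 99000
  iparangetype: ipa-local
"""

def parse_ranges(raw):
    """One dict per range: a 'dn:' line opens an entry, 'key: value' lines fill it."""
    ranges = []
    for line in raw.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep:                              # banners, blanks and dashes have no ': '
            if key == "dn":
                ranges.append({})
            ranges[-1][key.lower()] = value
    return ranges

def plan_rid_bases(ranges):
    """Yield `ipa idrange-mod` commands for ipa-local ranges that lack RID bases."""
    used = []                                # [start, end) RID intervals already taken

    def claim(candidate, size):
        for start, end in sorted(used):      # slide past every overlapping interval
            if candidate < end and start < candidate + size:
                candidate = end
        used.append((candidate, candidate + size))
        return candidate

    local = [r for r in ranges if r["iparangetype"] == "ipa-local"]   # trust RIDs are AD's
    for r in sorted(local, key=lambda r: ("ipabaserid" not in r, int(r["ipabaseid"]))):
        size = int(r["ipaidrangesize"])
        if "ipabaserid" in r:                # already configured: reserve, never reassign
            used += [(int(r[a]), int(r[a]) + size) for a in RID_ATTRS if a in r]
            continue
        rid, sec = claim(DEFAULT_RID_BASE, size), claim(DEFAULT_SECONDARY_RID_BASE, size)
        yield f"ipa idrange-mod {r['cn']} --rid-base={rid} --secondary-rid-base={sec}"

print(*plan_rid_bases(parse_ranges(SAMPLE_RAW)), sep="\n")
```

Ranges of type ipa-ad-trust are skipped on purpose, since their RIDs are owned by the trusted domain; review the printed values against ipa-adtrust-install(1) before applying them.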