Hi folks,
Still trying to migrate from CentOS 7 to 8, I get an error message
from ipa-replica-install on the first CentOS 8 host saying:
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/7]: creating samba domain object
Samba domain object already exists
[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
The existing servers running CentOS 7 show a huge set of irritating error
messages in their ipareplica-install.log, e.g.
[01/Jul/2023:14:28:21.640127492 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:21.643664115 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:28.521873989 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:28.533330535 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:28.586507750 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp
- agmt="cn=meToipaca8.example.com" (ipaca8:389) - Replication bind with GSSAPI
auth failed: LDAP error 49 (Invalid credentials) ()
[01/Jul/2023:14:28:28.592028265 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:28.596813608 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:28.634530928 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication
bind with GSSAPI auth resumed
[01/Jul/2023:14:28:29.734133911 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning
total update of replica "agmt="cn=meToipaca8.example.com" (ipaca8:389)".
[01/Jul/2023:14:28:29.879962503 +0200] - ERR - NSMMReplicationPlugin -
check_flow_control_tot_init - agmt="cn=meToipaca8.example.com" (ipaca8:389) -
Total update flow control gives time (2000 msec) to the consumer before sending more
entries [ msgid sent: 1273, rcv: 272])
If total update fails you can try to increase nsds5ReplicaFlowControlPause
and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement
configuration
[01/Jul/2023:14:28:37.172991476 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished
total update of replica "agmt="cn=meToipaca8.example.com" (ipaca8:389)". Sent
2450 entries.
[01/Jul/2023:14:28:37.184680247 +0200] - ERR - NSMMReplicationPlugin -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Total update flow control
triggered 2 times
You may increase nsds5ReplicaFlowControlPause and/or decrease
nsds5ReplicaFlowControlWindow in the replica agreement configuration
[01/Jul/2023:14:28:39.292861041 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:28:42.238638987 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:28:45.252557867 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:28:48.099823076 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:28:51.115124375 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:28:54.569369909 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:28:55.372406568 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:55.375939992 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:55.401821331 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:55.405166233 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:57.163613285 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:29:00.163149244 +0200] - ERR - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission
denied. The bind dn "" does not have permission to supply replication updates to the
replica. Will retry later.
[01/Jul/2023:14:29:03.169779479 +0200] - WARN - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response
for a startReplication extended operation to consumer (Can't contact LDAP server). Will
retry later.
[01/Jul/2023:14:29:06.194564448 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication
bind with GSSAPI auth resumed
[01/Jul/2023:14:29:12.781739365 +0200] - WARN - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response
for a startReplication extended operation to consumer (Can't contact LDAP server). Will
retry later.
[01/Jul/2023:14:29:15.828272021 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication
bind with GSSAPI auth resumed
[01/Jul/2023:14:29:22.331677615 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:22.336648109 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:22.381929587 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:22.385856628 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:39.014631450 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:39.018564522 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:39.060413149 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:39.063778450 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:57.610268113 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:57.641460597 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:57.646901146 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:57.650273580 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:57.966813928 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run -
agmt="cn=caToipaca8.example.com" (ipaca8:389): The remote replica has a
different database generation ID than the local database. You may have to reinitialize
the remote replica, or the local replica.
[01/Jul/2023:14:29:58.254056287 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning
total update of replica "agmt="cn=caToipaca8.example.com" (ipaca8:389)".
[01/Jul/2023:14:30:07.529903162 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished
total update of replica "agmt="cn=caToipaca8.example.com" (ipaca8:389)". Sent
812 entries.
[01/Jul/2023:14:30:21.240947781 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:30:21.258555098 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:30:21.265646281 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:30:21.269315594 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:30:30.822736296 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:30:30.826194504 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:31:23.431259302 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:31:23.434660242 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:31:23.460663707 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:31:23.463998899 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:31:27.728622122 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:31:27.731885674 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:32:21.101350084 +0200] - ERR - NSMMReplicationPlugin - release_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Attempting to release replica,
but unable to receive endReplication extended operation response from the replica. Error
-1 (Can't contact LDAP server)
[01/Jul/2023:14:32:24.721580643 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication
bind with GSSAPI auth resumed
[01/Jul/2023:14:32:36.926940968 +0200] - WARN - NSMMReplicationPlugin - acquire_replica -
agmt="cn=caToipaca8.example.com" (ipaca8:389): Unable to receive the response
for a startReplication extended operation to consumer (Can't contact LDAP server). Will
retry later.
[01/Jul/2023:14:32:37.826884159 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:32:37.832202241 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:32:37.849761419 +0200] - ERR - get_ranges - [file
ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:32:37.853061285 +0200] - ERR - ipa_sidgen_add_post_op - [file
ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:32:43.233314167 +0200] - WARN - NSMMReplicationPlugin - acquire_replica -
agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response
for a startReplication extended operation to consumer (Can't contact LDAP server). Will
retry later.
[01/Jul/2023:14:33:00.770698631 +0200] - ERR - repl_version_plugin_recv_acquire_cb - [file
ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server:
"20100614120000" remote server: "(null)".
[01/Jul/2023:14:33:01.189340299 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication
bind with GSSAPI auth resumed
[01/Jul/2023:14:33:21.446637163 +0200] - INFO - NSMMReplicationPlugin -
bind_and_check_pwp - agmt="cn=caToipaca8.example.com" (ipaca8:389): Replication
bind with GSSAPI auth resumed
Looking at this, I don't have the impression that FreeIPA 4.6.8 (CentOS 7) and
4.9.11 (CentOS 8) work very well together. Especially, I am concerned about the "Failed
to convert LDAP entry to range struct". That seems to be exactly the item
causing all that trouble.
Just to be sure, I had increased the domain level to 1, as recommended in the
migration guidelines:
[root@ipa1 ~]# ipa domainlevel-get
-----------------------
Current domain level: 1
-----------------------
Trying to manually set the base RID on CentOS7 I get:
[root@ipa1 ~]# ipa idrange-find --raw
----------------
3 ranges matched
----------------
cn: EXAMPLE.COM_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
iparangetype: ipa-local
cn: EXAMPLE.COM_posix
ipabaseid: 1000
ipaidrangesize: 99000
iparangetype: ipa-local
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
----------------------------
Number of entries returned 3
----------------------------
[root@ipa1 ~]# ipa idrange-mod --rid-base=1000 EXAMPLE.COM_posix
ipa: ERROR: This command can not be used to change ID allocation for
local IPA domain. Run `ipa help idrange` for more information
Some doc on the net recommended trying to set the missing base RID using
ldapmodify. Won't that put my existing CentOS 7 hosts at risk?
How can I get out of this nightmare? Every helpful comment is highly
appreciated.
Harri
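
An added example, not part of the original post and not FreeIPA's own code: a small Python audit that parses `ipa idrange-find --raw` output and lists the `ipa-local` ranges that carry no `ipabaserid`, which is the condition the installer message "Found more than one local domain ID range with no RID base set" describes. The sample input is the range listing from the post; the function names are hypothetical.

```python
# Added example: audit `ipa idrange-find --raw` text for local ranges lacking a RID base.
# SAMPLE reproduces the three ranges quoted in the post; helper names are hypothetical.
SAMPLE = """\
cn: EXAMPLE.COM_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
iparangetype: ipa-local
cn: EXAMPLE.COM_posix
ipabaseid: 1000
ipaidrangesize: 99000
iparangetype: ipa-local
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
"""

def parse_ranges(text):
    """Split raw output into one dict per range; a `cn:` line starts a new range."""
    ranges, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value or not key.isalnum():
            continue  # separator rows, counters, shell prompts
        if key == "cn":
            current = {}
            ranges.append(current)
        if current is not None:
            current[key] = value
    return ranges

def local_without_rid_base(ranges):
    """Names of ipa-local ranges that have no ipabaserid attribute."""
    return [r["cn"] for r in ranges
            if r.get("iparangetype") == "ipa-local" and "ipabaserid" not in r]

def diagnose(text):
    """Return (names, blocked); blocked is True when more than one local range lacks a RID base."""
    missing = local_without_rid_base(parse_ranges(text))
    return missing, len(missing) > 1

if __name__ == "__main__":
    names, blocked = diagnose(SAMPLE)
    print("local ranges without RID base:", names)
    print("matches the reported installer condition:", blocked)
```
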