On Sat, Jul 01, 2023 at 03:08:51PM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> still trying to migrate from CentOS 7 to 8 I get an error message
> from ipa-replica-install on the first CentOS 8 host saying
>
> :
> Finalize replication settings
> Restarting the KDC
> Configuring SID generation
>   [1/7]: creating samba domain object
> Samba domain object already exists
>   [2/7]: adding admin(group) SIDs
> Admin SID already set, nothing to do
> Admin group SID already set, nothing to do
>   [3/7]: adding RID bases
> Found more than one local domain ID range with no RID base set.
>   [error] RuntimeError: Too many ID ranges
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Too many ID ranges
>
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> The existing servers running CentOS 7 show a huge set of irritating error
> messages in their ipareplica-install.log, e.g.
>
> [01/Jul/2023:14:28:21.640127492 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:28:21.643664115 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:28:28.521873989 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:28:28.533330535 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:28:28.586507750 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
> [01/Jul/2023:14:28:28.592028265 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:28:28.596813608 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:28:28.634530928 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
> [01/Jul/2023:14:28:29.734133911 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meToipaca8.example.com" (ipaca8:389)".
> [01/Jul/2023:14:28:29.879962503 +0200] - ERR - NSMMReplicationPlugin - check_flow_control_tot_init - agmt="cn=meToipaca8.example.com" (ipaca8:389) - Total update flow control gives time (2000 msec) to the consumer before sending more entries [ msgid sent: 1273, rcv: 272]) If total update fails you can try to increase nsds5ReplicaFlowControlPause and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement configuration
> [01/Jul/2023:14:28:37.172991476 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=meToipaca8.example.com" (ipaca8:389)". Sent 2450 entries.
> [01/Jul/2023:14:28:37.184680247 +0200] - ERR - NSMMReplicationPlugin - agmt="cn=meToipaca8.example.com" (ipaca8:389): Total update flow control triggered 2 times You may increase nsds5ReplicaFlowControlPause and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement configuration
> [01/Jul/2023:14:28:39.292861041 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:28:42.238638987 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:28:45.252557867 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:28:48.099823076 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:28:51.115124375 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:28:54.569369909 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:28:55.372406568 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:28:55.375939992 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:28:55.401821331 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:28:55.405166233 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:28:57.163613285 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:29:00.163149244 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
> [01/Jul/2023:14:29:03.169779479 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [01/Jul/2023:14:29:06.194564448 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
> [01/Jul/2023:14:29:12.781739365 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [01/Jul/2023:14:29:15.828272021 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
> [01/Jul/2023:14:29:22.331677615 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:29:22.336648109 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:29:22.381929587 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:29:22.385856628 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:29:39.014631450 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:29:39.018564522 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:29:39.060413149 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:29:39.063778450 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:29:57.610268113 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:29:57.641460597 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:29:57.646901146 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:29:57.650273580 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:29:57.966813928 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=caToipaca8.example.com" (ipaca8:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
> [01/Jul/2023:14:29:58.254056287 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=caToipaca8.example.com" (ipaca8:389)".
> [01/Jul/2023:14:30:07.529903162 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=caToipaca8.example.com" (ipaca8:389)". Sent 812 entries.
> [01/Jul/2023:14:30:21.240947781 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:30:21.258555098 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:30:21.265646281 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:30:21.269315594 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:30:30.822736296 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:30:30.826194504 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:31:23.431259302 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:31:23.434660242 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:31:23.460663707 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:31:23.463998899 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:31:27.728622122 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:31:27.731885674 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:32:21.101350084 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -1 (Can't contact LDAP server)
> [01/Jul/2023:14:32:24.721580643 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
> [01/Jul/2023:14:32:36.926940968 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=caToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [01/Jul/2023:14:32:37.826884159 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:32:37.832202241 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:32:37.849761419 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [01/Jul/2023:14:32:37.853061285 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> [01/Jul/2023:14:32:43.233314167 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
> [01/Jul/2023:14:33:00.770698631 +0200] - ERR - repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)".
> [01/Jul/2023:14:33:01.189340299 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
> [01/Jul/2023:14:33:21.446637163 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=caToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
>
> Looking at this I don't have the impression that FreeIPA 4.6.8 (CentOS 7) and
> 4.9.11 (CentOS 8) work very well together. Especially I am concerned about the
> "Failed to convert LDAP entry to range struct". That seems to be exactly the
> item causing all that trouble.
Hi,

those errors are most probably caused by the missing RID bases.

>
> Just to be sure, I had increased the domainlevel to 1, as recommended in the
> migration guidelines:
>
> [root@ipa1 ~]# ipa domainlevel-get
> -----------------------
> Current domain level: 1
> -----------------------
>
>
> Trying to manually set the base RID on CentOS 7 I get:
>
> [root@ipa1 ~]# ipa idrange-find --raw
> ----------------
> 3 ranges matched
> ----------------
> cn: EXAMPLE.COM_id_range
> ipabaseid: 379400000
> ipaidrangesize: 200000
> iparangetype: ipa-local
>
> cn: EXAMPLE.COM_posix
> ipabaseid: 1000
> ipaidrangesize: 99000
> iparangetype: ipa-local
>
> cn: EXAMPLE.COM_subid_range
> ipabaseid: 2147483648
> ipaidrangesize: 2147352576
> ipabaserid: 2147283648
> ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
> iparangetype: ipa-ad-trust
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> [root@ipa1 ~]# ipa idrange-mod --rid-base=1000 EXAMPLE.COM_posix
> ipa: ERROR: This command can not be used to change ID allocation for
> local IPA domain. Run `ipa help idrange` for more information
>
> Some doc on the net recommended to try setting the missing Base RID using
> ldapmodify. Won't that put my existing CentOS 7 hosts at risk?

A proper backup is always recommended when doing this kind of operation.

Adding the RID bases with ldapmodify should for a start have no additional
effects. Only when you start to add new users, the sidgen plugin might start
to add a SID to the new users. For the existing users you have to start a
sidgen task manually. This might even be required for the migration because
recent versions of IPA require a SID for IPA users even if there is no trust
to AD.

bye,
Sumit

>
> How can I get out of this nightmare?
> Every helpful comment is highly appreciated
>
>
> Harri
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
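The replica install above fails because the sidgen step finds more than one ipa-local range without an RID base, and `ipa idrange-mod` refuses to set one on a local range. Sumit's suggestion is to add the bases with ldapmodify. The following script is an added example and is not code from the thread or from FreeIPA: it parses `ipa idrange-find --raw` output (the sample embedded below is the one quoted in the thread), finds the ipa-local ranges that lack `ipabaserid`, chooses primary and secondary RID bases whose `[base, base + size)` intervals do not overlap any RID interval already present (the subid range already claims one), and emits the ldapmodify LDIF. It assumes the range entries live under `cn=ranges,cn=etc,<suffix>` (the suffix `dc=example,dc=com` is a placeholder) and that the starting points 1000 and 100000000 are acceptable; those are the defaults ipa-adtrust-install uses for `--rid-base` and `--secondary-rid-base`, and both attributes are planned because local ranges in a trust-capable deployment carry both.

```python
"""Plan missing RID bases for FreeIPA local ID ranges and emit ldapmodify LDIF.

Added example, not from the thread or from FreeIPA. Constructed sample input
below is the `ipa idrange-find --raw` output quoted in the thread. The suffix
and the cn=ranges,cn=etc container in the LDIF DN are assumptions.
"""
import re

# Constructed sample: the three ranges quoted in the thread.
SAMPLE_RAW = """\
cn: EXAMPLE.COM_id_range
ipabaseid: 379400000
ipaidrangesize: 200000
iparangetype: ipa-local

cn: EXAMPLE.COM_posix
ipabaseid: 1000
ipaidrangesize: 99000
iparangetype: ipa-local

cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
iparangetype: ipa-ad-trust
"""


def parse_ranges(raw):
    """Split --raw output into one dict per range; attribute names lower-cased."""
    ranges = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                entry[key.strip().lower()] = value.strip()
        if "cn" in entry:
            ranges.append(entry)
    return ranges


def rid_intervals(ranges):
    """Half-open RID intervals [start, end) already claimed by any range."""
    used = []
    for r in ranges:
        size = int(r.get("ipaidrangesize", 0))
        for attr in ("ipabaserid", "ipasecondarybaserid"):
            if attr in r:
                start = int(r[attr])
                used.append((start, start + size))
    return used


def overlaps(a, b):
    """True if half-open intervals a and b share at least one RID."""
    return a[0] < b[1] and b[0] < a[1]


def first_free(start, size, used):
    """Lowest s >= start such that [s, s + size) collides with nothing in used."""
    s = start
    moved = True
    while moved:
        moved = False
        for lo, hi in used:
            if overlaps((s, s + size), (lo, hi)):
                s = hi  # jump past the blocking interval and re-check everything
                moved = True
    return s


def plan_rid_bases(ranges, primary_start=1000, secondary_start=100_000_000):
    """Return {cn: (ipabaserid, ipasecondarybaserid)} for local ranges lacking them."""
    used = rid_intervals(ranges)
    plan = {}
    p_cursor, s_cursor = primary_start, secondary_start
    for r in ranges:
        if r.get("iparangetype") != "ipa-local" or "ipabaserid" in r:
            continue
        size = int(r["ipaidrangesize"])
        p = first_free(p_cursor, size, used)
        used.append((p, p + size))
        s = first_free(s_cursor, size, used)
        used.append((s, s + size))
        p_cursor, s_cursor = p + size, s + size
        plan[r["cn"]] = (p, s)
    return plan


def to_ldif(plan, suffix="dc=example,dc=com"):
    """ldapmodify input adding both RID bases to each planned range entry."""
    chunks = []
    for cn, (p, s) in plan.items():
        chunks.append(
            f"dn: cn={cn},cn=ranges,cn=etc,{suffix}\n"
            "changetype: modify\n"
            f"add: ipabaserid\nipabaserid: {p}\n-\n"
            f"add: ipasecondarybaserid\nipasecondarybaserid: {s}\n"
        )
    return "\n".join(chunks)


def has_collision(ranges):
    """True if any two RID intervals across the given ranges overlap."""
    iv = rid_intervals(ranges)
    return any(overlaps(iv[i], iv[j])
               for i in range(len(iv)) for j in range(i + 1, len(iv)))


if __name__ == "__main__":
    ranges = parse_ranges(SAMPLE_RAW)
    plan = plan_rid_bases(ranges)
    for r in ranges:  # apply the plan in memory and re-check before printing
        if r["cn"] in plan:
            r["ipabaserid"], r["ipasecondarybaserid"] = map(str, plan[r["cn"]])
    assert not has_collision(ranges)
    print(to_ldif(plan))
```

Run against the real `--raw` output of the deployment rather than the embedded sample, review the LDIF, and only then feed it to ldapmodify on a server you have backed up, as Sumit says. Afterwards `ipa idrange-find` should show an `ipabaserid` on every local range, and the sidgen task still has to be run for existing users; the planner only prevents the RID collision that sidgen would otherwise produce.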
