Hi,
On Thu, Feb 1, 2024 at 12:51 PM Steve Berg via FreeIPA-users <[email protected]> wrote:

> Still not working. I do not have any trust set up with any active
> directory currently, we have a AD running on the network but that and my
> ipa domain don't trust each other in any way.
>
> Got two idranges setup:
> -----------
>   Range name: domain_id_range
>   First Posix ID of the range: 824400000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: EDIPIs_id_range
>   First Posix ID of the range: 1009210100
>   Number of IDs in the range: 619332697
>   Range type: local domain range
> -----------
>

The above range is missing RID base and secondary rid base. You can refer to this KCS: https://access.redhat.com/solutions/7052703 especially section *3. Fixing ID range issues*.
You will have to add ipabaserid and ipasecondarybaserid to the range. RID Values from 1,000-200,999 and 100,000,000-100,199,999 are already taken by the id range domain_id_range, you can pick any values not overlapping.

flo

> And dnarange/dnanextrange is setup also. The dnanext ranges match up to
> the EDIPIs range.
> -----------
> [root@ipa02 ~]# ipa-replica-manage dnarange-show
> ipa25.domain: 824400015-824425499
> ipa08.domain: 824550503-824599999
> ipa22.domain: 824450504-824500499
> ipa02.domain: 824425523-824450499
> [root@ipa02 ~]# ipa-replica-manage dnanextrange-show
> ipa25.domain: 1464499522-1619332666
> ipa08.domain: 1154833194-1309666338
> ipa22.domain: 1309666348-1464499502
> ipa02.domain: 1009210100-1154833174
>
> -----------
>
> Tried running the add-sids process and it errors out. There's nothing
> in the error log
> -----------
> [root@ipa02 ~]# ipa -vv config-mod --enable-sid --add-sids
> ipa: INFO: Request: {
>     "id": 0,
>     "method": "config_mod/1",
>     "params": [
>         [],
>         {
>             "add_sids": true,
>             "enable_sid": true,
>             "version": "2.251"
>         }
>     ]
> }
> ipa: INFO: Response: {
>     "error": {
>         "code": 4000,
>         "data": {},
>         "message": "Configuration of SID failed. See details in the error log",
>         "name": "ExecutionError"
>     },
>     "id": 0,
>     "principal": "admin@domain",
>     "result": null,
>     "version": "4.9.12"
> }
> ipa: ERROR: Configuration of SID failed. See details in the error log
> -----------
>
> There's nothing in /var/log/dirsrv/slapd-DOMAIN/errors about the
> failure. So I'm at a roadblock right now. Can't do what I need to do
> and can't figure out why.
>
>
> On 2/1/24 02:13, Giulio Casella via FreeIPA-users wrote:
> > Ok, maybe you are missing some id range...
> > Let's check this page, just to point in the right direction:
> >
> > https://www.linuxsysadmins.com/ipa-error-4203-databaseerror/
> >
> > (I had that error, after a couple of migration: CentOS 7 -> CentOS 8
> > stream -> RHEL 9).
> >
> > Briefly:
> > - "ipa idrange-find" should give id range (and subid range, but ignore
> > it for now): write down "First Posix ID..." and "Number of IDs..."
> > - "ipa-replica-manage dnarange-show" should give current dna ranges
> > (maybe you have no dna range right now)
> > - create dna ranges with "ipa-replica-manage dnarange-set
> > server1.ipa.example.com 10000-20000" for every domain controller
> > (range should be different for every server and included in range got
> > from idrange-find)
> >
> > If you manage to have correct ID ranges (and DNA ranges), don't forget
> > to fire the sids creation command at end.
> >
> > This procedure helped me to solve, I don't know if this is the correct
> > way to go. Maybe some list guru out there can correct me.
> >
> > Good luck.
>
> --
> //- Fixer of that which is broke -//
> //- Home = [email protected] -//
> //- Sinners can repent, but stupid is forever. -//
>
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
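The RID arithmetic from the reply above, as an added example (not code from the thread or from FreeIPA): it takes the two ID ranges posted in the thread, works out which RID intervals are already taken, and proposes non-overlapping primary and secondary RID bases for the range that has none. The RID ceiling, the starting RID of 1000 and the first-fit choice are assumptions; the printed `ipa idrange-mod` line is for review before running it.

```python
RID_LIMIT = 2**31 - 1   # assumption: keep RIDs inside a signed 32-bit integer
RID_START = 1000        # assumption: same first RID as domain_id_range in the post
KEYS = ("rid_base", "secondary_rid_base")

# Values copied from the `ipa idrange-find` output quoted in the thread.
RANGES = [
    {"name": "domain_id_range", "base_id": 824400000, "size": 200000,
     "rid_base": 1000, "secondary_rid_base": 100000000},
    {"name": "EDIPIs_id_range", "base_id": 1009210100, "size": 619332697,
     "rid_base": None, "secondary_rid_base": None},
]

def used_rid_intervals(ranges):
    """Sorted inclusive (first, last) RID intervals already taken."""
    return sorted((r[k], r[k] + r["size"] - 1)
                  for r in ranges for k in KEYS if r[k] is not None)

def first_free(size, used, start=RID_START):
    """Lowest base >= start where `size` RIDs fit without touching `used`."""
    base = start
    for first, last in sorted(used):
        if base + size - 1 < first:
            break                      # block fits in the gap before this interval
        base = max(base, last + 1)     # otherwise skip past the interval
    if base + size - 1 > RID_LIMIT:
        raise ValueError(f"no free block of {size} RIDs below {RID_LIMIT}")
    return base

def propose_rid_bases(ranges):
    """Map each range missing a RID base to (rid_base, secondary_rid_base)."""
    used = used_rid_intervals(ranges)
    plan = {}
    for r in ranges:
        chosen = []
        for key in KEYS:
            base = r[key]
            if base is None:           # allocate a block as large as the ID range
                base = first_free(r["size"], used)
                used.append((base, base + r["size"] - 1))
            chosen.append(base)
        if any(r[k] is None for k in KEYS):
            plan[r["name"]] = tuple(chosen)
    return plan

if __name__ == "__main__":
    for name, (rid, sec) in propose_rid_bases(RANGES).items():
        print(f"ipa idrange-mod {name} --rid-base={rid} --secondary-rid-base={sec}")
```

Because EDIPIs_id_range holds 619,332,697 IDs, each of its two RID blocks must be that large, so neither fits in the gap between the two blocks already used by domain_id_range.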
