Hi, your range configuration looks good to me.
The first range covers posix ids from 944'200'000 to 944'400'000 and RIDs from 1'000 to 201'000 / secondary RIDs from 100'000'000 to 100'200'000.
The legacy range covers posix ids from 1000 to 2000 and RIDs from 302'000 to 303'000 / secondary RIDs from 200'000'000 to 200'001'000.
There is no overlap in the posix ids, and there is no overlap in the RIDs.

You can check if you already have an entry with the specified SID (replace dc=ipa,dc=test with your own base DN):

ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -W -b dc=ipa,dc=test "(ipaNTSecurityIdentifier=S-1-5-21-3076474616-2786889582-2859700629-302272)" dn

And check if you have entries with the same uidnumber/gidnumber:

ldapsearch -LLL -o ldif-wrap=no -D cn=directory\ manager -w Secret123 -b dc=ipa,dc=test "(|(uidnumber=1272)(gidnumber=1272))" dn

It's ok to have a user and a group with the same value, when the group is the private group for the user, but IIRC the migration creates regular groups instead of private groups.

flo

On Thu, Jul 18, 2024 at 7:38 PM Basile Pinsard via FreeIPA-users <[email protected]> wrote:

> Hi,
> I had an existing instance of freeipa that went broken so badly (pki-tomcat unrecoverable) that the only option was spinning up a new one and `ipa migrate-ds` from the broken one.
> The new instance was set to reuse the same id-range as the previous one, so all is good for the users in that range.
> The older instance has a number of users that were imported from an even older LDAP with IDs out of the IPA range.
>
> So after import, I quickly figured out that I need to create a small (1000) `legacy` range that covers these; most of these legacy users were then able to login.
> Here are the id-ranges after the legacy was added.
>
> # ipa idrange-find
> ----------------
> 3 ranges matched
> ----------------
>   Range name: DOMAIN_id_range
>   First Posix ID of the range: 944200000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: DOMAIN_id_range_legacy
>   First Posix ID of the range: 1000
>   Number of IDs in the range: 1000
>   First RID of the corresponding RID range: 302000
>   First RID of the secondary RID range: 200000000
>   Range type: local domain range
>
>   Range name: DOMAIN_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-3977953474
>   Range type: Active Directory domain range
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> However, a number of the legacy users still cannot login.
> I tried starting the sidgen task, and from the logs it seems that there is a conflict with the ranges I chose for the legacy id range.
>
> ```
> [18/Jul/2024:16:24:12.358313104 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
> [18/Jul/2024:16:24:12.598768115 +0000] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-3076474616-2786889582-2859700629-302272] is already used.
> [18/Jul/2024:16:24:12.637972455 +0000] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-3076474616-2786889582-2859700629-200000272] is already used.
> [18/Jul/2024:16:24:12.696381619 +0000] - ERR - find_sid_for_id - [file ipa_sidgen_common.c, line 432]: Secondary SID is used as well.
> [18/Jul/2024:16:24:12.746590836 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 532]: Cannot convert Posix ID [1272] into an unused SID.
> [18/Jul/2024:16:24:12.796710604 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
> [18/Jul/2024:16:24:12.854320074 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [19].
> ```
>
> I cannot figure out what my error is, and the documentation is quite scarce on how to choose first-rids, except saying that ranges shouldn't overlap, which I thought I took care of when creating the legacy range.
> Maybe I am too dumb to understand where the overlap I created is, or why I get a conflict.
>
> Thanks for your help and expertise!
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
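A worked check of the arithmetic in the reply above, added here as an example and not code from the thread or from FreeIPA: it loads the two local ranges from the `ipa idrange-find` output, checks the posix and RID blocks of every pair for overlap, and derives the SID and secondary SID that the sidgen task would try for posix ID 1272. The rule RID = first RID + (posix ID - first posix ID) is an assumption inferred from the log lines (1272 in the legacy range maps to RIDs 302272 and 200000272), and the domain SID is taken from those same lines.

```python
from dataclasses import dataclass

# Local domain SID, taken from the sidgen log lines in the thread.
DOMAIN_SID = "S-1-5-21-3076474616-2786889582-2859700629"

@dataclass(frozen=True)
class IdRange:
    """One local range as printed by 'ipa idrange-find'."""
    name: str
    base_id: int             # First Posix ID of the range
    size: int                # Number of IDs in the range
    base_rid: int            # First RID of the corresponding RID range
    secondary_base_rid: int  # First RID of the secondary RID range

    def posix_span(self):
        return (self.base_id, self.base_id + self.size - 1)

    def rid_spans(self):
        # Both RID blocks are as long as the posix block (inclusive bounds).
        return [(self.base_rid, self.base_rid + self.size - 1),
                (self.secondary_base_rid, self.secondary_base_rid + self.size - 1)]

def overlaps(a, b):
    """True when two inclusive (lo, hi) spans share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]

def find_overlaps(ranges):
    """('posix'|'rid', name1, name2) for every pair of ranges that collide."""
    hits = []
    for i, r in enumerate(ranges):
        for s in ranges[i + 1:]:
            if overlaps(r.posix_span(), s.posix_span()):
                hits.append(("posix", r.name, s.name))
            if any(overlaps(x, y) for x in r.rid_spans() for y in s.rid_spans()):
                hits.append(("rid", r.name, s.name))
    return hits

def sids_for_posix_id(posix_id, ranges):
    """(SID, secondary SID) via the assumed rule RID = first RID + (id - first posix ID); None if id is in no range."""
    for r in ranges:
        lo, hi = r.posix_span()
        if lo <= posix_id <= hi:
            off = posix_id - r.base_id
            return (f"{DOMAIN_SID}-{r.base_rid + off}",
                    f"{DOMAIN_SID}-{r.secondary_base_rid + off}")
    return None

# The two local ranges from the 'ipa idrange-find' output in the thread.
RANGES = [IdRange("DOMAIN_id_range", 944200000, 200000, 1000, 100000000),
          IdRange("DOMAIN_id_range_legacy", 1000, 1000, 302000, 200000000)]
```

`find_overlaps(RANGES)` comes back empty, which is the same conclusion as the reply: the "already used" errors are not a range overlap but pre-existing entries carrying those SIDs, which the two ldapsearch queries above locate.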
