Hello dear FreeIPA experts,

I am currently in the process of trying to migrate a system consisting of two IPA masters ipa1, ipa2 (no CA, no DNS, no PKINIT) running on CentOS 7 to two new systems running on Alma Linux 9 (RHEL 9 based).

At least some of the user IDs and GIDs in the system are very old, however, since before IPA there was an OpenLDAP based system and the user config data traveled over when the switch to IPA was initially made.

I managed to set up the new system ipa3 and did a test ipa server install with some (solvable) problems, looks OK. But I needed a replica of course, so rollback and try ipa-replica-install instead of server-install. This eventually worked somewhat. During the replication/setup process I got told I have user accounts without SID and was asked if I want to convert them/add the SIDs. I went with the default option of "no" since I didn't really know if I needed that and was not sure it wouldn't damage the function of the old master servers.

The result was: kinit and login to the web interface only worked for the admin user. With ipa-user find or in the web interface it seemed that other than that the data has traveled over. Modifications we had in the 99user.ldif also traveled over.

Of course, the problem with kinit and web login is due to the missing SIDs. I found out you can redo the conversion I skipped during the replica install by using "ipa config-mod --enable-sid --add-sids". However, this didn't change anything, and from looking at the dirsrv error log I learned the script did not work because some of my UIDs/GIDs are outside the idrange configured for IPA.

At this point I decided to do a rollback to do more research on how to handle those issues, so I'm back to two masters on CentOS 7.

My existing IPA installation only has this one idrange:

    [root@charon ~]# LANG=C ipa idrange-find
    ---------------
    1 range matched
    ---------------
      Range name: NET.IDA_id_range
      First Posix ID of the range: 531600000
      Number of IDs in the range: 200000
      Range type: local domain range
    ----------------------------
    Number of entries returned 1
    ----------------------------

Note there is no primary or secondary RID base set for this range.

I do have users with UIDs starting at 999 and GIDs starting at 100 that were probably created before IPA. Now I understand I have to do something like "ipa idrange-add NET.IDA_low_id_range --base-id=1 --range-size=20000 --rid-base=200000000 --secondary-rid-base=300000000" and then maybe the ipa config-mod with "--add-sids" should work.

But I do have questions before I try that:

First: Since my existing range has no RID set, how do I know the RID base ranges won't conflict?

And then: At which point and where during the replicate-to-new-system process do I have to do what?
- I guess I could even add the idranges on the old servers before creating a replica? Would it work? Is it a good idea?
- what about the "ipa config-mod --enable-sid --add-sid":
  - is this available on the old CentOS 7 too and should I try to enable it there before creating a replica?
  - or is it only possible/necessary on the new replica, but then, what will be the state of my IPA master server cluster then?

Most importantly, will the old IPA servers continue to work while I test the new replica with single clients, create a second new replica etc. pp.?

In short: At what point and where do I need to run the "ipa addrange", and at what point and where do I need to run the "ipa config mod --enable-sid --add-sid".

Many thanks for any help.

Kind regards,
Thomas
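The first question above (whether a proposed idrange's POSIX, primary-RID and secondary-RID intervals collide with what already exists) can be checked offline before running ipa idrange-add. The following is an added example, not FreeIPA's own code or anything from the thread: it models each range as the half-open intervals it occupies and reports every overlapping pair, using the values quoted in the post as constructed input; since the existing range has no RID bases set, only its POSIX interval is compared.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple


@dataclass
class IdRange:
    name: str
    base_id: int          # "First Posix ID of the range" / --base-id
    size: int             # "Number of IDs in the range" / --range-size
    rid_base: Optional[int] = None            # --rid-base (primary RIDs)
    secondary_rid_base: Optional[int] = None  # --secondary-rid-base

    def intervals(self) -> Iterator[Tuple[str, int, int]]:
        """Half-open [start, end) intervals this range occupies."""
        yield ("posix", self.base_id, self.base_id + self.size)
        if self.rid_base is not None:
            yield ("rid", self.rid_base, self.rid_base + self.size)
        if self.secondary_rid_base is not None:
            yield ("secondary_rid", self.secondary_rid_base,
                   self.secondary_rid_base + self.size)


def find_conflicts(ranges: List[IdRange]) -> List[Tuple[str, str, str, str]]:
    """Every overlapping pair as (range, kind, range, kind).
    POSIX intervals are compared only with POSIX intervals; primary and
    secondary RID intervals share one RID space, so they are compared with
    each other, including the two RID intervals of a single range."""
    items = [(r.name, k, s, e) for r in ranges for k, s, e in r.intervals()]
    found = []
    for i, (na, ka, sa, ea) in enumerate(items):
        for nb, kb, sb, eb in items[i + 1:]:
            if (ka == "posix") == (kb == "posix") and sa < eb and sb < ea:
                found.append((na, ka, nb, kb))
    return found


def unassigned_ids(ranges: List[IdRange], ids: List[int]) -> List[int]:
    """UIDs/GIDs that no range's POSIX interval covers (SID assignment
    needs every account to fall inside some range)."""
    return [i for i in ids
            if not any(r.base_id <= i < r.base_id + r.size for r in ranges)]


# Constructed from the values quoted in the post.
EXISTING = IdRange("NET.IDA_id_range", 531600000, 200000)
PROPOSED = IdRange("NET.IDA_low_id_range", 1, 20000, 200000000, 300000000)
RANGES = [EXISTING, PROPOSED]

if __name__ == "__main__":
    print("conflicts:", find_conflicts(RANGES))
    print("uncovered IDs:", unassigned_ids(RANGES, [100, 999, 531600005]))
```

Feed it the full output of ipa idrange-find (including any RID bases later assigned to the existing range) before adding a range; an empty conflict list and an empty uncovered list for your lowest UIDs and GIDs is what you want to see.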