Hi, On Wed, Jul 31, 2024 at 12:20 PM Thomas Boroske via FreeIPA-users < [email protected]> wrote:
> Hello dear FreeIPA experts, > > I am currently in the process of trying to migrate a system consisting of > two ipa masters ipa1,ipa2 (no ca, no dns, no pkinit) running on CentOS7 to > two new systems running on Alma Linux 9 (RHEL 9 based). > > At least some of the user-IDs and GIDs in the system are very old, > however, since before IPA there was an openldap based system and the user > config data traveled over when the switch to IPA was initially made. > > I managed to setup new system ipa3, did a test ipa server install with > some (solvable) problems, looks OK. But I needed a replica of course, so > rollback and try ipa-replica-install instead of server-install. > > This eventually worked somewhat. During the replication/setup process I > got told I have user accounts without SID and if I want to convert them/add > the SIDs. I went with the default option of "no" since I didn't really know > if I needed that and was not sure it wouldn't damage the function of the > old master servers. > > The result was: kinit and login to web interface only worked for the admin > user. WIth ipa-user find or in the web interface it seemed that other than > that the data has traveled over. Modifications we hat in the 99user.ldif > also traveled over. > > Of course, the problem with kinit and web login is due to the missing SIDs. > > I found out you can redo the conversion I skipped during the replica > install by using "ipa config-mod –enable-sid –add-sids" > > However, this didn't change anything, and from looking at the dirsrv error > log I learned the script did not work because some of my uid/gid is outside > the idrange configured for IPA. > > At this point I decided to do a rollback to do more research on how to > handle those issues, so I'm back to two masters on CentOS7. > > My existing IPA installation only has this one idrange: > > [root@charon ~]# LANG=C ipa idrange-find > --------------- > 1 range matched > --------------- > Range name: NET.IDA_id_range > First Posix ID of the range: 531600000 > Number of IDs in the range: 200000 > Range type: local domain range > ---------------------------- > Number of entries returned 1 > ---------------------------- > > Note there is no primary or secondary RID base set for this range. > > I do have users with UID starting at 999 and GID starting at 100 that were > probably created before IPA. > > Now I understand I have to do something like > > "ipa idrange-add NET.IDA_low_id_range --base-id=1 --range-size=20000 > --rid-base=200000000 --secondary-rid-base=300000000" > > and then maybe the ipa config-mod with "--add-sids" should work. > > But I do have questions before I try that: > > First: Since my existing range has no RID set, how do I know the rid base > ranges won't conflict? > The user and group entries have a POSIX id, from which a mapping algorithm derives a RID in order to create ipaNTSecurityIdentifier (or SID) with the format $DOMAINSID-RID. For instance, - my local domain has a SID S-1-5-21-1166032515-3431855665-2561613534, visible with # ipa trustconfig-show Domain: ipa.test Security Identifier: S-1-5-21-1166032515-3431855665-2561613534 NetBIOS name: IPA Domain GUID: 8358294d-1b2a-4b83-af23-7529b29b8fdd Fallback primary group: Default SMB Group IPA AD trust agents: server.ipa.test IPA AD trust controllers: server.ipa.test - my user testuser123 has a posix id 205400113 # ipa user-show testuser123 User login: testuser123 First name: test Last name: user123 Home directory: /home/testuser123 Login shell: /bin/sh Principal name: [email protected] Principal alias: [email protected] Email address: [email protected] UID: 205400113 GID: 205400113 Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False - my range for this posix id is: Range name: IPA.TEST_id_range First Posix ID of the range: *205400000* Number of IDs in the range: 200000 First RID of the corresponding RID range: *1000* First RID of the secondary RID range: 100000000 Range type: local domain range This means that a posix id *205400000* is translated into RID *1000* 205400001 -> 1001 205400002 -> 1002 ... 205400113 -> 1113 ... 205600000 -> 201000 The RIDs can have values between 1000 and 200999. Same gymnastics for secondary RIDS: 100'000'000 to 100'199'999. The SID for my user has the format $DOMAINSID-$RID: S-1-5-21-1166032515-3431855665-2561613534-1113 The RID must be unique, but if you only have one range you can pick any base value as long as the primary and secondary RIDs don't overlap. In my case the RIDS can be inside 1000-200999 and 100'000'000-100'199'999. If you want all the details, you can read https://pagure.io/freeipa/blob/master/f/doc/designs/id-mapping.md > And then: On which point and where during the replicate-to-new-system > process do I have to do what? > > - I guess I could even add the idranges on the old servers before > creating a replica? Would it work? Is it a good idea? > The ID range object is replicated. If you create it on the master, the same object is available on the replica. > - what about the "ipa config-mod –enable-sid –add-sid" : > - is this available on the old CentOS 7 too and should I try to enable > it there before creating a replica? > - or is it only possible/necessary on the new replica, but then, what > will be the state of my ipa master server cluster then? Most importantly, > will the old ipa servers continue to work while I test the new replica with > single clients, create a second new replica etc pp? > The operation adds SIDs to the user entries which are replicated, so the old CentOS 7 master will also see the SIDs. > In short: At what point and where do I need to run the "ipa addrange", and > at what point and where do I need to run the "ipa config mod –enable-sid > –add-sid". > Please refer to https://access.redhat.com/solutions/7014959 flo > Many thanks for any help. > > Kind regards, > > Thomas > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
