Hi flo, 

thanks for your help!

I do understand the reason for rid and second rid and read up on the 
calculation. However, my currently running system has no rid base and secondary 
rid base defined, probably because trust was never set up: 

-bash-4.2$ LANG=C ipa trustconfig-show
ipa: ERROR: : trust configuration not found

The reason I am asking about making sure to not overlap the ranges is that I 
already know I have to manually add a second posix range to make the 
"--add-sids" function work on the new replica. 

But by now I have come to assume I could try running "--enable-sid" (without 
--add-sid) on the replica (if it's not done during the replica install anyway) 
and see if it automatically creates the rid ranges for the single existing 
local domain (I did not check if that was the case before rolling back the vm 
running the replica. But I guess it should, it could not work otherwise). 

Then I could manually create a second range to cover my old uids with rid bases 
not overlapping the other one's rid bases.

There is also an "ipa idrange-mod" command, however, documentation seems to 
suggest it cannot be used on "local domain" type ranges.

My problem is similar to this one: 

https://enotty.pipebreaker.pl/posts/2024/01/woes-with-freeipa-and-sids/

Except for me it shows up when trying to make a replica on a newer system (as 
part of a migration process) so I have to consider how config changes will 
coexist with the old system too.

> The ID range object is replicated. If you create it on the master, the same
> object is available on the replica.

OK, that makes sense.

But note that the two old master systems are running without "--enable-sid" so 
far. Will login/kinit on these still continue to work (without pac), and login 
on the new replica will be with pac?

Don't get me wrong, I have no intention of keeping the old systems running once 
I have two stable and working new replicas, but I will need several days for 
testing before I switch over.

> Please refer to https://access.redhat.com/solutions/7014959

I could actually access that article after "Activating subscriptions" in my free 
redhat account, nice!

The article has good background info on why the changes are needed.

Also points to https://access.redhat.com/solutions/394763 regarding my "old uid 
outside existing range" problem.

I will be away from office for a while, but my plan for when I return now is

1. redo the replica-install
2. see if the existing id range now has rid and secondary rid (It should I 
guess)
3. as per the last article, use ipa idrange-add to create a second range 
covering the old uid and gid
4. run the config mod with --add-sid again, checking the error log

Login on the replica should then work. 

Then, check if anything exploded on the old servers :-)

Kind regards, 

Thomas
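An added pre-flight check (not from this thread or from FreeIPA itself) for the condition Thomas is planning around in step 3: a second local range whose POSIX IDs, primary RID interval and secondary RID interval are all clear of the existing range. It assumes, as FreeIPA's idrange does, that each RID interval spans `range-size` values from its base; the numbers below are constructed sample values, not anyone's real ranges.

```shell
#!/bin/sh
# Half-open intervals [a, a+n) and [b, b+m) overlap iff a < b+m and b < a+n.
overlaps() {
  a=$1; n=$2; b=$3; m=$4
  [ "$a" -lt $((b + m)) ] && [ "$b" -lt $((a + n)) ]
}

# range_is_clear EXIST_BASE EXIST_SIZE EXIST_RID EXIST_SRID \
#                NEW_BASE   NEW_SIZE   NEW_RID   NEW_SRID
# Returns 0 when the proposed range collides with nothing, 1 (with a reason
# on stdout) otherwise. Both RID bases of the new range are checked against
# both RID bases of the existing one, and against each other.
range_is_clear() {
  eb=$1; es=$2; er=$3; esr=$4; pb=$5; ps=$6; pr=$7; psr=$8
  overlaps "$eb" "$es" "$pb" "$ps" && { echo "POSIX ID overlap"; return 1; }
  for x in "$er" "$esr"; do
    for y in "$pr" "$psr"; do
      overlaps "$x" "$es" "$y" "$ps" && { echo "RID overlap: $x vs $y"; return 1; }
    done
  done
  overlaps "$pr" "$ps" "$psr" "$ps" && { echo "new primary/secondary RID overlap"; return 1; }
  return 0
}

# Constructed sample: an existing default-style local range, and a proposed
# small range that would cover legacy uids/gids starting at 1000.
EXIST="1891000000 200000 1000 100001000"
NEW="1000 10000 201000 100201000"

# Only print the idrange-add command line when the check passes; the name
# "legacy_ids" is a placeholder, not a name from the thread.
if range_is_clear $EXIST $NEW; then
  set -- $NEW
  echo "ipa idrange-add legacy_ids --base-id=$1 --range-size=$2" \
       "--rid-base=$3 --secondary-rid-base=$4"
fi
```

Run it against the values from `ipa idrange-show` on the existing master before step 3; a non-zero exit tells you which axis collides.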
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]