On Thu, 26 Sep 2024, Kris C via FreeIPA-users wrote:
> Here's my dilemma, I have 30 years' worth of users and data, and their files are EVERYWHERE so the thought of having to re-UID everything doesn't sound appealing. If I create the user accounts without the UID field and then change it after the accounts are created, will that work?
All you need to do is to add the ID range before adding users (and restart dirsrv).

For example: suppose you have legacy user accounts within the 1000..32999 range and you have a default IPA ID range that already defines main and secondary RID bases:

    # ipa idrange-find
    ----------------
    5 ranges matched
    ----------------
      Range name: IPA1.TEST_id_range
      First Posix ID of the range: 449800000
      Number of IDs in the range: 200000
      First RID of the corresponding RID range: 1000
      First RID of the secondary RID range: 100000000
      Range type: local domain range
    ....

You want to add a new ID range for these users:

    # ipa idrange-add IPA1.TEST_legacy_id_range \
        --base-id=1000 --range-size=32000 \
        --rid-base=$((200000+1000)) \
        --secondary-rid-base=$((200000+1000+320000)) \
        --type=ipa-local

E.g. we start with POSIX ID at 1000 and end at 33000 (range size 32000). The RID base of the default IPA ID range starts at 1000 and that range contains 200000 IDs, so our RID base should be outside of [1000;201000] and should not overlap with that ID range's secondary RID range of [100000000;100200000]. For simplicity, our RID bases are adjacent to the existing RID range of the default ID range.

Now restart your dirsrv to make it take this new ID range into account:

    # systemctl restart dirsrv@IPA1-TEST

and adding users will not cause any issue:

    # ipa user-add test5 --uid 5421 --random --first test5 --last test5
    ------------------
    Added user "test5"
    ------------------
      User login: test5
      First name: test5
      Last name: test5
      Full name: test5 test5
      Display name: test5 test5
      Initials: tt
      Home directory: /home/test5
      GECOS: test5 test5
      Login shell: /bin/sh
      Principal name: [email protected]
      Principal alias: [email protected]
      User password expiration: 20240926163037Z
      Email address: [email protected]
      Random password: 0Fi[J7KGaiy2fDfVgW88b!
      UID: 5421
      GID: 5421
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True

    # ipa user-show test5 --all|grep securityidentifier
      ipantsecurityidentifier: S-1-5-21-890255870-1654639547-3010339007-205421

You can see that IPA chose RID 205421 (ID 5421 minus base ID of 1000 plus RID base 201000 = 205421).

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
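The overlap rules and the RID arithmetic in Alexander's reply can be checked before running `ipa idrange-add`. The following is an added example written for this page; it is not FreeIPA code and not part of the thread. It models an ID range by the same four numbers `idrange-add` takes (base ID, range size, RID base, secondary RID base), checks a proposed range against existing ones for POSIX ID and RID collisions, and predicts the RID (and SID) a given UID will receive. The range values and the domain SID are copied from the thread; the `IdRange` class and the function names are this example's own.

```python
"""Pre-flight check for a FreeIPA ID range (added example, not FreeIPA code).

Numbers are taken from the mailing-list thread: the default range and the
proposed legacy range. Ranges are treated as half-open intervals
[base, base + size), which is how the thread's "[1000;201000]" bound is
meant: the default range's primary RIDs are 1000 .. 200999.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int             # --base-id
    range_size: int          # --range-size
    rid_base: int            # --rid-base
    secondary_rid_base: int  # --secondary-rid-base

    def posix_ids(self):
        return (self.base_id, self.base_id + self.range_size)

    def rids(self):
        return (self.rid_base, self.rid_base + self.range_size)

    def secondary_rids(self):
        return (self.secondary_rid_base, self.secondary_rid_base + self.range_size)


def overlaps(a, b):
    """True if two half-open intervals share at least one value."""
    return a[0] < b[1] and b[0] < a[1]


def check_new_range(new, existing):
    """Return a list of human-readable problems; empty list means the range is safe to add."""
    problems = []
    for r in existing:
        if overlaps(new.posix_ids(), r.posix_ids()):
            problems.append(f"POSIX IDs overlap with {r.name}")
        for label, span in (("primary RIDs", new.rids()),
                            ("secondary RIDs", new.secondary_rids())):
            for other_label, other in (("primary", r.rids()),
                                       ("secondary", r.secondary_rids())):
                if overlaps(span, other):
                    problems.append(f"{label} overlap the {other_label} RID range of {r.name}")
    if overlaps(new.rids(), new.secondary_rids()):
        problems.append("primary and secondary RID ranges of the new range overlap each other")
    return problems


def rid_for_id(posix_id, r):
    """RID = rid_base + (posix_id - base_id), as the thread works it out for UID 5421."""
    lo, hi = r.posix_ids()
    if not lo <= posix_id < hi:
        raise ValueError(f"{posix_id} is outside range {r.name} [{lo};{hi})")
    return r.rid_base + (posix_id - r.base_id)


def sid_for_id(domain_sid, posix_id, r):
    """Full ipantsecurityidentifier value: domain SID plus the computed RID."""
    return f"{domain_sid}-{rid_for_id(posix_id, r)}"


# Values from the thread (the range sizes and RID bases as shown there).
DEFAULT_RANGE = IdRange("IPA1.TEST_id_range", 449800000, 200000, 1000, 100000000)
LEGACY_RANGE = IdRange("IPA1.TEST_legacy_id_range", 1000, 32000,
                       200000 + 1000, 200000 + 1000 + 320000)
DOMAIN_SID = "S-1-5-21-890255870-1654639547-3010339007"


if __name__ == "__main__":
    issues = check_new_range(LEGACY_RANGE, [DEFAULT_RANGE])
    print("problems:", issues or "none")
    print("UID 5421 ->", sid_for_id(DOMAIN_SID, 5421, LEGACY_RANGE))
    # A range whose RID base lands inside the default range's primary RIDs
    # is the kind of mistake this check is meant to catch before dirsrv is restarted.
    bad = IdRange("bad_range", 1000, 32000, 150000, 521000)
    print("bad range problems:", check_new_range(bad, [DEFAULT_RANGE]))
```

Running the script prints no problems for the legacy range and `S-1-5-21-890255870-1654639547-3010339007-205421` for UID 5421, matching the `ipa user-show` output in the thread; the deliberately bad range reports a primary RID overlap with the default range.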
