Hello,
I followed the guide here to migrate IPA from CentOS 6.6 to CentOS 7.0:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html

Now, adding a group from console with command
ipa group-add
I get this kind of error:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix
ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed!
Unable to proceed.

the same if I add from web gui without specifying GID.
Instead if I specify a GID it gets completed, both from console and web gui

[root@c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add --gid 1639600009
Group name: mynewgroup
Description: My New Group
-----------------------
Added group "mynewgroup"
-----------------------
  Group name: mynewgroup
  Description: My New Group
  GID: 1639600009


I notice that previously created groups (from command line) in 6.5 got GIDs
starting from 1639600001.
The system generated groups admins and editors have 1639600000
and 1639600002.

my dna config in migrated CentOS 7 server is this:

dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaFilter:
(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaScope: dc=localdomain,dc=local
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141206144811Z
modifyTimestamp: 20141206144811Z
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
3.0;acl
 "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify
DNA
 Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)

My CentOS 6.5 server was created with command
ipa-server-install
without any options

And after install, the creation of the first userid got this output....

[root@infra install]# ipa user-add
First name: Gianluca
Last name: Cecchi
User login [gcecchi]:
--------------------
Added user "gcecchi"
--------------------
  User login: gcecchi
  First name: Gianluca
  Last name: Cecchi
  Full name: Gianluca Cecchi
  Display name: Gianluca Cecchi
  Initials: GC
  Home directory: /home/gcecchi
  GECOS field: Gianluca Cecchi
  Login shell: /bin/sh
  Kerberos principal: gcecchi@LOCALDOMAIN.LOCAL
  Email address: gcecchi@localdomain.local
  UID: 1639600001
  GID: 1639600001
  Password: False
  Kerberos keys available: False

So the GID was autoset to 1639600001
Could it be that sort of "dnaNextRange:" was not migrated from CentOS 6.5
to CentOS 7.0?

I found this kind of information in manual about adding ranges...

ldapmodify -x -D "cn=Directory Manager" -W -h server.example.com -p 389
Enter LDAP Password: *******
dn: cn=POSIX IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
changetype: modify
add: dnaNextRange
dnaNextRange: 123400000-123500000

But I also see in CentOS 7 config thei line that I don't understand...
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version
3.0;acl
 "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify
DNA
 Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)


Inside the log file about the required schema update for CentOS 6.5 to be
run before creating replica for CentOS 7 I see:

2014-12-06T11:42:10Z INFO Updating existing entry: cn=Posix
IDs,cn=Distributed Numeric Assignment Plugin,cn
=plugins,cn=config
2014-12-06T11:42:10Z DEBUG ---------------------------------------------
2014-12-06T11:42:10Z DEBUG Initial value
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric
Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG      top
2014-12-06T11:42:10Z DEBUG      extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 1639600008
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter:
(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaI
Dobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG      uidNumber
2014-12-06T11:42:10Z DEBUG      gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 1639799999
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn:
cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG replace:
(|(objectclass=posixAccount)(objectClass=posixGroup)) not found, skipping
2014-12-06T11:42:10Z DEBUG ---------------------------------------------
2014-12-06T11:42:10Z DEBUG Final value after applying updates
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric
Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG      top
2014-12-06T11:42:10Z DEBUG      extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 1639600008
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter:
(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG      uidNumber
2014-12-06T11:42:10Z DEBUG      gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 1639799999
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn:
cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG []
2014-12-06T11:42:10Z DEBUG Live 1, updated 0
2014-12-06T11:42:10Z INFO Done

Thanks in advance for any insight and help to fix the problem.

Gianluca
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to