Hello, I followed the guide here to migrate IPA from CentOS 6.6 to CentOS 7.0: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
Now, adding a group from console with command ipa group-add I get this kind of error:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

The same if I add from web gui without specifying GID.
Instead if I specify a GID it gets completed, both from console and web gui:

[root@c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add --gid 1639600009
Group name: mynewgroup
Description: My New Group
-----------------------
Added group "mynewgroup"
-----------------------
  Group name: mynewgroup
  Description: My New Group
  GID: 1639600009

I notice that previously created groups (from command line) in 6.5 got GIDs starting from 1639600001.
The system generated groups admins and editors have 1639600000 and 1639600002.

My dna config in migrated CentOS 7 server is this:

dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaScope: dc=localdomain,dc=local
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141206144811Z
modifyTimestamp: 20141206144811Z
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)

My CentOS 6.5 server was created with command ipa-server-install without any options.
And after install, the creation of the first userid got this output....

[root@infra install]# ipa user-add
First name: Gianluca
Last name: Cecchi
User login [gcecchi]:
--------------------
Added user "gcecchi"
--------------------
  User login: gcecchi
  First name: Gianluca
  Last name: Cecchi
  Full name: Gianluca Cecchi
  Display name: Gianluca Cecchi
  Initials: GC
  Home directory: /home/gcecchi
  GECOS field: Gianluca Cecchi
  Login shell: /bin/sh
  Kerberos principal: [email protected]
  Email address: [email protected]
  UID: 1639600001
  GID: 1639600001
  Password: False
  Kerberos keys available: False

So the GID was autoset to 1639600001.

Could it be that sort of "dnaNextRange:" was not migrated from CentOS 6.5 to CentOS 7.0?

I found this kind of information in manual about adding ranges...

ldapmodify -x -D "cn=Directory Manager" -W -h server.example.com -p 389
Enter LDAP Password: *******
dn: cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
add: dnaNextRange
dnaNextRange: 123400000-123500000

But I also see in CentOS 7 config the line that I don't understand...

aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)

Inside the log file about the required schema update for CentOS 6.5 to be run before creating replica for CentOS 7 I see:

2014-12-06T11:42:10Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG ---------------------------------------------
2014-12-06T11:42:10Z DEBUG Initial value
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG top
2014-12-06T11:42:10Z DEBUG extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 1639600008
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG uidNumber
2014-12-06T11:42:10Z DEBUG gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 1639799999
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG replace: (|(objectclass=posixAccount)(objectClass=posixGroup)) not found, skipping
2014-12-06T11:42:10Z DEBUG ---------------------------------------------
2014-12-06T11:42:10Z DEBUG Final value after applying updates
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG top
2014-12-06T11:42:10Z DEBUG extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 1639600008
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG uidNumber
2014-12-06T11:42:10Z DEBUG gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 1639799999
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG []
2014-12-06T11:42:10Z DEBUG Live 1, updated 0
2014-12-06T11:42:10Z INFO Done

Thanks in advance for any insight and help to fix the problem.

Gianluca
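
Added example, not part of the original post and not FreeIPA code: a small check that parses a DNA plugin entry in LDIF form (including folded lines such as the dnaFilter above) and reports how many IDs remain in the active range. The function names and state labels are this example's own; it assumes plain (non-base64) attribute values and uses the dnaNextValue/dnaMaxValue figures quoted in the post as sample input.

```python
# Added example: helper names are this example's own, not FreeIPA code.
# Sample values are the ones quoted in the post above.
C7_ENTRY = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaThreshold: 500
"""
C6_ENTRY = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaNextValue: 1639600008
dnaMaxValue: 1639799999
dnaThreshold: 500
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}, unfolding lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # continuation line: drop the one leading space
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def dna_range_status(entry):
    """Report how many IDs are left in the active range and what happens next."""
    nxt, mx = int(entry["dnanextvalue"][0]), int(entry["dnamaxvalue"][0])
    threshold = int(entry.get("dnathreshold", ["0"])[0])
    remaining = max(0, mx - nxt + 1)    # values nxt..mx inclusive
    next_range = entry.get("dnanextrange", [None])[0]
    if remaining == 0:
        state = "switch-to-next-range" if next_range else "exhausted"
    elif remaining <= threshold:
        state = "low"
    else:
        state = "ok"
    return {"remaining": remaining, "next_range": next_range, "state": state}

if __name__ == "__main__":
    for name, text in (("CentOS 7", C7_ENTRY), ("CentOS 6", C6_ENTRY)):
        print(name, dna_range_status(parse_ldif_entry(text)))
```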
