Thanks,

Adding with ldapmodify seems to have done the trick. Can run ipa-adtrust-install at least. Now having other issues, but that’s for a different thread. :)

Cheers,

Darren.

On 3/9/16, 3:17 PM, "Sumit Bose" <[email protected]> wrote:

>On Wed, Mar 09, 2016 at 02:21:31PM +0000, Darren Poulson wrote:
>> Hi,
>>
>> Here’s what I get. The initial default range as created by freeipa and
>> contains all our users, and a second one that I created for system
>> accounts.
>
>The 'ipa idrange' utility does various checks to prevent that idranges
>which are in use are modified or deleted.
>
>Did you create the 'System Users' idrange just to block the IDs because
>they are used by accounts in /etc/passwd or do you have users with a UID
>between 500 and 1500 in IPA? In the former case you can just delete the
>idrange and recreate it with the RID bases set. Please note the IPA
>won't create idranges with POSIX IDs below 200000 automatically. So it
>might be even possible to just delete the idrange in this case.
>
>In the latter case you cannot remove the idrange, because there are
>users in it, and unfortunately you cannot modify it with 'ipa
>idrange-mod' either. Nevertheless you have to add the RID bases so that
>ipa-adtrust-install can run successfully. This can be done manually with
>ldapmodify as root:
>
>ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
>dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
>changetype: modify
>add: ipabaserid
>ipabaserid: 200000000
>-
>add: ipasecondarybaserid
>ipasecondarybaserid: 210000000
>-
>EOF
>
>
>As an alternative you can remove the check from the 'ipa idrange'
>utility but I would recommend ldapmodify.
>
>After this ipa-adtrust-install should run successfully because it is
>able to add the missing RID bases to one idrange already. I guess we
>should enhance it to handle multiple idranges as in your case as well.
>
>HTH
>
>bye,
>Sumit
>
>>
>> [root@freeipa1-01 ~]# ipa idrange-find
>> ----------------
>> 2 ranges matched
>> ----------------
>> Range name: BUR.US.GENOPS_id_range
>> First Posix ID of the range: 50000
>> Number of IDs in the range: 10000
>> Range type: local domain range
>>
>> Range name: System Users
>> First Posix ID of the range: 500
>> Number of IDs in the range: 1000
>> Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>>
>> If it makes any difference, this install was initially (I believe)
>> freeipa 3.3.
>>
>> Darren.
>>
>>
>>
>> On 3/9/16, 1:31 PM, "[email protected] on behalf of Darren
>> Poulson" <[email protected] on behalf of
>> [email protected]> wrote:
>>
>> >Hi,
>> >
>> >I’d tried that, but get this:
>> >
>> >[root@freeipa1-01 ~]# ipa idrange-mod <domain>_id_range --rid-base=1000
>> >ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information
>> >
>> >
>> >Thanks,
>> >
>> >Darren.
>> >
>> >
>> >On 3/9/16, 9:45 AM, "[email protected] on behalf of Sumit
>> >Bose" <[email protected] on behalf of [email protected]>
>> >wrote:
>> >
>> >>On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
>> >>> Hi,
>> >>>
>> >>> We’re currently trying to set up an AD domain (great fun for a bunch of
>> >>> linux admins… not) so that we can get authentication working with various
>> >>> bits of hardware that only support AD. We want this domain to trust our
>> >>> existing FreeIPA setup.
>> >>>
>> >>> When trying to ipa-adtrust-install I’m getting:
>> >>>
>> >>> [10/22]: adding RID bases
>> >>> ipa : CRITICAL Found more than one local domain ID range with no RID base set.
>> >>>
>> >>> From reading up, I need to have the id ranges configured with primary and
>> >>> secondary RIDs. Is there any way to do this, or do I have to delete and
>> >>
>> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>> >>ranges.
>> >>
>> >>HTH
>> >>
>> >>bye,
>> >>Sumit
>> >>
>> >>> recreate the ranges? And if I do that, what are the implications?
>> >>>
>> >>> IPA 4.2.0 (CentOS 7)
>> >>> AD 2012R2
>> >>>
>> >>> Cheers,
>> >>>
>> >>> Darren.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
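A read-only pre-check for the situation discussed in this thread, added here as an example and not part of the original messages: it reads an LDIF dump of the idrange entries and reports which local ranges still lack RID bases, the condition behind the "more than one local domain ID range with no RID base set" error. The function names are hypothetical, the attribute names `ipaBaseID`, `ipaIDRangeSize` and `ipaRangeType` (value `ipa-local`) are assumed from the FreeIPA schema rather than taken from the thread, and the overlap test assumes each RID base covers as many RIDs as the range has POSIX IDs.

```shell
# Added example, not from the thread. Reads LDIF of cn=ranges,cn=etc,<suffix> on
# stdin (for live data, ldapsearch with -o ldif-wrap=no keeps values unfolded):
#   MISSING <range>   local range without ipabaserid or ipasecondarybaserid
#   OVERLAP <a> <b>   RID intervals [base, base+size) that intersect (assumed rule)
idrange_audit() {   # hypothetical helper name
  awk '
    BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
    {
      split("", a)                        # reset attributes for this entry
      for (i = 1; i <= NF; i++) {
        p = index($i, ": ")
        if (p) a[tolower(substr($i, 1, p - 1))] = substr($i, p + 2)
      }
      if (!("ipabaseid" in a)) next       # not an idrange entry
      size = a["ipaidrangesize"] + 0
      if (a["iparangetype"] == "ipa-local" &&
          (!("ipabaserid" in a) || !("ipasecondarybaserid" in a)))
        print "MISSING " a["cn"]
      if ("ipabaserid" in a) add(a["cn"], a["ipabaserid"] + 0, size)
      if ("ipasecondarybaserid" in a)
        add(a["cn"] "(secondary)", a["ipasecondarybaserid"] + 0, size)
    }
    function add(label, lo, len,   j) {   # compare against intervals seen so far
      for (j = 1; j <= n; j++)
        if (lo < start[j] + count[j] && start[j] < lo + len)
          print "OVERLAP " who[j] " " label
      n++; who[n] = label; start[n] = lo; count[n] = len
    }
  '
}
# Constructed sample: the two ranges from the thread once System Users has RID bases.
sample_ldif() {
  cat <<'EOF'
dn: cn=BUR.US.GENOPS_id_range,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
cn: BUR.US.GENOPS_id_range
ipaBaseID: 50000
ipaIDRangeSize: 10000
ipaRangeType: ipa-local

dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
cn: System Users
ipaBaseID: 500
ipaIDRangeSize: 1000
ipaRangeType: ipa-local
ipaBaseRID: 200000000
ipaSecondaryBaseRID: 210000000
EOF
}
sample_ldif | idrange_audit   # prints: MISSING BUR.US.GENOPS_id_range
```

A single MISSING line matches the state in which, per the reply above, ipa-adtrust-install can add the RID bases itself; two or more match the reported error.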
