Re: [Freeipa-users] posix ids not propagating

Bryan Pearson wrote:
> Am I mistaken in your example:
>
> "You can find the master it is trying to talk to here:
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com"
>
> Mine:
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan

You're not sharing enough information. A list of DNA hosts tells us nothing when we don't know which host you're having a problem on, if a host is down or has been replaced, etc.

I'd poke around the DNA plugin configuration in cn=config on each master to see what the actual DNA configuration is. You have one with the default max 1000, next 1001 expired configuration pointing at a host that is either down or has no ranges.

Or easier, if you are running IPA 3.3+ then ipa-replica-manage has some DNA commands which make this easier to figure out and fix.

You don't want to set overlapping ranges.

rob

> Bryan
>
>
> On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden wrote:
>> Bryan Pearson wrote:
>>> I believe that my master dna server isn't currently being used, so I did
>>> this.
>>>
>>> ldapsearch -x -D 'cn=Directory Manager' -W -b
>>> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
>>> Enter LDAP Password:
>>
>> That's not the right location to search for the DNA configuration. See
>> http://blog-rcritten.rhcloud.com/?p=50
>>
>> rob
>>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
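Added example, not part of the thread and not FreeIPA project code: the reply above advises inspecting the DNA plugin entry in cn=config on each master and avoiding overlapping ranges. This sketch parses that entry's LDIF as collected from each master and reports masters whose range is exhausted (dnaNextValue above dnaMaxValue) and pairs of masters whose active ranges overlap. Host names and values are constructed, and it assumes the active range is defined by dnaNextValue and dnaMaxValue alone.

```python
import re

# Constructed sample input: the DNA plugin entry as ldapsearch would print it
# on three hypothetical masters. Host names and numbers are made up.
_DN = ("dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
       "cn=plugins,cn=confi\n g\n")  # folded line, as ldapsearch wraps long DNs
SAMPLE = {
    "ipa-a.example.test": _DN + "dnaNextValue: 1001\ndnaMaxValue: 1000\n",
    "ipa-b.example.test": _DN + "dnaNextValue: 168973\ndnaMaxValue: 168979\n",
    "ipa-c.example.test": _DN + "dnaNextValue: 168975\ndnaMaxValue: 168990\n",
}

def parse_ldif_entry(text):
    """Unfold LDIF continuation lines and return {lowercased attr: value}."""
    unfolded = re.sub(r"\r?\n ", "", text)
    attrs = {}
    for line in unfolded.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip().lower()] = value.strip()
    return attrs

def dna_range(text):
    """Return (next, max), or None when nothing is left to hand out."""
    attrs = parse_ldif_entry(text)
    nxt, top = int(attrs["dnanextvalue"]), int(attrs["dnamaxvalue"])
    return (nxt, top) if nxt <= top else None

def audit(per_host):
    """Return (exhausted hosts, overlapping (host1, host2, first, last))."""
    ranges = {host: dna_range(text) for host, text in per_host.items()}
    exhausted = sorted(h for h, r in ranges.items() if r is None)
    live = sorted((r, h) for h, r in ranges.items() if r is not None)
    overlaps = []
    for i, ((_, hi1), h1) in enumerate(live):
        for (lo2, hi2), h2 in live[i + 1:]:
            if lo2 <= hi1:  # sorted by start, so this alone means overlap
                overlaps.append((h1, h2, lo2, min(hi1, hi2)))
    return exhausted, overlaps

if __name__ == "__main__":
    exhausted, overlaps = audit(SAMPLE)
    for host in exhausted:
        print(f"{host}: range exhausted (dnaNextValue > dnaMaxValue)")
    for h1, h2, first, last in overlaps:
        print(f"{h1} and {h2} both hold {first}-{last}")
```
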
Re: [Freeipa-users] posix ids not propagating

Am I mistaken in your example:

"You can find the master it is trying to talk to here:
$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com"

Mine:
$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan

Bryan

On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden wrote:
> Bryan Pearson wrote:
>> I believe that my master dna server isn't currently being used, so I did this.
>>
>> ldapsearch -x -D 'cn=Directory Manager' -W -b
>> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
>> Enter LDAP Password:
>
> That's not the right location to search for the DNA configuration. See
> http://blog-rcritten.rhcloud.com/?p=50
>
> rob
Re: [Freeipa-users] posix ids not propagating

Bryan Pearson wrote:
> I believe that my master dna server isn't currently being used, so I did this.
>
> ldapsearch -x -D 'cn=Directory Manager' -W -b
> cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
> Enter LDAP Password:

That's not the right location to search for the DNA configuration. See http://blog-rcritten.rhcloud.com/?p=50

rob
Re: [Freeipa-users] posix ids not propagating

I believe that my master dna server isn't currently being used, so I did this.

ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
objectClass: nsContainer
objectClass: top
cn: posix-ids

# ipa3.EXAMPLE.lan + 0, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=0,cn=posix-ids,cn=dna
 ,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 0
dnaSecurePortNum: 636
dnaPortNum: 0
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig
objectClass: top

# ipa3.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=d
 na,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 7
dnaSecurePortNum: 636
dnaPortNum: 389
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig
objectClass: top

# ipa4.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa4.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ip
 a,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: ipa4.EXAMPLE.lan
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

# ipa2.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa2.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn
 =dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: ipa2.EXAMPLE.lan
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Bryan

On Fri, Apr 17, 2015 at 7:08 AM, Sumit Bose wrote:
> On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote:
>> Should I add the same range to this machine or give each one its own id
>> range?
>
> The ranges are global for the whole IPA domain. The idranges managed
> with the ipa tool have their data in the replicated tree hence changes
> are available on all replicas. The DNA plugin has its own scheme to
> distribute the data, see e.g.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html
>
> for details.
>
> bye,
> Sumit
>> On Apr 17, 2015 3:53 AM, "Sumit Bose" wrote:
>>
>> > On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
>> > > I ran this command on each of my IPA servers and one returned usable
>> > > response: ipa idrange-find
>> > >
>> > > ---
>> > > 1 range matched
>> > > ---
>> > > Range name: HOSTNAME.LAN_id_range
>> > > First Posix ID of the range: 192020
>> > > Number of IDs in the range: 30
>> > > Range type: local domain range
>> > >
>> > > Number of entries returned 1
>> > >
>> > >
>> > > While trying to add a new user on one of the other servers I receive:
>> > > ***
>> > > Operations error: Allocation of a new value for range cn=posix
>> > > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
>> > > failed! Unable to proceed.
>> > > ***
>> >
>> > This is expected, unfortunately the idranges used to manage different
>> > idranges in environments with trust and the range used by the DNA plugin
>> > to assign IDs to local users and groups are currently not connected.
>> > There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix
>> > this.
>> >
>> > bye,
>> > Sumit
>> >
>> > >
>> > > Should I go forward on other masters and do:
>> > >
>> > > ***
>> > > ldapmodify -x -D 'cn=Directory Manager' -W
>> > > Enter LDAP Password:
>> > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> > > changetype: modify
>> > > replace: dnaNextValue
>> > > dnaNextValue: 168970
>> > > -
>> > > replace: dnaMaxValue
>> > > dnaMaxValue: 168979
>> > > ^D
>> > >
>> > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
>> > > Plugin,cn=plugins,cn=config"
>> > > ***
Re: [Freeipa-users] posix ids not propagating

On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote:
> Should I add the same range to this machine or give each one its own id
> range?

The ranges are global for the whole IPA domain. The idranges managed with the ipa tool have their data in the replicated tree hence changes are available on all replicas. The DNA plugin has its own scheme to distribute the data, see e.g.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html

for details.

bye,
Sumit

> On Apr 17, 2015 3:53 AM, "Sumit Bose" wrote:
>
> > On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
> > > I ran this command on each of my IPA servers and one returned usable
> > > response: ipa idrange-find
> > >
> > > ---
> > > 1 range matched
> > > ---
> > > Range name: HOSTNAME.LAN_id_range
> > > First Posix ID of the range: 192020
> > > Number of IDs in the range: 30
> > > Range type: local domain range
> > >
> > > Number of entries returned 1
> > >
> > >
> > > While trying to add a new user on one of the other servers I receive:
> > > ***
> > > Operations error: Allocation of a new value for range cn=posix
> > > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> > > failed! Unable to proceed.
> > > ***
> >
> > This is expected, unfortunately the idranges used to manage different
> > idranges in environments with trust and the range used by the DNA plugin
> > to assign IDs to local users and groups are currently not connected.
> > There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix
> > this.
> >
> > bye,
> > Sumit
> >
> > >
> > > Should I go forward on other masters and do:
> > >
> > > ***
> > > ldapmodify -x -D 'cn=Directory Manager' -W
> > > Enter LDAP Password:
> > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > > changetype: modify
> > > replace: dnaNextValue
> > > dnaNextValue: 168970
> > > -
> > > replace: dnaMaxValue
> > > dnaMaxValue: 168979
> > > ^D
> > >
> > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
> > > Plugin,cn=plugins,cn=config"
> > > ***
Re: [Freeipa-users] posix ids not propagating

Should I add the same range to this machine or give each one its own id range?

On Apr 17, 2015 3:53 AM, "Sumit Bose" wrote:

> On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
> > I ran this command on each of my IPA servers and one returned usable
> > response: ipa idrange-find
> >
> > ---
> > 1 range matched
> > ---
> > Range name: HOSTNAME.LAN_id_range
> > First Posix ID of the range: 192020
> > Number of IDs in the range: 30
> > Range type: local domain range
> >
> > Number of entries returned 1
> >
> >
> > While trying to add a new user on one of the other servers I receive:
> > ***
> > Operations error: Allocation of a new value for range cn=posix
> > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> > failed! Unable to proceed.
> > ***
>
> This is expected, unfortunately the idranges used to manage different
> idranges in environments with trust and the range used by the DNA plugin
> to assign IDs to local users and groups are currently not connected.
> There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix
> this.
>
> bye,
> Sumit
>
> >
> > Should I go forward on other masters and do:
> >
> > ***
> > ldapmodify -x -D 'cn=Directory Manager' -W
> > Enter LDAP Password:
> > dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > changetype: modify
> > replace: dnaNextValue
> > dnaNextValue: 168970
> > -
> > replace: dnaMaxValue
> > dnaMaxValue: 168979
> > ^D
> >
> > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
> > Plugin,cn=plugins,cn=config"
> > ***
Re: [Freeipa-users] posix ids not propagating

On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
> I ran this command on each of my IPA servers and one returned usable
> response: ipa idrange-find
>
> ---
> 1 range matched
> ---
> Range name: HOSTNAME.LAN_id_range
> First Posix ID of the range: 192020
> Number of IDs in the range: 30
> Range type: local domain range
>
> Number of entries returned 1
>
>
> While trying to add a new user on one of the other servers I receive:
> ***
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> ***

This is expected, unfortunately the idranges used to manage different idranges in environments with trust and the range used by the DNA plugin to assign IDs to local users and groups are currently not connected. There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix this.

bye,
Sumit

>
> Should I go forward on other masters and do:
>
> ***
> ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: dnaNextValue
> dnaNextValue: 168970
> -
> replace: dnaMaxValue
> dnaMaxValue: 168979
> ^D
>
> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config"
> ***
Re: [Freeipa-users] posix ids not propagating

On 17.4.2015 01:46, Bryan Pearson wrote:
> I ran this command on each of my IPA servers and one returned usable
> response: ipa idrange-find
>
> ---
> 1 range matched
> ---
> Range name: HOSTNAME.LAN_id_range
> First Posix ID of the range: 192020
> Number of IDs in the range: 30
> Range type: local domain range
>
> Number of entries returned 1
>
>
> While trying to add a new user on one of the other servers I receive:
> ***
> Operations error: Allocation of a new value for range cn=posix
> ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
> failed! Unable to proceed.
> ***

Is your original master server running and reachable?

According to https://bugzilla.redhat.com/show_bug.cgi?id=1211366 ID ranges are distributed from original master to replicas only on first use (not immediately after replica installation) so you need to add a user on replica before you take the original master off-line.

Petr^2 Spacek

> Should I go forward on other masters and do:
>
> ***
> ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: dnaNextValue
> dnaNextValue: 168970
> -
> replace: dnaMaxValue
> dnaMaxValue: 168979
> ^D
>
> modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
> Plugin,cn=plugins,cn=config"
> ***

--
Petr^2 Spacek
[Freeipa-users] posix ids not propagating

I ran this command on each of my IPA servers and one returned usable response: ipa idrange-find

---
1 range matched
---
Range name: HOSTNAME.LAN_id_range
First Posix ID of the range: 192020
Number of IDs in the range: 30
Range type: local domain range

Number of entries returned 1

While trying to add a new user on one of the other servers I receive:
***
Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
***

Should I go forward on other masters and do:

***
ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: 168970
-
replace: dnaMaxValue
dnaMaxValue: 168979
^D

modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
***