[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range
Not quiet sure. I did check some of the imported groups and there is at least one below 100 (god knows why - guess ancient relic). If there is just one or two i think it would be better to change those IDs. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range
So i could add something like: Range name: DOMAIN.LOCAL_third_range First Posix ID of the range: 10 Number of IDs in the range: 1590 Range type: local domain range First RID of the corresponding RID range: 51 First RID of the secondary RID range: 512000 To cover the IDs we might have missed too? No conflict with IPA default IDs or something like that? ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range
Still some problems with our setup: ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 521]: Cannot convert Posix ID [1576] into an unused SID Am i right that error occurs because 1576 is outside of our DOMAIN.LOCAL_new_range 1600-3600? Is it possible to adjust the first posixID of that range to 1500? Or can i delete the range and recreate it without causing more ruckus? Any other clean way to fix that problem? Thanks in advance ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range
Think i found a way to change it. For documentation purpose if someone else has this problem: In /etc/ipa/default.conf i found our ldap_uri Then issued this commands: #verify correct dn ldapsearch -b 'cn=DOMAIN.LOCAL_new_range,cn=ranges,cn=etc,dc=domain,dc=local' ldapmodify -H ldapi://%2Frun%2Fslapd-DOMAIN-LOCAL.socket dn: cn=DOMAIN.LOCAL_new_range,cn=ranges,cn=etc,dc=domain,dc=local changetype: modify add: ipabaserid ipabaserid:50 commit with enter on an empty line. Did the same for add: ipasecondarybaserid ipasecondarybaserid:503000 Now "ipa config-mod --enable-sid --add-sids" did run successful. Let's hope the auth problems are fixed too =) Thanks for your time and help! ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range
Unfortunately ipa doesn't allow me to change the range via idrange-mod. Do i have to shut down a service before that command? ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range
dn: cn=DOMAIN.LOCAL_new_range,cn=ranges,cn=etc,dc=domain,dc=local cn: DOMAIN.LOCAL_new_range ipabaseid: 1600 ipaidrangesize: 2000 iparangetype: ipa-local objectclass: ipaIDrange objectclass: ipadomainidrange I think we created this one because we had some old YP users starting their id at 1600 ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Freeipa-users] New primary rid range overlaps with existing primary rid range
Greetings, we also upgraded to RHEL9.2 and got the auth problems. following the advice here i wanted to use "ipa config-mod --enable-sid --add-sids" but unfortunately i get an error in /etc/messages ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range overlaps with existing primary rid range. Using ipa idrange-find 3 ranges matched Range name: DOMAIN.LOCAL_id_range First Posix ID of the range: 51280 Number of IDs in the range: 20 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 1 Range type: local domain range Range name: DOMAIN.LOCAL_new_range First Posix ID of the range: 1600 Number of IDs in the range: 2000 Range type: local domain range Range name: DOMAIN.LOCAL_subid_range First Posix ID of the range: 2147483648 Number of IDs in the range: 2147352576 First RID of the corresponding RID range: 2147283648 Domain SID of the trusted domain: S-1-5-21-738065-838566-2958400175 Range type: Active Directory domain range Number of entries returned 3 On a first glance they seems not to overlap. Can someone help me how i can troubleshoot that problem further? ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue