Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Darren Poulson
Thanks,

Adding with ldapmodify seems to have done the trick. Can run
ipa-adtrust-install at least. Now having other issues, but that’s for a
different thread. :)

Cheers,

Darren.


On 3/9/16, 3:17 PM, "Sumit Bose"  wrote:

>On Wed, Mar 09, 2016 at 02:21:31PM +, Darren Poulson wrote:
>> Hi,
>> 
>> Here’s what I get. The initial default range as created by freeipa and
>> contains all our users, and a second one that I created for system
>> accounts.
>
>The 'ipa idrange' utility does various checks to prevent that idranges
>which are in use are modified or deleted.
>
>Did you create the 'System Users' idrange just to block the IDs because
>they are used by accounts in /etc/passwd or do you have users with a UID
>between 500 and 1500 in IPA? In the former case you can just delete the
>idrange and recreate it with the RID bases set. Please note the IPA
>won't create idranges with POSIX IDs below 20 automatically. So it
>might be even possible to just delete the idrange in this case.
>
>In the latter case you cannot remove the idrange, because there are
>users in it, and unfortunately you cannot modify it with 'ipa
>idrange-mod' either. Nevertheless you have to add the RID bases so that
>ipa-adtrust-install can run successfully. This can be done manually with
>ldapmodify as root:
>
>ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
>dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
>changetype: modify
>add: ipabaserid
>ipabaserid: 2
>-
>add: ipasecondarybaserid
>ipasecondarybaserid: 21000
>-
>EOF
>
>
>As an alternative you can remove the check from the 'ipa idrange'
>utility but I would recommend ldapmodify.
>
>After this ipa-adtrust-install should run successfully because it is
>able to add the missing RID bases to one idrange already. I guess we
>should enhance it to handle multiple idranges as in your case as well.
>
>HTH
>
>bye,
>Sumit
>
>> 
>> [root@freeipa1-01 ~]# ipa idrange-find
>> 
>> 2 ranges matched
>> 
>>   Range name: BUR.US.GENOPS_id_range
>>   First Posix ID of the range: 5
>>   Number of IDs in the range: 1
>>   Range type: local domain range
>> 
>>   Range name: System Users
>>   First Posix ID of the range: 500
>>   Number of IDs in the range: 1000
>>   Range type: local domain range
>> 
>> Number of entries returned 2
>> ——
>> 
>> If it makes any difference, this install was initially (I believe) freeipa
>> 3.3.
>> 
>> Darren.
>> 
>> 
>> 
>> On 3/9/16, 1:31 PM, "freeipa-users-boun...@redhat.com on behalf of Darren
>> Poulson" > darren.poul...@genesys.com> wrote:
>> 
>> >Hi,
>> >
>> >I’d tried that, but get this:
>> >
>> >[root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
>> >ipa: ERROR: This command can not be used to change ID allocation for local
>> >IPA domain. Run `ipa help idrange` for more information
>> >
>> >
>> >Thanks,
>> >
>> >Darren.
>> >
>> >
>> >On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit
>> >Bose" 
>> >wrote:
>> >
>> >>On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
>> >>> Hi,
>> >>> 
>> >>> We’re currently trying to set up an AD domain (great fun for a bunch of
>> >>> linux admins… not) so that we can get authentication working with various
>> >>> bits of hardware that only support AD. We want this domain to trust our
>> >>> existing FreeIPA setup.
>> >>> 
>> >>> When trying to ipa-adtrust-install I’m getting:
>> >>> 
>> >>>   [10/22]: adding RID bases
>> >>> ipa : CRITICAL Found more than one local domain ID range with no RID
>> >>> base set.
>> >>> 
>> >>> From reading up, I need to have the id ranges configured with primary and
>> >>> secondary RIDs. Is there any way to do this, or do I have to delete and
>> >>
>> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>> >>ranges.
>> >>
>> >>HTH
>> >>
>> >>bye,
>> >>Sumit
>> >>
>> >>> recreate the ranges? And if I do that, what are the implications?
>> >>> 
>> >>> IPA 4.2.0 (CentOS 7)
>> >>> AD 2012R2
>> >>> 
>> >>> Cheers,
>> >>> 
>> >>> Darren.
>> >>> 
>> >>> 
>> >>> 
>> >>
>> >>
>> >>
>> >>> -- 
>> >>> Manage your subscription for the Freeipa-users mailing list:
>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>> Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 02:21:31PM +, Darren Poulson wrote:
> Hi,
> 
> Here’s what I get. The initial default range as created by freeipa and
> contains all our users, and a second one that I created for system
> accounts.

The 'ipa idrange' utility does various checks to prevent that idranges
which are in use are modified or deleted.

Did you create the 'System Users' idrange just to block the IDs because
they are used by accounts in /etc/passwd or do you have users with a UID
between 500 and 1500 in IPA? In the former case you can just delete the
idrange and recreate it with the RID bases set. Please note the IPA
won't create idranges with POSIX IDs below 20 automatically. So it
might be even possible to just delete the idrange in this case.

In the latter case you cannot remove the idrange, because there are
users in it, and unfortunately you cannot modify it with 'ipa
idrange-mod' either. Nevertheless you have to add the RID bases so that
ipa-adtrust-install can run successfully. This can be done manually with
ldapmodify as root:

ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
changetype: modify
add: ipabaserid
ipabaserid: 2
-
add: ipasecondarybaserid
ipasecondarybaserid: 21000
-
EOF


As an alternative you can remove the check from the 'ipa idrange'
utility but I would recommend ldapmodify.

After this ipa-adtrust-install should run successfully because it is
able to add the missing RID bases to one idrange already. I guess we
should enhance it to handle multiple idranges as in your case as well.

HTH

bye,
Sumit

> 
> [root@freeipa1-01 ~]# ipa idrange-find
> 
> 2 ranges matched
> 
>   Range name: BUR.US.GENOPS_id_range
>   First Posix ID of the range: 5
>   Number of IDs in the range: 1
>   Range type: local domain range
> 
>   Range name: System Users
>   First Posix ID of the range: 500
>   Number of IDs in the range: 1000
>   Range type: local domain range
> 
> Number of entries returned 2
> ——
> 
> If it makes any difference, this install was initially (I believe) freeipa
> 3.3.
> 
> Darren.
> 
> 
> 
> On 3/9/16, 1:31 PM, "freeipa-users-boun...@redhat.com on behalf of Darren
> Poulson"  darren.poul...@genesys.com> wrote:
> 
> >Hi,
> >
> >I’d tried that, but get this:
> >
> >[root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
> >ipa: ERROR: This command can not be used to change ID allocation for local
> >IPA domain. Run `ipa help idrange` for more information
> >
> >
> >Thanks,
> >
> >Darren.
> >
> >
> >On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit
> >Bose" 
> >wrote:
> >
> >>On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
> >>> Hi,
> >>> 
> >>> We’re currently trying to set up an AD domain (great fun for a bunch of
> >>> linux admins… not) so that we can get authentication working with various
> >>> bits of hardware that only support AD. We want this domain to trust our
> >>> existing FreeIPA setup.
> >>> 
> >>> When trying to ipa-adtrust-install I’m getting:
> >>> 
> >>>   [10/22]: adding RID bases
> >>> ipa : CRITICAL Found more than one local domain ID range with no RID
> >>> base set.
> >>> 
> >>> From reading up, I need to have the id ranges configured with primary and
> >>> secondary RIDs. Is there any way to do this, or do I have to delete and
> >>
> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
> >>ranges.
> >>
> >>HTH
> >>
> >>bye,
> >>Sumit
> >>
> >>> recreate the ranges? And if I do that, what are the implications?
> >>> 
> >>> IPA 4.2.0 (CentOS 7)
> >>> AD 2012R2
> >>> 
> >>> Cheers,
> >>> 
> >>> Darren.
> >>> 
> >>> 
> >>> 
> >>
> >>
> >>
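A pre-flight check for the manual ldapmodify change described in the reply above, as an added example that is not part of the original posts and not FreeIPA's own code: because ldapmodify does not go through the checks of the 'ipa idrange' utility, it lists which local ranges still lack RID bases and flags planned values whose RID blocks collide. The EXAMPLE.TEST range and every RID number are constructed sample values; it assumes each base reserves as many consecutive RIDs as the range has IDs and that all local-domain ranges share one RID space.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class IdRange:
    name: str                         # cn of the range entry
    base_id: int                      # ipaBaseID
    size: int                         # ipaIDRangeSize
    base_rid: Optional[int] = None    # ipaBaseRID
    sec_rid: Optional[int] = None     # ipaSecondaryBaseRID
    range_type: str = "ipa-local"     # ipaRangeType

    def rid_intervals(self):
        """Half-open [start, end) RID blocks this range occupies."""
        out = []
        if self.base_rid is not None:
            out.append((f"{self.name}/ipabaserid", self.base_rid, self.base_rid + self.size))
        if self.sec_rid is not None:
            out.append((f"{self.name}/ipasecondarybaserid", self.sec_rid, self.sec_rid + self.size))
        return out

def missing_rid_bases(ranges):
    """Local ranges lacking a RID base; more than one made the installer stop."""
    return [r.name for r in ranges if r.range_type == "ipa-local"
            and (r.base_rid is None or r.sec_rid is None)]

def rid_overlaps(ranges):
    """Pairs of RID blocks in the local domain that share at least one RID."""
    ivs = sorted((iv for r in ranges if r.range_type == "ipa-local"
                  for iv in r.rid_intervals()), key=lambda iv: iv[1])
    clashes = []
    for i, (name_a, _, end_a) in enumerate(ivs):
        for name_b, start_b, _ in ivs[i + 1:]:
            if start_b >= end_a:      # sorted by start: nothing later can overlap
                break
            clashes.append((name_a, name_b))
    return clashes

def plan(ranges, name, base_rid, sec_rid):
    """Copy of `ranges` with proposed RID bases applied to the named range."""
    return [replace(r, base_rid=base_rid, sec_rid=sec_rid) if r.name == name else r
            for r in ranges]

# Constructed sample: two local ranges without RID bases, as in the thread.
# Only the System Users base (500) and size (1000) are taken from the page.
RANGES = [IdRange("EXAMPLE.TEST_id_range", 100000, 100000),
          IdRange("System Users", 500, 1000)]

if __name__ == "__main__":
    step1 = plan(RANGES, "System Users", 200000, 300000)
    print("still missing:", missing_rid_bases(step1))
    print("overlaps:", rid_overlaps(step1))
    bad = plan(step1, "EXAMPLE.TEST_id_range", 150000, 100000000)
    print("overlaps in bad plan:", rid_overlaps(bad))
```

Run it against the values you intend to put in the LDIF; an empty overlap list and exactly one range left in the missing list matches the state in which the reply expects ipa-adtrust-install to proceed.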

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Darren Poulson
Hi,

Here’s what I get. The initial default range as created by freeipa and
contains all our users, and a second one that I created for system
accounts.

[root@freeipa1-01 ~]# ipa idrange-find

2 ranges matched

  Range name: BUR.US.GENOPS_id_range
  First Posix ID of the range: 5
  Number of IDs in the range: 1
  Range type: local domain range

  Range name: System Users
  First Posix ID of the range: 500
  Number of IDs in the range: 1000
  Range type: local domain range

Number of entries returned 2
——

If it makes any difference, this install was initially (I believe) freeipa
3.3.

Darren.



On 3/9/16, 1:31 PM, "freeipa-users-boun...@redhat.com on behalf of Darren
Poulson"  wrote:

>Hi,
>
>I’d tried that, but get this:
>
>[root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
>ipa: ERROR: This command can not be used to change ID allocation for local
>IPA domain. Run `ipa help idrange` for more information
>
>
>Thanks,
>
>Darren.
>
>
>On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit
>Bose" 
>wrote:
>
>>On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
>>> Hi,
>>> 
>>> We’re currently trying to set up an AD domain (great fun for a bunch of
>>> linux admins… not) so that we can get authentication working with various
>>> bits of hardware that only support AD. We want this domain to trust our
>>> existing FreeIPA setup.
>>> 
>>> When trying to ipa-adtrust-install I’m getting:
>>> 
>>>   [10/22]: adding RID bases
>>> ipa : CRITICAL Found more than one local domain ID range with no RID
>>> base set.
>>> 
>>> From reading up, I need to have the id ranges configured with primary and
>>> secondary RIDs. Is there any way to do this, or do I have to delete and
>>
>>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>>ranges.
>>
>>HTH
>>
>>bye,
>>Sumit
>>
>>> recreate the ranges? And if I do that, what are the implications?
>>> 
>>> IPA 4.2.0 (CentOS 7)
>>> AD 2012R2
>>> 
>>> Cheers,
>>> 
>>> Darren.
>>> 
>>> 
>>> 
>>
>>
>>

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 01:31:00PM +, Darren Poulson wrote:
> Hi,
> 
> I’d tried that, but get this:
> 
> [root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
> ipa: ERROR: This command can not be used to change ID allocation for local
> IPA domain. Run `ipa help idrange` for more information

'ipa idrange-find' should show a second idrange with 'Range type: local
domain range'. Can you try if you can add the RID bases there?

bye,
Sumit

> 
> 
> Thanks,
> 
> Darren.
> 
> 
> On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit
> Bose" 
> wrote:
> 
> >On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
> >> Hi,
> >> 
> >> We’re currently trying to set up an AD domain (great fun for a bunch of
> >> linux admins… not) so that we can get authentication working with various
> >> bits of hardware that only support AD. We want this domain to trust our
> >> existing FreeIPA setup.
> >> 
> >> When trying to ipa-adtrust-install I’m getting:
> >> 
> >>   [10/22]: adding RID bases
> >> ipa : CRITICAL Found more than one local domain ID range with no RID
> >> base set.
> >> 
> >> From reading up, I need to have the id ranges configured with primary and
> >> secondary RIDs. Is there any way to do this, or do I have to delete and
> >
> >You can use 'ipa idrange-mod ...' to add the RID bases to existing
> >ranges.
> >
> >HTH
> >
> >bye,
> >Sumit
> >
> >> recreate the ranges? And if I do that, what are the implications?
> >> 
> >> IPA 4.2.0 (CentOS 7)
> >> AD 2012R2
> >> 
> >> Cheers,
> >> 
> >> Darren.
> >> 
> >> 
> >> 
> >
> >
> >

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Darren Poulson
Hi,

I’d tried that, but get this:

[root@freeipa1-01 ~]# ipa idrange-mod _id_range --rid-base=1000
ipa: ERROR: This command can not be used to change ID allocation for local
IPA domain. Run `ipa help idrange` for more information


Thanks,

Darren.


On 3/9/16, 9:45 AM, "freeipa-users-boun...@redhat.com on behalf of Sumit
Bose" 
wrote:

>On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
>> Hi,
>> 
>> We’re currently trying to set up an AD domain (great fun for a bunch of
>> linux admins… not) so that we can get authentication working with various
>> bits of hardware that only support AD. We want this domain to trust our
>> existing FreeIPA setup.
>> 
>> When trying to ipa-adtrust-install I’m getting:
>> 
>>   [10/22]: adding RID bases
>> ipa : CRITICAL Found more than one local domain ID range with no RID
>> base set.
>> 
>> From reading up, I need to have the id ranges configured with primary and
>> secondary RIDs. Is there any way to do this, or do I have to delete and
>
>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>ranges.
>
>HTH
>
>bye,
>Sumit
>
>> recreate the ranges? And if I do that, what are the implications?
>> 
>> IPA 4.2.0 (CentOS 7)
>> AD 2012R2
>> 
>> Cheers,
>> 
>> Darren.
>> 
>> 
>> 
>
>
>

Re: [Freeipa-users] Adding RID base to existing range

2016-03-09 Thread Sumit Bose
On Wed, Mar 09, 2016 at 01:29:14AM +, Darren Poulson wrote:
> Hi,
> 
> We’re currently trying to set up an AD domain (great fun for a bunch of
> linux admins… not) so that we can get authentication working with various
> bits of hardware that only support AD. We want this domain to trust our
> existing FreeIPA setup.
> 
> When trying to ipa-adtrust-install I’m getting:
> 
>   [10/22]: adding RID bases
> ipa : CRITICAL Found more than one local domain ID range with no RID
> base set.
> 
> From reading up, I need to have the id ranges configured with primary and
> secondary RIDs. Is there any way to do this, or do I have to delete and

You can use 'ipa idrange-mod ...' to add the RID bases to existing
ranges.

HTH

bye,
Sumit

> recreate the ranges? And if I do that, what are the implications?
> 
> IPA 4.2.0 (CentOS 7)
> AD 2012R2
> 
> Cheers,
> 
> Darren.
> 
> 
> 


