Re: [Freeipa-users] posix ids not propagating

On 17.4.2015 01:46, Bryan Pearson wrote:
> I ran this command on each of my IPA servers and one returned usable response:
>
> ipa idrange-find
> ---
> 1 range matched
> ---
> Range name: HOSTNAME.LAN_id_range
> First Posix ID of the range: 192020
> Number of IDs in the range: 30
> Range type: local domain range
> Number of entries returned 1
>
> While trying to add a new user on one of the other servers I receive:
>
> ***
> Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
> ***

Is your original master server running and reachable?

According to https://bugzilla.redhat.com/show_bug.cgi?id=1211366 ID ranges are distributed from original master to replicas only on first use (not immediately after replica installation) so you need to add a user on replica before you take the original master off-line.

Petr^2 Spacek

> Should I go forward on other masters and do:
>
> ***
> ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: dnaNextValue
> dnaNextValue: 168970
> -
> replace: dnaMaxValue
> dnaMaxValue: 168979
> ^D
>
> modifying entry cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> ***

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] posix ids not propagating

On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
> I ran this command on each of my IPA servers and one returned usable response:
>
> ipa idrange-find
> ---
> 1 range matched
> ---
> Range name: HOSTNAME.LAN_id_range
> First Posix ID of the range: 192020
> Number of IDs in the range: 30
> Range type: local domain range
> Number of entries returned 1
>
> While trying to add a new user on one of the other servers I receive:
>
> ***
> Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
> ***

This is expected, unfortunately the idranges used to manage different idranges in environments with trust and the range used by the DNA plugin to assign IDs to local users and groups are currently not connected. There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix this.

bye,
Sumit

> Should I go forward on other masters and do:
>
> ***
> ldapmodify -x -D 'cn=Directory Manager' -W
> Enter LDAP Password:
> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: dnaNextValue
> dnaNextValue: 168970
> -
> replace: dnaMaxValue
> dnaMaxValue: 168979
> ^D
>
> modifying entry cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> ***
Re: [Freeipa-users] posix ids not propagating

Bryan Pearson wrote:
> Am I mistaken in your example:
>
> You can find the master it is trying to talk to here:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
>
> Mine:
>
> $ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan

You're not sharing enough information. A list of DNA hosts tells us nothing when we don't know which host you're having a problem on, if a host is down or has been replaced, etc.

I'd poke around the DNA plugin configuration in cn=config on each master to see what the actual DNA configuration is. You have one with the default max 1000, next 1001 expired configuration pointing at a host that is either down or has no ranges.

Or easier, if you are running IPA 3.3+ then ipa-replica-manage has some DNA commands which make this easier to figure out and fix.

You don't want to set overlapping ranges.

rob

> Bryan
>
> On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden rcrit...@redhat.com wrote:
>> Bryan Pearson wrote:
>>> I believe that my master dna server isn't currently being used, so I did this.
>>>
>>> ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
>>> Enter LDAP Password:
>>
>> That's not the right location to search for the DNA configuration. See http://blog-rcritten.rhcloud.com/?p=50
>>
>> rob
Re: [Freeipa-users] posix ids not propagating

Am I mistaken in your example:

You can find the master it is trying to talk to here:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com

Mine:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan

Bryan

On Fri, Apr 17, 2015 at 9:19 AM, Rob Crittenden rcrit...@redhat.com wrote:
> Bryan Pearson wrote:
>> I believe that my master dna server isn't currently being used, so I did this.
>>
>> ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
>> Enter LDAP Password:
>
> That's not the right location to search for the DNA configuration. See http://blog-rcritten.rhcloud.com/?p=50
>
> rob
Re: [Freeipa-users] posix ids not propagating

I believe that my master dna server isn't currently being used, so I did this.

ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
objectClass: nsContainer
objectClass: top
cn: posix-ids

# ipa3.EXAMPLE.lan + 0, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=0,cn=posix-ids,cn=dna
 ,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 0
dnaSecurePortNum: 636
dnaPortNum: 0
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig
objectClass: top

# ipa3.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=d
 na,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 7
dnaSecurePortNum: 636
dnaPortNum: 389
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig
objectClass: top

# ipa4.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa4.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ip
 a,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: ipa4.EXAMPLE.lan
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

# ipa2.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa2.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn
 =dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: ipa2.EXAMPLE.lan
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5

Bryan

On Fri, Apr 17, 2015 at 7:08 AM, Sumit Bose sb...@redhat.com wrote:
> On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote:
>> Should I add the same range to this machine or give each one its own id range?
>
> The ranges are global for the whole IPA domain. The idranges managed with the ipa tool have their data in the replicated tree hence changes are available on all replicas. The DNA plugin has its own scheme to distribute the data, see e.g. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html for details.
>
> bye,
> Sumit
>
>> On Apr 17, 2015 3:53 AM, Sumit Bose sb...@redhat.com wrote:
>>> On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
>>>> I ran this command on each of my IPA servers and one returned usable response:
>>>>
>>>> ipa idrange-find
>>>> ---
>>>> 1 range matched
>>>> ---
>>>> Range name: HOSTNAME.LAN_id_range
>>>> First Posix ID of the range: 192020
>>>> Number of IDs in the range: 30
>>>> Range type: local domain range
>>>> Number of entries returned 1
>>>>
>>>> While trying to add a new user on one of the other servers I receive:
>>>>
>>>> ***
>>>> Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
>>>> ***
>>>
>>> This is expected, unfortunately the idranges used to manage different idranges in environments with trust and the range used by the DNA plugin to assign IDs to local users and groups are currently not connected. There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix this.
>>>
>>> bye,
>>> Sumit
>>>
>>>> Should I go forward on other masters and do:
>>>>
>>>> ***
>>>> ldapmodify -x -D 'cn=Directory Manager' -W
>>>> Enter LDAP Password:
>>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>>> changetype: modify
>>>> replace: dnaNextValue
>>>> dnaNextValue: 168970
>>>> -
>>>> replace: dnaMaxValue
>>>> dnaMaxValue: 168979
>>>> ^D
>>>>
>>>> modifying entry cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>>> ***
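
Added example (not part of the original thread and not FreeIPA code): a small Python parser for the shared DNA configuration listing in the message above, which unfolds the wrapped `dn:` lines and reports `dnaRemainingValues` per host and port. The sample input is constructed from that output and trimmed; the function names are hypothetical.

```python
import re

# Constructed sample modelled on the ldapsearch output quoted in the thread;
# folded dn: lines are kept, entries trimmed to the attributes used below.
SAMPLE_LDIF = """\
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=0,cn=posix-ids,cn=dna
 ,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 0
dnaPortNum: 0
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig

# ipa3.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=d
 na,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 7
dnaPortNum: 389
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig

dn: dnaHostname=ipa4.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ip
 a,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
dnaHostname: ipa4.EXAMPLE.lan
dnaPortNum: 389
dnaRemainingValues: 0
"""

def parse_ldif(text):
    """Unfold continuation lines, skip comments, return one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text)):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def dna_status(entries):
    """Map (host, port) -> dnaRemainingValues for each dnaSharedConfig entry."""
    return {(e["dnaHostname"][0], int(e["dnaPortNum"][0])):
            int(e["dnaRemainingValues"][0])
            for e in entries if "dnaSharedConfig" in e.get("objectClass", [])}

if __name__ == "__main__":
    print(dna_status(parse_ldif(SAMPLE_LDIF)))
```

Keying on host and port keeps the two ipa3 entries (port 0 and port 389) separate, so a second registration for the same host stays visible in the result.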
Re: [Freeipa-users] posix ids not propagating

Bryan Pearson wrote:
> I believe that my master dna server isn't currently being used, so I did this.
>
> ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
> Enter LDAP Password:

That's not the right location to search for the DNA configuration. See http://blog-rcritten.rhcloud.com/?p=50

rob
Re: [Freeipa-users] posix ids not propagating

On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote:
> Should I add the same range to this machine or give each one its own id range?

The ranges are global for the whole IPA domain. The idranges managed with the ipa tool have their data in the replicated tree hence changes are available on all replicas. The DNA plugin has its own scheme to distribute the data, see e.g. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html for details.

bye,
Sumit

> On Apr 17, 2015 3:53 AM, Sumit Bose sb...@redhat.com wrote:
>> On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
>>> I ran this command on each of my IPA servers and one returned usable response:
>>>
>>> ipa idrange-find
>>> ---
>>> 1 range matched
>>> ---
>>> Range name: HOSTNAME.LAN_id_range
>>> First Posix ID of the range: 192020
>>> Number of IDs in the range: 30
>>> Range type: local domain range
>>> Number of entries returned 1
>>>
>>> While trying to add a new user on one of the other servers I receive:
>>>
>>> ***
>>> Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
>>> ***
>>
>> This is expected, unfortunately the idranges used to manage different idranges in environments with trust and the range used by the DNA plugin to assign IDs to local users and groups are currently not connected. There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix this.
>>
>> bye,
>> Sumit
>>
>>> Should I go forward on other masters and do:
>>>
>>> ***
>>> ldapmodify -x -D 'cn=Directory Manager' -W
>>> Enter LDAP Password:
>>> dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> changetype: modify
>>> replace: dnaNextValue
>>> dnaNextValue: 168970
>>> -
>>> replace: dnaMaxValue
>>> dnaMaxValue: 168979
>>> ^D
>>>
>>> modifying entry cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>>> ***