[Freeipa-users] Problem adding group after update IPA from CentOS 6.6 to 7.0
Gianluca Cecchi
gianluca.cecchi at gmail.com
Mon Dec 8 14:47:39 UTC 2014
Hello,
I followed the guide here to migrate IPA from CentOS 6.6 to CentOS 7.0:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html
Now, adding a group from console with command
ipa group-add
I get this kind of error:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
the same if I add from web gui without specifying GID.
Instead if I specify a GID it gets completed, both from console and web gui
[root at c7server slapd-LOCALDOMAIN-LOCAL]# ipa group-add --gid 1639600009
Group name: mynewgroup
Description: My New Group
-----------------------
Added group "mynewgroup"
-----------------------
Group name: mynewgroup
Description: My New Group
GID: 1639600009
I notice that previously created groups (from command line) in 6.5 got GIDs
starting from 1639600001.
The system generated groups admins and editors have 1639600000
and 1639600002.
my dna config in migrated CentOS 7 server is this:
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1101
dnaMaxValue: 1100
dnaMagicRegen: -1
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaScope: dc=localdomain,dc=local
dnaThreshold: 500
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20141206144811Z
modifyTimestamp: 20141206144811Z
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)
My CentOS 6.5 server was created with command
ipa-server-install
without any options
And after install, the creation of the first userid got this output....
[root at infra install]# ipa user-add
First name: Gianluca
Last name: Cecchi
User login [gcecchi]:
--------------------
Added user "gcecchi"
--------------------
User login: gcecchi
First name: Gianluca
Last name: Cecchi
Full name: Gianluca Cecchi
Display name: Gianluca Cecchi
Initials: GC
Home directory: /home/gcecchi
GECOS field: Gianluca Cecchi
Login shell: /bin/sh
Kerberos principal: gcecchi at LOCALDOMAIN.LOCAL
Email address: gcecchi at localdomain.local
UID: 1639600001
GID: 1639600001
Password: False
Kerberos keys available: False
So the GID was autoset to 1639600001
Could it be that sort of "dnaNextRange:" was not migrated from CentOS 6.5
to CentOS 7.0?
I found this kind of information in manual about adding ranges...
ldapmodify -x -D "cn=Directory Manager" -W -h server.example.com -p 389
Enter LDAP Password: *******
dn: cn=POSIX IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
add: dnaNextRange
dnaNextRange: 123400000-123500000
But I also see in the CentOS 7 config the line that I don't understand...
aci: (targetattr=dnaNextRange || dnaNextValue || dnaMaxValue)(version 3.0;acl "permission:Modify DNA Range";allow (write) groupdn = "ldap:///cn=Modify DNA Range,cn=permissions,cn=pbac,dc=localdomain,dc=local";)
Inside the log file about the required schema update for CentOS 6.5 to be
run before creating replica for CentOS 7 I see:
2014-12-06T11:42:10Z INFO Updating existing entry: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG ---------------------------------------------
2014-12-06T11:42:10Z DEBUG Initial value
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG top
2014-12-06T11:42:10Z DEBUG extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 1639600008
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG uidNumber
2014-12-06T11:42:10Z DEBUG gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 1639799999
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG replace: (|(objectclass=posixAccount)(objectClass=posixGroup)) not found, skipping
2014-12-06T11:42:10Z DEBUG ---------------------------------------------
2014-12-06T11:42:10Z DEBUG Final value after applying updates
2014-12-06T11:42:10Z DEBUG dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
2014-12-06T11:42:10Z DEBUG dnascope: dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG dnathreshold: 500
2014-12-06T11:42:10Z DEBUG cn: Posix IDs
2014-12-06T11:42:10Z DEBUG objectclass:
2014-12-06T11:42:10Z DEBUG top
2014-12-06T11:42:10Z DEBUG extensibleObject
2014-12-06T11:42:10Z DEBUG dnanextvalue: 1639600008
2014-12-06T11:42:10Z DEBUG dnamagicregen: 999
2014-12-06T11:42:10Z DEBUG dnafilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
2014-12-06T11:42:10Z DEBUG dnatype:
2014-12-06T11:42:10Z DEBUG uidNumber
2014-12-06T11:42:10Z DEBUG gidNumber
2014-12-06T11:42:10Z DEBUG dnamaxvalue: 1639799999
2014-12-06T11:42:10Z DEBUG dnasharedcfgdn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=localdomain,dc=local
2014-12-06T11:42:10Z DEBUG []
2014-12-06T11:42:10Z DEBUG Live 1, updated 0
2014-12-06T11:42:10Z INFO Done
Thanks in advance for any insight and help to fix the problem.
Gianluca
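
Added example, not part of the original post and not FreeIPA code: a check that reads a DNA plugin entry as LDIF and reports how many IDs remain in its local range and whether a dnaNextRange is queued. The function names and state labels are assumptions, and the sample entries are constructed from the values quoted in the message above.

```python
# Constructed samples: attribute values copied from the post, entries trimmed.
DN = "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
MIGRATED = DN + "dnaNextValue: 1101\ndnaMaxValue: 1100\ndnaThreshold: 500\n"
ORIGINAL = DN + "dnaNextValue: 1639600008\ndnaMaxValue: 1639799999\ndnaThreshold: 500\n"


def parse_ldif_entry(text):
    """Parse one plain-text LDIF entry into {lowercased attribute: [values]}.

    Continuation lines (leading single space) are unfolded first.
    Base64 ("attr:: value") attributes are not decoded in this sketch.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF fold: drop exactly one space
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def dna_range_status(entry):
    """Summarise the local DNA range: values left, queued range, overall state."""
    next_value = int(entry["dnanextvalue"][0])
    max_value = int(entry["dnamaxvalue"][0])
    threshold = int(entry.get("dnathreshold", ["0"])[0])
    # dnaNextValue above dnaMaxValue means nothing is left to hand out locally.
    remaining = max(0, max_value - next_value + 1)
    next_range = entry.get("dnanextrange", [None])[0]
    if remaining == 0:
        state = "next-range-pending" if next_range else "exhausted"
    elif remaining <= threshold:
        state = "below-threshold"
    else:
        state = "ok"
    return {"remaining": remaining, "next_range": next_range, "state": state}


if __name__ == "__main__":
    for label, ldif in (("CentOS 6 log", ORIGINAL), ("CentOS 7 entry", MIGRATED)):
        print(label, dna_range_status(parse_ldif_entry(ldif)))
```

To check a live server, save the output of an ldapsearch for the "Posix IDs" plugin entry to a file and pass its contents to parse_ldif_entry.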