[Freeipa-users] posix ids not propagating

Bryan Pearson bwp.pearson at gmail.com
Fri Apr 17 13:13:30 UTC 2015


I believe that my master dna server isn't currently being used, so I did this.

ldapsearch -x -D 'cn=Directory Manager' -W -b cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
objectClass: nsContainer
objectClass: top
cn: posix-ids

# ipa3.EXAMPLE.lan + 0, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=0,cn=posix-ids,cn=dna
 ,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 0
dnaSecurePortNum: 636
dnaPortNum: 0
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig
objectClass: top

# ipa3.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=d
 na,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 99997
dnaSecurePortNum: 636
dnaPortNum: 389
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig
objectClass: top

# ipa4.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa4.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ip
 a,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: ipa4.EXAMPLE.lan
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

# ipa2.EXAMPLE.lan + 389, posix-ids, dna, ipa, etc, EXAMPLE.lan
dn: dnaHostname=ipa2.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn
 =dna,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: ipa2.EXAMPLE.lan
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 0

# search result
search: 2
result: 0 Success

# numResponses: 6
# numEntries: 5
Bryan


On Fri, Apr 17, 2015 at 7:08 AM, Sumit Bose <sbose at redhat.com> wrote:
> On Fri, Apr 17, 2015 at 06:36:24AM -0400, Bryan Pearson wrote:
>> Should I add the same range to this machine or give each one its own id
>> range?
>
> The ranges are global for the whole IPA domain. The idranges managed
> with the ipa tool have their data in the replicated tree hence changes
> are available on all replicas. The DNA plugin has its own scheme to
> distribute the data, see e.g.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Managing-Unique_UID_and_GID_Attributes.html
>
> for details.
>
> bye,
> Sumit
>> On Apr 17, 2015 3:53 AM, "Sumit Bose" <sbose at redhat.com> wrote:
>>
>> > On Thu, Apr 16, 2015 at 07:46:55PM -0400, Bryan Pearson wrote:
>> > > I ran this command on each of my IPA servers and one returned a usable
>> > > response: ipa idrange-find
>> > >
>> > > ---------------
>> > > 1 range matched
>> > > ---------------
>> > >   Range name: HOSTNAME.LAN_id_range
>> > >   First Posix ID of the range: 1920200000
>> > >   Number of IDs in the range: 300000
>> > >   Range type: local domain range
>> > > ----------------------------
>> > > Number of entries returned 1
>> > > ----------------------------
>> > >
>> > > While trying to add a new user on one of the other servers I receive:
>> > > ***
>> > > Operations error: Allocation of a new value for range cn=posix
>> > > ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config
>> > > failed! Unable to proceed.
>> > > ***
>> >
>> > This is expected, unfortunately the idranges used to manage different
>> > idranges in environments with trust and the range used by the DNA plugin
>> > to assign IDs to local users and groups are currently not connected.
>> > There is ticket https://fedorahosted.org/freeipa/ticket/3609 to fix
>> > this.
>> >
>> > bye,
>> > Sumit
>> >
>> > >
>> > > Should I go forward on other masters and do:
>> > >
>> > > ***
>> > > ldapmodify -x -D 'cn=Directory Manager' -W
>> > > Enter LDAP Password:
>> > > dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
>> > > changetype: modify
>> > > replace: dnaNextValue
>> > > dnaNextValue: 1689700000
>> > > -
>> > > replace: dnaMaxValue
>> > > dnaMaxValue: 1689799999
>> > > ^D
>> > >
>> > > modifying entry "cn=Posix IDs,cn=Distributed Numeric Assignment
>> > > Plugin,cn=plugins,cn=config"
>> > > ***
>> > >
>> > > --
>> > > Manage your subscription for the Freeipa-users mailing list:
>> > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > > Go to http://freeipa.org for more info on the project
>> >
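
An added example, not part of the original thread: a small Python parser for the ldapsearch output at the top of this message that unfolds the wrapped dn: lines and lists the hosts whose dnaSharedConfig entries report no remaining values. The function names are hypothetical, and summing dnaRemainingValues over all of a host's entries (ipa3 has two) is an assumption of this example.

```python
# Constructed sample: three of the entries from the message above, with the
# folded dn: lines kept exactly as ldapsearch printed them.
SAMPLE_LDIF = """\
dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=0,cn=posix-ids,cn=dna
 ,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 0
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig

dn: dnaHostname=ipa3.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=d
 na,cn=ipa,cn=etc,dc=EXAMPLE,dc=lan
dnaRemainingValues: 99997
dnaHostname: ipa3.EXAMPLE.lan
objectClass: dnaSharedConfig

dn: dnaHostname=ipa4.EXAMPLE.lan+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ip
 a,cn=etc,dc=EXAMPLE,dc=lan
objectClass: dnaSharedConfig
dnaHostname: ipa4.EXAMPLE.lan
dnaRemainingValues: 0
"""

def parse_entries(text):
    """Return one {attr_lowercase: [values]} dict per LDIF entry."""
    unfolded = text.replace("\n ", "")  # LDIF folding: newline + one space
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def remaining_by_host(text):
    """Sum dnaRemainingValues over every dnaSharedConfig entry of a host."""
    totals = {}
    for e in parse_entries(text):
        if "dnaSharedConfig" in e.get("objectclass", []):
            host = e["dnahostname"][0]
            left = int(e.get("dnaremainingvalues", ["0"])[0])
            totals[host] = totals.get(host, 0) + left
    return totals

def hosts_without_range(text):
    """Hosts for which every shared-config entry reports 0 remaining values."""
    return sorted(h for h, n in remaining_by_host(text).items() if n == 0)
```
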



