[Freeipa-users] Adding RID base to existing range

Sumit Bose sbose at redhat.com
Wed Mar 9 15:17:10 UTC 2016


On Wed, Mar 09, 2016 at 02:21:31PM +0000, Darren Poulson wrote:
> Hi,
> 
> Here’s what I get. The initial default range as created by freeipa and
> contains all our users, and a second one that I created for system
> accounts.

The 'ipa idrange' utility does various checks to prevent idranges
which are in use from being modified or deleted.

Did you create the 'System Users' idrange just to block the IDs because
they are used by accounts in /etc/passwd or do you have users with a UID
between 500 and 1500 in IPA? In the former case you can just delete the
idrange and recreate it with the RID bases set. Please note that IPA
won't create idranges with POSIX IDs below 200000 automatically. So it
might even be possible to just delete the idrange in this case.

In the latter case you cannot remove the idrange, because there are
users in it, and unfortunately you cannot modify it with 'ipa
idrange-mod' either. Nevertheless you have to add the RID bases so that
ipa-adtrust-install can run successfully. This can be done manually with
ldapmodify as root:

ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
changetype: modify
add: ipabaserid
ipabaserid: 200000000
-
add: ipasecondarybaserid
ipasecondarybaserid: 210000000
-
EOF


As an alternative you can remove the check from the 'ipa idrange'
utility but I would recommend ldapmodify.

After this ipa-adtrust-install should run successfully because it is
able to add the missing RID bases to one idrange already. I guess we
should enhance it to handle multiple idranges as in your case as well.

HTH

bye,
Sumit
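A small checker to run before ipa-adtrust-install, added here as an example and not code from the thread or from FreeIPA itself: it models the idranges from the 'ipa idrange-find' output above, reports which local ranges still lack RID bases (more than one such range is what triggers the CRITICAL error), verifies that chosen primary/secondary RID intervals do not overlap each other (the overlap rule is assumed to be "RID base to RID base plus range size"), and emits the same LDIF shape as the ldapmodify snippet. The range sizes and names come from the thread; the RID values for the default range are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IdRange:
    name: str
    base_id: int                           # First Posix ID of the range
    size: int                              # Number of IDs in the range
    base_rid: Optional[int] = None         # ipabaserid
    secondary_base_rid: Optional[int] = None  # ipasecondarybaserid


def rid_intervals(r: IdRange) -> List[Tuple[int, int]]:
    """Half-open RID intervals [start, end) claimed by a range (assumption:
    each RID base covers as many RIDs as the range has POSIX IDs)."""
    return [(b, b + r.size) for b in (r.base_rid, r.secondary_base_rid) if b is not None]


def missing_rid_bases(ranges: List[IdRange]) -> List[str]:
    """Names of ranges that still lack a primary or secondary RID base."""
    return [r.name for r in ranges if r.base_rid is None or r.secondary_base_rid is None]


def rid_conflicts(ranges: List[IdRange]) -> List[Tuple[str, str]]:
    """Pairs of range names whose RID intervals overlap; a range whose own
    primary and secondary intervals collide is reported against itself."""
    ivs = [(r.name, iv) for r in ranges for iv in rid_intervals(r)]
    conflicts = []
    for i, (n1, (s1, e1)) in enumerate(ivs):
        for n2, (s2, e2) in ivs[i + 1:]:
            if s1 < e2 and s2 < e1:          # standard half-open overlap test
                conflicts.append((n1, n2))
    return conflicts


def ldif_add_rid_bases(r: IdRange, suffix: str, base_rid: int, secondary_base_rid: int) -> str:
    """LDIF for 'ldapmodify' in the shape used in the reply above."""
    return (f"dn: cn={r.name},cn=ranges,cn=etc,{suffix}\n"
            "changetype: modify\n"
            f"add: ipabaserid\nipabaserid: {base_rid}\n-\n"
            f"add: ipasecondarybaserid\nipasecondarybaserid: {secondary_base_rid}\n-\n")


if __name__ == "__main__":
    # Constructed from the 'ipa idrange-find' output in the thread.
    ranges = [IdRange("BUR.US.GENOPS_id_range", 50000, 10000, 1000, 100000000),
              IdRange("System Users", 500, 1000)]
    print("missing RID bases:", missing_rid_bases(ranges))
    ranges[1].base_rid, ranges[1].secondary_base_rid = 200000000, 210000000
    print("conflicts:", rid_conflicts(ranges))
    print(ldif_add_rid_bases(ranges[1], "dc=bur,dc=us,dc=genops", 200000000, 210000000))
```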

> 
> [root at freeipa1-01 ~]# ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
>   Range name: BUR.US.GENOPS_id_range
>   First Posix ID of the range: 50000
>   Number of IDs in the range: 10000
>   Range type: local domain range
> 
>   Range name: System Users
>   First Posix ID of the range: 500
>   Number of IDs in the range: 1000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
> 
> If it makes any difference, this install was initially (I believe) freeipa
> 3.3.
> 
> Darren.
> 
> 
> 
> On 3/9/16, 1:31 PM, "freeipa-users-bounces at redhat.com on behalf of Darren
> Poulson" <freeipa-users-bounces at redhat.com on behalf of
> darren.poulson at genesys.com> wrote:
> 
> >Hi,
> >
> >I’d tried that, but get this:
> >
> >[root at freeipa1-01 ~]# ipa idrange-mod <domain>_id_range --rid-base=1000
> >ipa: ERROR: This command can not be used to change ID allocation for local
> >IPA domain. Run `ipa help idrange` for more information
> >
> >
> >Thanks,
> >
> >Darren.
> >
> >
> >On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit
> >Bose" <freeipa-users-bounces at redhat.com on behalf of sbose at redhat.com>
> >wrote:
> >
> >>On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
> >>> Hi,
> >>> 
> >>> We're currently trying to set up an AD domain (great fun for a bunch of
> >>> linux admins... not) so that we can get authentication working with
> >>>various
> >>> bits of hardware that only support AD. We want this domain to trust our
> >>> existing FreeIPA setup.
> >>> 
> >>> When trying to ipa-adtrust-install I'm getting:
> >>> 
> >>>   [10/22]: adding RID bases
> >>> ipa         : CRITICAL Found more than one local domain ID range with
> >>>no RID
> >>> base set.
> >>> 
> >>> From reading up, I need to have the id ranges configured with primary
> >>>and
> >>> secondary RIDs. Is there any way to do this, or do I have to delete and
> >>
> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
> >>ranges.
> >>
> >>HTH
> >>
> >>bye,
> >>Sumit
> >>
> >>> recreate the ranges? And if I do that, what are the implications?
> >>> 
> >>> IPA 4.2.0 (CentOS 7)
> >>> AD 2012R2
> >>> 
> >>> Cheers,
> >>> 
> >>> Darren.
> >>> 
> >>> 
> >>> 
> >>
> >>
> >>
> >>> -- 
> >>> Manage your subscription for the Freeipa-users mailing list:
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> Go to http://freeipa.org for more info on the project
> >>