[Freeipa-users] Adding RID base to existing range

Darren Poulson darren.poulson at genesys.com
Thu Mar 10 02:47:14 UTC 2016


Thanks,

Adding with ldapmodify seems to have done the trick. Can run
ipa-adtrust-install at least. Now having other issues, but that’s for a
different thread. :)

Cheers,

Darren.


On 3/9/16, 3:17 PM, "Sumit Bose" <sbose at redhat.com> wrote:

>On Wed, Mar 09, 2016 at 02:21:31PM +0000, Darren Poulson wrote:
>> Hi,
>> 
>> Here’s what I get. The initial default range as created by freeipa and
>> contains all our users, and a second one that I created for system
>> accounts.
>
>The 'ipa idrange' utility does various checks to prevent idranges
>which are in use from being modified or deleted.
>
>Did you create the 'System Users' idrange just to block the IDs because
>they are used by accounts in /etc/passwd or do you have users with a UID
>between 500 and 1500 in IPA? In the former case you can just delete the
>idrange and recreate it with the RID bases set. Please note that IPA
>won't create idranges with POSIX IDs below 200000 automatically. So it
>might even be possible to just delete the idrange in this case.
>
>In the latter case you cannot remove the idrange, because there are
>users in it, and unfortunately you cannot modify it with 'ipa
>idrange-mod' either. Nevertheless you have to add the RID bases so that
>ipa-adtrust-install can run successfully. This can be done manually with
>ldapmodify as root:
>
>ldapmodify -H ldapi://%2fvar%2frun%2fslapd-BUR-US-GENOPS.socket << EOF
>dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
>changetype: modify
>add: ipabaserid
>ipabaserid: 200000000
>-
>add: ipasecondarybaserid
>ipasecondarybaserid: 210000000
>-
>EOF
>
>
>As an alternative you can remove the check from the 'ipa idrange'
>utility but I would recommend ldapmodify.
>
>After this ipa-adtrust-install should run successfully because it is
>able to add the missing RID bases to one idrange already. I guess we
>should enhance it to handle multiple idranges as in your case as well.
>
>HTH
>
>bye,
>Sumit
>
>> 
>> [root at freeipa1-01 ~]# ipa idrange-find
>> ----------------
>> 2 ranges matched
>> ----------------
>>   Range name: BUR.US.GENOPS_id_range
>>   First Posix ID of the range: 50000
>>   Number of IDs in the range: 10000
>>   Range type: local domain range
>> 
>>   Range name: System Users
>>   First Posix ID of the range: 500
>>   Number of IDs in the range: 1000
>>   Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>> ----------------------------
>> 
>> If it makes any difference, this install was initially (I believe) freeipa
>> 3.3.
>> 
>> Darren.
>> 
>> 
>> 
>> On 3/9/16, 1:31 PM, "freeipa-users-bounces at redhat.com on behalf of Darren
>> Poulson" <freeipa-users-bounces at redhat.com on behalf of
>> darren.poulson at genesys.com> wrote:
>> 
>> >Hi,
>> >
>> >I’d tried that, but get this:
>> >
>> >[root at freeipa1-01 ~]# ipa idrange-mod <domain>_id_range --rid-base=1000
>> >ipa: ERROR: This command can not be used to change ID allocation for local
>> >IPA domain. Run `ipa help idrange` for more information
>> >
>> >
>> >Thanks,
>> >
>> >Darren.
>> >
>> >
>> >On 3/9/16, 9:45 AM, "freeipa-users-bounces at redhat.com on behalf of Sumit
>> >Bose" <freeipa-users-bounces at redhat.com on behalf of sbose at redhat.com>
>> >wrote:
>> >
>> >>On Wed, Mar 09, 2016 at 01:29:14AM +0000, Darren Poulson wrote:
>> >>> Hi,
>> >>> 
>> >>> We’re currently trying to set up an AD domain (great fun for a bunch of
>> >>> linux admins… not) so that we can get authentication working with various
>> >>> bits of hardware that only support AD. We want this domain to trust our
>> >>> existing FreeIPA setup.
>> >>> 
>> >>> When trying to ipa-adtrust-install I’m getting:
>> >>> 
>> >>>   [10/22]: adding RID bases
>> >>> ipa         : CRITICAL Found more than one local domain ID range with no RID
>> >>> base set.
>> >>> 
>> >>> From reading up, I need to have the id ranges configured with primary and
>> >>> secondary RIDs. Is there any way to do this, or do I have to delete and
>> >>
>> >>You can use 'ipa idrange-mod ...' to add the RID bases to existing
>> >>ranges.
>> >>
>> >>HTH
>> >>
>> >>bye,
>> >>Sumit
>> >>
>> >>> recreate the ranges? And if I do that, what are the implications?
>> >>> 
>> >>> IPA 4.2.0 (CentOS 7)
>> >>> AD 2012R2
>> >>> 
>> >>> Cheers,
>> >>> 
>> >>> Darren.
>> >>> 
>> >>> 
>> >>> 
>> >>
>> >>
>> >>
>> >>> -- 
>> >>> Manage your subscription for the Freeipa-users mailing list:
>> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> >>> Go to http://freeipa.org for more info on the project
>> >>
>
>
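
Added example, not part of the original thread and not FreeIPA's own code: a pre-flight check for the ldapmodify approach quoted above. It parses ID range entries in LDIF form (the sample is constructed from the two ranges shown in the thread), lists local ranges that lack a RID base, and checks that a proposed set of RID bases gives non-overlapping RID intervals. The RID bases used for BUR.US.GENOPS_id_range in the usage note (1000 and 100000000) are assumed for illustration.

```python
# Added example: pre-flight check for RID bases on FreeIPA local ID ranges.
# SAMPLE_LDIF is constructed from the two ranges shown in this thread.
SAMPLE_LDIF = """\
dn: cn=BUR.US.GENOPS_id_range,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
cn: BUR.US.GENOPS_id_range
ipaBaseID: 50000
ipaIDRangeSize: 10000
ipaRangeType: ipa-local

dn: cn=System Users,cn=ranges,cn=etc,dc=bur,dc=us,dc=genops
cn: System Users
ipaBaseID: 500
ipaIDRangeSize: 1000
ipaRangeType: ipa-local
"""

def parse_ranges(ldif):
    """Return one dict per LDIF record, attribute names lower-cased."""
    ranges = []
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        ranges.append({k.lower(): v for k, v in attrs.items()})
    return ranges

def missing_rid_base(ranges):
    """Names of local ranges that lack the primary or the secondary RID base."""
    return [r["cn"] for r in ranges if r.get("iparangetype") == "ipa-local"
            and not ("ipabaserid" in r and "ipasecondarybaserid" in r)]

def rid_overlaps(ranges, proposed):
    """proposed: {range name: (base_rid, secondary_base_rid)}. Returns clashing pairs."""
    spans = []
    for r in ranges:
        size = int(r["ipaidrangesize"])
        bases = proposed.get(r["cn"], (r.get("ipabaserid"), r.get("ipasecondarybaserid")))
        for label, base in zip(("primary", "secondary"), bases):
            if base is not None:
                spans.append((f'{r["cn"]}/{label}', int(base), int(base) + size))
    return [(a[0], b[0]) for i, a in enumerate(spans) for b in spans[i + 1:]
            if a[1] < b[2] and b[1] < a[2]]   # half-open intervals intersect

def uid_to_rid(base_id, base_rid, uid):
    """RID that a POSIX ID maps to: offset within the ID range added to the RID base."""
    return base_rid + (uid - base_id)
```

With `{"BUR.US.GENOPS_id_range": (1000, 100000000), "System Users": (200000000, 210000000)}` as the proposal, `rid_overlaps` returns an empty list; an overlapping proposal would map two different POSIX IDs to the same RID.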