[Freeipa-users] error; Allocation of a new value

Martin Babinsky mbabinsk at redhat.com
Fri Nov 25 07:52:19 UTC 2016


On 11/24/2016 07:30 PM, lejeczek wrote:
>
>
> On 24/11/16 17:14, lejeczek wrote:
>> hi
>>
>> I see this:
>>
>> 2 ranges matched
>> ----------------
>>   Range name: xx.id_range
>>   First Posix ID of the range: 1952400000
>>   Number of IDs in the range: 200000
>>   First RID of the corresponding RID range: 0
>>   Domain SID of the trusted domain:
>> S-1-5-21-1144915091-2252175215-702530032
>>   Range type: Active Directory domain range
>>
>>   Range name: xx.xx.xx.xx.x_id_range
>>   First Posix ID of the range: 1875000000
>>   Number of IDs in the range: 200000
>>   First RID of the corresponding RID range: 1000
>>   First RID of the secondary RID range: 100000000
>>   Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>>
>> some time ago when I first set up IPA I migrated users from samba3's
>> ldap backend. Since then until today there were no new users I needed
>> to add but now I do.
>> First on the list range I think it is a remnant of AD trust which does
>> not exist any more (should it be removed?).
>> I'm not sure how to read those ranges info, one thing I notice is that
>> UIDs from migration are probably between 500 & 2000 and now if I
>> supply uid manually to user-add and gid (which is old Samba's domain
>> users group) then creation of new user succeeds.
>> Is this normal, expected?
>>
>> mthx,
>> L
>>
> ok, solution (ldapmodify) to the problem:
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
> but could some experts shed more light on it - I see that some time
> ago (after migration/import) I actually created manually a user:
> $ id netdevadmin
> uid=1875000006(netdevadmin) gid=1875000006(netdevadmin)
> groups=1875000006(netdevadmin)
>
> today, after ldapmodify I create a new user but uids seem to come from
> (what?) a different range??
> $ id appmgr
> uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)
>
> what is happening?
> regards
> L
>

You are seeing this because you probably set dnaMaxValue too low (5000
or so) and, as the name of the attribute implies, it sets the maximum
UID/GID for the range assigned by the plugin.

By default, the local IPA ID ranges are set to huge numbers (on my test
VMs I have dnaMaxValue 241799999) to avoid collisions with UIDs/GIDs of
local users (which are typically in the range of thousands/tens of
thousands).

However, the changes done directly in the DNA plugin configuration are
not reflected in ID range objects; that's why you may observe the
disparity between ID range characteristics and actual UIDs/GIDs provisioned.

-- 
Martin^3 Babinsky
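
Added example, not part of the original thread and not FreeIPA code: a small audit that parses `ipa idrange-find` style output and reports which provisioned UIDs/GIDs fall outside the declared ID ranges, the disparity described above. The sample text is constructed from the output quoted in the thread, and `LOCAL_UID_CEILING`, `parse_idranges` and `audit_ids` are hypothetical names and values chosen for illustration.

```python
import re

# Constructed sample shaped like the `ipa idrange-find` output quoted in the thread.
IDRANGE_OUTPUT = """\
  Range name: xx.id_range
  First Posix ID of the range: 1952400000
  Number of IDs in the range: 200000
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 1875000000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

LOCAL_UID_CEILING = 60000  # assumption: upper bound for /etc/passwd accounts


def parse_idranges(text):
    """Turn idrange-find style text into dicts with inclusive first/last IDs."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        f = {k.strip(): v.strip() for k, v in pairs}
        if "Range name" not in f:
            continue  # skip summary or separator blocks
        first = int(f["First Posix ID of the range"])
        size = int(f["Number of IDs in the range"])
        ranges.append({"name": f["Range name"], "type": f.get("Range type", ""),
                       "first": first, "last": first + size - 1})
    return ranges


def audit_ids(ids, ranges):
    """Map each UID/GID to a finding: covering range, or why it is suspect."""
    findings = {}
    for n in ids:
        hit = next((r for r in ranges if r["first"] <= n <= r["last"]), None)
        if hit and hit["type"] == "local domain range":
            findings[n] = "ok: " + hit["name"]
        elif hit:
            findings[n] = "in non-local range: " + hit["name"]
        elif n <= LOCAL_UID_CEILING:
            findings[n] = "outside all ID ranges, overlaps local account space"
        else:
            findings[n] = "outside all ID ranges"
    return findings


if __name__ == "__main__":
    # UIDs taken from the `id` output in the thread.
    ranges = parse_idranges(IDRANGE_OUTPUT)
    for uid, note in audit_ids([1875000006, 3501], ranges).items():
        print(uid, note)
```
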



