[Freeipa-users] error; Allocation of a new value
Martin Babinsky
mbabinsk at redhat.com
Fri Nov 25 07:52:19 UTC 2016
On 11/24/2016 07:30 PM, lejeczek wrote:
>
>
> On 24/11/16 17:14, lejeczek wrote:
>> hi
>>
>> I see this:
>>
>> 2 ranges matched
>> ----------------
>> Range name: xx.id_range
>> First Posix ID of the range: 1952400000
>> Number of IDs in the range: 200000
>> First RID of the corresponding RID range: 0
>> Domain SID of the trusted domain:
>> S-1-5-21-1144915091-2252175215-702530032
>> Range type: Active Directory domain range
>>
>> Range name: xx.xx.xx.xx.x_id_range
>> First Posix ID of the range: 1875000000
>> Number of IDs in the range: 200000
>> First RID of the corresponding RID range: 1000
>> First RID of the secondary RID range: 100000000
>> Range type: local domain range
>> ----------------------------
>> Number of entries returned 2
>>
>> some time ago when I first set up IPA I migrated users from samba3's
>> ldap backend. Since then until today there was no new users I needed
>> to add but now I do.
>> First on the list range I think it is a remnant of AD trust which does
>> not exists any more (should it be removed?).
>> I'm not sure how to read those ranges info, one thing I notice is that
>> UIDs from migration are probably between 500 & 2000 and now if I
>> supply uid manually to user-add and gid (which is old Samba's domain
>> users group) then creation of new user succeeds.
>> Is this normal, expected?
>>
>> mthx,
>> L
>>
> ok, solution(ldapmodify) to the problem:
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
> but could some experts shed more light on it - I see that some time
> ago(after migration/import) I actually created manually a user:
> $ id netdevadmin
> uid=1875000006(netdevadmin) gid=1875000006(netdevadmin)
> groups=1875000006(netdevadmin)
>
> today, after ldapmodify I create a new user but uids seem to come from
> (what?) a different range??
> $ id appmgr
> uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)
>
> what's is happening?
> regards
> L
>
You are seeing this because you probably set dnaMaxValue too low (5000
or so) and, as tha name of the attribute implies, it sets the maximum
UID/GID for the range assigned by the plugin.
By default, the local IPA ID ranges are set to huge numbers (on my test
VMs I have dnaMaxValue 241799999) to aviod collisions with UIDs/GIDs of
local users which are typically in the range of thousands/tens of
thousands).
However, the changes done directly in the DNA plugin configuration are
not reflected in ID range objects, that's why you may observe the
disparity between ID range characteristics and actual UIDs/GIDs provisioned.
--
Martin^3 Babinsky
More information about the Freeipa-users
mailing list