[Freeipa-users] error; Allocation of a new value

lejeczek peljasz at yahoo.co.uk
Fri Nov 25 11:48:33 UTC 2016



On 25/11/16 07:52, Martin Babinsky wrote:
> On 11/24/2016 07:30 PM, lejeczek wrote:
>>
>>
>> On 24/11/16 17:14, lejeczek wrote:
>>> hi
>>>
>>> I see this:
>>>
>>> 2 ranges matched
>>> ----------------
>>>   Range name: xx.id_range
>>>   First Posix ID of the range: 1952400000
>>>   Number of IDs in the range: 200000
>>>   First RID of the corresponding RID range: 0
>>>   Domain SID of the trusted domain:
>>> S-1-5-21-1144915091-2252175215-702530032
>>>   Range type: Active Directory domain range
>>>
>>>   Range name: xx.xx.xx.xx.x_id_range
>>>   First Posix ID of the range: 1875000000
>>>   Number of IDs in the range: 200000
>>>   First RID of the corresponding RID range: 1000
>>>   First RID of the secondary RID range: 100000000
>>>   Range type: local domain range
>>> ----------------------------
>>> Number of entries returned 2
>>>
>>> some time ago when I first set up IPA I migrated users from samba3's
>>> ldap backend. Since then until today there were no new users I needed
>>> to add but now I do.
>>> First on the list range I think it is a remnant of AD trust which does
>>> not exist any more (should it be removed?).
>>> I'm not sure how to read those ranges info, one thing I notice is that
>>> UIDs from migration are probably between 500 & 2000 and now if I
>>> supply uid manually to user-add and gid (which is old Samba's domain
>>> users group) then creation of new user succeeds.
>>> Is this normal, expected?
>>>
>>> mthx,
>>> L
>>>
>> ok, solution(ldapmodify) to the problem:
>> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html 
>>
>> but could some experts shed more light on it - I see that some time
>> ago (after migration/import) I actually created manually a user:
>> $ id netdevadmin
>> uid=1875000006(netdevadmin) gid=1875000006(netdevadmin)
>> groups=1875000006(netdevadmin)
>>
>> today, after ldapmodify I create a new user but uids seem to come from
>> (what?) a different range??
>> $ id appmgr
>> uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)
>>
>> what is happening?
>> regards
>> L
>>
>
> You are seeing this because you probably set s too low (5000 or so)
> and, as the name of the attribute implies, it sets the maximum UID/GID
> for the range assigned by the plugin.
>
> By default, the local IPA ID ranges are set to huge numbers (on my test
> VMs I have dnaMaxValue 241799999) to avoid collisions with UIDs/GIDs of
> local users (which are typically in the range of thousands/tens of
> thousands).
>
> However, the changes done directly in the DNA plugin configuration are
> not reflected in ID range objects, that's why you may observe the
> disparity between ID range characteristics and actual UIDs/GIDs
> provisioned.
>
can you guess what changed those dnaMaxValue after initial
setup/installation (soon after I created 1875000006(netdevadmin),
UID was assigned by IPA)? It certainly was not me.
Should I worry about these disparities? Should I be setting
dnaMaxValue (and any relevant) to correspond to idrange(s)?
Lastly, I see my IPA has two ranges, one is from AD trust which has
been removed, is it ok to leave/keep that range?

mthx,
L.
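
The range disparity discussed in this thread, as an added example that is not part of the original messages: it parses the `ipa idrange-find` output quoted above, reports which ID range (if any) covers a UID, and checks whether a DNA allocation window lies outside the local domain range. The DNA values 3502 and 5000 are constructed (the thread only says "5000 or so"), and the function names are illustrative.

```python
import re

# Output of `ipa idrange-find` as quoted in this thread (wrapped SID line joined).
IDRANGE_FIND = """\
  Range name: xx.id_range
  First Posix ID of the range: 1952400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1144915091-2252175215-702530032
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 1875000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
"""

def parse_ranges(text):
    """Return one dict per range: name, first, last (inclusive), type."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(line.strip().split(": ", 1) for line in block.splitlines() if ": " in line)
        first = int(f["First Posix ID of the range"])
        size = int(f["Number of IDs in the range"])
        ranges.append({"name": f["Range name"], "first": first,
                       "last": first + size - 1, "type": f["Range type"]})
    return ranges

def owning_range(posix_id, ranges):
    """Name of the ID range containing posix_id, or None if no range covers it."""
    for r in ranges:
        if r["first"] <= posix_id <= r["last"]:
            return r["name"]
    return None

def dna_outside_local(dna_next, dna_max, ranges):
    """True if any part of the DNA window [dna_next, dna_max] lies outside the local range."""
    local = next(r for r in ranges if r["type"] == "local domain range")
    return dna_next < local["first"] or dna_max > local["last"]

if __name__ == "__main__":
    rs = parse_ranges(IDRANGE_FIND)
    for uid in (1875000006, 3501):          # netdevadmin, appmgr from the thread
        print(uid, "->", owning_range(uid, rs))
    # Constructed DNA values: the thread only says dnaMaxValue was "5000 or so".
    print("DNA window outside local range:", dna_outside_local(3502, 5000, rs))
```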




