[Freeipa-users] error; Allocation of a new value

Martin Babinsky mbabinsk at redhat.com
Fri Nov 25 12:02:25 UTC 2016


On 11/25/2016 12:48 PM, lejeczek wrote:
>
>
> On 25/11/16 07:52, Martin Babinsky wrote:
>> On 11/24/2016 07:30 PM, lejeczek wrote:
>>>
>>>
>>> On 24/11/16 17:14, lejeczek wrote:
>>>> hi
>>>>
>>>> I see this:
>>>>
>>>> 2 ranges matched
>>>> ----------------
>>>>   Range name: xx.id_range
>>>>   First Posix ID of the range: 1952400000
>>>>   Number of IDs in the range: 200000
>>>>   First RID of the corresponding RID range: 0
>>>>   Domain SID of the trusted domain:
>>>> S-1-5-21-1144915091-2252175215-702530032
>>>>   Range type: Active Directory domain range
>>>>
>>>>   Range name: xx.xx.xx.xx.x_id_range
>>>>   First Posix ID of the range: 1875000000
>>>>   Number of IDs in the range: 200000
>>>>   First RID of the corresponding RID range: 1000
>>>>   First RID of the secondary RID range: 100000000
>>>>   Range type: local domain range
>>>> ----------------------------
>>>> Number of entries returned 2
>>>>
>>>> some time ago when I first set up IPA I migrated users from samba3's
>>>> ldap backend. Since then until today there was no new users I needed
>>>> to add but now I do.
>>>> First on the list range I think it is a remnant of AD trust which does
>>>> not exists any more (should it be removed?).
>>>> I'm not sure how to read those ranges info, one thing I notice is that
>>>> UIDs from migration are probably between 500 & 2000 and now if I
>>>> supply uid manually to user-add and gid (which is old Samba's domain
>>>> users group) then creation of new user succeeds.
>>>> Is this normal, expected?
>>>>
>>>> mthx,
>>>> L
>>>>
>>> ok, solution(ldapmodify) to the problem:
>>> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
>>>
>>> but could some experts shed more light on it - I see that some time
>>> ago(after migration/import) I actually created manually a user:
>>> $ id netdevadmin
>>> uid=1875000006(netdevadmin) gid=1875000006(netdevadmin)
>>> groups=1875000006(netdevadmin)
>>>
>>> today, after ldapmodify I create a new user but uids seem to come from
>>> (what?) a different range??
>>> $ id appmgr
>>> uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)
>>>
>>> what's is happening?
>>> regards
>>> L
>>>
>>
>> You are seeing this because you probably set s too low (5000 or so)
>> and, as the name of the attribute implies, it sets the maximum UID/GID
>> for the range assigned by the plugin.
>>
>> By default, the local IPA ID ranges are set to huge numbers (on my
>> test VMs I have dnaMaxValue 241799999) to avoid collisions with
>> UIDs/GIDs of local users, which are typically in the range of
>> thousands/tens of thousands.
>>
>> However, the changes done directly in the DNA plugin configuration are
>> not reflected in ID range objects, that's why you may observe the
>> disparity between ID range characteristics and actual UIDs/GIDs
>> provisioned.
>>
> can you guess what changed those dnaMaxValue after initial
> setup/installation (soon after I created 1875000006(netdevadmin), UID
> was assigned by IPA)? It certainly was not me.
Well, you wrote:

 > ok, solution(ldapmodify) to the problem:
 > https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html

so I guess you indeed changed the value by running ldapmodify?
> Should I worry about these disparities? Should I be setting
> dnaMaxValue (and any relevant) to correspond to idrange(s)?
In general, I would not meddle with DNA plugin settings unless something 
is seriously wrong (like a replica that did not receive any DNA range 
block before the master was decommissioned, see [1]), and even then I 
would be extra careful to set the DNA plugin ranges to correspond to the 
actual IPA ID ranges to avoid any UID/GID collisions (which can get 
nasty very quickly).

> Lastly, I see my IPA has two ranges, one is from AD trust which has been
> removed, is it ok to leave/keep that range?
>

The leftover range from AD does no harm, you can safely remove it just 
to avoid confusion.
> mthx,
> L.
>
>


[1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
-- 
Martin^3 Babinsky
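An added consistency check (example code, not from the thread or from FreeIPA): it parses `ipa idrange-find` output in the format quoted above together with a DNA plugin entry, and reports which IDs the plugin would allocate outside any local IPA ID range, i.e. the disparity discussed in the reply. The DNA entry DN and the dnaNextValue are assumed illustrative values; only dnaMaxValue and the idrange figures come from the thread.

```python
import re

# Constructed sample: the two ranges from the thread's `ipa idrange-find` output
# (Domain SID and RID lines omitted; the values are as posted).
IDRANGE_OUTPUT = """
  Range name: xx.id_range
  First Posix ID of the range: 1952400000
  Number of IDs in the range: 200000
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 1875000000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

# Constructed LDIF-style DNA plugin entry. dnaMaxValue 5000 is the "too low"
# value the reply talks about; the DN and dnaNextValue are assumed.
DNA_LDIF = """
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaNextValue: 3502
dnaMaxValue: 5000
"""

def parse_idranges(text):
    """Return [(name, first_id, last_id, range_type)] from idrange-find output."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^\s*([^:]+):\s*(.*)$", block, re.M))
        first = int(fields["First Posix ID of the range"])
        count = int(fields["Number of IDs in the range"])
        ranges.append((fields["Range name"], first, first + count - 1,
                       fields["Range type"]))
    return ranges

def parse_dna(ldif):
    """Return (dnaNextValue, dnaMaxValue) from a DNA plugin entry."""
    fields = dict(re.findall(r"^(dna\w+):\s*(\d+)$", ldif, re.M))
    return int(fields["dnaNextValue"]), int(fields["dnaMaxValue"])

def covering_range(ranges, value):
    """Name of the local domain range containing value, or None."""
    for name, first, last, rtype in ranges:
        if rtype == "local domain range" and first <= value <= last:
            return name
    return None

def dna_mismatch(ranges, ldif):
    """IDs at the DNA plugin's next/max boundaries that lie outside every local range."""
    return [v for v in parse_dna(ldif) if covering_range(ranges, v) is None]
```

With the thread's values, `covering_range` places 1875000006 in the local range, 3501 in none, and `dna_mismatch` flags both DNA boundaries, which is exactly the disparity the reply describes.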
