[Freeipa-users] error; Allocation of a new value

lejeczek peljasz at yahoo.co.uk
Fri Nov 25 12:18:10 UTC 2016



On 25/11/16 12:02, Martin Babinsky wrote:
> On 11/25/2016 12:48 PM, lejeczek wrote:
>>
>>
>> On 25/11/16 07:52, Martin Babinsky wrote:
>>> On 11/24/2016 07:30 PM, lejeczek wrote:
>>>>
>>>>
>>>> On 24/11/16 17:14, lejeczek wrote:
>>>>> hi
>>>>>
>>>>> I see this:
>>>>>
>>>>> 2 ranges matched
>>>>> ----------------
>>>>>   Range name: xx.id_range
>>>>>   First Posix ID of the range: 1952400000
>>>>>   Number of IDs in the range: 200000
>>>>>   First RID of the corresponding RID range: 0
>>>>>   Domain SID of the trusted domain:
>>>>> S-1-5-21-1144915091-2252175215-702530032
>>>>>   Range type: Active Directory domain range
>>>>>
>>>>>   Range name: xx.xx.xx.xx.x_id_range
>>>>>   First Posix ID of the range: 1875000000
>>>>>   Number of IDs in the range: 200000
>>>>>   First RID of the corresponding RID range: 1000
>>>>>   First RID of the secondary RID range: 100000000
>>>>>   Range type: local domain range
>>>>> ----------------------------
>>>>> Number of entries returned 2
>>>>>
>>>>> some time ago when I first set up IPA I migrated users 
>>>>> from samba3's
>>>>> ldap backend. Since then until today there was no new 
>>>>> users I needed
>>>>> to add but now I do.
>>>>> First on the list range I think it is a remnant of AD 
>>>>> trust which does
>>>>> not exist any more (should it be removed?).
>>>>> I'm not sure how to read those ranges info, one thing 
>>>>> I notice is that
>>>>> UIDs from migration are probably between 500 & 2000 
>>>>> and now if I
>>>>> supply uid manually to user-add and gid (which is old 
>>>>> Samba's domain
>>>>> users group) then creation of new user succeeds.
>>>>> Is this normal, expected?
>>>>>
>>>>> mthx,
>>>>> L
>>>>>
>>>> ok, solution(ldapmodify) to the problem:
>>>> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html 
>>>>
>>>>
>>>> but could some experts shed more light on it - I see 
>>>> that some time
>>>> ago(after migration/import) I actually created manually 
>>>> a user:
>>>> $ id netdevadmin
>>>> uid=1875000006(netdevadmin) gid=1875000006(netdevadmin)
>>>> groups=1875000006(netdevadmin)
>>>>
>>>> today, after ldapmodify I create a new user but uids 
>>>> seem to come from
>>>> (what?) a different range??
>>>> $ id appmgr
>>>> uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)
>>>>
>>>> what is happening?
>>>> regards
>>>> L
>>>>
>>>
>>> You are seeing this because you probably set s too low 
>>> (5000 or so)
>>> and, as the name of the attribute implies, it sets the 
>>> maximum UID/GID
>>> for the range assigned by the plugin.
>>>
>>> By default, the local IPA ID ranges are set to huge 
>>> numbers (on my
>>> test VMs I have dnaMaxValue 241799999) to avoid 
>>> collisions with
>>> UIDs/GIDs of local users (which are typically in the 
>>> range of
>>> thousands/tens of thousands).
>>>
>>> However, the changes done directly in the DNA plugin 
>>> configuration are
>>> not reflected in ID range objects, that's why you may 
>>> observe the
>>> disparity between ID range characteristics and actual 
>>> UIDs/GIDs
>>> provisioned.
>>>
>> can you guess what changed those dnaMaxValue after initial
>> setup/installation (soon after I created 
>> 1875000006(netdevadmin), UID
>> was assigned by IPA)? It certainly was not me.
> Well, you wrote:
>
> > ok, solution(ldapmodify) to the problem:
> > 
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
>
> so I guess you indeed changed the value by running 
> ldapmodify?
well, I did but only now, hoping to fix:

ipa: ERROR: Operations error: Allocation of a new value for 
range cn=posix ids,cn=distributed numeric assignment 
plugin,cn=plugins,cn=config failed! Unable to proceed.

and before I did, those values were:

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, 
config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment 
Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

>> Should I worry about these disparities? Should I be setting
>> dnaMaxValue(and any relevant) to correspond to idrange(s)?
> In general, I would not meddle with DNA plugin settings 
> unless something is seriously wrong (like a replica that 
> did not receive any DNA range block before the master was 
> decommissioned, see [1]), and even then I would be extra 
> careful to set the DNA plugin ranges to correspond to the 
> actual IPA ID ranges to avoid any UID/GID collisions 
> (which can get nasty very quickly).
>
so, would you say what should be the value of dnaMaxValue in 
case of that range my IPA shows?

>> Lastly, I see my IPA has two ranges, one is from AD trust 
>> which has been
>> removed, is it ok to leave/keep that range?
>>
>
> The leftover range from AD does no harm, you can safely 
> remove it just to avoid confusion.
>> mthx,
>> L.
>>
>>
>
>
> [1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
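
The disparity discussed in this thread (a DNA plugin range that is used up and lies outside the IPA local ID range) can be checked mechanically. The following is an added example, not part of the original messages and not FreeIPA code; the function names are hypothetical and the sample input is constructed from the values quoted above.

```python
import re
# Constructed sample input, built from the values quoted in the thread.
IDRANGE_OUTPUT = """\
  Range name: xx.id_range
  First Posix ID of the range: 1952400000
  Range type: Active Directory domain range

  Range name: xx.xx.xx.xx.x_id_range
  First Posix ID of the range: 1875000000
  Number of IDs in the range: 200000
  Range type: local domain range
"""
DNA_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plug
 in,cn=plugins,cn=config
dnaMaxValue: 1100
dnaNextValue: 1101
"""

def parse_ldif(text):
    """Return {attr: [values]} for one LDIF entry (hypothetical helper)."""
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    entry = {}
    for line in unfolded.splitlines():
        if ": " in line and not line.startswith("#"):
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value)
    return entry

def local_range(text):
    """Return (first, last) POSIX ID of the 'local domain range' block."""
    for block in re.split(r"\n\s*\n", text):
        if "Range type: local domain range" in block:
            first = int(re.search(r"First Posix ID of the range: (\d+)", block).group(1))
            size = int(re.search(r"Number of IDs in the range: (\d+)", block).group(1))
            return first, first + size - 1
    raise ValueError("no local domain range found")

def check_dna(idrange_text, ldif_text):
    """Return the list of problems; an empty list means the two agree."""
    first, last = local_range(idrange_text)
    dna = parse_ldif(ldif_text)
    nxt, mx = int(dna["dnanextvalue"][0]), int(dna["dnamaxvalue"][0])
    problems = []
    if nxt > mx:  # range used up, as in the values posted with the error
        problems.append("exhausted")
    if not (first <= nxt and first <= mx <= last):  # IDs would fall outside the ID range
        problems.append("outside-local-range")
    return problems
```

Running `check_dna` against the text of `ipa idrange-find` and the DNA plugin entry before and after any `ldapmodify` shows whether newly allocated UIDs/GIDs will stay inside the local ID range.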



