[Freeipa-users] cannot add posix group or user

Rob Crittenden rcritten at redhat.com
Wed Apr 19 20:26:51 UTC 2017


Cox, Jason wrote:
> Hi all,
>
> I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
> newer domain levels and topology features.
> 
> I’ve installed 3 servers.
> 
> I promoted one of the replicas to master and demoted the original master
> to replica according to the documentation.

According to what documentation?

Note that they are all masters, some may just run different services and
only one has a few duties (like CRL generation).

> I ran into an issue with the original master no longer replicating, so I
> performed an ipa-server-install --uninstall and removed the host/server
> from IPA.

This is where the problem started.

> 
> I re-setup the replica using ipa-client-install and then
> ipa-replica-install, and had no errors reported in the output.
> 
> I then went into Web UI and set up replication agreements using the
> topology graph page between the new replica and the previous replica
> (the master/new replica agreements being set up by the replica install
> script).
>
> I then attempted to add a posix group account and got an operational
> error message. This caused ldap to crash on the server I was interfacing
> with.

If you are getting a core it would be very enlightening to get a stack
trace from that (you'll need to install the debuginfo package to get any
really useful data out of it).

> 
> I performed an ‘ipactl restart’ on the affected server and attempted
> again with the same issue.
> 
> I tried adding a non-posix group and it was successful.
> 
>
> I found the dirsrv logs and see the error ‘dna-plugin - dna_pre_op: no
> more values available!!’ which led me to
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00247.html
>
> Performing the ldapsearch I see:
>
>   dnaMaxValue is 1100
>   dnaNextValue is 1101
>   dnaThreshold is 500

Right. A master only gets a range when it needs one. In this case it
needed one after the master holding the entire range went away.

> I also did ‘ipa idrange-find’, which shows:
>
> ---------------
> 1 range matched
> ---------------
>   Range name: MYDOMAIN.COM_id_range
>   First Posix ID of the range: 1946000000
>   Number of IDs in the range: 200000
>   Range type: local domain range
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> So now my question is what do I need to change to fix the issue?
> 
> I can do the ldapmodify to adjust the dnaMaxValue, but I don’t know what
> I should be adjusting the idrange to?
> 
> I’d like to keep the idrange the same and just adjust the dnaMaxValue,
> so would I need to change dnaMaxValue to 200000?

See https://blog-rcritten.rhcloud.com/?p=50

rob
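
An added example, not part of the original thread or of FreeIPA's own code: a Python check that takes the DNA attributes and the ID range quoted in this thread and reports whether a server has any POSIX IDs left to hand out and whether its DNA allocation lies inside the IPA ID range. The LDIF sample, its DN and the function names are constructed for illustration.

```python
import re

# Constructed sample: the DNA plugin values quoted in the thread, laid out as
# LDIF (the DN is included for illustration only).
SAMPLE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
"""

def parse_dna(ldif):
    """Return the integer-valued dna* attributes found in LDIF text."""
    pairs = re.findall(r"^(dna\w+):\s*(-?\d+)\s*$", ldif, re.M)
    return {name: int(value) for name, value in pairs}

def assess(dna, range_base, range_size):
    """Compare one server's DNA allocation with the IPA ID range.

    Returns (remaining_ids, findings); an empty findings list means healthy.
    """
    nxt, mx = dna["dnaNextValue"], dna["dnaMaxValue"]
    threshold = dna.get("dnaThreshold", 0)
    first, last = range_base, range_base + range_size - 1
    remaining = max(0, mx - nxt + 1)
    findings = []
    if remaining == 0:
        # This is the state behind "dna_pre_op: no more values available!!"
        findings.append("exhausted: dnaNextValue is past dnaMaxValue")
    elif remaining <= threshold:
        findings.append(f"low: {remaining} IDs left (dnaThreshold {threshold})")
    if not (first <= nxt and mx <= last):
        findings.append(f"allocation {nxt}-{mx} is outside ID range {first}-{last}")
    return remaining, findings

if __name__ == "__main__":
    # Range base and size are the values from the 'ipa idrange-find' output above.
    remaining, findings = assess(parse_dna(SAMPLE_LDIF), 1946000000, 200000)
    print(f"remaining IDs: {remaining}")
    for finding in findings:
        print(" -", finding)
```
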



