[Freeipa-users] cannot add posix group or user

Wed Apr 19 20:26:51 UTC 2017

Cox, Jason wrote:
> Hi all,
> 
>  
> 
> I had to reinstall my IPA setup, so I’m using 4.4 and am learning the
> newer domain levels and topology features.
> 
> I’ve installed 3 servers.
> 
> I promoted one of the replicas to master and demoted the original master
> to replica according to the documentation.

According to what documentation?

Note that they are all masters, some may just run different services and
only one has a few duties (like CRL generation).

> I ran into an issue with the original master no longer replicating, so I
> performed an ipa-server-install –uninstall and removed the host/server
> from IPA.

This is the where the problem started.

> 
> I re-setup the replica using ipa-client-install and then
> ipa-replica-install, and had no errors reported in the output.
> 
> I then went into Web UI and setup replication agreements using the
> topology graph page between the new replica and the previous replica
> (the master/new replica agreements being setup by the replica install
> script).
> 
>  
> 
> I then attempted to add a posix group account and got an operational
> error message. This caused ldap to crash on the server I was interfacing
> with.

If you are getting a core it would be very enlightening to get a stack
trace from that (you'll need to install the debuginfo package to get any
really useful data out of it).

> 
> I performed an ‘ipactl restart’ on the affected server and attempted
> again with the same issue.
> 
> I tried adding a non-posix group and it was successful.
> 
>  
> 
> I found the dirsrv logs and see the error ‘dna-plugin - dna_pre_op: no
> more values available!!’ which lead me to
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00247.html
> 
>  
> 
> Performing the ldapserch I see:
> 
>   dnaMaxValue is 1100
> 
>   dnaNextValue is 1101
> 
>   dnaThreshold is 500

Right. A master only gets a range when it needs one. In this case it
needed one after the master holding the entire range went away.

> I also did ‘ipa idrange-find’, which shows:
> 
>  
> 
> ---------------
> 
> 1 range matched
> 
> ---------------
> 
>   Range name: MYDOMAIN.COM_id_range
> 
>   First Posix ID of the range: 1946000000
> 
>   Number of IDs in the range: 200000
> 
>   Range type: local domain range
> 
> ----------------------------
> 
> Number of entries returned 1
> 
> ----------------------------
> 
>  
> 
>  
> 
> So now my question is what do I need to change to fix the issue?
> 
> I can do the ldapmodify to adjust the dnaMaxValue, but I don’t know what
> I should be adjusting the idrange to?
> 
> I’d like to keep the idrange the same and just adjust the dnaMaxValue,
> so would I need to change dnaMaxValue to 200000?

See https://blog-rcritten.rhcloud.com/?p=50

rob