There can be multiple ranges set if the first one was depleted or, for example, there are users migrated from a previous IdM solution. We should support that.
# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: IDM.LAB.BOS.REDHAT.COM_id_range
  First Posix ID of the range: 694000000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: local_range
  First Posix ID of the range: 1200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

# ipa-adtrust-install
The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: y
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: 2 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/19]: stopping smbd
  [2/19]: creating samba domain object
Samba domain object already exists
  [3/19]: creating samba config registry
  [4/19]: writing samba config file
  [5/19]: adding cifs Kerberos principal
  [6/19]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [7/19]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [8/19]: adding RID bases
ipa : CRITICAL Found more than one ID range for the local domain.
Too many ID ranges
Sumit's suggestions for ipa-adtrust-install RID generation:
ipa-adtrust-install
If there are multiple ranges there are different ways to set the RID-ranges. E.g. you can pick the idrange with the lowest POSIX ID and assign the lowest RID range to it. Then take the one with the next lowest and so on. Alternatively the lowest RID range is assigned to the oldest idrange, and so on.
Maybe the logic can be like: look up idranges, check if RID bases must be added, return if not, check if RID ranges must be added for more than one range, fail if yes, check if the given RID bases are not in conflict with existing ones, fail if yes, add RID ranges.
With this we fail only if RID bases must be added for more than one range, which can be fixed separately.
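The decision flow suggested above, as an added Python sketch that is not FreeIPA's own code: it treats each RID range as the interval [base, base + size) and refuses any assignment that would let two POSIX IDs map to the same RID, and therefore the same SID. The dict keys, function names and `RidBaseError` are hypothetical; the sample data is constructed from the `ipa idrange-find` output in this ticket, and all entries are assumed to be local domain ranges.

```python
# Added illustration, not FreeIPA code. Dict keys and names are hypothetical.
class RidBaseError(Exception):
    """RID bases cannot be assigned without manual intervention."""

# Constructed from the `ipa idrange-find` output quoted in this ticket.
RANGES = [
    {"name": "IDM.LAB.BOS.REDHAT.COM_id_range", "base_id": 694000000,
     "size": 200000, "rid_base": None, "secondary_rid_base": None},
    {"name": "local_range", "base_id": 1200000, "size": 200000,
     "rid_base": 1000, "secondary_rid_base": 1000000},
]

def overlaps(start_a, size_a, start_b, size_b):
    """True if [start_a, start_a+size_a) and [start_b, start_b+size_b) intersect."""
    return start_a < start_b + size_b and start_b < start_a + size_a

def plan_rid_bases(ranges, rid_base, secondary_rid_base):
    """Return the updated range entry, or None when no range needs RID bases."""
    missing = [r for r in ranges
               if r["rid_base"] is None or r["secondary_rid_base"] is None]
    if not missing:
        return None  # every range already has RID bases, nothing to add
    if len(missing) > 1:
        raise RidBaseError("RID bases must be added for more than one range")
    target = missing[0]
    size = target["size"]
    # The two new RID ranges must not overlap each other ...
    if overlaps(rid_base, size, secondary_rid_base, size):
        raise RidBaseError("primary and secondary RID ranges overlap")
    # ... nor any RID range already assigned to another ID range.
    for other in ranges:
        if other is target:
            continue
        for existing in (other["rid_base"], other["secondary_rid_base"]):
            for new in (rid_base, secondary_rid_base):
                if overlaps(new, size, existing, other["size"]):
                    raise RidBaseError(
                        f"RID base {new} conflicts with {other['name']}")
    return dict(target, rid_base=rid_base, secondary_rid_base=secondary_rid_base)
```

With the ticket's two ranges, a requested RID base of 1000 is rejected because `local_range` already owns RIDs starting at 1000, while bases that fall outside both of its RID ranges are accepted for the range that has none.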
master: 7310395
ipa-3-2: 3613e92
Rename "trusts" component to "Trusts" to achieve correct sorting.
Metadata Update from @mkosek: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 3.3 - 2013/05