#3498 ipa-adtrust-install crashes with multiple local ranges
Closed: Fixed None Opened 9 years ago by mkosek.

There can be multiple ranges set if the first one was depleted or for example there are users migrated from previous IdM solution. We should support that.

# ipa idrange-find
2 ranges matched
  Range name: IDM.LAB.BOS.REDHAT.COM_id_range
  First Posix ID of the range: 694000000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: local_range
  First Posix ID of the range: 1200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1000000
  Range type: local domain range
Number of entries returned 2
# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
This program will setup components needed to establish trust to AD domains for
the FreeIPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to FreeIPA LDAP server

To accept the default shown in brackets, press the Enter key.

IPA generated smb.conf detected.
Overwrite smb.conf? [no]: y
Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

WARNING: 2 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.

Do you want to run the ipa-sidgen task? [no]: y

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/19]: stopping smbd
  [2/19]: creating samba domain object
Samba domain object already exists
  [3/19]: creating samba config registry
  [4/19]: writing samba config file
  [5/19]: adding cifs Kerberos principal
  [6/19]: adding cifs principal to S4U2Proxy targets
cifs principal already targeted, nothing to do.
  [7/19]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do
  [8/19]: adding RID bases
ipa         : CRITICAL Found more than one ID range for the local domain.
Too many ID ranges

Sumit's suggestions for ipa-adtrust-install RID generation:

If there are multiple ranges there are different ways to set the RID-ranges. E.g. you can pick the idrange with the lowest POSIX ID and assign the lowest RID range to it. Then take the one with the next lowest and so on. Alternatively the lowest RID range is assigned to the oldest idrange, and so on.

maybe the logic can be like: lookup idranges, check if RID bases must be added, return if not, check if RID ranges must be added for more than one range, fail if yes, check if the given RID bases are not in conflict with existing ones, fail if yes, add RID ranges.

with this we fail only if RID bases must be added for more than one range, which can be fixed separately.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @mkosek:
- Issue assigned to tbabej
- Issue set to the milestone: FreeIPA 3.3 - 2013/05

5 years ago

Login to comment on this ticket.