We are facing an issue that, when creating a user on our replica, it looks for the dnaNextValue. However, this is 1101 instead of one in our ID range 4174000xx.
I followed the solution in this thread, but that just creates the user with uid 1101.
https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
Some output:
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
SASL/GSSAPI authentication started
SASL username: aairey@CORP.DOMAIN.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 5000
dnaNextValue: 1102
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1

$ sudo ipa idrange-find
---------------
1 range matched
---------------
  Range name: CORP.DOMAIN.COM_id_range
  First Posix ID of the range: 417400000
  Number of IDs in the range: 200000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
Could you please check the configuration using the commands from the following guide?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/display-id-range.html
It appears it is not set:
$ sudo ipa-replica-manage dnarange-show
ipa01.corp.domain.com: 417400040-417599999
ipa02.corp.domain.com: No range set
doma42.corp.domain.com: No range set
doma01.corp.domain.com: 1102-5000
doma02.corp.domain.com: No range set

$ sudo ipa-replica-manage dnanextrange-show
Directory Manager password:
ipa01.corp.domain.com: No on-deck range set
ipa02.corp.domain.com: No on-deck range set
doma42.corp.domain.com: No on-deck range set
doma01.corp.domain.com: No on-deck range set
doma02.corp.domain.com: No on-deck range set
What am I supposed to do? Create non-overlapping ranges as described here?
No range set means that no UID/GID was ever used on the replica => no user has been created on that particular replica.
If I understand correctly, users created on the doma01.corp.domain.com replica have IDs between 1000 and 5000, and you want that replica to assign IDs > 417400000.
Please follow the official documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/man-set-extend-id-ranges.html
and set a non-overlapping dnarange for doma01.corp.domain.com.
Btw, a replica usually gets half of the master's range. But this might not happen in cases when the replica cannot contact the master (e.g. because the master no longer exists) on creation of the first user on the replica.
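An added diagnostic, not from this ticket or from FreeIPA itself, that parses the output of `ipa-replica-manage dnarange-show` and `ipa idrange-find` (constructed copies of the output quoted above are embedded) and flags replicas whose DNA range is unset, lies outside the local ID range, or overlaps another replica's range, which is what the documentation linked above asks you to correct:

```python
import re

# Constructed sample output mirroring the ticket; feed it the real command output.
DNARANGE_SHOW = """\
ipa01.corp.domain.com: 417400040-417599999
ipa02.corp.domain.com: No range set
doma42.corp.domain.com: No range set
doma01.corp.domain.com: 1102-5000
doma02.corp.domain.com: No range set
"""
IDRANGE_FIND = """\
  First Posix ID of the range: 417400000
  Number of IDs in the range: 200000
  Range type: local domain range
"""

def parse_dnaranges(text):
    """Map replica hostname -> (low, high), or None when 'No range set'."""
    pat = re.compile(r"^\s*(\S+):\s*(?:(\d+)-(\d+)|No range set)", re.M)
    return {h: (int(lo), int(hi)) if lo else None for h, lo, hi in pat.findall(text)}

def parse_idranges(text):
    """Return [(first, last)] for every 'local domain range' in idrange-find output."""
    ranges, first, size = [], None, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "First Posix ID of the range":
            first = int(value)
        elif key == "Number of IDs in the range":
            size = int(value)
        elif key == "Range type":
            if first is not None and size is not None and "local" in value:
                ranges.append((first, first + size - 1))
            first, size = None, None
    return ranges

def check_dna_ranges(dnaranges, idranges):
    """Return {host: problem} for DNA ranges that are unset, outside every local ID range, or overlapping."""
    problems = {}
    for host, rng in dnaranges.items():
        if rng is None:
            problems[host] = "no range set (no user created on this replica yet)"
        elif not any(f <= rng[0] and rng[1] <= l for f, l in idranges):
            problems[host] = "DNA range %d-%d lies outside the local ID range" % rng
    hosts = [h for h, r in dnaranges.items() if r]
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            if dnaranges[a][0] <= dnaranges[b][1] and dnaranges[b][0] <= dnaranges[a][1]:
                problems[a] = problems[b] = "DNA ranges of %s and %s overlap" % (a, b)
    return problems
```

Run `check_dna_ranges(parse_dnaranges(...), parse_idranges(...))` on the real output; in the sample, doma01 is reported because 1102-5000 is outside 417400000-417599999, exactly the mismatch described in this ticket.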
Yes, we are actually in a transition phase.
The ipa01 and ipa02 machines are on a conflicting subnet with doma01 and doma02. doma42 is in a "transit subnet". So all ipa servers can reach doma42.
However, we are migrating away from ipa01 and ipa02, so new users will be created on doma01 and doma02. If I create a user on doma42, will the idrange be set correctly? And afterwards can I just create users on doma01 and doma02 because they can see the idrange of doma42?
This is not a bug, or at least I don't see any bug. Therefore closing.
Whether the ID range will be set correctly on a replica depends on whether the original master has an ID range and whether it can be reached from the replica.
Metadata Update from @pvoborni:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)