#9558 ipa idrange-add should display a warning that 389ds restart is required
Closed: fixed 10 months ago by frenaud. Opened 10 months ago by frenaud.

The creation of a new idrange requires a restart of 389ds on all servers. Otherwise the sidgen plugin is not aware of the new range and the creation of a user with a uid/gid inside the new range fails to create a SID for the new user.

Example:

# ipa idrange-add testrange --base-id=10000 --range-size=10000 --rid-base=300000 --secondary-rid-base=400000
--------------------------
Added ID range "testrange"
--------------------------
  Range name: testrange
  First Posix ID of the range: 10000
  Number of IDs in the range: 10000
  First RID of the corresponding RID range: 300000
  First RID of the secondary RID range: 400000
  Range type: local domain range
# ipa user-add testsiduser --first=test --last=test --uid=10001 --gid=10001
------------------------
Added user "testsiduser"
------------------------
  User login: testsiduser
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/testsiduser
  GECOS: test test
  Login shell: /bin/sh
  Principal name: testsiduser@IPA.TEST
  Principal alias: testsiduser@IPA.TEST
  Email address: testsiduser@ipa.test
  UID: 10001
  GID: 10001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# ipa user-show testsiduser --all --raw
  dn: uid=testsiduser,cn=users,cn=accounts,dc=ipa,dc=test
  uid: testsiduser
  givenname: test
  sn: test
  cn: test test
  initials: tt
  homedirectory: /home/testsiduser
  gecos: test test
  loginshell: /bin/sh
  krbcanonicalname: testsiduser@IPA.TEST
  krbprincipalname: testsiduser@IPA.TEST
  mail: testsiduser@ipa.test
  uidnumber: 10001
  gidnumber: 10001
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: test test
  ipaUniqueID: 97630ea8-e519-11ee-bf56-fa163ef95a1e
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=testsiduser,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry

The user does not contain any SID.

Now restart 389ds and add a new user in the range:

# systemctl restart dirsrv@IPA-TEST.service
# ipa user-add testsiduser2 --first=test --last=test2 --uid=10002 --gid=10002
-------------------------
Added user "testsiduser2"
-------------------------
  User login: testsiduser2
  First name: test
  Last name: test2
  Full name: test test2
  Display name: test test2
  Initials: tt
  Home directory: /home/testsiduser2
  GECOS: test test2
  Login shell: /bin/sh
  Principal name: testsiduser2@IPA.TEST
  Principal alias: testsiduser2@IPA.TEST
  Email address: testsiduser2@ipa.test
  UID: 10002
  GID: 10002
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# ipa user-show testsiduser2 --all --raw
  dn: uid=testsiduser2,cn=users,cn=accounts,dc=ipa,dc=test
  uid: testsiduser2
  givenname: test
  sn: test2
  cn: test test2
  initials: tt
  homedirectory: /home/testsiduser2
  gecos: test test2
  loginshell: /bin/sh
  krbcanonicalname: testsiduser2@IPA.TEST
  krbprincipalname: testsiduser2@IPA.TEST
  mail: testsiduser2@ipa.test
  uidnumber: 10002
  gidnumber: 10002
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: test test2
  ipaNTSecurityIdentifier: S-1-5-21-2108868118-1605462213-3012850021-300002
  ipaUniqueID: b98d817a-e519-11ee-96a2-fa163ef95a1e
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=testsiduser2,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs

The user contains a SID.
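The symptom above (a user created inside a freshly added local range gets no ipaNTSecurityIdentifier until dirsrv is restarted) is easy to verify after the fact. The following script is an added example and is not part of this ticket or of FreeIPA's own code: it parses the key/value output of `ipa user-show --all --raw` as pasted in the ticket, and for every user whose uidnumber falls into a local ID range it reports a missing SID, or a SID whose RID does not match the range. The range definition mirrors the ticket's `testrange` (base-id 10000, range-size 10000, rid-base 300000), and the user RID formula `rid_base + (uid - base_id)` is an assumption generalized from the ticket's numbers (uid 10002 received RID 300002). The names `IdRange`, `parse_raw_entries` and `check_user_sids`, and the sample entries, are constructed for the example.

```python
"""Detect users in a local FreeIPA ID range that did not receive a SID.

Added example, not FreeIPA project code. The user RID formula
(rid_base + (uid - base_id)) is an assumption generalized from the
numbers in the ticket: uid 10002 in a range with base-id 10000 and
rid-base 300000 received RID 300002.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    """A local ID range as created by `ipa idrange-add` (hypothetical helper)."""
    name: str
    base_id: int
    size: int
    rid_base: int

    def contains(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

    def expected_user_rid(self, uid: int) -> int:
        # Assumption generalized from the ticket: RID = rid_base + offset in range.
        return self.rid_base + (uid - self.base_id)


def parse_raw_entries(text: str) -> list:
    """Split `ipa user-show --all --raw` output into one dict per entry.

    Keys are lower-cased (the CLI prints ipaNTSecurityIdentifier in mixed
    case); repeated attributes such as objectClass become lists. Lines
    starting with '#' are shell prompts from a pasted session and are skipped.
    """
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_user_sids(text: str, ranges: list, domain_sid: str) -> list:
    """Return (login, problem) pairs for users in a local range without a correct SID."""
    problems = []
    for entry in parse_raw_entries(text):
        if "uidnumber" not in entry:
            continue  # not a POSIX user entry
        login = entry["uid"][0]
        uid = int(entry["uidnumber"][0])
        rng = next((r for r in ranges if r.contains(uid)), None)
        if rng is None:
            continue  # outside the ranges we were asked to check
        sids = entry.get("ipantsecurityidentifier")
        if not sids:
            problems.append((login, f"no SID although uid {uid} is in local range "
                                    f"{rng.name}; dirsrv likely needs a restart on all servers"))
            continue
        expected = f"{domain_sid}-{rng.expected_user_rid(uid)}"
        if sids[0] != expected:
            problems.append((login, f"SID {sids[0]} differs from expected {expected}"))
    return problems


# Constructed sample based on the two users in the ticket plus one user
# outside the range; only the attributes the check needs are kept.
DOMAIN_SID = "S-1-5-21-2108868118-1605462213-3012850021"
TESTRANGE = IdRange(name="testrange", base_id=10000, size=10000, rid_base=300000)
SAMPLE_RAW = """\
# ipa user-show testsiduser --all --raw
dn: uid=testsiduser,cn=users,cn=accounts,dc=ipa,dc=test
uid: testsiduser
uidnumber: 10001
gidnumber: 10001
objectClass: posixaccount

dn: uid=testsiduser2,cn=users,cn=accounts,dc=ipa,dc=test
uid: testsiduser2
uidnumber: 10002
gidnumber: 10002
ipaNTSecurityIdentifier: S-1-5-21-2108868118-1605462213-3012850021-300002
objectClass: posixaccount
objectClass: ipantuserattrs

dn: uid=otheruser,cn=users,cn=accounts,dc=ipa,dc=test
uid: otheruser
uidnumber: 5000
gidnumber: 5000
"""

if __name__ == "__main__":
    for login, problem in check_user_sids(SAMPLE_RAW, [TESTRANGE], DOMAIN_SID):
        print(f"{login}: {problem}")
```

Feeding it the real `--raw` dump of all users (for instance `ipa user-find --all --raw`) with the ranges from `ipa idrange-find` gives a quick post-change audit: any user listed is one whose SID the sidgen plugin could not assign at creation time.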

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-28996

10 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7274

10 months ago

master:

  • 64861a0 idrange-add: add a warning because 389ds restart is required

Forgot to add: this change is only needed for the local ID range, because only these ranges will be used for SID generation. This means the warning message should be scoped to the type of the range. More fixes are needed.

ipa-4-11:

  • 1a64b27 idrange-add: add a warning because 389ds restart is required

ipa-4-10:

  • ae45076 idrange-add: add a warning because 389ds restart is required

ipa-4-9:

  • 0a08382 idrange-add: add a warning because 389ds restart is required

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

10 months ago

Reopen as we need to condition the warning to local range only.

Metadata Update from @abbra:
- Issue status updated to: Open (was: Closed)

10 months ago

master:

  • a57b665 idrange: only issue warning to restart services for a local range
  • 6cc668f xmlrpc: adapt range plugin test

ipa-4-11:

  • 12b4feb idrange: only issue warning to restart services for a local range
  • 0290632 xmlrpc: adapt range plugin test

ipa-4-10:

  • 5f16a2f idrange: only issue warning to restart services for a local range
  • 4fced81 xmlrpc: adapt range plugin test

ipa-4-9:

  • f28932b idrange: only issue warning to restart services for a local range
  • 2fcdaf1 xmlrpc: adapt range plugin test

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

10 months ago

Metadata Update from @abbra:
- Custom field changelog adjusted to When new local ID range is added, ipa idrange-add now displays a warning asking for restart of LDAP server to allow SID generation plugin to pick up the changes.

8 months ago
