The creation of a new idrange requires a restart of 389ds on all servers. Otherwise the sidgen plugin is not aware of the new range and the creation of a user with a uid/gid inside the new range fails to create a SID for the new user.
Example:
```
# ipa idrange-add testrange --base-id=10000 --range-size=10000 --rid-base=300000 --secondary-rid-base=400000
--------------------------
Added ID range "testrange"
--------------------------
  Range name: testrange
  First Posix ID of the range: 10000
  Number of IDs in the range: 10000
  First RID of the corresponding RID range: 300000
  First RID of the secondary RID range: 400000
  Range type: local domain range
# ipa user-add testsiduser --first=test --last=test --uid=10001 --gid=10001
------------------------
Added user "testsiduser"
------------------------
  User login: testsiduser
  First name: test
  Last name: test
  Full name: test test
  Display name: test test
  Initials: tt
  Home directory: /home/testsiduser
  GECOS: test test
  Login shell: /bin/sh
  Principal name: testsiduser@IPA.TEST
  Principal alias: testsiduser@IPA.TEST
  Email address: testsiduser@ipa.test
  UID: 10001
  GID: 10001
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# ipa user-show testsiduser --all --raw
  dn: uid=testsiduser,cn=users,cn=accounts,dc=ipa,dc=test
  uid: testsiduser
  givenname: test
  sn: test
  cn: test test
  initials: tt
  homedirectory: /home/testsiduser
  gecos: test test
  loginshell: /bin/sh
  krbcanonicalname: testsiduser@IPA.TEST
  krbprincipalname: testsiduser@IPA.TEST
  mail: testsiduser@ipa.test
  uidnumber: 10001
  gidnumber: 10001
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: test test
  ipaUniqueID: 97630ea8-e519-11ee-bf56-fa163ef95a1e
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=testsiduser,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
```
The user does not contain any SID.
Now restart 389ds and add a new user in the range:
```
# systemctl restart dirsrv@IPA-TEST.service
# ipa user-add testsiduser2 --first=test --last=test2 --uid=10002 --gid=10002
-------------------------
Added user "testsiduser2"
-------------------------
  User login: testsiduser2
  First name: test
  Last name: test2
  Full name: test test2
  Display name: test test2
  Initials: tt
  Home directory: /home/testsiduser2
  GECOS: test test2
  Login shell: /bin/sh
  Principal name: testsiduser2@IPA.TEST
  Principal alias: testsiduser2@IPA.TEST
  Email address: testsiduser2@ipa.test
  UID: 10002
  GID: 10002
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
# ipa user-show testsiduser2 --all --raw
  dn: uid=testsiduser2,cn=users,cn=accounts,dc=ipa,dc=test
  uid: testsiduser2
  givenname: test
  sn: test2
  cn: test test2
  initials: tt
  homedirectory: /home/testsiduser2
  gecos: test test2
  loginshell: /bin/sh
  krbcanonicalname: testsiduser2@IPA.TEST
  krbprincipalname: testsiduser2@IPA.TEST
  mail: testsiduser2@ipa.test
  uidnumber: 10002
  gidnumber: 10002
  nsaccountlock: FALSE
  has_password: FALSE
  has_keytab: FALSE
  displayName: test test2
  ipaNTSecurityIdentifier: S-1-5-21-2108868118-1605462213-3012850021-300002
  ipaUniqueID: b98d817a-e519-11ee-96a2-fa163ef95a1e
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=testsiduser2,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: top
  objectClass: person
  objectClass: organizationalperson
  objectClass: inetorgperson
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: krbprincipalaux
  objectClass: krbticketpolicyaux
  objectClass: ipaobject
  objectClass: ipasshuser
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
#
```
The user contains a SID.
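A small check for the symptom shown in the session above, added here as an example and not part of the ticket or of FreeIPA itself: it parses the text output of `ipa idrange-show` and `ipa user-show --all --raw`, and reports users whose uidnumber sits inside a local range but who either have no ipaNTSecurityIdentifier or carry a RID that does not line up with the range's RID base (for the page's range, UID 10002 should map to RID 300002). The sample outputs are constructed and abbreviated; the function and key names are this example's own.

```python
"""Added example (not from the FreeIPA ticket or project): flag users inside a
local ID range that lack a SID or whose RID does not match the range."""
# Constructed, abbreviated outputs in the formats shown in the ticket.
RANGE_OUT = """\
  Range name: testrange
  First Posix ID of the range: 10000
  Number of IDs in the range: 10000
  First RID of the corresponding RID range: 300000
  Range type: local domain range
"""
USER_NO_SID = "uid: testsiduser\nuidnumber: 10001\n"
USER_WITH_SID = ("uid: testsiduser2\nuidnumber: 10002\n"
                 "ipaNTSecurityIdentifier: S-1-5-21-2108868118-1605462213-3012850021-300002\n")

def parse_kv(text):
    """'key: value' lines -> {lowercased key: [values]}; other lines are skipped."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            out.setdefault(key.strip().lower(), []).append(val.strip())
    return out

def parse_range(text):
    """Pick the `ipa idrange-show` fields that SID generation depends on."""
    kv = parse_kv(text)
    first = int(kv["first posix id of the range"][0])
    return {"first": first,
            "last": first + int(kv["number of ids in the range"][0]) - 1,
            "rid_base": int(kv["first rid of the corresponding rid range"][0]),
            "local": kv["range type"][0] == "local domain range"}

def sid_problems(idrange, user_outputs):
    """Return {login: reason} for in-range users without a consistent SID."""
    problems = {}
    # only local ranges are used for SID generation, so skip others entirely
    for raw in (user_outputs if idrange["local"] else []):
        kv = parse_kv(raw)
        uid = int(kv["uidnumber"][0])
        if not idrange["first"] <= uid <= idrange["last"]:
            continue
        sids = kv.get("ipantsecurityidentifier")
        if not sids:
            problems[kv["uid"][0]] = "no SID (sidgen plugin may not know the range yet)"
            continue
        # primary RID = RID base + UID offset within the range (300002 for UID 10002)
        rid = int(sids[0].rsplit("-", 1)[1])
        if rid != idrange["rid_base"] + (uid - idrange["first"]):
            problems[kv["uid"][0]] = "RID %d does not match the range's RID base" % rid
    return problems
```

Run it against the output of every user created after an `ipa idrange-add`; a non-empty result for a freshly added local range is the restart-needed condition the ticket describes.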
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-28996
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7274
master:
Forgot to add: this change is only needed for the local ID range because only these ranges will be used for SID generation. This means the warning message should be scoped to the type of the range. More fixes are needed.
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-28996, https://issues.redhat.com/browse/RHEL-29762 (was: https://issues.redhat.com/browse/RHEL-28996)
ipa-4-11:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Reopen as we need to condition the warning to local range only.
Metadata Update from @abbra: - Issue status updated to: Open (was: Closed)
New PR: https://github.com/freeipa/freeipa/pull/7284
Metadata Update from @abbra: - Custom field changelog adjusted to: When a new local ID range is added, ipa idrange-add now displays a warning asking for a restart of the LDAP server to allow the SID generation plugin to pick up the changes.
ipa idrange-add