On 25/11/16 12:02, Martin Babinsky wrote:
On 11/25/2016 12:48 PM, lejeczek wrote:
On 25/11/16 07:52, Martin Babinsky wrote:
On 11/24/2016 07:30 PM, lejeczek wrote:
On 24/11/16 17:14, lejeczek wrote:
hi
I see this:
2 ranges matched
----------------
Range name: xx.id_range
First Posix ID of the range: 1952400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain:
S-1-5-21-1144915091-2252175215-702530032
Range type: Active Directory domain range
Range name: xx.xx.xx.xx.x_id_range
First Posix ID of the range: 1875000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 2
Some time ago when I first set up IPA I migrated users from samba3's ldap backend. Since then until today there were no new users I needed to add, but now I do.
The first range on the list I think is a remnant of an AD trust which does not exist any more (should it be removed?).
I'm not sure how to read the range info; one thing I notice is that UIDs from migration are probably between 500 & 2000, and now if I supply the uid manually to user-add, and the gid (which is old Samba's domain users group), then creation of the new user succeeds.
Is this normal, expected?
mthx,
L
ok, solution (ldapmodify) to the problem:
https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
but could some experts shed more light on it - I see that some time ago (after migration/import) I actually created a user manually:
$ id netdevadmin
uid=1875000006(netdevadmin) gid=1875000006(netdevadmin) groups=1875000006(netdevadmin)
today, after ldapmodify, I create a new user but uids seem to come from (what?) a different range??
$ id appmgr
uid=3501(appmgr) gid=3501(appmgr) groups=3501(appmgr)
what is happening?
regards
L
You are seeing this because you probably set dnaMaxValue too low (5000 or so) and, as the name of the attribute implies, it sets the maximum UID/GID for the range assigned by the plugin.
By default, the local IPA ID ranges are set to huge numbers (on my test VMs I have dnaMaxValue 241799999) to avoid collisions with UIDs/GIDs of local users (which are typically in the range of thousands/tens of thousands).
However, the changes done directly in the DNA plugin configuration are not reflected in ID range objects; that's why you may observe the disparity between ID range characteristics and actual UIDs/GIDs provisioned.
Can you guess what changed those dnaMaxValue after initial setup/installation (soon after I created 1875000006(netdevadmin), UID was assigned by IPA)? It certainly was not me.
Well, you wrote:
> ok, solution (ldapmodify) to the problem:
> https://www.redhat.com/archives/freeipa-users/2014-February/msg00246.html
so I guess you indeed changed the value by running ldapmodify?
Well, I did, but only now, hoping to fix:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
and before I did, those values were:
# Posix IDs, Distributed Numeric Assignment Plugin, plugins,
config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment
Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
Should I worry about these disparities? Should I be setting dnaMaxValue (and any relevant) to correspond to the idrange(s)?
In general, I would not meddle with DNA plugin settings unless something is seriously wrong (like a replica that did not receive any DNA range block before the master was decommissioned, see [1]), and even then I would be extra careful to set the DNA plugin ranges to correspond to the actual IPA ID ranges to avoid any UID/GID collisions (which can get nasty very quickly).
So, would you say what should be the value of dnaMaxValue in case of that range my IPA shows?
Lastly, I see my IPA has two ranges, one is from an AD trust which has been removed; is it ok to leave/keep that range?
The leftover range from AD does no harm; you can safely remove it just to avoid confusion.
mthx,
L.
[1] http://www.freeipa.org/page/V3/Recover_DNA_Ranges
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
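The thread leaves the arithmetic implicit: the "local domain range" printed by `ipa idrange-find` starts at 1875000000 and holds 200000 IDs, so a DNA plugin whose dnaMaxValue is 1100 (or any value below the range start) cannot hand out IDs inside it, and the 3501 the poster saw lies outside every IPA ID range. The script below is an added example, not code from the thread or from the FreeIPA project: it derives the range end from the idrange attributes, classifies the two UIDs seen in the thread against the range, and emits the ldapmodify LDIF that sets dnaNextValue and dnaMaxValue on the DNA entry whose DN the poster dumped. The next-value argument (1875000007, one above the highest ID the thread shows being assigned from that range), the ldapmodify invocation in the comment, and the refusal to emit an LDIF whose next value is outside the range are assumptions made for the example; the entry DN and attribute names are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: align the 389-ds DNA plugin with an IPA local ID range.
# Not from the mailing-list thread or the FreeIPA project.  Inputs mirror
# the "local domain range" shown in the thread (base 1875000000, size
# 200000); the next value and the ldapmodify command line are assumptions.

# Last ID covered by a range that starts at $1 and holds $2 IDs.
range_end() {
    echo $(( $1 + $2 - 1 ))
}

# Succeeds when UID/GID $1 lies inside the range starting at $2 with $3 IDs.
in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$(range_end "$2" "$3")" ]
}

# "inside" or "outside": where an existing UID sits relative to the range.
classify() {
    if in_range "$1" "$2" "$3"; then echo inside; else echo outside; fi
}

# Print the LDIF that points the DNA plugin at the range.  Refuses to emit
# anything if the requested next value is not itself inside the range, since
# a dnaNextValue above dnaMaxValue reproduces the "Allocation of a new value
# for range ... failed" error from the thread.
dna_ldif() {
    base=$1; size=$2; next=$3
    if ! in_range "$next" "$base" "$size"; then
        echo "refusing: next value $next outside $base-$(range_end "$base" "$size")" >&2
        return 1
    fi
    cat <<EOF
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaNextValue
dnaNextValue: $next
-
replace: dnaMaxValue
dnaMaxValue: $(range_end "$base" "$size")
EOF
}

# Demo on the thread's numbers.  netdevadmin was allocated by IPA from the
# range; appmgr got 3501 after the DNA entry had been edited by hand.
for uid in 1875000006 3501; do
    echo "uid $uid is $(classify "$uid" 1875000000 200000) the local range"
done
dna_ldif 1875000000 200000 1875000007
# To apply (assumed invocation; review the LDIF first):
#   dna_ldif 1875000000 200000 1875000007 | \
#     ldapmodify -x -D 'cn=Directory Manager' -W -H ldap://localhost
```

Before applying such an LDIF, confirm that no existing uidNumber or gidNumber already sits at or above the chosen dnaNextValue, otherwise the plugin will eventually allocate a duplicate, which is the collision Martin warns about. On a replicated deployment each master carries its own slice of the range, so prefer `ipa-replica-manage dnarange-show` and `ipa-replica-manage dnarange-set` (on releases that ship them) over a hand-written ldapmodify against cn=config.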