On 2/3/21 6:18 PM, Friedrich Schäuffelhut wrote:

We would like to fix this without reinstalling FreeIPA.
We have already a number of hosts, users and certificates enrolled.

I am now looking for a way to move the FreeIPA UID range to
a different area, e.g. 10.000 - 20.000.

We run 3 replicas connected to each other.

I found the ipa commands 'idrange-add' and 'idrange-del' and
wonder if I could use those to
1. add a new range at 10.000
2. Update UIDs of existing users
3. remove the old range at 100.000.

If I understand correctly moving your IPA range may be problematic
since you are actively using the uids.
Do you have substantial podman usage?
If not, move the podman ranges away. They are automatically allocated
according to SUB_UID_MIN et al. (man adduser): change those vars
and reassign ranges for the existing users.
Personally, I find the 100000+uid*65536 default rule terrible since
it gives you unreadable final numbers.
My rule is to rebuild everything from scratch after adding a new user
with:

# one 65536-wide block per user/group, starting at 100000*id (id 0 is treated as 1)
while IFS=":" read -r a b c x; do [ "$c" -eq 0 ] && c=1; echo "$a:$((100000*c)):65536"; done </etc/passwd >/etc/subuid
while IFS=":" read -r a b c x; do [ "$c" -eq 0 ] && c=1; echo "$a:$((100000*c)):65536"; done </etc/group >/etc/subgid

which gives me 400015 for subuser 15 of user 4.
(note that root=0 is problematic and I collapse it into bin=1,
both starting at 100000)

Regards.
--
   Roberto Ragusa    mail at robertoragusa.it
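
A check that fits the concern in this thread, as an added example that is not part of the original message: it reads a subuid-style file and reports entries that fall inside a directory ID range, plus entries of different owners that overlap each other. The function name, the sample entries and the range base and size are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a subuid/subgid-style file (name:start:count).

# subid_conflicts FILE BASE SIZE
#   RANGE name start end  -> entry intersects [BASE, BASE+SIZE)
#   PEER name1 name2      -> entries of two different owners intersect
#   BAD line N            -> line N is not name:start:count
subid_conflicts() {
    awk -F: -v base="$2" -v size="$3" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            printf "BAD line %d\n", NR; next
        }
        {
            s = $2 + 0; e = s + $3 - 1          # inclusive end of this entry
            if (s <= base + size - 1 && e >= base)
                printf "RANGE %s %d %d\n", $1, s, e
            for (i = 1; i <= n; i++)
                if (name[i] != $1 && s <= last[i] && e >= first[i])
                    printf "PEER %s %s\n", name[i], $1
            n++; name[n] = $1; first[n] = s; last[n] = e
        }
    ' "$1"
}

# Constructed sample in the layout the 100000*uid rule produces (not real data).
sample=$(mktemp)
cat >"$sample" <<'EOF'
root:100000:65536
bin:100000:65536
daemon:200000:65536
alice:100000000:65536
EOF

# Assumed directory ID range: base 100000, size 200000 (constructed values).
subid_conflicts "$sample" 100000 200000
rm -f "$sample"
```

Run it against /etc/subuid and /etc/subgid with the base and size of the directory range in use; an empty result means no entry touches that range and no two owners share subordinate IDs.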