Top-posting since this was so long (a good thing, lots of necessary details).
I think that ipa-replica-manage is failing because you have a Kerberos ticket and setting the value requires Directory Manager authentication. Run `kdestroy -A` and try to set the next range again. I'd probably set it to 0 0 (remove it) rather than guess a proper range.
Your ranges are configured VERY strangely which is probably the root of the issue. You're missing like 98% of your total range because it isn't included in any of the existing DNA ranges.
I'd start by setting the range of serverC to 104608142-104799999. That plus dropping the bogus next range will likely fix things for you. I picked C since it contains the highest value of the ranges. Ideally you might divide the remaining range in thirds and assign a non-overlapping set to each server but you'd want to poke at all your uid/gid values to figure out where each range should start. Normally the first replica gets half the range. Then subsequent replicas get half of that, and so on.
This may fix your replica install issue. If not you can try pre-creating the missing group on an existing server, replacing $SUFFIX in an LDIF with yours. I'm using dc=example,dc=test in this case:
# sed 's/$SUFFIX/dc=example,dc=test/' < /usr/share/ipa/default-smb-group.ldif > /tmp/default-smb-group.ldif
# ldapmodify -x -D 'cn=Directory Manager' -W -f /tmp/default-smb-group.ldif
This way the replica won't try to create one itself and it may install. Of course you'd still need to get it a range somehow.
rob
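The range check Rob walks through above, as an added example (not part of the thread and not FreeIPA's own code): it parses the dnarange-show / dnanextrange-show output quoted further down against the idrange from idrange-find, flags ranges that fall outside the idrange (serverA's on-deck range) or overlap each other, counts how much of the idrange no DNA range covers, and derives the extension of serverC's range that Rob suggests, or alternatively a three-way split of the free tail. The hostnames and numbers are the ones quoted in the thread; the function names are mine.

```python
"""Check FreeIPA DNA ranges (dnarange-show / dnanextrange-show) against the idrange."""
import re
from dataclasses import dataclass

# Values from "ipa idrange-find" for the local domain range, as quoted in the thread.
IDRANGE_BASE = 104600000                       # First Posix ID of the range
IDRANGE_SIZE = 200000                          # Number of IDs in the range
IDRANGE_END = IDRANGE_BASE + IDRANGE_SIZE - 1  # last ID inside the range, inclusive

# Sample input constructed from the ipa-replica-manage output quoted in the thread.
DNARANGE_SHOW = """\
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
"""
DNANEXTRANGE_SHOW = """\
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
"""

LINE_RE = re.compile(r"^(\S+):\s+(\d+)-(\d+)\s*$")


@dataclass(frozen=True)
class DnaRange:
    server: str
    kind: str   # "active" (dnaNextValue-dnaMaxValue) or "next" (dnaNextRange)
    lo: int
    hi: int     # inclusive, like dnaMaxValue


def parse_ranges(text, kind):
    """Parse 'host: lo-hi' lines; hosts reporting 'No range set' are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(DnaRange(m.group(1), kind, int(m.group(2)), int(m.group(3))))
    return out

def outside_idrange(ranges, base=IDRANGE_BASE, end=IDRANGE_END):
    """Ranges not fully inside the idrange: DNA would hand out IDs no idrange maps to a SID."""
    return [r for r in ranges if r.lo < base or r.hi > end]

def overlaps(ranges):
    """Pairs of ranges sharing at least one ID; two masters could then issue the same uid/gid."""
    srt = sorted(ranges, key=lambda r: r.lo)
    return [(a, b) for i, a in enumerate(srt) for b in srt[i + 1:] if b.lo <= a.hi]

def unallocated_ids(ranges, base=IDRANGE_BASE, end=IDRANGE_END):
    """IDs of the idrange that belong to no active or on-deck DNA range (clipped to the idrange)."""
    covered = 0
    for r in ranges:
        lo, hi = max(r.lo, base), min(r.hi, end)
        if lo <= hi:
            covered += hi - lo + 1
    return (end - base + 1) - covered

def free_tail(ranges, base=IDRANGE_BASE, end=IDRANGE_END):
    """Contiguous block from just above the highest in-range value up to the idrange end."""
    top = max((r.hi for r in ranges if r.hi <= end), default=base - 1)
    return (top + 1, end)

def extend_highest(ranges, end=IDRANGE_END):
    """Rob's fix: the server whose active range reaches highest gets everything up to the end."""
    active = [r for r in ranges if r.kind == "active" and r.hi <= end]
    top = max(active, key=lambda r: r.hi)
    return (top.server, top.lo, end)

def split_tail(tail, parts):
    """Alternative: cut the free tail into non-overlapping pieces, one per server."""
    lo, hi = tail
    size = (hi - lo + 1) // parts
    return [(lo + i * size, hi if i == parts - 1 else lo + (i + 1) * size - 1)
            for i in range(parts)]

def report(ranges):
    """Human-readable findings plus the dnarange-set command that applies Rob's fix."""
    lines = []
    for r in outside_idrange(ranges):
        lines.append(f"{r.server}: {r.kind} range {r.lo}-{r.hi} lies outside the idrange")
    for a, b in overlaps(ranges):
        lines.append(f"overlap: {a.server} {a.lo}-{a.hi} and {b.server} {b.lo}-{b.hi}")
    free = unallocated_ids(ranges)
    lines.append(f"{free} of {IDRANGE_SIZE} IDs ({100 * free / IDRANGE_SIZE:.1f}%) are in no DNA range")
    srv, lo, hi = extend_highest(ranges)
    lines.append(f"suggested: ipa-replica-manage dnarange-set {srv} {lo}-{hi}")
    return lines


if __name__ == "__main__":
    rngs = parse_ranges(DNARANGE_SHOW, "active") + parse_ranges(DNANEXTRANGE_SHOW, "next")
    print("\n".join(report(rngs)))
```

The unallocated count includes the on-deck ranges as covered, so it comes out slightly above Rob's rough estimate; either way nearly the whole idrange is assigned to no master.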
Khurrum Maqb via FreeIPA-users wrote:
Hi all,
I'm moving from CentOS 7 running FreeIPA Server 4.6.8-5 to Rocky Linux 8 running FreeIPA Server 4.9.10-6, and I am having some issues, apparently with idranges and dnaranges, when creating a replica on RL8. There are 3x CentOS 7 systems (ServerA, ServerB, ServerC) and 1x Rocky Linux 8 (ServerRL).
This domain has been around since the CentOS 6 days.
The main issue: when I try to create a replica on RL8, there is a failure at "[7/7]: adding fallback group" with "Operations Error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed."
When I check the available idranges, they are not depleted.
The main oddity that I'm seeing is that some of the earliest UIDs and GIDs are in the range 100710000 + 200000. And ServerA has a dnaNextRange set to 1007111507-1007111999. This is in a non-existent idrange.
When I try to set it manually, all I get is Updating Next Range Failed.
See logs:
####### On ServerRL (New RL 8 server) #######
# ipa-replica-install --setup-ca --setup-dns --forwarder <IP> --forwarder <IP>
  [6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [7/7]: adding fallback group
Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
Failed to add fallback group.
  [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
And in the ipareplica-install.log I see:
2023-01-25T16:33:28Z DEBUG step duration: SID generation __restart_dirsrv 8.81 sec
2023-01-25T16:33:28Z DEBUG   [7/7]: adding fallback group
2023-01-25T16:33:28Z DEBUG flushing ldapi://%2Frun%2Fslapd-mydomain3-COM.socket from SchemaCache
2023-01-25T16:33:28Z DEBUG retrieving schema for SchemaCache url=ldapi://%2Frun%2Fslapd-mydomain3-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fc8a1020278>
2023-01-25T16:33:29Z DEBUG Starting external process
2023-01-25T16:33:29Z DEBUG args=['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
2023-01-25T16:33:39Z DEBUG Process finished, return code=1
2023-01-25T16:33:39Z DEBUG stdout=add cn:
	Default SMB Group
add description:
	Fallback group for primary group RID, do not add users to this group
add gidnumber:
	-1
add objectclass:
	top
	ipaobject
	posixgroup
adding new entry "cn=Default SMB Group,cn=groups,cn=accounts,dc=mydomain3,dc=com"

2023-01-25T16:33:39Z DEBUG stderr=ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Operations error (1)
	additional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.

2023-01-25T16:33:39Z CRITICAL Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z DEBUG Failed to add fallback group.
2023-01-25T16:33:39Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1085, in error_handler
    yield
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1585, in find_entries
    raise e
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1545, in find_entries
    result = self.conn.result3(id, 0)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in reraise
    raise exc_value
  File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in _ldap_call
    result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'msgtype': 101, 'msgid': 4, 'result': 32, 'desc': 'No such object', 'ctrls': [], 'matched': 'cn=groups,cn=accounts,dc=mydomain3,dc=com'}

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 327, in __add_fallback_group
    api.Backend.ldap2.get_entry(fb_group_dn)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1941, in get_entry
    dn, attrs_list, time_limit, size_limit, get_effective_rights
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1642, in get_entry
    size_limit=size_limit, get_effective_rights=get_effective_rights,
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1454, in get_entries
    **kwargs)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1592, in find_entries
    break
  File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1095, in error_handler
    raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group
    raise e
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group
    self._ldap_mod('default-smb-group.ldif', self.sub_dict)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod
    ipautil.run(args, nolog=nologlist)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')

2023-01-25T16:33:39Z DEBUG   [error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 599, in main
    replica_install(self)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
    func(installer)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install
    adtrust.install(False, options, fstore, api)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install
    smb.create_instance()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 913, in create_instance
    self.start_creation(show_service_name=False)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
    method()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 333, in __add_fallback_group
    raise e
  File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 330, in __add_fallback_group
    self._ldap_mod('default-smb-group.ldif', self.sub_dict)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 399, in _ldap_mod
    ipautil.run(args, nolog=nologlist)
  File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in run
    p.returncode, arg_string, output_log, error_log

2023-01-25T16:33:39Z DEBUG The ipa-replica-install command failed, exception: CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z ERROR CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5', '-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
2023-01-25T16:33:39Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
####### ON serverA #######
Last login: Wed Jan 25 10:44:37 2023 from client.sub.mydomain3.com
[root@serverA ~]# ipa-replica-manage list
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverA ~]# ipa idrange-find
2 ranges matched
  Range name: mydomain3.COM_id_range
  First Posix ID of the range: 104600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: mydomain3.COM_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
  Range type: Active Directory domain range
Number of entries returned 2
[root@serverA ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverA ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverA ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104605500
dnaNextRange: 1007111507-1007111999
dnaNextValue: 104605010
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@serverA ~]#
####### ON serverB #######
Last login: Wed Jan 25 10:44:16 2023 from client.sub.mydomain3.com
[root@serverB ~]# ipa-replica-manage list
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverB ~]# ipa idrange-find
2 ranges matched
  Range name: mydomain3.COM_id_range
  First Posix ID of the range: 104600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: mydomain3.COM_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
  Range type: Active Directory domain range
Number of entries returned 2
[root@serverB ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverB ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverB ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104606000
dnaNextRange: 104606003-104606500
dnaNextValue: 104605502
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@serverB ~]#
####### ON serverC #######
Last login: Wed Jan 25 10:44:51 2023 from client.sub.mydomain3.com
[root@serverC ~]# ipa-replica-manage list
Directory Manager password:
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverC ~]# ipa idrange-find
ipa: ERROR: did not receive Kerberos credentials
[root@serverC ~]# kinit kmaqbool
Password for kmaqbool@mydomain3.COM:
[root@serverC ~]# ipa idrange-find
2 ranges matched
  Range name: mydomain3.COM_id_range
  First Posix ID of the range: 104600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: mydomain3.COM_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
  Range type: Active Directory domain range
Number of entries returned 2
[root@serverC ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverC ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverC ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104608500
dnaNextRange: 104606519-104606600
dnaNextValue: 104608142
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@serverC ~]#
####### ON serverRL #######
root@192.168.162.6's password:
Last login: Wed Jan 25 10:55:08 2023 from client.sub.mydomain3.com
[root@serverRL ~]# ipa idrange-find
2 ranges matched
  Range name: mydomain3.COM_id_range
  First Posix ID of the range: 104600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: mydomain3.COM_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
  Range type: Active Directory domain range
Number of entries returned 2
[root@serverRL ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@serverRL ~]# ipa-replica-manage dnarange-show
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: IPA is not configured on this system.
####### ON serverA #######
Attempting to change dnaNextRange
[root@serverA ~]# ipa-replica-manage dnanextrange-set -d serverA.sub.mydomain3.com 104607000-104607500
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa: DEBUG: found 1 A records for serverA.sub.mydomain3.com.: 192.168.162.11
ipa: DEBUG: The DNS response does not contain an answer to the question: serverA.sub.mydomain3.com. IN AAAA
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverA.sub.mydomain3.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0818d6b1b8>
ipa: DEBUG: Created connection context.ldap2_139672798648528
ipa: DEBUG: found 1 A records for serverA.sub.mydomain3.com.: 192.168.162.11
ipa: DEBUG: The DNS response does not contain an answer to the question: serverA.sub.mydomain3.com. IN AAAA
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverB.sub.mydomain3.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0818d8be60>
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverC.mydomain3.com:636 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0815752bd8>
Updating next range failed
Any help would be MUCH appreciated.
Thank you,
Khurrum

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org