On Feb 26, 2019, at 12:50 AM, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
> On ma, 25 helmi 2019, TomK via FreeIPA-users wrote:
> Hey All,
>
> Given that I have two separate IPA clusters on the same subnet but two different domains, is there any chance that the IPA servers can issue identical UID / GID numbers thereby causing conflicts on the setup? When setting up the IPA servers, is there a chance the same ID range can be given to each separate IPA cluster?
>
> The two IPA clusters are independent of each other (not replicas of each other) and are only authoritative for their two separate domains.
There is always a chance to get an overlap, of course. In practice I
don't think you'll get that too often. In your example the ranges aren't
overlapping at all.
Thanks Alex. Guessing then on install, a new set of clusters could conceivably randomly
select an ID range belonging to another cluster? For AD servers, does it use any logic
to consistently select the same range for the same AD DC and a different range for a
different set of DCs?
Curious what to expect.
>
> Example ID ranges off the primaries of the two clusters:
>
>
>
> Cluster A [ ipa01 / 02 ]
>
> # ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
> Range name: ABC.123_id_range
> First Posix ID of the range: 155600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 155600000
> Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517
> Range type: Active Directory domain range
>
> Range name: A.ABC.123_id_range
> First Posix ID of the range: 1746600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
> #
>
>
>
>
> Cluster B [ ipa03 / 04 ]
>
> # ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
> Range name: ABC.123_id_range
> First Posix ID of the range: 155600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 0
> Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517
> Range type: Active Directory domain range
>
> Range name: B.ABC.123_id_range
> First Posix ID of the range: 1163400000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
> #
>
>
> --
> Cheers,
> Tom K.
>
-------------------------------------------------------------------------------------
>
> Living on earth is expensive, but it includes a free trip around the sun.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
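
Added example, not part of the original thread and not FreeIPA's own code: a Python check that parses `ipa idrange-find` output collected from each cluster and reports POSIX ID ranges that overlap. The sample text reuses the range values quoted above, trimmed to the fields the check reads; `parse_ranges` and `find_overlaps` are hypothetical helper names, and labelling an overlap between ranges that carry the same trusted-domain SID as the same AD domain seen from both clusters is an assumption of this example.

```python
import re
from itertools import combinations

# Sample input: range values from the idrange-find output quoted in the thread,
# trimmed to the fields this check reads.
CLUSTER_A = """\
  Range name: ABC.123_id_range
  First Posix ID of the range: 155600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

  Range name: A.ABC.123_id_range
  First Posix ID of the range: 1746600000
  Number of IDs in the range: 200000
"""
CLUSTER_B = """\
  Range name: ABC.123_id_range
  First Posix ID of the range: 155600000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-1803828911-4163023034-2461700517

  Range name: B.ABC.123_id_range
  First Posix ID of the range: 1163400000
  Number of IDs in the range: 200000
"""

def parse_ranges(cluster, text):
    """Return one dict per blank-line-separated record; banner lines are ignored."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        f = dict(l.strip().split(": ", 1) for l in block.splitlines() if ": " in l)
        if "First Posix ID of the range" not in f:
            continue  # block held only separators or counters
        first = int(f["First Posix ID of the range"])
        last = first + int(f["Number of IDs in the range"]) - 1
        ranges.append({"cluster": cluster, "name": f["Range name"], "first": first,
                       "last": last, "sid": f.get("Domain SID of the trusted domain")})
    return ranges

def find_overlaps(ranges):
    """Compare every pair of ranges; two inclusive intervals overlap if each starts before the other ends."""
    hits = []
    for a, b in combinations(ranges, 2):
        if a["first"] <= b["last"] and b["first"] <= a["last"]:
            # Assumption of this example: an identical SID means the same AD domain.
            same = a["sid"] is not None and a["sid"] == b["sid"]
            kind = "same-trusted-domain" if same else "conflict"
            hits.append((a["cluster"], a["name"], b["cluster"], b["name"], kind))
    return hits
```

Calling `find_overlaps(parse_ranges("A", CLUSTER_A) + parse_ranges("B", CLUSTER_B))` returns the list of overlapping pairs; the full command output, including its separator lines, can be passed to `parse_ranges` unchanged.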