Satish Patel wrote:
> Hi Rob,
>
> Thank you for helping me out with this. I'm a little confused here, so let me ask you: you are saying I don't have the "ipabaserid:" attribute set on two ranges and that is what I need to set, correct?

Yes.

> Curious why this is happening now and not before? I have been running this LDAP for the last 5 years and had no issues. Do you think this is a new version of freeIPA issue?

Yes. All users require a SID now in order to mitigate a security issue.

> Do you have any command to set that for the other ranges? And what number should I use?

It's all in the referenced e-mail threads. There are more, in fact, in the freeipa-users archives if you want.

rob
On Fri, May 10, 2024 at 11:40 AM Rob Crittenden <rcritten@redhat.com> wrote:
Satish Patel wrote:
> Hi Rob,
>
> You are saying I have "3 ranges matched" but technically we only need "1
> range". Sorry, I am a little new to freeIPA terms and not sure about what
> to do to fix this issue?

You have two ranges without a RID base. You need to set one for at least
EXAMPLE.COM_id_range and likely for the other as well once you upgrade to
RHEL 9.

rob

> On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten@redhat.com> wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Folks,
> >
> > I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
> > CentOS7 and trying to add a replica of RockyLinux 8.3.
> >
> > I am stuck here and not sure what it's actually trying to say and how to
> > fix it?
> >
> > [1/4]: Generating ipa-custodia config file
> > [2/4]: Generating ipa-custodia keys
> > [3/4]: starting ipa-custodia
> > [4/4]: configuring ipa-custodia to start on boot
> > Done configuring ipa-custodia.
> > Configuring certificate server (pki-tomcatd)
> > [1/2]: configure certmonger for renewals
> > [2/2]: Importing RA key
> > Done configuring certificate server (pki-tomcatd).
> > Configuring Kerberos KDC (krb5kdc)
> > [1/1]: installing X509 Certificate for PKINIT
> > PKINIT certificate request failed: Certificate issuance failed
> > (CA_UNREACHABLE: Server at
> > https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
> > retry: 4035 (Request failed with status 400: Non-2xx response from CA
> > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
> > Failed to configure PKINIT
> > Full PKINIT configuration did not succeed
> > The setup will only install bits essential to the server functionality
> > You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> > Done configuring Kerberos KDC (krb5kdc).
> > Applying LDAP updates
> > Upgrading IPA:. Estimated time: 1 minute 30 seconds
> > [1/10]: stopping directory server
> > [2/10]: saving configuration
> > [3/10]: disabling listeners
> > [4/10]: enabling DS global lock
> > [5/10]: disabling Schema Compat
> > [6/10]: starting directory server
> > [7/10]: upgrading server
> > Could not get dnaHostname entries in 60 seconds
> > [8/10]: stopping directory server
> > [9/10]: restoring configuration
> > [10/10]: starting directory server
> > Done.
> > Finalize replication settings
> > Restarting the KDC
> > Configuring SID generation
> > [1/7]: creating samba domain object
> > [2/7]: adding admin(group) SIDs
> > [3/7]: adding RID bases
> > Found more than one local domain ID range with no RID base set.
> > [error] RuntimeError: Too many ID ranges
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > Too many ID ranges
> >
> > The ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for more information
> >
> >
> > # ipa idrange-find --all --raw
> > ----------------
> > 3 ranges matched
> > ----------------
> > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
> > cn: EXAMPLE.COM_id_range
> > ipabaseid: 1000
> > ipaidrangesize: 200000
> > iparangetype: ipa-local
> > objectclass: top
> > objectclass: ipaIDrange
> > objectclass: ipaDomainIDRange
> >
> > dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
> > cn: EXAMPLE.COM_subid_range
> > ipabaseid: 2147483648
> > ipaidrangesize: 2147352576
> > ipabaserid: 2147283648
> > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
> > iparangetype: ipa-ad-trust
> > objectclass: top
> > objectclass: ipaIDrange
> > objectclass: ipaTrustedADDomainRange
> >
> > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
> > cn: EXAMPLE_OLD_USERS
> > ipabaseid: 500
> > ipaidrangesize: 500
> > iparangetype: ipa-local
> > objectclass: ipadomainidrange
> > objectclass: ipaIDrange
> > ----------------------------
> > Number of entries returned 3
> > ----------------------------
>
> Only one range without a RID base is allowed. See
> https://pagure.io/freeipa/issue/9076
>
> rob
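As an added pre-flight check (not from the thread or the FreeIPA project), this script parses `ipa idrange-find --all --raw` output and reproduces the installer's "adding RID bases" condition: any `ipa-local` range without `ipabaserid` is flagged, and more than one such range is the "Too many ID ranges" failure seen above. The sample input is constructed from the three entries quoted in the thread, trimmed to the attributes the check needs.

```python
# Constructed sample, built from the `ipa idrange-find --all --raw` output
# quoted in the thread above (attributes not needed for the check dropped).
SAMPLE_OUTPUT = """\
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_id_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local

dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
iparangetype: ipa-ad-trust

dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE_OLD_USERS
ipabaseid: 500
ipaidrangesize: 500
iparangetype: ipa-local
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_idranges(raw):
    """Split --raw output into one dict per 'dn:' entry; attribute names lower-cased."""
    entries, current = [], None
    for line in raw.splitlines():
        if ":" not in line or line.startswith("-"):
            continue  # separator and summary lines carry no attributes
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = {"dn": value}
            entries.append(current)
        elif current is not None and key not in current:
            current[key] = value  # keep the first value of multi-valued attrs
    return entries


def check_rid_bases(raw):
    """List ipa-local ranges with no ipabaserid and say whether the installer's
    'adding RID bases' step would abort (it tolerates at most one such range)."""
    missing = [e["cn"] for e in parse_idranges(raw)
               if e.get("iparangetype") == "ipa-local" and "ipabaserid" not in e]
    return {"missing_rid_base": missing, "too_many_id_ranges": len(missing) > 1}


if __name__ == "__main__":
    print(check_rid_bases(SAMPLE_OUTPUT))
```

Feed it the real command output on the master before attempting the replica install; a result with `too_many_id_ranges` set means a RID base must be assigned to all but one of the listed local ranges first.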