Top-posting since this was so long (a good thing, lots of necessary
details).

I think that ipa-replica-manage is failing because you have a Kerberos
ticket and setting the value requires Directory Manager authentication.
Run `kdestroy -A` and try to set the next range again. I'd probably set
it to 0 0 (remove it) rather than guess a proper range.

Your ranges are configured VERY strangely which is probably the root of
the issue. You're missing like 98% of your total range because it isn't
included in any of the existing DNA ranges.

I'd start by setting the range of serverC to 104608142-104799999. That
plus dropping the bogus next range will likely fix things for you. I
picked C since it contains the highest value of the ranges. Ideally you
might divide the remaining range in thirds and assign a non-overlapping
set to each server but you'd want to poke at all your uid/gid values to
figure out where each range should start. Normally the first replica
gets half the range. Then subsequent replicas get half of that, and so on.

This may fix your replica install issue. If not you can try pre-creating
the missing group on an existing server, replacing $SUFFIX in an LDIF
with yours. I'm using dc=example,dc=test in this case:

# sed 's/$SUFFIX/dc=example,dc=test/' < /usr/share/ipa/default-smb-group.ldif > /tmp/default-smb-group.ldif
# ldapmodify -x -D 'cn=Directory Manager' -W -f /tmp/default-smb-group.ldif

This way the replica won't try to create one itself and it may install.
Of course you'd still need to get it a range somehow.

rob

Khurrum Maqb via FreeIPA-users wrote:

Hi all,

I'm moving from CentOS 7 running FreeIPA Server 4.6.8-5 to Rocky Linux 8 running
FreeIPA Server 4.9.10-6, and I am having some issues apparently with idranges and
dnaranges when creating a replica on RL8. There are 3xCentOS 7 systems (ServerA, ServerB,
ServerC) and 1xRockyLinux8 (ServerRL).

This domain has been around since the CentOS 6 days.

The main issue - when I try to create a replica on RL8, there is a failure at the [7/7]:
adding fallback group

Operations Error: Allocation of a new value for range cn=posix ids,cn=distributed numeric
assignments plugin,cn=plugins,cn=config failed! Unable to proceed.

When I check the available idranges, they are not depleted.

The main oddity that I'm seeing is that some of the earliest UIDs and GIDs are in the
range 100710000 + 200000. And ServerA has a dnaNextRange set to 1007111507-1007111999.
This is in a non-existent idrange.

When I try to set it manually, all I get is Updating Next Range Failed.

See logs:

####### On ServerRL (New RL 8 server) #######
# ipa-replica-install --setup-ca --setup-dns --forwarder <IP> --forwarder <IP>
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Failed to load default-smb-group.ldif: CalledProcessError(Command
['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5',
'-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y',
'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
Failed to add fallback group.
[error] CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify',
'-v', '-f', '/tmp/tmpls6pt4a5', '-H',
'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f',
'/tmp/tmpls6pt4a5', '-H',
'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more
information
And in the ipareplica-install.log I see:
2023-01-25T16:33:28Z DEBUG step duration: SID generation __restart_dirsrv 8.81 sec
2023-01-25T16:33:28Z DEBUG [7/7]: adding fallback group
2023-01-25T16:33:28Z DEBUG flushing ldapi://%2Frun%2Fslapd-mydomain3-COM.socket from
SchemaCache
2023-01-25T16:33:28Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2Frun%2Fslapd-mydomain3-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject
object at 0x7fc8a1020278>
2023-01-25T16:33:29Z DEBUG Starting external process
2023-01-25T16:33:29Z DEBUG args=['/usr/bin/ldapmodify', '-v',
'-f', '/tmp/tmpls6pt4a5', '-H',
'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
2023-01-25T16:33:39Z DEBUG Process finished, return code=1
2023-01-25T16:33:39Z DEBUG stdout=add cn:
Default SMB Group
add description:
Fallback group for primary group RID, do not add users to this group
add gidnumber:
-1
add objectclass:
top
ipaobject
posixgroup
adding new entry "cn=Default SMB
Group,cn=groups,cn=accounts,dc=mydomain3,dc=com"
2023-01-25T16:33:39Z DEBUG stderr=ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
ldap_add: Operations error (1)
additional info: Allocation of a new value for range cn=posix ids,cn=distributed
numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
2023-01-25T16:33:39Z CRITICAL Failed to load default-smb-group.ldif:
CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f',
'/tmp/tmpls6pt4a5', '-H',
'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
2023-01-25T16:33:39Z DEBUG Failed to add fallback group.
2023-01-25T16:33:39Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1085, in
error_handler
yield
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1585, in
find_entries
raise e
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1545, in
find_entries
result = self.conn.result3(id, 0)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 767, in
result3
resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 774, in
result4
ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 340, in
_ldap_call
reraise(exc_type, exc_value, exc_traceback)
File "/usr/lib64/python3.6/site-packages/ldap/compat.py", line 46, in
reraise
raise exc_value
File "/usr/lib64/python3.6/site-packages/ldap/ldapobject.py", line 324, in
_ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_OBJECT: {'msgtype': 101, 'msgid': 4, 'result': 32,
'desc': 'No such object', 'ctrls': [], 'matched':
'cn=groups,cn=accounts,dc=mydomain3,dc=com'}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 327, in __add_fallback_group
api.Backend.ldap2.get_entry(fb_group_dn)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1941, in
get_entry
dn, attrs_list, time_limit, size_limit, get_effective_rights
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1642, in
get_entry
size_limit=size_limit, get_effective_rights=get_effective_rights,
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1454, in
get_entries
**kwargs)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1592, in
find_entries
break
File "/usr/lib64/python3.6/contextlib.py", line 99, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python3.6/site-packages/ipapython/ipaldap.py", line 1095, in
error_handler
raise errors.NotFound(reason=arg_desc or 'no such entry')
ipalib.errors.NotFound: no such entry
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 333, in __add_fallback_group
raise e
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 330, in __add_fallback_group
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
399, in _ldap_mod
ipautil.run(args, nolog=nologlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in
run
p.returncode, arg_string, output_log, error_log
ipapython.ipautil.CalledProcessError: CalledProcessError(Command
['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5',
'-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y',
'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
2023-01-25T16:33:39Z DEBUG [error] CalledProcessError: CalledProcessError(Command
['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpls6pt4a5',
'-H', 'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y',
'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
2023-01-25T16:33:39Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 344,
in run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81,
in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59,
in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65,
in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py",
line 599, in main
replica_install(self)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
line 401, in decorated
func(installer)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
line 1371, in install
adtrust.install(False, options, fstore, api)
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line
483, in install
smb.create_instance()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 913, in create_instance
self.start_creation(show_service_name=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 333, in __add_fallback_group
raise e
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 330, in __add_fallback_group
self._ldap_mod('default-smb-group.ldif', self.sub_dict)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
399, in _ldap_mod
ipautil.run(args, nolog=nologlist)
File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 600, in
run
p.returncode, arg_string, output_log, error_log
2023-01-25T16:33:39Z DEBUG The ipa-replica-install command failed, exception:
CalledProcessError: CalledProcessError(Command ['/usr/bin/ldapmodify',
'-v', '-f', '/tmp/tmpls6pt4a5', '-H',
'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
2023-01-25T16:33:39Z ERROR CalledProcessError(Command ['/usr/bin/ldapmodify',
'-v', '-f', '/tmp/tmpls6pt4a5', '-H',
'ldapi://%2Frun%2Fslapd-mydomain3-COM.socket', '-Y', 'EXTERNAL']
returned non-zero exit status 1: 'ldap_initialize(
ldapi://%2Frun%2Fslapd-mydomain3-COM.socket/??base )\nSASL/EXTERNAL authentication
started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range
cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable
to proceed.\n')
2023-01-25T16:33:39Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
####### ON serverA #######
Last login: Wed Jan 25 10:44:37 2023 from
client.sub.mydomain3.com
[root@serverA ~]# ipa-replica-manage list
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverA ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverA ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverA ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverA ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104605500
dnaNextRange: 1007111507-1007111999
dnaNextValue: 104605010
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverA ~]#
####### ON serverB #######
Last login: Wed Jan 25 10:44:16 2023 from
client.sub.mydomain3.com
[root@serverB ~]# ipa-replica-manage list
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverB ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverB ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverB ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverB ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104606000
dnaNextRange: 104606003-104606500
dnaNextValue: 104605502
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverB ~]#
####### ON serverC #######
Last login: Wed Jan 25 10:44:51 2023 from
client.sub.mydomain3.com
[root@serverC ~]# ipa-replica-manage list
Directory Manager password:
serverRL.sub.mydomain3.com: master
serverC.mydomain3.com: master
serverB.sub.mydomain3.com: master
serverA.sub.mydomain3.com: master
[root@serverC ~]# ipa idrange-find
ipa: ERROR: did not receive Kerberos credentials
[root@serverC ~]# kinit kmaqbool
Password for kmaqbool@mydomain3.COM:
[root@serverC ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverC ~]# ipa-replica-manage dnarange-show
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
[root@serverC ~]# ipa-replica-manage dnanextrange-show
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
[root@serverC ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 104608500
dnaNextRange: 104606519-104606600
dnaNextValue: 104608142
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverC ~]#
####### ON serverRL #######
root@192.168.162.6's password:
Last login: Wed Jan 25 10:55:08 2023 from
client.sub.mydomain3.com
[root@serverRL ~]# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: mydomain3.COM_id_range
First Posix ID of the range: 104600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: mydomain3.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-1826781690
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[root@serverRL ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=mydomain3,dc=com
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=mydomain3,dc=com
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=mydomain3,dc=com
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@serverRL ~]# ipa-replica-manage dnarange-show
Re-run /usr/sbin/ipa-replica-manage with --verbose option to get more information
Unexpected error: IPA is not configured on this system.
####### ON serverA #######
Attempting to change dnaNextRange
[root@serverA ~]# ipa-replica-manage dnanextrange-set -d serverA.sub.mydomain3.com 104607000-104607500
ipa: DEBUG: importing all plugin modules in ipaserver.plugins...
ipa: DEBUG: importing plugin module ipaserver.plugins.aci
ipa: DEBUG: importing plugin module ipaserver.plugins.automember
ipa: DEBUG: importing plugin module ipaserver.plugins.automount
ipa: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipa: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipa: DEBUG: importing plugin module ipaserver.plugins.batch
ipa: DEBUG: importing plugin module ipaserver.plugins.ca
ipa: DEBUG: importing plugin module ipaserver.plugins.caacl
ipa: DEBUG: importing plugin module ipaserver.plugins.cert
ipa: DEBUG: importing plugin module ipaserver.plugins.certmap
ipa: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipa: DEBUG: importing plugin module ipaserver.plugins.config
ipa: DEBUG: importing plugin module ipaserver.plugins.delegation
ipa: DEBUG: importing plugin module ipaserver.plugins.dns
ipa: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipa: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipa: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipa: DEBUG: importing plugin module ipaserver.plugins.group
ipa: DEBUG: importing plugin module ipaserver.plugins.hbac
ipa: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipa: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipa: DEBUG: importing plugin module ipaserver.plugins.host
ipa: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.idrange
ipa: DEBUG: importing plugin module ipaserver.plugins.idviews
ipa: DEBUG: importing plugin module ipaserver.plugins.internal
ipa: DEBUG: importing plugin module ipaserver.plugins.join
ipa: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipa: DEBUG: importing plugin module ipaserver.plugins.location
ipa: DEBUG: importing plugin module ipaserver.plugins.migration
ipa: DEBUG: importing plugin module ipaserver.plugins.misc
ipa: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.otp
ipa: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipa: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipa: DEBUG: importing plugin module ipaserver.plugins.passwd
ipa: DEBUG: importing plugin module ipaserver.plugins.permission
ipa: DEBUG: importing plugin module ipaserver.plugins.ping
ipa: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipa: DEBUG: importing plugin module ipaserver.plugins.privilege
ipa: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipa: DEBUG: importing plugin module ipaserver.plugins.rabase
ipa: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipa: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipa: DEBUG: importing plugin module ipaserver.plugins.role
ipa: DEBUG: importing plugin module ipaserver.plugins.schema
ipa: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipa: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipa: DEBUG: importing plugin module ipaserver.plugins.server
ipa: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipa: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipa: DEBUG: importing plugin module ipaserver.plugins.service
ipa: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipa: DEBUG: importing plugin module ipaserver.plugins.session
ipa: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipa: DEBUG: importing plugin module ipaserver.plugins.sudo
ipa: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipa: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipa: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipa: DEBUG: importing plugin module ipaserver.plugins.topology
ipa: DEBUG: importing plugin module ipaserver.plugins.trust
ipa: DEBUG: importing plugin module ipaserver.plugins.user
ipa: DEBUG: importing plugin module ipaserver.plugins.vault
ipa: DEBUG: importing plugin module ipaserver.plugins.virtual
ipa: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipa: DEBUG: importing plugin module ipaserver.plugins.whoami
ipa: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipa: DEBUG: found 1 A records for serverA.sub.mydomain3.com.: 192.168.162.11
ipa: DEBUG: The DNS response does not contain an answer to the question:
serverA.sub.mydomain3.com. IN AAAA
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverA.sub.mydomain3.com:636
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0818d6b1b8>
ipa: DEBUG: Created connection context.ldap2_139672798648528
ipa: DEBUG: found 1 A records for serverA.sub.mydomain3.com.: 192.168.162.11
ipa: DEBUG: The DNS response does not contain an answer to the question:
serverA.sub.mydomain3.com. IN AAAA
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverB.sub.mydomain3.com:636
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0818d8be60>
ipa: DEBUG: retrieving schema for SchemaCache url=ldaps://serverC.mydomain3.com:636
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f0815752bd8>
Updating next range failed
Any help would be MUCH appreciated.
Thank you,
Khurrum
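
Added example (not part of the original thread, and not FreeIPA code): a small Python audit of the ranges posted above, checking every DNA range and on-deck range against the local ID range. It shows the two points the reply makes, the serverA next range that lies outside the ID range and how little of the 200000-ID range is actually assigned. The function names parse_ranges and audit are hypothetical; the input text is copied from the command output in the thread.

```python
import re

# Local-domain ID range from the thread's `ipa idrange-find` output.
ID_RANGE_BASE = 104600000
ID_RANGE_SIZE = 200000

# Output of `ipa-replica-manage dnarange-show` as posted in the thread.
DNARANGE_SHOW = """\
serverA.sub.mydomain3.com: 104605010-104605500
serverB.sub.mydomain3.com: 104605502-104606000
serverC.mydomain3.com: 104608142-104608500
serverRL.sub.mydomain3.com: No range set
"""

# Output of `ipa-replica-manage dnanextrange-show` as posted in the thread.
DNANEXTRANGE_SHOW = """\
serverA.sub.mydomain3.com: 1007111507-1007111999
serverB.sub.mydomain3.com: 104606003-104606500
serverC.mydomain3.com: 104606519-104606600
serverRL.sub.mydomain3.com: No on-deck range set
"""

_RANGE_LINE = re.compile(r"^(\S+):\s+(\d+)-(\d+)$")


def parse_ranges(text):
    """Map host -> (start, end), or None when the tool reports no range."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _RANGE_LINE.match(line)
        if match:
            ranges[match.group(1)] = (int(match.group(2)), int(match.group(3)))
        else:
            # e.g. "host: No range set" / "host: No on-deck range set"
            ranges[line.split(":", 1)[0]] = None
    return ranges


def audit(base, size, active, on_deck):
    """Return (findings, covered_ids) for DNA ranges checked against one ID range."""
    low, high = base, base + size - 1
    findings, inside = [], []
    for kind, table in (("range", active), ("next range", on_deck)):
        for host, span in table.items():
            if span is None:
                # A missing on-deck range is normal; a missing active range is not.
                if kind == "range":
                    findings.append(f"{host}: no DNA range set")
                continue
            start, end = span
            if start > end:
                findings.append(f"{host}: {kind} {start}-{end} is inverted")
            elif start < low or end > high:
                findings.append(
                    f"{host}: {kind} {start}-{end} is outside ID range {low}-{high}"
                )
            else:
                inside.append((start, end, f"{host} {kind}"))

    # Sweep the in-range spans in order: flag overlaps, count distinct IDs once.
    inside.sort()
    covered, reach, reach_owner = 0, low - 1, None
    for start, end, label in inside:
        if reach_owner is not None and start <= reach:
            findings.append(f"{label} {start}-{end} overlaps {reach_owner}")
        covered += max(0, end - max(start, reach + 1) + 1)
        if end > reach:
            reach, reach_owner = end, label
    return findings, covered


if __name__ == "__main__":
    active = parse_ranges(DNARANGE_SHOW)
    on_deck = parse_ranges(DNANEXTRANGE_SHOW)
    findings, covered = audit(ID_RANGE_BASE, ID_RANGE_SIZE, active, on_deck)
    for finding in findings:
        print("FINDING:", finding)
    print(f"{covered} of {ID_RANGE_SIZE} IDs are in some DNA range "
          f"({covered / ID_RANGE_SIZE:.2%})")
```

Re-running audit with serverC set to 104608142-104799999 and serverA's next range cleared, as the reply suggests, leaves only the serverRL finding and raises the assigned count to 193428.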