Hi,

the local domain range that is visible with ipa idrange-find shows the IDs that IPA should use when it creates new users / new groups. That configuration is set for the whole topology, stored in the LDAP tree that is replicated across the servers (below cn=ranges,cn=etc,$BASEDN)
If there are n servers, they need to agree on a split of the existing range, so that server1 and server2 do not create new entities with conflicting ids.
At the server level, each server assigns new IDs based on its local configuration stored in cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config (=not replicated). This setting is called the DNA range (Distributed Numeric Assignment) and can be seen globally with the command ipa-replica-manage dnarange-show. The DNA ranges configured on each server must remain inside the local domain range, and must not overlap between the servers.

What is your current DNA range setting? It looks like one of your servers has a DNA range outside of the domain local range.

flo



On Thu, Oct 7, 2021 at 10:56 AM lejeczek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


On 07/10/2021 08:54, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> I create new users - goes error-free seemingly - and
> integrated Samba does not see those. "Old" users are fine
> and one obvious, easy to spot thing is that new users lack
> 'ipantuserattrs'
> An old user:
>   objectclass: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount,
>                krbprincipalaux, krbticketpolicyaux,
> ipaobject, ipasshuser,
>                ipaSshGroupOfPubKeys, mepOriginEntry,
> ipantuserattrs
> a new one:
>   objectclass: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount,
>                krbprincipalaux, krbticketpolicyaux,
> ipaobject, ipasshuser,
>                ipaSshGroupOfPubKeys, mepOriginEntry
>
> is Samba integrations broken and if yes then how to check
> and fix it?
>
>
One another thing I noticed that from range:
-> $ ipa idrange-find
---------------
1 range matched
---------------
   Range name: CCNR.CEB.PRIVATE.CAM.AC.UK_id_range
   First Posix ID of the range: 57400000
   Number of IDs in the range: 200000
   First RID of the corresponding RID range: 1000
   First RID of the secondary RID range: 100000000
   Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------

and a newly created user ends up with:
   UID: 1107
   GID: 1107

If I manually set 'uid' at creation time, to something from
that 'Posix' range then 'ipantuserattrs' is present.
Can someone shed more light on what is happening there?

many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure