Hi,

I really have no idea if the wheel group will cause any issue as it is defined in IPA and probably also locally. Usually wheel is used to define the set of users allowed to perform su but in IPA the proper way is to create sudo rules and add members.

If you feel ok to keep the wheel group in IPA (but once again, hum...), the idrange needs to have primary and secondary rid bases.
Currently you have the following:
Size     POSIX ids start  POSIX ids end  RIDs start  RIDs end  2nd RIDs start  2nd RIDs end
200,000  396,000,000      396,200,000    1,000       201,000   100,000,000     100,200,000
39,000   1,000            40,000         301,000     340,000   100,300,000     100,339,000
1        112              113

The following RIDs are already taken: [1,000-201,000] [301,000-340,000], [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value outside of those ranges and it won't complain about overlaps.

On the other hand, if you decide to remove the idrange, you need to do it manually with ldapdelete:
ldapdelete -D "cn=Directory manager" -W cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=com

and then restart ipa.

Sorry I'm not able to provide a definite answer, but it's hard to know if removing your wheel group from IPA would break anything. Maybe you have applications that rely on it, maybe it was added unintentionally. Without a clear understanding I can't really advise.

flo

On Sun, Oct 12, 2025 at 6:38 PM Brian J. Murrell via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Thu, 2025-10-09 at 11:27 -0400, Brian J. Murrell via FreeIPA-users
wrote:
> On Thu, 2025-10-09 at 10:56 +0200, Florence Blanc-Renaud via FreeIPA-
> users wrote:
> > Hi
>
> Hello!
>
> > What is the output of
> > ipa idrange-find
>
> ----------------                    
> 4 ranges matched                        
> ----------------                       
>   Range name: asterisk_system_user                   
>   First Posix ID of the range: 112                                  
>   Number of IDs in the range: 1           
>   Range type: local domain range
>                            
>   Range name: EXAMPLE.COM_id_range
>   First Posix ID of the range: 396000000
>   Number of IDs in the range: 200000
>   First RID of the corresponding RID range: 1000
>   First RID of the secondary RID range: 100000000
>   Range type: local domain range
>
>   Range name: EXAMPLE.COM_id_range_001
>   First Posix ID of the range: 1000
>   Number of IDs in the range: 39000
>   First RID of the corresponding RID range: 301000
>   First RID of the secondary RID range: 100300000
>   Range type: local domain range
>
>   Range name: EXAMPLE.COM_subid_range
>   First Posix ID of the range: 2147483648
>   Number of IDs in the range: 2147352576
>   First RID of the corresponding RID range: 2147283648
>   Domain SID of the trusted domain: S-1-5-21-738065-838566-2194680828
>   Range type: Active Directory domain range
> ----------------------------
> Number of entries returned 4
> ----------------------------
>
> > Based on the values already used we may be able to modify your new
> > range
> > with proper primary and secondary rid base.
>
> That would work also.  :-)

Any additional help available to either delete this range so that I can
re-add it with RIDs or modify it to have some valid RIDs?  I think this
is the last impediment to me being able to deal with
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/EMVNTCDSAIWTR736BZK5CQ5LGDMTWTXD/
and get my IPA installation functional again.

Cheers,
b.
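
Added example, not part of the original thread and not FreeIPA's own code: a Python check for the advice in the reply above to pick RID bases outside the ranges already taken. It reads `ipa idrange-find` text, and it assumes that only local domain ranges count and that each interval runs from its base to base + size, end exclusive; the function names are hypothetical.

```python
import re

# Constructed sample: the local entries of the `ipa idrange-find` output quoted
# in the thread, trimmed to the fields this check reads.
SAMPLE = """\
  Range name: asterisk_system_user
  Number of IDs in the range: 1
  Range type: local domain range

  Range name: EXAMPLE.COM_id_range
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: EXAMPLE.COM_id_range_001
  Number of IDs in the range: 39000
  First RID of the corresponding RID range: 301000
  First RID of the secondary RID range: 100300000
  Range type: local domain range
"""

def parse_ranges(text):
    """Split the output into one {field label: value} dict per range."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.strip().partition(": ") for line in block.splitlines())
        entry = {key: value.strip() for key, sep, value in pairs if sep}
        if "Range name" in entry:
            entries.append(entry)
    return entries

def taken_rids(entries):
    """RID intervals (start, end) held by local domain ranges, end exclusive."""
    taken = []
    for e in entries:
        if e.get("Range type") != "local domain range":
            continue  # assumption: trusted-domain RIDs live in another SID space
        size = int(e["Number of IDs in the range"])
        for label in ("First RID of the corresponding RID range",
                      "First RID of the secondary RID range"):
            if label in e:
                taken.append((int(e[label]), int(e[label]) + size))
    return sorted(taken)

def conflicts(base, size, taken):
    """Taken intervals that [base, base + size) would overlap."""
    return [(lo, hi) for lo, hi in taken if base < hi and lo < base + size]
```

An empty list from `conflicts()` for both the primary and the secondary base means neither candidate collides with the ranges listed in the reply.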