For a few weeks now I've been seeing a problem getting authenticated to my IPA domain. I can get command-line and web UI stuff done by using the admin user, but if I get a ticket using my account, which is in the admins group, I get the following on the web UI:

Your session has expired. Please log in again.

On the command line any ipa commands I've tried so far give me:

ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credential cache is empty)

Getting a ticket as admin on the command line lets me run ipa commands with no problem. I think I've got all pertinent certificates loaded up properly. Gonna try a reboot on one of the servers shortly. I have 4 servers on different vlans; replication between them seems to be working properly.

I think the problem is that most of the user IDs we use on this domain are not in the ID range configured. We let the install choose a default range when we first set this up. Most of our users have a UID based on their EDIPI #, which is a 32-bit ID assigned when a user first gets a DoD CAC. They're usually 10 digits long.

For instance, the lowest EDIPI-based UID we have currently is something like 1004201873 and the largest is 1658224121. (I made those up, but they're close to the actual UIDs.)

ipa idrange-find shows me this (I did some masking of the info):

  Range name: domain_id_range
  First Posix ID of the range: 824xxx000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000

  Range name: domain_subid_range
  First Posix ID of the range: 214xxx3648
  Number of IDs in the range: 214xxx2576
  First RID of the corresponding RID range: 214xxx3648
  Domain SID of the trusted domain: S-1-5-21-xxxxxx-83xx66-82xxx729
  Range type: Active Directory domain range

Should I adjust the range that's already there, or add a third that encompasses the likely range of numbers I'm gonna see in the future? I started to add a range with appropriate values, but when it wanted the primary and secondary RID base values I was not sure how to figure that out or estimate it.
 
-- 
//-        Fixer of that which is broke        -//
//-        Home = sberg@mississippi.com        -//
//- Sinners can repent, but stupid is forever. -//
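The check the post is doing by eye (are the EDIPI-based UIDs inside any configured range, and would a new range collide with an existing one) is easy to script. The helper below is an added example, not code from the post or from FreeIPA: it parses the plain-text layout that `ipa idrange-find` prints, using the field labels exactly as they appear above, lists the UIDs no range covers, and tests a proposed range for overlap with the existing ones before anyone runs `ipa idrange-add`. The range values, domain SID and UIDs in the sample are constructed for illustration; the script name `check_idranges.py` is an assumption. It says nothing about choosing RID base values, which the post leaves open.

```python
"""Check FreeIPA POSIX UIDs against the ID ranges `ipa idrange-find` reports.

Added example, not part of the original post or of FreeIPA. Sample data is constructed.
Real use:  ipa idrange-find | python3 check_idranges.py 1004201873 1658224121
"""
from __future__ import annotations

import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    name: str
    first_id: int
    size: int
    range_type: str

    @property
    def last_id(self) -> int:
        return self.first_id + self.size - 1

    def contains(self, uid: int) -> bool:
        return self.first_id <= uid <= self.last_id


# Field labels exactly as `ipa idrange-find` prints them (see the post's output).
_FIELDS = {
    "Range name": "name",
    "First Posix ID of the range": "first_id",
    "Number of IDs in the range": "size",
    "Range type": "range_type",
}


def parse_idrange_output(text: str) -> list[IdRange]:
    """Turn idrange-find output into IdRange objects; a blank line ends each range."""
    ranges: list[IdRange] = []
    current: dict[str, str] = {}
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last block
        line = raw.strip()
        if not line:
            if "name" in current:
                ranges.append(IdRange(
                    name=current["name"],
                    first_id=int(current["first_id"]),
                    size=int(current["size"]),
                    range_type=current.get("range_type", "unknown"),  # line may be absent
                ))
            current = {}
            continue
        key, sep, value = line.partition(":")      # dashes / "N ranges matched" have no colon
        if sep and key.strip() in _FIELDS:
            current[_FIELDS[key.strip()]] = value.strip()
    return ranges


def uncovered_uids(ranges: list[IdRange], uids: list[int]) -> list[int]:
    """UIDs that no configured range covers, in input order."""
    return [u for u in uids if not any(r.contains(u) for r in ranges)]


def overlapping(ranges: list[IdRange], first_id: int, size: int) -> list[IdRange]:
    """Existing ranges a proposed [first_id, first_id+size-1] would collide with."""
    last_id = first_id + size - 1
    return [r for r in ranges if first_id <= r.last_id and r.first_id <= last_id]


def covering_range(uids: list[int], headroom: int = 0) -> tuple[int, int]:
    """Smallest (first_id, size) covering every UID, with headroom added at the top."""
    lo, hi = min(uids), max(uids)
    return lo, hi - lo + 1 + headroom


# Constructed sample in the same layout as the post's masked output.
SAMPLE_IDRANGE_OUTPUT = """\
----------------
2 ranges matched
----------------
  Range name: EXAMPLE.TEST_id_range
  First Posix ID of the range: 824000000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000

  Range name: EXAMPLE.TEST_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147483648
  Domain SID of the trusted domain: S-1-5-21-111111111-222222222-333333333
  Range type: Active Directory domain range

Number of entries returned 2
"""
SAMPLE_UIDS = [824000500, 1004201873, 1658224121, 2147483700]   # constructed


def main(argv: list[str]) -> None:
    if len(argv) > 1:                       # real output on stdin, UIDs as arguments
        text, uids = sys.stdin.read(), [int(a) for a in argv[1:]]
    else:                                   # no arguments: run the constructed sample
        text, uids = SAMPLE_IDRANGE_OUTPUT, SAMPLE_UIDS
    ranges = parse_idrange_output(text)
    for r in ranges:
        print(f"{r.name}: {r.first_id}-{r.last_id} ({r.range_type})")
    missing = uncovered_uids(ranges, uids)
    print("UIDs outside every range:", missing or "none")
    if missing:
        first, size = covering_range(missing, headroom=100_000)
        clash = [r.name for r in overlapping(ranges, first, size)]
        print(f"a range starting at {first} with {size} IDs would cover them; "
              f"overlaps with: {clash or 'none'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments it uses the constructed sample and reports the two EDIPI-style UIDs as uncovered, since the local range ends at 824199999 and the AD range only starts at 2147483648. Whether to widen the existing range or add a new one still has to be decided by hand; the overlap check just makes sure the new interval does not collide with what is already configured.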