Hi Rob,

You are saying I have "3 ranges matched", but technically we only need "1 range". Sorry, I am a little new to FreeIPA terms and not sure what to do to fix this issue?

On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten@redhat.com> wrote:
Satish Patel via FreeIPA-users wrote:
> Folks,
>
> I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
> CentOS7 and am trying to add a replica on RockyLinux 8.3.
>
> I am stuck here and not sure what it's actually trying to say and how to
> fix it?
>
>   [1/4]: Generating ipa-custodia config file
>   [2/4]: Generating ipa-custodia keys
>   [3/4]: starting ipa-custodia
>   [4/4]: configuring ipa-custodia to start on boot
> Done configuring ipa-custodia.
>
> Configuring certificate server (pki-tomcatd)
>   [1/2]: configure certmonger for renewals
>   [2/2]: Importing RA key
> Done configuring certificate server (pki-tomcatd).
>
> Configuring Kerberos KDC (krb5kdc)
>   [1/1]: installing X509 Certificate for PKINIT
> PKINIT certificate request failed: Certificate issuance failed
> (CA_UNREACHABLE: Server at
> https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
> retry: 4035 (Request failed with status 400: Non-2xx response from CA
> REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
> Failed to configure PKINIT
> Full PKINIT configuration did not succeed
> The setup will only install bits essential to the server functionality
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> Done configuring Kerberos KDC (krb5kdc).
>
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: disabling Schema Compat
>   [6/10]: starting directory server
>   [7/10]: upgrading server
> Could not get dnaHostname entries in 60 seconds
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
>
> Finalize replication settings
> Restarting the KDC
> Configuring SID generation
>   [1/7]: creating samba domain object
>   [2/7]: adding admin(group) SIDs
>   [3/7]: adding RID bases
> Found more than one local domain ID range with no RID base set.
>   [error] RuntimeError: Too many ID ranges
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Too many ID ranges
>
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
> # ipa idrange-find --all --raw
> ----------------
> 3 ranges matched
> ----------------
>   dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>   cn: EXAMPLE.COM_id_range
>   ipabaseid: 1000
>   ipaidrangesize: 200000
>   iparangetype: ipa-local
>   objectclass: top
>   objectclass: ipaIDrange
>   objectclass: ipaDomainIDRange
>
>   dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
>   cn: EXAMPLE.COM_subid_range
>   ipabaseid: 2147483648
>   ipaidrangesize: 2147352576
>   ipabaserid: 2147283648
>   ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
>   iparangetype: ipa-ad-trust
>   objectclass: top
>   objectclass: ipaIDrange
>   objectclass: ipaTrustedADDomainRange
>
>   dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
>   cn: EXAMPLE_OLD_USERS
>   ipabaseid: 500
>   ipaidrangesize: 500
>   iparangetype: ipa-local
>   objectclass: ipadomainidrange
>   objectclass: ipaIDrange
> ----------------------------
> Number of entries returned 3
> ----------------------------

Only one range without a RID base is allowed. See
https://pagure.io/freeipa/issue/9076

rob
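As an added example that is not part of this thread and not FreeIPA's own code, the script below parses `ipa idrange-find --all --raw` output and flags the exact condition Rob points at: more than one `ipa-local` range with no `ipabaserid`, which is what makes the "adding RID bases" step fail with "Too many ID ranges". It also checks the POSIX ID and RID intervals for overlap, since that is the next thing the SID generation step trips over. The embedded sample is the output quoted above; the script name `check_idranges.py` is assumed.

```python
"""check_idranges.py (hypothetical name): find why ipa-replica-install says
"Found more than one local domain ID range with no RID base set".

Usage:
    ipa idrange-find --all --raw | python3 check_idranges.py
Run with no piped input to check the sample from the thread.
"""
import re
import sys

# Sample input: the `ipa idrange-find --all --raw` output quoted in the thread,
# embedded here so the script runs offline.
SAMPLE = """\
----------------
3 ranges matched
----------------
  dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
  cn: EXAMPLE.COM_id_range
  ipabaseid: 1000
  ipaidrangesize: 200000
  iparangetype: ipa-local
  objectclass: top
  objectclass: ipaIDrange
  objectclass: ipaDomainIDRange

  dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
  cn: EXAMPLE.COM_subid_range
  ipabaseid: 2147483648
  ipaidrangesize: 2147352576
  ipabaserid: 2147283648
  ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
  iparangetype: ipa-ad-trust
  objectclass: top
  objectclass: ipaIDrange
  objectclass: ipaTrustedADDomainRange

  dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
  cn: EXAMPLE_OLD_USERS
  ipabaseid: 500
  ipaidrangesize: 500
  iparangetype: ipa-local
  objectclass: ipadomainidrange
  objectclass: ipaIDrange
----------------------------
Number of entries returned 3
----------------------------
"""

INT_ATTRS = {"ipabaseid", "ipaidrangesize", "ipabaserid", "ipasecondarybaserid"}


def parse_idrange_raw(text):
    """Turn --raw output into a list of dicts, one per `dn:` entry.
    Attribute names are lower-cased, integer attributes converted, and a
    repeated attribute (objectclass) collected into a list."""
    ranges, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][\w-]*):\s*(.*)$", line)
        if not m:
            continue                      # separators, "N ranges matched", ...
        attr, val = m.group(1).lower(), m.group(2).strip()
        if attr == "dn":
            cur = {"dn": val}
            ranges.append(cur)
        elif cur is None:
            continue                      # text before the first entry
        elif attr in INT_ATTRS:
            cur[attr] = int(val)
        elif attr in cur:
            prev = cur[attr]
            cur[attr] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            cur[attr] = val
    return ranges


def local_ranges_without_rid_base(ranges):
    """cn of every ipa-local range lacking ipabaserid. The SID generation
    step will assign RID bases to at most one of these."""
    return [r["cn"] for r in ranges
            if r.get("iparangetype") == "ipa-local" and "ipabaserid" not in r]


def overlapping_ranges(ranges, base_attr="ipabaseid"):
    """Pairs of range names whose [base, base+size) intervals intersect.
    base_attr="ipabaserid" checks primary RID intervals instead of POSIX IDs;
    ranges without that attribute are skipped."""
    spans = sorted((r[base_attr], r[base_attr] + r["ipaidrangesize"], r["cn"])
                   for r in ranges if base_attr in r)
    return [(a[2], b[2]) for i, a in enumerate(spans)
            for b in spans[i + 1:] if b[0] < a[1]]


def report(text):
    ranges = parse_idrange_raw(text)
    out = [f"{len(ranges)} ranges parsed"]
    for r in ranges:
        last = r["ipabaseid"] + r["ipaidrangesize"] - 1
        out.append(f"  {r['cn']}: {r.get('iparangetype')} ids {r['ipabaseid']}-{last}"
                   f" rid base {r.get('ipabaserid', '(none)')}")
    missing = local_ranges_without_rid_base(ranges)
    if len(missing) > 1:
        out.append("PROBLEM: more than one ipa-local range without a RID base: "
                   + ", ".join(missing) + " (only one is allowed)")
    for a, b in overlapping_ranges(ranges):
        out.append(f"PROBLEM: POSIX ID ranges overlap: {a} / {b}")
    for a, b in overlapping_ranges(ranges, "ipabaserid"):
        out.append(f"PROBLEM: RID ranges overlap: {a} / {b}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

On the thread's data this reports EXAMPLE.COM_id_range and EXAMPLE_OLD_USERS as the two RID-base-less local ranges and no interval overlap. Which fix is right is an administrative decision the script does not make: delete EXAMPLE_OLD_USERS if nothing still holds IDs 500-999, or give it explicit, non-overlapping RID bases with `ipa idrange-mod EXAMPLE_OLD_USERS --rid-base=... --secondary-rid-base=...` so that only one local range is left for the installer to fill in. Re-run the check afterwards before retrying ipa-replica-install.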