On Пят, 06 кас 2023, Jeremy Tourville via FreeIPA-users wrote:
We are running IPA server 4.9.11 We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error: "ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed"
Any suggestions to troubleshoot and remove this range?
This means you still have references to UID/GIDs from this range in, for example, ID overrides.
You can try a script from https://gist.github.com/abbra/33f5ac59c5cae750ecdb3974978d9cec to see what objects reference these IDs and then might decide to remove or modify them.