Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> writes:
As discussions on this mailing list show, there are plenty of edge
cases, mostly around 'legacy' UID/GIDs and missing ID ranges that would
have covered those IDs. Or ID ranges missing SID-specific attributes
(base RID and secondary base RID) that prevent use of those ranges to
generate SIDs. KCS https://access.redhat.com/articles/7027037
describes a lot of those
details, so I would recommend reading through it and investigating your
ID range configuration based on those details.
Would it be helpful to have ipa-healthcheck or checkipaconsistency warn
about that? During ipa-server-upgrade is too late and it runs most of
the time in the background...
Jochen "I also needed to fix my id ranges"
--
This space is intentionally left blank.
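
Added example, not part of the original messages and not code from ipa-healthcheck or checkipaconsistency: a sketch of the check the thread asks about, flagging local ID ranges that lack a base RID or secondary base RID and POSIX IDs that no ID range covers. The range and user data are constructed; the dictionary keys follow the ID range LDAP attribute names, and the sketch assumes only ipa-local ranges matter.

```python
# Constructed sample data; in a real deployment this would come from
# the ID range entries and the user/group entries in the directory.
RANGES = [
    {"cn": "EXAMPLE.TEST_id_range", "ipaRangeType": "ipa-local",
     "ipaBaseID": 1234000000, "ipaIDRangeSize": 200000,
     "ipaBaseRID": 1000, "ipaSecondaryBaseRID": 100000000},
    # Range added by hand for legacy IDs, without the SID-specific attributes.
    {"cn": "LEGACY_id_range", "ipaRangeType": "ipa-local",
     "ipaBaseID": 5000, "ipaIDRangeSize": 1000},
]
ENTRIES = [("alice", 1234000004), ("bob", 5001), ("carol", 1005)]

RID_ATTRS = ("ipaBaseRID", "ipaSecondaryBaseRID")


def missing_rid_attrs(id_range):
    """Return the SID-specific attributes a local range does not have."""
    if id_range.get("ipaRangeType") != "ipa-local":
        return []
    return [attr for attr in RID_ATTRS if attr not in id_range]


def covering_range(ranges, posix_id):
    """Return the range whose [base, base + size) interval holds posix_id."""
    for id_range in ranges:
        base = id_range["ipaBaseID"]
        if base <= posix_id < base + id_range["ipaIDRangeSize"]:
            return id_range
    return None


def audit(ranges, entries):
    """List (name, problem) pairs that would prevent SID generation."""
    findings = []
    for id_range in ranges:
        missing = missing_rid_attrs(id_range)
        if missing:
            findings.append((id_range["cn"], "range lacks " + ", ".join(missing)))
    for name, posix_id in entries:
        id_range = covering_range(ranges, posix_id)
        if id_range is None:
            findings.append((name, f"ID {posix_id} is outside every ID range"))
        elif missing_rid_attrs(id_range):
            findings.append(
                (name, f"ID {posix_id} is in {id_range['cn']}, which has no RID bases"))
    return findings


if __name__ == "__main__":
    for subject, problem in audit(RANGES, ENTRIES):
        print(f"WARNING {subject}: {problem}")
```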