Hi Rob,

Thank you for helping me out with this. I am a little confused here, so let me ask you: you are saying I don't have the "ipabaserid:" attribute set on two ranges and that is what I need to set, correct? Curious why this is happening now and not before? I have been running this LDAP for the last 5 years and had no issues. Do you think this is an issue with the new version of FreeIPA?

Do you have any command to set that for the other ranges? And what number should I use?

On Fri, May 10, 2024 at 11:40 AM Rob Crittenden <rcritten@redhat.com> wrote:
Satish Patel wrote:
> Hi Rob,
>
> You are saying I have "3 ranges matched" but technically we only need "1
> range". Sorry, I am a little new to FreeIPA terms and not sure about what
> to do to fix this issue?

You have two ranges without a RID base. You need to set one for at least
EXAMPLE.COM_id_range and likely for the other as well once you upgrade
to RHEL 9.

rob

>
> On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten@redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
>     Satish Patel via FreeIPA-users wrote:
>     > Folks,
>     >
>     > I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
>     > CentOS7 and trying to add replica of RockyLinux 8.3 
>     >
>     > I am stuck here and not sure what it's actually trying to say and
>     > how to fix it?
>     >
>     >   [1/4]: Generating ipa-custodia config file
>     >   [2/4]: Generating ipa-custodia keys
>     >   [3/4]: starting ipa-custodia
>     >   [4/4]: configuring ipa-custodia to start on boot
>     > Done configuring ipa-custodia.
>     > Configuring certificate server (pki-tomcatd)
>     >   [1/2]: configure certmonger for renewals
>     >   [2/2]: Importing RA key
>     > Done configuring certificate server (pki-tomcatd).
>     > Configuring Kerberos KDC (krb5kdc)
>     >   [1/1]: installing X509 Certificate for PKINIT
>     > PKINIT certificate request failed: Certificate issuance failed
>     > (CA_UNREACHABLE: Server at
>     > https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
>     > retry: 4035 (Request failed with status 400: Non-2xx response from CA
>     > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
>     > Failed to configure PKINIT
>     > Full PKINIT configuration did not succeed
>     > The setup will only install bits essential to the server functionality
>     > You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
>     > Done configuring Kerberos KDC (krb5kdc).
>     > Applying LDAP updates
>     > Upgrading IPA:. Estimated time: 1 minute 30 seconds
>     >   [1/10]: stopping directory server
>     >   [2/10]: saving configuration
>     >   [3/10]: disabling listeners
>     >   [4/10]: enabling DS global lock
>     >   [5/10]: disabling Schema Compat
>     >   [6/10]: starting directory server
>     >   [7/10]: upgrading server
>     > Could not get dnaHostname entries in 60 seconds
>     >   [8/10]: stopping directory server
>     >   [9/10]: restoring configuration
>     >   [10/10]: starting directory server
>     > Done.
>     > Finalize replication settings
>     > Restarting the KDC
>     > Configuring SID generation
>     >   [1/7]: creating samba domain object
>     >   [2/7]: adding admin(group) SIDs
>     >   [3/7]: adding RID bases
>     > Found more than one local domain ID range with no RID base set.
>     >   [error] RuntimeError: Too many ID ranges
>     >
>     > Your system may be partly configured.
>     > Run /usr/sbin/ipa-server-install --uninstall to clean up.
>     >
>     > Too many ID ranges
>     >
>     > The ipa-replica-install command failed. See
>     > /var/log/ipareplica-install.log for more information
>     >
>     > # ipa idrange-find --all --raw
>     > ----------------
>     > 3 ranges matched
>     > ----------------
>     >   dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>     >   cn: EXAMPLE.COM_id_range
>     >   ipabaseid: 1000
>     >   ipaidrangesize: 200000
>     >   iparangetype: ipa-local
>     >   objectclass: top
>     >   objectclass: ipaIDrange
>     >   objectclass: ipaDomainIDRange
>     >
>     >   dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
>     >   cn: EXAMPLE.COM_subid_range
>     >   ipabaseid: 2147483648
>     >   ipaidrangesize: 2147352576
>     >   ipabaserid: 2147283648
>     >   ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
>     >   iparangetype: ipa-ad-trust
>     >   objectclass: top
>     >   objectclass: ipaIDrange
>     >   objectclass: ipaTrustedADDomainRange
>     >
>     >   dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
>     >   cn: EXAMPLE_OLD_USERS
>     >   ipabaseid: 500
>     >   ipaidrangesize: 500
>     >   iparangetype: ipa-local
>     >   objectclass: ipadomainidrange
>     >   objectclass: ipaIDrange
>     > ----------------------------
>     > Number of entries returned 3
>     > ----------------------------
>
>     Only one range without a RID base is allowed. See
>     https://pagure.io/freeipa/issue/9076
>
>     rob
>
>
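As an added check that is not part of this thread (it assumes the `ipa idrange-find --raw` output format quoted above and the standard `ipabaserid`/`ipasecondarybaserid` attributes): a script that lists the ipa-local ranges with no RID base, which is what the installer's "Too many ID ranges" error refers to, and tests a candidate RID base for overlap with RID space other ranges already claim before it is set with `ipa idrange-mod --rid-base`.

```python
# Added example, not from the thread: parse `ipa idrange-find --raw` output, list the
# ipa-local ranges lacking a RID base, and check a proposed RID base for overlap
# before applying it with `ipa idrange-mod`. SAMPLE is a constructed copy of the
# thread's three ranges with the attributes this check does not use dropped.
SAMPLE = """\
  dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
  cn: EXAMPLE.COM_id_range
  ipaidrangesize: 200000
  iparangetype: ipa-local
  dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
  cn: EXAMPLE.COM_subid_range
  ipaidrangesize: 2147352576
  ipabaserid: 2147283648
  iparangetype: ipa-ad-trust
  dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
  cn: EXAMPLE_OLD_USERS
  ipaidrangesize: 500
  iparangetype: ipa-local
"""
def parse_ranges(raw):
    """One dict per 'dn:' block; attribute names lower-cased, separator lines skipped."""
    ranges = []
    for line in raw.splitlines():
        key, sep, val = line.strip().partition(": ")
        if key == "dn":
            ranges.append({})
        elif sep and ranges:
            ranges[-1][key.lower()] = val
    return ranges

def local_ranges_without_rid_base(ranges):
    # The SID-generation step aborts when more than one of these exists.
    return [r["cn"] for r in ranges
            if r.get("iparangetype") == "ipa-local" and "ipabaserid" not in r]

def rid_conflicts(ranges, cn, rid_base):
    """Other ranges whose RID interval [base, base+size) overlaps the proposed one.
    Conservative: every range declaring a primary or secondary RID base is checked."""
    size = int(next(r for r in ranges if r["cn"] == cn)["ipaidrangesize"])
    new_lo, new_hi = rid_base, rid_base + size
    if new_hi > 2**32:
        raise ValueError("RID interval does not fit in 32 bits")
    hits = []
    for r in ranges:
        for attr in ("ipabaserid", "ipasecondarybaserid"):
            if r["cn"] != cn and attr in r:
                lo = int(r[attr])
                if lo < new_hi and new_lo < lo + int(r["ipaidrangesize"]):
                    hits.append(r["cn"])
    return hits
```

On the sample, both EXAMPLE.COM_id_range and EXAMPLE_OLD_USERS come back as lacking a RID base, matching Rob's reading of the output, while a candidate base of 2147283648 for EXAMPLE.COM_id_range is flagged because the subid range already claims that RID space.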