Hi,
On Thu, Feb 1, 2024 at 12:51 PM Steve Berg via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Still not working. I do not have any trust set up with any active directory currently, we have an AD running on the network but that and my ipa domain don't trust each other in any way.
Got two idranges setup:
Range name: domain_id_range
First Posix ID of the range: 824400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range

Range name: EDIPIs_id_range
First Posix ID of the range: 1009210100
Number of IDs in the range: 619332697
Range type: local domain range

The above range is missing RID base and secondary rid base. You can refer to this KCS: https://access.redhat.com/solutions/7052703 especially section 3. Fixing ID range issues. You will have to add ipabaserid and ipasecondarybaserid to the range. RID Values from 1,000-200,999 and 100,000,000-100,199,999 are already taken by the id range domain_id_range, you can pick any values not overlapping.
flo
And dnarange/dnanextrange is set up also. The dnanext ranges match up to the EDIPIs range.

[root@ipa02 ~]# ipa-replica-manage dnarange-show
ipa25.domain: 824400015-824425499
ipa08.domain: 824550503-824599999
ipa22.domain: 824450504-824500499
ipa02.domain: 824425523-824450499
[root@ipa02 ~]# ipa-replica-manage dnanextrange-show
ipa25.domain: 1464499522-1619332666
ipa08.domain: 1154833194-1309666338
ipa22.domain: 1309666348-1464499502
ipa02.domain: 1009210100-1154833174

Tried running the add-sids process and it errors out. There's nothing in the error log.

[root@ipa02 ~]# ipa -vv config-mod --enable-sid --add-sids
ipa: INFO: Request: {
    "id": 0,
    "method": "config_mod/1",
    "params": [
        [],
        {
            "add_sids": true,
            "enable_sid": true,
            "version": "2.251"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 4000,
        "data": {},
        "message": "Configuration of SID failed. See details in the error log",
        "name": "ExecutionError"
    },
    "id": 0,
    "principal": "admin@domain",
    "result": null,
    "version": "4.9.12"
}
ipa: ERROR: Configuration of SID failed. See details in the error log
There's nothing in /var/log/dirsrv/slapd-DOMAIN/errors about the failure. So I'm at a roadblock right now. Can't do what I need to do and can't figure out why.
On 2/1/24 02:13, Giulio Casella via FreeIPA-users wrote:
Ok, maybe you are missing some id range... Let's check this page, just to point in the right direction:
https://www.linuxsysadmins.com/ipa-error-4203-databaseerror/
(I had that error, after a couple of migrations: CentOS 7 -> CentOS 8 stream -> RHEL 9).
Briefly:
- "ipa idrange-find" should give id range (and subid range, but ignore
it for now): write down "First Posix ID..." and "Number of IDs..."
- "ipa-replica-manage dnarange-show" should give current dna ranges
(maybe you have no dna range right now)
- create dna ranges with "ipa-replica-manage dnarange-set
server1.ipa.example.com 10000-20000" for every domain controller (range should be different for every server and included in range got from idrange-find)
If you manage to have correct ID ranges (and DNA ranges), don't forget to fire the sids creation command at end.
This procedure helped me to solve, I don't know if this is the correct way to go. Maybe some list guru out there can correct me.
Good luck.
--
//- Fixer of that which is broke -//
//- Home = sberg@mississippi.com -//
//- Sinners can repent, but stupid is forever. -//
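The overlap check described in the reply above, as an added example that is not part of the original thread: it finds ID ranges lacking RID bases and tests candidate ipabaserid/ipasecondarybaserid values against the RID blocks already taken. The range data is copied from the idrange listing in the thread; the function names and the candidate values in the comments are constructed for illustration, and the 32-bit upper bound assumes FreeIPA applies no tighter limit.

```python
from typing import List, NamedTuple, Optional, Tuple

RID_MAX = 2**32 - 1  # a RID is a 32-bit SID sub-authority (assumed only limit)

class IdRange(NamedTuple):
    name: str
    size: int
    rid_base: Optional[int]
    secondary_rid_base: Optional[int]

# Values copied from the idrange listing in the thread.
EXISTING = [
    IdRange("domain_id_range", 200000, 1000, 100000000),
    IdRange("EDIPIs_id_range", 619332697, None, None),
]

def rid_blocks(r: IdRange) -> List[Tuple[str, int, int]]:
    """Inclusive (label, first, last) RID blocks that a range occupies."""
    blocks = []
    for label, base in (("rid", r.rid_base), ("secondary", r.secondary_rid_base)):
        if base is not None:
            blocks.append((f"{r.name}/{label}", base, base + r.size - 1))
    return blocks

def missing_rid_bases(ranges: List[IdRange]) -> List[str]:
    """Names of ranges that lack a RID base or a secondary RID base."""
    return [r.name for r in ranges
            if r.rid_base is None or r.secondary_rid_base is None]

def conflicts(ranges: List[IdRange], name: str,
              rid_base: int, secondary_rid_base: int) -> List[str]:
    """Problems with giving range `name` the proposed RID bases."""
    target = next(r for r in ranges if r.name == name)
    proposed = rid_blocks(target._replace(
        rid_base=rid_base, secondary_rid_base=secondary_rid_base))
    taken = [b for r in ranges if r.name != name for b in rid_blocks(r)]
    problems = []
    for i, (label, first, last) in enumerate(proposed):
        if last > RID_MAX:
            problems.append(f"{label} exceeds 32 bits")
        # Compare with other ranges and with the proposal's own second block.
        for other, ofirst, olast in taken + proposed[i + 1:]:
            if first <= olast and ofirst <= last:
                problems.append(f"{label} overlaps {other}")
    return problems

if __name__ == "__main__":
    print(missing_rid_bases(EXISTING))
    # Constructed candidates: starting just past 200,999 still collides,
    # because the range holds 619,332,697 IDs.
    print(conflicts(EXISTING, "EDIPIs_id_range", 201000, 100200000))
    print(conflicts(EXISTING, "EDIPIs_id_range", 200000000, 1000000000))
```

Because the second range is so large, a RID base chosen right after the first block runs into the existing secondary block, so each candidate has to be checked as a whole interval and not only by its starting value.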