Hi all,

I recently attempted to add a replica running FreeIPA v4.9.6 to our domain, which consists
of two servers running FreeIPA v4.9.2. I was prompted to set a NetBIOS domain name. The
installation then failed with the error “Too many ID ranges.” In order to avoid needing to
delete ID ranges to accommodate the new replica, I removed the replica from FreeIPA and
reinstalled it with an earlier version (v4.9.2). Since then, users have been unable to
perform password-based authentication (tested with ssh & sudo).

"Preauthentication failed" errors have also been appearing in
/var/log/sssd/krb5_child.log on the server I've been attempting to log in to via ssh.

Does anyone know the root cause of this issue and/or a possible solution?

Repeated message in /var/log/sssd/sssd_example.org.log of the server I’ve been attempting
to ssh to:
(2022-04-12 8:29:34): [be[example.org]] [sysdb_range_create] (0x0040): Invalid range,
skipping. Expected that either the secondary base RID or the SID of the trusted domain is
set, but not both or none of them.

Our ID ranges:
[root@ipaserver ~]$ ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
dn: cn=example-freeipa-service-accounts,cn=ranges,cn=etc,dc=example,dc=org
cn: example-freeipa-service-accounts
ipabaseid: 900000
ipaidrangesize: 99999
iparangetype: ipa-local
objectclass: ipaIDrange
objectclass: ipadomainidrange
dn: cn=EXAMPLE.ORG_id_range,cn=ranges,cn=etc,dc=example,dc=org
cn: EXAMPLE.ORG_id_range
ipabaseid: 1014000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------
[root@ipaserver ~]$

Last ~100 lines from /var/log/ipareplica-install.log:
2022-04-01T16:55:16Z DEBUG Configuring SID generation
2022-04-01T16:55:16Z DEBUG [1/7]: creating samba domain object
2022-04-01T16:55:16Z DEBUG step duration: SID generation __create_samba_domain_object 0.02
sec
2022-04-01T16:55:16Z DEBUG [2/7]: adding admin(group) SIDs
2022-04-01T16:55:16Z DEBUG step duration: SID generation __add_admin_sids 0.01 sec
2022-04-01T16:55:16Z DEBUG [3/7]: adding RID bases
2022-04-01T16:55:16Z CRITICAL Found more than one local domain ID range with no RID base
set.
2022-04-01T16:55:16Z DEBUG Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 380, in __add_rid_bases
raise RuntimeError("Too many ID ranges\n")
RuntimeError: Too many ID ranges
2022-04-01T16:55:16Z DEBUG [error] RuntimeError: Too many ID ranges
2022-04-01T16:55:16Z DEBUG File
"/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in
run
return cfgr.run()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360,
in run
return self.execute()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386,
in execute
for rval in self._executor():
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in
run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655,
in _configure
next(executor)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431,
in __runner
exc_handler(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460,
in _handle_execute_exception
self._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518,
in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515,
in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450,
in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421,
in __runner
step()
File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418,
in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in
run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in
run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65,
in _install
for unused in self._installer(self.parent):
File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py",
line 603, in main
replica_install(self)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
line 401, in decorated
func(installer)
File
"/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py",
line 1371, in install
adtrust.install(False, options, fstore, api)
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line
483, in install
smb.create_instance()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 895, in create_instance
self.start_creation(show_service_name=False)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
635, in start_creation
run_step(full_msg, method)
File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line
621, in run_step
method()
File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py",
line 380, in __add_rid_bases
raise RuntimeError("Too many ID ranges\n")
2022-04-01T16:55:16Z DEBUG The ipa-replica-install command failed, exception:
RuntimeError: Too many ID ranges
2022-04-01T16:55:16Z ERROR Too many ID ranges
2022-04-01T16:55:16Z ERROR The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
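
Added example (not part of the original post, and not FreeIPA or SSSD code): a small Python check, modelled only on the wording of the two log messages above, that parses `ipa idrange-find --all --raw` output and lists the ranges each message would complain about. The attribute names `ipabaserid`, `ipasecondarybaserid` and `ipanttrusteddomainsid` do not appear in the post's output; they are assumed here to be the raw names of the RID base, secondary RID base and trusted-domain SID attributes.

```python
# Added example: conditions are taken from the log message texts in the post,
# not from the FreeIPA installer or SSSD sources.
# SAMPLE is the idrange-find output from the post, trimmed to the attributes used.
SAMPLE = """\
dn: cn=example-freeipa-service-accounts,cn=ranges,cn=etc,dc=example,dc=org
cn: example-freeipa-service-accounts
ipabaseid: 900000
ipaidrangesize: 99999
iparangetype: ipa-local
dn: cn=EXAMPLE.ORG_id_range,cn=ranges,cn=etc,dc=example,dc=org
cn: EXAMPLE.ORG_id_range
ipabaseid: 1014000
ipaidrangesize: 200000
iparangetype: ipa-local
"""


def parse_ranges(raw):
    """Split --raw output into one dict per entry; a 'dn:' line starts an entry."""
    entries = []
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # separator rows, shell prompts, "N ranges matched"
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            entries.append({})
        if entries:
            entries[-1].setdefault(key, value)  # first value wins (objectclass)
    return entries


def local_ranges_without_rid_base(entries):
    """Installer message: more than one of these aborts the 'adding RID bases' step."""
    return [e["cn"] for e in entries
            if e.get("iparangetype") == "ipa-local" and "ipabaserid" not in e]


def sid_or_secondary_rid_violations(entries):
    """SSSD message: exactly one of secondary base RID / trusted-domain SID expected."""
    # Assumed attribute names; equal presence means "both" or "none" are set.
    return [e["cn"] for e in entries
            if ("ipasecondarybaserid" in e) == ("ipanttrusteddomainsid" in e)]


if __name__ == "__main__":
    ranges = parse_ranges(SAMPLE)
    print("local ranges with no RID base:", local_ranges_without_rid_base(ranges))
    print("secondary RID / SID rule violated:", sid_or_secondary_rid_violations(ranges))
```

To check a live deployment, pass the captured text of `ipa idrange-find --all --raw` to `parse_ranges` instead of `SAMPLE`.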