On Mon, 21 Dec 2020, Mikhail Kiselev via FreeIPA-users wrote:
> I'm not able to add a range:
Yes, you cannot, because you are not following the explanation in
'ipa help idrange' and what I suggested. You need to design it
carefully.
> [root@ipa ~]# ipa idrange-add --base-id=1000 --range-size=1000 --rid-base=1000 --secondary-rid-base=1000000 magrated_range
You are attempting to create an ID range from 1000 to 2000.
> ipa: ERROR: Constraint violation: New base range overlaps with
> existing base range.
> [root@ipa ~]# ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
> Range name: E2E4.LOCAL_id_range
> First Posix ID of the range: 5
> Number of IDs in the range: 100000
> Domain SID of the trusted domain: S-1-5-21-585446347-204204591-2842534922
> Range type: Active Directory trust range with POSIX attributes
The range from 5 to 100000 has been already occupied by this ID range.
You cannot create an overlapping ID range object.
> Range name: OPENTECH.LOCAL_id_range
> First Posix ID of the range: 346600000
> Number of IDs in the range: 200000
> First RID of the corresponding RID range: 1000
> First RID of the secondary RID range: 100000000
> Range type: local domain range
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root@ipa ~]# ipa idrange-del E2E4.LOCAL_id_range
> ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects
> with ID out of the defined range is not allowed
You can manually check which IDs are in that range by looking at the
query in the directory server's access log and re-running it manually as
directory manager. When you run 'ipa idrange-del <range>', we do a check
that uses the range's values like this:
[21/Dec/2020:09:07:05.563137207 +0200] conn=345 op=4 SRCH
base="cn=accounts,dc=ipa1,dc=test" scope=2
filter="(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDObject))(|(&(uidNumber>=775400000)(uidNumber<=775599999))(&(gidNumber>=775400000)(gidNumber<=775599999))))"
attrs="uid cn"
so in your case it would be something like
(&(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDObject))(|(&(uidNumber>=5)(uidNumber<=100005))(&(gidNumber>=5)(gidNumber<=100005))))
Obviously, since you already migrated your old users/groups which have
UID/GID values in the range of (1000,2000), they would match the very
same LDAP filter and would be counted as belonging to the ID range you
are trying to remove, thus preventing you from removing the object.
> [root@ipa ~]# ipa trust-find
> ----------------
> 0 trusts matched
> ----------------
> ----------------------------
> Number of entries returned 0
> ----------------------------
If you don't already have the trust in place, you can remove the ID
object for E2E4.LOCAL_id_range with ldapdelete as cn=Directory Manager.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
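The two checks discussed in the reply above, modelled locally as an added example (this is not FreeIPA's own code and not from the thread): the overlap test that refused the idrange-add, and the LDAP filter that idrange-del runs before allowing deletion, evaluated over constructed sample entries with migrated UIDs in the 1000-2000 block. The inclusive upper bound is base_id + range_size - 1, as in the logged query (775400000..775599999).

```python
# Added example, not from the mailing-list thread or the FreeIPA code base.
# Models the overlap and "objects still in range" checks that 'ipa idrange-add'
# and 'ipa idrange-del' perform, using the ranges quoted in the thread.
from typing import Dict, List, Tuple

def id_bounds(base_id: int, range_size: int) -> Tuple[int, int]:
    """Inclusive POSIX ID bounds of a range: base .. base+size-1
    (the logged query for base 775400000 / size 200000 stops at 775599999)."""
    return base_id, base_id + range_size - 1

def ranges_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    """True when two (base_id, range_size) ranges share any POSIX ID."""
    a_lo, a_hi = id_bounds(*a)
    b_lo, b_hi = id_bounds(*b)
    return a_lo <= b_hi and b_lo <= a_hi

def idrange_del_filter(base_id: int, range_size: int) -> str:
    """Build the LDAP filter seen in the access log for an idrange-del check."""
    lo, hi = id_bounds(base_id, range_size)
    classes = "(|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDObject))"
    ids = (f"(|(&(uidNumber>={lo})(uidNumber<={hi}))"
           f"(&(gidNumber>={lo})(gidNumber<={hi})))")
    return f"(&{classes}{ids})"

def objects_in_range(entries: List[Dict], base_id: int, range_size: int) -> List[str]:
    """Evaluate the same condition locally over entries; returns matching names."""
    lo, hi = id_bounds(base_id, range_size)
    wanted = {"posixAccount", "posixGroup", "ipaIDObject"}
    hits = []
    for e in entries:
        if not wanted & set(e.get("objectClass", [])):
            continue
        if lo <= e.get("uidNumber", -1) <= hi or lo <= e.get("gidNumber", -1) <= hi:
            hits.append(e["name"])
    return hits

# Constructed sample data: migrated users whose UID/GID came from the old 1000-2000 block.
MIGRATED = [
    {"name": "alice", "objectClass": ["posixAccount"], "uidNumber": 1000, "gidNumber": 1000},
    {"name": "bob", "objectClass": ["posixAccount"], "uidNumber": 1999, "gidNumber": 1999},
    {"name": "admin", "objectClass": ["posixAccount"], "uidNumber": 346600000, "gidNumber": 346600000},
]
E2E4_RANGE = (5, 100000)        # E2E4.LOCAL_id_range from the thread
REQUESTED_RANGE = (1000, 1000)  # the idrange-add that was refused

if __name__ == "__main__":
    print(ranges_overlap(REQUESTED_RANGE, E2E4_RANGE))   # True: the add is refused
    print(objects_in_range(MIGRATED, *E2E4_RANGE))       # ['alice', 'bob']: the del is refused
    print(idrange_del_filter(*E2E4_RANGE))               # filter to re-run as Directory Manager
```

Running the generated filter against the directory as cn=Directory Manager lists exactly the entries that block the idrange-del; those entries must be moved into a non-overlapping range before the ID range object can be removed.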