On 07/10/2021 13:06, Florence Renaud wrote:
Hi,
The local domain range that is visible with /ipa idrange-find/ shows the IDs that IPA should use when it creates new users / new groups. That configuration is set for the whole topology, stored in the LDAP tree that is replicated across the servers (below /cn=ranges,cn=etc,$BASEDN/). If there are n servers, they need to agree on a split of the existing range, so that server1 and server2 do not create new entities with conflicting ids.

At the server level, each server assigns new IDs based on its local configuration stored in /cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config/ (=not replicated). This setting is called the DNA range (Distributed Numeric Assignment) and can be seen globally with the command /ipa-replica-manage dnarange-show/. The DNA ranges configured on each server must remain inside the local domain range, and must not overlap between the servers.

What is your current DNA range setting? It looks like one of your servers has a DNA range outside of the domain local range.
flo
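The two rules stated above (every DNA range inside the local domain range, no overlap between servers) can be checked mechanically. The following is an added example, not code from the thread or from FreeIPA itself: it parses the output of the two commands and reports violations. The sample output strings are constructed from the listings quoted in this thread; the function names are my own.

```python
# Sample command output, constructed from the listings quoted in this thread.
IDRANGE_FIND_OUTPUT = """\
  Range name: CCNR.CEB.PRIVATE.CAM.AC.UK_id_range
  First Posix ID of the range: 57400000
  Number of IDs in the range: 200000
  Range type: local domain range
"""
DNARANGE_SHOW_OUTPUT = """\
1: 1108-2000
2: No range set
3: No range set
"""

def parse_local_ranges(text):
    """[(first, last)] for every 'local domain range' entry in `ipa idrange-find` output."""
    ranges, first, count = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("First Posix ID of the range:"):
            first = int(line.split(":", 1)[1])
        elif line.startswith("Number of IDs in the range:"):
            count = int(line.split(":", 1)[1])
        elif line.startswith("Range type:"):
            if line.endswith("local domain range") and first is not None and count is not None:
                ranges.append((first, first + count - 1))
            first = count = None  # entry finished; start collecting the next one
    return ranges

def parse_dna_ranges(text):
    """{server: (first, last) or None} from `ipa-replica-manage dnarange-show` output."""
    dna = {}
    for line in text.splitlines():
        server, sep, value = (s.strip() for s in line.partition(":"))
        lo, dash, hi = value.partition("-")
        if sep:  # "No range set" has no dash and maps to None
            dna[server] = (int(lo), int(hi)) if dash and lo.isdigit() and hi.isdigit() else None
    return dna

def check_dna_ranges(local_ranges, dna):
    """Report DNA ranges that are missing, outside every local domain range, or overlapping."""
    problems = [f"{s}: no DNA range set" for s, r in sorted(dna.items()) if r is None]
    seen = []  # (server, (lo, hi)) already examined, for the pairwise overlap test
    for server, (lo, hi) in sorted((s, r) for s, r in dna.items() if r):
        if not any(a <= lo and hi <= b for a, b in local_ranges):
            problems.append(f"{server}: DNA range {lo}-{hi} is outside the local domain range")
        for other, (olo, ohi) in seen:
            if lo <= ohi and olo <= hi:
                problems.append(f"{server}: DNA range {lo}-{hi} overlaps {other} ({olo}-{ohi})")
        seen.append((server, (lo, hi)))
    return problems
```

Run against the outputs quoted in this thread it flags server 1 as outside the 57400000-57599999 range, which matches the uid 1107 the new user received.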
On Thu, Oct 7, 2021 at 10:56 AM lejeczek via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On 07/10/2021 08:54, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> I create new users - goes error-free seemingly - and
> integrated Samba does not see those. "Old" users are fine
> and one obvious, easy to spot thing is that new users lack
> 'ipantuserattrs'
> An old user:
> objectclass: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount,
> krbprincipalaux, krbticketpolicyaux,
> ipaobject, ipasshuser,
> ipaSshGroupOfPubKeys, mepOriginEntry,
> ipantuserattrs
> a new one:
> objectclass: top, person, organizationalperson,
> inetorgperson, inetuser, posixaccount,
> krbprincipalaux, krbticketpolicyaux,
> ipaobject, ipasshuser,
> ipaSshGroupOfPubKeys, mepOriginEntry
>
> is Samba integration broken and if yes then how to check
> and fix it?
>
>
Another thing I noticed, from the range:
-> $ ipa idrange-find
---------------
1 range matched
---------------
Range name: CCNR.CEB.PRIVATE.CAM.AC.UK_id_range
First Posix ID of the range: 57400000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
and a newly created user ends up with:
UID: 1107
GID: 1107
If I manually set 'uid' at creation time, to something from
that 'Posix' range, then 'ipantuserattrs' is present.
Can someone shed more light on what is happening there?
many thanks, L.
Seems like something is not healthy between the three masters.
-> $ ipa-replica-manage dnarange-show
1: 1108-2000
2: No range set
3: No range set
Is the next safe step to set those ranges manually with
'ipa-replica-manage' for each master?
many thanks, L.