Hi guys.
I create new users (seemingly error-free) and integrated Samba does not see them. "Old" users are fine, and one obvious, easy-to-spot thing is that new users lack 'ipantuserattrs'.
An old user:
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry, ipantuserattrs
A new one:
objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, ipasshuser, ipaSshGroupOfPubKeys, mepOriginEntry
Is the Samba integration broken, and if yes, how do I check and fix it?
many thanks, L.
On 07/10/2021 08:54, lejeczek via FreeIPA-users wrote:
[...]
One other thing I noticed, from the range:
-> $ ipa idrange-find
---------------
1 range matched
---------------
  Range name: CCNR.CEB.PRIVATE.CAM.AC.UK_id_range
  First Posix ID of the range: 57400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
A newly created user ends up with:
UID: 1107
GID: 1107
If I manually set 'uid' at creation time to something from that 'Posix' range, then 'ipantuserattrs' is present. Can someone shed more light on what is happening there?
many thanks, L.
Hi,
The local domain range that is visible with *ipa idrange-find* shows the IDs that IPA should use when it creates new users / new groups. That configuration is set for the whole topology, stored in the LDAP tree that is replicated across the servers (below *cn=ranges,cn=etc,$BASEDN*). If there are n servers, they need to agree on a split of the existing range, so that server1 and server2 do not create new entities with conflicting IDs.

At the server level, each server assigns new IDs based on its local configuration stored in *cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config* (not replicated). This setting is called the DNA range (Distributed Numeric Assignment) and can be seen globally with the command *ipa-replica-manage dnarange-show*. The DNA ranges configured on each server must remain inside the local domain range, and must not overlap between the servers.
What is your current DNA range setting? It looks like one of your servers has a DNA range outside of the domain local range.
flo
On Thu, Oct 7, 2021 at 10:56 AM lejeczek via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
[...]
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Thu, 07 Oct 2021, Florence Renaud via FreeIPA-users wrote:
[...]
I wrote a script some time ago that visualizes the differences between DNA ranges, ID ranges, and user/group objects.
See https://gist.github.com/abbra/33f5ac59c5cae750ecdb3974978d9cec for details. Here is how to run it on an IPA server:
# kinit admin
# ipa -e in_server=True console sync-ranges.py
It works with python3-based FreeIPA 4.8+.
On 07/10/2021 13:06, Florence Renaud wrote:
[...]
What is your current DNA range setting? It looks like one of your servers has a DNA range outside of the domain local range.
Seems like something is not healthy between the three masters.
-> $ ipa-replica-manage dnarange-show
1: 1108-2000
2: No range set
3: No range set
Is the next safe step to set those ranges manually with 'ipa-replica-manage' for each master?
many thanks, L.
On Thu, 07 Oct 2021, lejeczek via FreeIPA-users wrote:
[...]
Looks like something you did caused the DNA range to be set to a wrong value compared to the ID range for this deployment. You need to fix the DNA range on the first replica to be consistent with your ID range.
You can also add a separate local ID range to cover 1108-2000, so that the IDs already issued would fit into it, and then SIDs could be generated for those users.
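Added example, not code from the thread, from the gist linked above, or from the FreeIPA project: a small offline checker that applies the rules explained in this thread. It parses the text output of the two commands discussed (`ipa idrange-find` and `ipa-replica-manage dnarange-show`), reports any DNA range that falls outside a local domain range, any overlap between masters, and any master with no DNA range; tells you whether a given POSIX ID is covered by any ID range at all (the case behind the missing `ipantuserattrs`, since no SID is generated for an ID outside every range); and prints the two remedies from the last reply as commands, a non-overlapping `dnarange-set` split of the existing range and an `idrange-add` for an extra local range covering IDs already handed out. The host names `ipa1..ipa3.example.test`, the sample outputs and the list of already-issued IDs are constructed from the figures quoted in the thread, not taken from a real deployment; the `idrange-add` option names are the ones in the `ipa idrange-add` help on recent releases, so verify them against your version before running anything. The script changes nothing itself; it only prints proposals.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed samples in the shape of the two commands' output: figures as quoted in the
# thread, hypothetical host names in place of the "1:", "2:", "3:" the poster showed.
IDRANGE_FIND_OUTPUT = """\
  Range name: CCNR.CEB.PRIVATE.CAM.AC.UK_id_range
  First Posix ID of the range: 57400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
Number of entries returned 1
"""
DNARANGE_SHOW_OUTPUT = """\
ipa1.example.test: 1108-2000
ipa2.example.test: No range set
ipa3.example.test: No range set
"""

@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int
    size: int
    rid_base: int
    secondary_rid_base: int
    range_type: str

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1

def _build(f: Dict[str, str]) -> IdRange:
    def n(key: str) -> int: return int(f.get(key, 0))  # RID fields are absent on trust ranges
    return IdRange(f["Range name"], n("First Posix ID of the range"), n("Number of IDs in the range"),
                   n("First RID of the corresponding RID range"), n("First RID of the secondary RID range"),
                   f.get("Range type", ""))

def parse_idranges(text: str) -> List[IdRange]:
    """Group the 'Key: value' lines of `ipa idrange-find` into one IdRange per entry."""
    ranges, fields = [], {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*):\s*(.+?)\s*$", line)
        if m:  # separator lines and the entry count carry no field and are skipped
            key, value = m.group(1).strip(), m.group(2)
            if key == "Range name" and "Range name" in fields:  # next entry begins
                ranges.append(_build(fields))
                fields = {}
            fields[key] = value
    if "Range name" in fields:
        ranges.append(_build(fields))
    return ranges

def parse_dnaranges(text: str) -> Dict[str, Optional[Tuple[int, int]]]:
    """`ipa-replica-manage dnarange-show`: one 'master: START-END' or 'master: No range set' per line."""
    out: Dict[str, Optional[Tuple[int, int]]] = {}
    for line in text.splitlines():
        server, sep, value = line.partition(":")
        if sep:
            m = re.match(r"\s*(\d+)-(\d+)\s*$", value)
            out[server.strip()] = (int(m.group(1)), int(m.group(2))) if m else None
    return out

def check_ranges(idranges: List[IdRange], dna: Dict[str, Optional[Tuple[int, int]]]) -> List[str]:
    """The thread's two rules (DNA range inside a local domain range, no overlap) plus masters with no range."""
    local = [r for r in idranges if r.range_type == "local domain range"]
    findings: List[str] = []
    for server, rng in dna.items():
        if rng is None:
            findings.append(f"{server}: no DNA range set")
        elif not any(r.base_id <= rng[0] and rng[1] <= r.last_id for r in local):
            findings.append(f"{server}: DNA range {rng[0]}-{rng[1]} is outside every local domain range")
    assigned = [(s, r) for s, r in dna.items() if r]
    for i, (s1, (a1, b1)) in enumerate(assigned):
        for s2, (a2, b2) in assigned[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                findings.append(f"{s1} and {s2}: DNA ranges {a1}-{b1} and {a2}-{b2} overlap")
    return findings

def range_for_id(posix_id: int, idranges: List[IdRange]) -> Optional[IdRange]:
    """Range covering posix_id; None is the thread's symptom (no SID, hence no ipantuserattrs)."""
    return next((r for r in idranges if r.base_id <= posix_id <= r.last_id), None)

def split_dna_ranges(idrange: IdRange, servers: List[str]) -> Dict[str, Tuple[int, int]]:
    """Equal, non-overlapping slices of one local domain range, one per master, for dnarange-set."""
    chunk, plan = idrange.size // len(servers), {}
    for i, server in enumerate(servers):
        start = idrange.base_id + i * chunk
        plan[server] = (start, idrange.last_id if i == len(servers) - 1 else start + chunk - 1)
    return plan

def legacy_range_command(issued_ids: List[int], idranges: List[IdRange]) -> str:
    """Extra local range covering only IDs already issued; RID bases go past the highest existing ones."""
    base, size = min(issued_ids), max(issued_ids) - min(issued_ids) + 1
    rid_base = max(r.rid_base + r.size for r in idranges)
    sec_base = max(r.secondary_rid_base + r.size for r in idranges)
    return (f"ipa idrange-add legacy_low_ids --base-id={base} --range-size={size} "
            f"--rid-base={rid_base} --secondary-rid-base={sec_base}")

if __name__ == "__main__":
    idr, dna = parse_idranges(IDRANGE_FIND_OUTPUT), parse_dnaranges(DNARANGE_SHOW_OUTPUT)
    print("\n".join(check_ranges(idr, dna)))
    print("UID 1107 covered by:", range_for_id(1107, idr))
    for server, (a, b) in split_dna_ranges(idr[0], sorted(dna)).items():
        print(f"ipa-replica-manage dnarange-set {server} {a}-{b}")
    print(legacy_range_command([1100, 1101, 1107], idr))  # constructed list of already-issued IDs
```

On a real server, replace the two constants with the captured output of the two commands (as admin) and pass the UIDs of the affected users to `range_for_id`; for the sample data the three findings are exactly the thread's situation (one master with a DNA range below the 57400000 base, two with none). The split and the extra range are proposals to review, not to apply blindly: an equal split is only one valid layout, the extra range must not overlap any existing POSIX or RID range, and the gist script above remains the authoritative tool for the whole picture, including existing user and group objects.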