Hi folks,
still trying to migrate from Centos7 to 8 I get an error message from ipa-replica-install on the first CentOS 8 host saying
: Finalize replication settings
Restarting the KDC
Configuring SID generation
  [1/7]: creating samba domain object
  Samba domain object already exists
  [2/7]: adding admin(group) SIDs
  Admin SID already set, nothing to do
  Admin group SID already set, nothing to do
  [3/7]: adding RID bases
  Found more than one local domain ID range with no RID base set.
  [error] RuntimeError: Too many ID ranges
Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
The existing servers running CentOS 7 show a huge set of irritating error messages in their ipareplica-install.log, e.g.
[01/Jul/2023:14:28:21.640127492 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:21.643664115 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:28.521873989 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:28.533330535 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:28.586507750 +0200] - ERR - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389) - Replication bind with GSSAPI auth failed: LDAP error 49 (Invalid credentials) ()
[01/Jul/2023:14:28:28.592028265 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:28.596813608 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:28.634530928 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
[01/Jul/2023:14:28:29.734133911 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=meToipaca8.example.com" (ipaca8:389)".
[01/Jul/2023:14:28:29.879962503 +0200] - ERR - NSMMReplicationPlugin - check_flow_control_tot_init - agmt="cn=meToipaca8.example.com" (ipaca8:389) - Total update flow control gives time (2000 msec) to the consumer before sending more entries [ msgid sent: 1273, rcv: 272]) If total update fails you can try to increase nsds5ReplicaFlowControlPause and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement configuration
[01/Jul/2023:14:28:37.172991476 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=meToipaca8.example.com" (ipaca8:389)". Sent 2450 entries.
[01/Jul/2023:14:28:37.184680247 +0200] - ERR - NSMMReplicationPlugin - agmt="cn=meToipaca8.example.com" (ipaca8:389): Total update flow control triggered 2 times You may increase nsds5ReplicaFlowControlPause and/or decrease nsds5ReplicaFlowControlWindow in the replica agreement configuration
[01/Jul/2023:14:28:39.292861041 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:28:42.238638987 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:28:45.252557867 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:28:48.099823076 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:28:51.115124375 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:28:54.569369909 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:28:55.372406568 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:55.375939992 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:55.401821331 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:28:55.405166233 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:28:57.163613285 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:29:00.163149244 +0200] - ERR - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to acquire replica: permission denied. The bind dn "" does not have permission to supply replication updates to the replica. Will retry later.
[01/Jul/2023:14:29:03.169779479 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[01/Jul/2023:14:29:06.194564448 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
[01/Jul/2023:14:29:12.781739365 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[01/Jul/2023:14:29:15.828272021 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
[01/Jul/2023:14:29:22.331677615 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:22.336648109 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:22.381929587 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:22.385856628 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:39.014631450 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:39.018564522 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:39.060413149 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:39.063778450 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:57.610268113 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:57.641460597 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:29:57.646901146 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:57.650273580 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:29:57.966813928 +0200] - WARN - NSMMReplicationPlugin - repl5_inc_run - agmt="cn=caToipaca8.example.com" (ipaca8:389): The remote replica has a different database generation ID than the local database. You may have to reinitialize the remote replica, or the local replica.
[01/Jul/2023:14:29:58.254056287 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Beginning total update of replica "agmt="cn=caToipaca8.example.com" (ipaca8:389)".
[01/Jul/2023:14:30:07.529903162 +0200] - INFO - NSMMReplicationPlugin - repl5_tot_run - Finished total update of replica "agmt="cn=caToipaca8.example.com" (ipaca8:389)". Sent 812 entries.
[01/Jul/2023:14:30:21.240947781 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:30:21.258555098 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:30:21.265646281 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:30:21.269315594 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:30:30.822736296 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:30:30.826194504 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:31:23.431259302 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:31:23.434660242 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:31:23.460663707 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:31:23.463998899 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:31:27.728622122 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:31:27.731885674 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:32:21.101350084 +0200] - ERR - NSMMReplicationPlugin - release_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Attempting to release replica, but unable to receive endReplication extended operation response from the replica. Error -1 (Can't contact LDAP server)
[01/Jul/2023:14:32:24.721580643 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
[01/Jul/2023:14:32:36.926940968 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=caToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[01/Jul/2023:14:32:37.826884159 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:32:37.832202241 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:32:37.849761419 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[01/Jul/2023:14:32:37.853061285 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
[01/Jul/2023:14:32:43.233314167 +0200] - WARN - NSMMReplicationPlugin - acquire_replica - agmt="cn=meToipaca8.example.com" (ipaca8:389): Unable to receive the response for a startReplication extended operation to consumer (Can't contact LDAP server). Will retry later.
[01/Jul/2023:14:33:00.770698631 +0200] - ERR - repl_version_plugin_recv_acquire_cb - [file ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing replication. This server: "20100614120000" remote server: "(null)".
[01/Jul/2023:14:33:01.189340299 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=meToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
[01/Jul/2023:14:33:21.446637163 +0200] - INFO - NSMMReplicationPlugin - bind_and_check_pwp - agmt="cn=caToipaca8.example.com" (ipaca8:389): Replication bind with GSSAPI auth resumed
Looking at this I don't have the impression that FreeIPA 4.6.8 (CentOS7) and 4.9.11 (CentOS8) work very well together. Especially I am concerned about the "Failed to convert LDAP entry to range struct". That seems to be exactly the item causing all that trouble.
Just to be sure, I had increased the domainlevel to 1, as recommended in the migration guidelines:
[root@ipa1 ~]# ipa domainlevel-get
-----------------------
Current domain level: 1
-----------------------
Trying to manually set the base RID on CentOS7 I get:
[root@ipa1 ~]# ipa idrange-find --raw
----------------
3 ranges matched
----------------
  cn: EXAMPLE.COM_id_range
  ipabaseid: 379400000
  ipaidrangesize: 200000
  iparangetype: ipa-local

  cn: EXAMPLE.COM_posix
  ipabaseid: 1000
  ipaidrangesize: 99000
  iparangetype: ipa-local

  cn: EXAMPLE.COM_subid_range
  ipabaseid: 2147483648
  ipaidrangesize: 2147352576
  ipabaserid: 2147283648
  ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
  iparangetype: ipa-ad-trust
----------------------------
Number of entries returned 3
----------------------------
[root@ipa1 ~]# ipa idrange-mod --rid-base=1000 EXAMPLE.COM_posix
ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information
Some doc on the net recommended to try setting the missing Base RID using ldapmodify. Won't that put my existing CentOS 7 hosts at risk?
How can I get out of this nightmare? Every helpful comment is highly appreciated
Harri
PS: Of course it is Rocky8.
On Sat, Jul 01, 2023 at 03:08:51PM +0200, Harald Dunkel via FreeIPA-users wrote:
> Hi folks,
>
> still trying to migrate from Centos7 to 8 I get an error message from ipa-replica-install on the first CentOS 8 host saying
>
> : Finalize replication settings
> Restarting the KDC
> Configuring SID generation
>   [1/7]: creating samba domain object
>   Samba domain object already exists
>   [2/7]: adding admin(group) SIDs
>   Admin SID already set, nothing to do
>   Admin group SID already set, nothing to do
>   [3/7]: adding RID bases
>   Found more than one local domain ID range with no RID base set.
>   [error] RuntimeError: Too many ID ranges
>
> Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> Too many ID ranges
> The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> The existing servers running CentOS 7 show a huge set of irritating error messages in their ipareplica-install.log, e.g.
> [...]
> Looking at this I don't have the impression that FreeIPA 4.6.8 (CentOS7) and 4.9.11 (CentOS8) work very well together. Especially I am concerned about the "Failed to convert LDAP entry to range struct". That seems to be exactly the item causing all that trouble.
Hi,
those errors are most probably caused by the missing RID bases.
> Just to be sure, I had increased the domainlevel to 1, as recommended in the migration guidelines:
>
> [root@ipa1 ~]# ipa domainlevel-get
> -----------------------
> Current domain level: 1
> -----------------------
>
> Trying to manually set the base RID on CentOS7 I get:
>
> [root@ipa1 ~]# ipa idrange-find --raw
> ----------------
> 3 ranges matched
> ----------------
>   cn: EXAMPLE.COM_id_range
>   ipabaseid: 379400000
>   ipaidrangesize: 200000
>   iparangetype: ipa-local
>
>   cn: EXAMPLE.COM_posix
>   ipabaseid: 1000
>   ipaidrangesize: 99000
>   iparangetype: ipa-local
>
>   cn: EXAMPLE.COM_subid_range
>   ipabaseid: 2147483648
>   ipaidrangesize: 2147352576
>   ipabaserid: 2147283648
>   ipanttrusteddomainsid: S-1-5-21-738065-838566-194929194
>   iparangetype: ipa-ad-trust
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> [root@ipa1 ~]# ipa idrange-mod --rid-base=1000 EXAMPLE.COM_posix
> ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information
>
> Some doc on the net recommended to try setting the missing Base RID using ldapmodify. Won't that put my existing CentOS 7 hosts at risk?
A proper backup is always recommended when doing such kind of operations. Adding the RID bases with ldapmodify should for a start have no additional effects. Only when you start to add new users the sidgen plugin might now start to add a SID to the new users.
For the existing users you have to start a sidgen task manually. This might even be required for the migration because recent versions of IPA require a SID for IPA users even if there is no trust to AD.
bye, Sumit
> How can I get out of this nightmare? Every helpful comment is highly appreciated
>
> Harri
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
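As an added example (not code from the thread and not FreeIPA's own tooling), the script below builds the ldapmodify input for the two steps Sumit's answer describes: an LDIF that adds ipaBaseRID and ipaSecondaryBaseRID to each ipa-local range that has none, and the entry that starts the sidgen task so existing users and groups get a SID. Before emitting anything it checks that the chosen RID blocks are pairwise disjoint, because overlapping blocks would let the plugin hand the same SID to two objects. The suffix dc=example,dc=com and the range names and sizes are taken from Harri's idrange-find output; 1000/100000000 are the values ipa-adtrust-install uses for the first local range, and 300000/100300000 for the second range are hypothetical choices.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Builds the ldapmodify
# input for the repair Sumit describes: give every local ID range a RID base
# (ipaBaseRID / ipaSecondaryBaseRID), then run the sidgen task once so existing
# users and groups get a SID. Assumptions: suffix dc=example,dc=com and the
# range names/sizes from Harri's `ipa idrange-find --raw` output; the RID values
# for the second range (300000 / 100300000) are hypothetical choices.

SUFFIX="dc=example,dc=com"

# rid_ranges_overlap START_A SIZE_A START_B SIZE_B -> 0 if the two RID blocks overlap
rid_ranges_overlap() {
    a_end=$(( $1 + $2 - 1 ))
    b_end=$(( $3 + $4 - 1 ))
    [ "$1" -le "$b_end" ] && [ "$3" -le "$a_end" ]
}

# check_rid_layout BASE:SECONDARY:SIZE ...  (one argument per local range)
# Each range claims two RID blocks of SIZE RIDs, one at BASE and one at
# SECONDARY. Returns 0 when all blocks are pairwise disjoint, 1 otherwise;
# overlapping blocks would let sidgen assign the same SID to two objects.
check_rid_layout() {
    blocks=""
    for spec in "$@"; do
        base=${spec%%:*}
        rest=${spec#*:}
        sec=${rest%%:*}
        size=${rest#*:}
        blocks="$blocks $base:$size $sec:$size"
    done
    i=0
    for a in $blocks; do
        i=$(( i + 1 ))
        j=0
        for b in $blocks; do
            j=$(( j + 1 ))
            [ "$j" -le "$i" ] && continue
            if rid_ranges_overlap "${a%%:*}" "${a#*:}" "${b%%:*}" "${b#*:}"; then
                return 1
            fi
        done
    done
    return 0
}

# rid_base_ldif RANGE_CN BASE_RID SECONDARY_BASE_RID
# Uses "add:" rather than "replace:" on purpose: ldapmodify then fails loudly
# instead of silently changing a range that already carries a RID base.
rid_base_ldif() {
    printf 'dn: cn=%s,cn=ranges,cn=etc,%s\n' "$1" "$SUFFIX"
    printf 'changetype: modify\n'
    printf 'add: ipaBaseRID\nipaBaseRID: %s\n-\n' "$2"
    printf 'add: ipaSecondaryBaseRID\nipaSecondaryBaseRID: %s\n\n' "$3"
}

# sidgen_task_ldif: one-shot task entry that makes the ipa-sidgen plugin assign
# a SID to every existing user and group below the suffix.
sidgen_task_ldif() {
    printf 'dn: cn=sidgen,cn=ipa-sidgen-task,cn=tasks,cn=config\n'
    printf 'changetype: add\nobjectClass: top\nobjectClass: extensibleObject\n'
    printf 'cn: sidgen\nnsslapd-basedn: %s\ndelay: 0\n' "$SUFFIX"
}

# Only the two ipa-local ranges need RID bases; EXAMPLE.COM_subid_range already
# has one and is of type ipa-ad-trust. 1000/100000000 are the values
# ipa-adtrust-install uses for the first local range; the second range is
# placed after it so that all four blocks stay disjoint.
if check_rid_layout 1000:100000000:200000 300000:100300000:99000; then
    rid_base_ldif EXAMPLE.COM_id_range 1000 100000000
    rid_base_ldif EXAMPLE.COM_posix 300000 100300000
    sidgen_task_ldif
else
    echo "RID blocks overlap, refusing to emit LDIF" >&2
    exit 1
fi
```

Take the backup Sumit mentions first (`ipa-backup`), then feed the output to one server as Directory Manager, e.g. `sh rid-fix.sh | ldapmodify -x -H ldap://ipa1.example.com -D "cn=Directory Manager" -W` (hostname and file name assumed). Afterwards `ipa idrange-show EXAMPLE.COM_posix --raw` should list ipabaserid, and `ipa user-show admin --all --raw | grep -i ipantsecurityidentifier` shows whether the task has assigned a SID. Because the script only emits `add:` changes, a range that unexpectedly already has a RID base makes ldapmodify stop with an error rather than overwrite it.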
Hi Sumit,
On 2023-07-03 09:57:53, Sumit Bose via FreeIPA-users wrote:
> A proper backup is always recommended when doing such kind of operations. Adding the RID bases with ldapmodify should for a start have no additional effects. Only when you start to add new users the sidgen plugin might now start to add a SID to the new users.
>
> For the existing users you have to start a sidgen task manually. This might even be required for the migration because recent versions of IPA require a SID for IPA users even if there is no trust to AD.
Would you recommend to run this sidgen task on CentOS 7 using old FreeIPA 4.6.8-5, as a preparation for the migration? I'd love to move all obstacles out of the way before connecting a newer FreeIPA replica based on Rocky 8.
Regards
Harri