Satish Patel wrote:
> Hi Rob,
> Thank you for helping me out with this. A little confused here so let me
> ask you. You are saying I don't have the "ipabaserid:" attribute set on two
> ranges and that is what I need to set, correct?

Yes.

> Curious why this is happening now and not before? I am running this ldap
> the last 5 years and had no issues. Do you think this is a new version of
> freeIPA issue?

Yes. All users require a SID now in order to mitigate a security issue.

> Do you have any command to set that for the other two ranges? And what
> number should I use?

It's all in the referenced e-mail threads. There are more, in fact, in
the freeipa-users archives if you want.

rob
On Fri, May 10, 2024 at 11:40 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Satish Patel wrote:
> Hi Rob,
>
> You are saying I have "3 ranges matched" but technically we only need "1
> range". Sorry, I am a little new to freeIPA terms and not sure about what
> to do to fix this issue?

You have two ranges without a RID base. You need to set one for at least
EXAMPLE.COM_id_range and likely for the other as well once you upgrade
to RHEL 9.

rob
>
> On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Folks,
> >
> > I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
> > CentOS7 and am trying to add a replica on RockyLinux 8.3.
> >
> > I am stuck here and not sure what it's actually trying to say and how to
> > fix it?
> >
> > [1/4]: Generating ipa-custodia config file
> > [2/4]: Generating ipa-custodia keys
> > [3/4]: starting ipa-custodia
> > [4/4]: configuring ipa-custodia to start on boot
> > Done configuring ipa-custodia.
> > Configuring certificate server (pki-tomcatd)
> > [1/2]: configure certmonger for renewals
> > [2/2]: Importing RA key
> > Done configuring certificate server (pki-tomcatd).
> > Configuring Kerberos KDC (krb5kdc)
> > [1/1]: installing X509 Certificate for PKINIT
> > PKINIT certificate request failed: Certificate issuance failed
> > (CA_UNREACHABLE: Server at
> > https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
> > retry: 4035 (Request failed with status 400: Non-2xx response from CA
> > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
> > Failed to configure PKINIT
> > Full PKINIT configuration did not succeed
> > The setup will only install bits essential to the server functionality
> > You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
> > Done configuring Kerberos KDC (krb5kdc).
> > Applying LDAP updates
> > Upgrading IPA:. Estimated time: 1 minute 30 seconds
> > [1/10]: stopping directory server
> > [2/10]: saving configuration
> > [3/10]: disabling listeners
> > [4/10]: enabling DS global lock
> > [5/10]: disabling Schema Compat
> > [6/10]: starting directory server
> > [7/10]: upgrading server
> > Could not get dnaHostname entries in 60 seconds
> > [8/10]: stopping directory server
> > [9/10]: restoring configuration
> > [10/10]: starting directory server
> > Done.
> > Finalize replication settings
> > Restarting the KDC
> > Configuring SID generation
> > [1/7]: creating samba domain object
> > [2/7]: adding admin(group) SIDs
> > [3/7]: adding RID bases
> > Found more than one local domain ID range with no RID base set.
> > [error] RuntimeError: Too many ID ranges
> >
> > Your system may be partly configured.
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> > Too many ID ranges
> >
> > The ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for more information
> >
> > # ipa idrange-find --all --raw
> > ----------------
> > 3 ranges matched
> > ----------------
> > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
> > cn: EXAMPLE.COM_id_range
> > ipabaseid: 1000
> > ipaidrangesize: 200000
> > iparangetype: ipa-local
> > objectclass: top
> > objectclass: ipaIDrange
> > objectclass: ipaDomainIDRange
> >
> > dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
> > cn: EXAMPLE.COM_subid_range
> > ipabaseid: 2147483648
> > ipaidrangesize: 2147352576
> > ipabaserid: 2147283648
> > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
> > iparangetype: ipa-ad-trust
> > objectclass: top
> > objectclass: ipaIDrange
> > objectclass: ipaTrustedADDomainRange
> >
> > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
> > cn: EXAMPLE_OLD_USERS
> > ipabaseid: 500
> > ipaidrangesize: 500
> > iparangetype: ipa-local
> > objectclass: ipadomainidrange
> > objectclass: ipaIDrange
> > ----------------------------
> > Number of entries returned 3
> > ----------------------------
>
> Only one range without a RID base is allowed. See
> https://pagure.io/freeipa/issue/9076
>
> rob
>
>
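Added example, not from this thread or from FreeIPA itself: a small Python checker that reproduces the "more than one local domain ID range with no RID base set" condition from `ipa idrange-find --all --raw` output and proposes RID bases that do not overlap any range already holding one. The listing is constructed to mirror the three ranges above; the starting points 1000 and 100000000 are assumed (the installer's defaults), and the function and parameter names are mine.

```python
# Constructed listing mirroring the thread's three ranges (objectclass lines omitted).
SAMPLE = """\
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
ipaidrangesize: 200000
iparangetype: ipa-local
dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
ipaidrangesize: 2147352576
ipabaserid: 2147283648
iparangetype: ipa-ad-trust
dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
ipaidrangesize: 500
iparangetype: ipa-local
"""

def parse_ranges(raw):
    """Turn `ipa idrange-find --raw` output into one dict per dn, keys lowercased."""
    ranges, cur = [], None
    for line in raw.splitlines():
        key, _, val = line.strip().partition(": ")
        if not val: continue
        if key.lower() == "dn":
            # the range name is the leading cn=NAME component of the dn
            ranges.append(cur := {"cn": val.split(",")[0].split("=", 1)[1]})
        elif cur is not None:
            cur[key.lower()] = int(val) if val.isdigit() else val
    return ranges

def needs_rid_base(r):
    """An ipa-local range without ipabaserid; two or more of these abort SID generation."""
    return r["iparangetype"] == "ipa-local" and "ipabaserid" not in r

def propose_rid_base(size, taken, base):
    """Bump base past every taken [lo, hi) interval that [base, base+size) overlaps."""
    for lo, hi in sorted(taken):
        if base < hi and base + size > lo:
            base = hi
    return base

def suggest_fix(ranges, primary_start=1000, secondary_start=100000000):
    """(rid_base, secondary_rid_base) per offending range; starts are installer defaults (assumption)."""
    taken = [(r[k], r[k] + r["ipaidrangesize"]) for r in ranges
             for k in ("ipabaserid", "ipasecondarybaserid") if k in r]
    fixes = {}
    for r in filter(needs_rid_base, ranges):
        size = r["ipaidrangesize"]
        primary = propose_rid_base(size, taken, primary_start)
        taken.append((primary, primary + size))
        secondary = propose_rid_base(size, taken, secondary_start)
        taken.append((secondary, secondary + size))
        fixes[r["cn"]] = (primary, secondary)
    return fixes
```

Feed the real `ipa idrange-find --all --raw` output to parse_ranges and the proposed pair becomes the `--rid-base` / `--secondary-rid-base` values for `ipa idrange-mod` on each flagged range (that command is not quoted in the thread; check the proposal against the linked issue before applying it).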