6:17 p.m.
Folks,
I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
CentOS7 and trying to add replica of RockyLinux 8.3
I am stuck here and not sure what it's actually trying to say and how to
fix it?
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed
(CA_UNREACHABLE: Server at
https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
retry: 4035 (Request failed with status 400: Non-2xx response from CA REST
API: 400. Profile KDCs_PKINIT_Certs Not Found).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/7]: creating samba domain object
[2/7]: adding admin(group) SIDs
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See /var/log/ipareplica-install.log
for more information
# ipa idrange-find --all --raw
----------------
3 ranges matched
----------------
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_id_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE_OLD_USERS
ipabaseid: 500
ipaidrangesize: 500
iparangetype: ipa-local
objectclass: ipadomainidrange
objectclass: ipaIDrange
----------------------------
Number of entries returned 3
----------------------------
7:41 a.m.
Satish Patel via FreeIPA-users wrote:
Folks,
I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
CentOS7 and trying to add replica of RockyLinux 8.3
I am stuck here and not sure what it's actually trying to say and how to
fix it?
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
PKINIT certificate request failed: Certificate issuance failed
(CA_UNREACHABLE: Server at
https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
retry: 4035 (Request failed with status 400: Non-2xx response from CA
REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
Failed to configure PKINIT
Full PKINIT configuration did not succeed
The setup will only install bits essential to the server functionality
You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
Could not get dnaHostname entries in 60 seconds
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
Configuring SID generation
[1/7]: creating samba domain object
[2/7]: adding admin(group) SIDs
[3/7]: adding RID bases
Found more than one local domain ID range with no RID base set.
[error] RuntimeError: Too many ID ranges
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
Too many ID ranges
The ipa-replica-install command failed. See
/var/log/ipareplica-install.log for more information
# ipa idrange-find --all --raw
----------------
3 ranges matched
----------------
dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_id_range
ipabaseid: 1000
ipaidrangesize: 200000
iparangetype: ipa-local
objectclass: top
objectclass: ipaIDrange
objectclass: ipaDomainIDRange
dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE.COM_subid_range
ipabaseid: 2147483648
ipaidrangesize: 2147352576
ipabaserid: 2147283648
ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
iparangetype: ipa-ad-trust
objectclass: top
objectclass: ipaIDrange
objectclass: ipaTrustedADDomainRange
dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
cn: EXAMPLE_OLD_USERS
ipabaseid: 500
ipaidrangesize: 500
iparangetype: ipa-local
objectclass: ipadomainidrange
objectclass: ipaIDrange
----------------------------
Number of entries returned 3
----------------------------
Only one range without a RID base is allowed. See
https://pagure.io/freeipa/issue/9076
rob
9:09 a.m.
Hi Rob,
You are saying I have "3 ranges matched" but technically we only need "1
range". Sorry I am little new to freeIPA terms and not sure about what to
do to fix this issue?
On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Satish Patel via FreeIPA-users wrote:
> Folks,
>
> I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
> CentOS7 and trying to add replica of RockyLinux 8.3
>
> I am stuck here and not sure what it's actually trying to say and how to
> fix it?
>
> [1/4]: Generating ipa-custodia config file
>
> [2/4]: Generating ipa-custodia keys
>
> [3/4]: starting ipa-custodia
>
> [4/4]: configuring ipa-custodia to start on boot
>
> Done configuring ipa-custodia.
>
> Configuring certificate server (pki-tomcatd)
>
> [1/2]: configure certmonger for renewals
>
> [2/2]: Importing RA key
>
> Done configuring certificate server (pki-tomcatd).
>
> Configuring Kerberos KDC (krb5kdc)
>
> [1/1]: installing X509 Certificate for PKINIT
>
> PKINIT certificate request failed: Certificate issuance failed
> (CA_UNREACHABLE: Server at
> https://ldap-vx-010103-2.site5.example.com/ipa/json failed request, will
> retry: 4035 (Request failed with status 400: Non-2xx response from CA
> REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
>
> Failed to configure PKINIT
>
> Full PKINIT configuration did not succeed
>
> The setup will only install bits essential to the server functionality
>
> You can enable PKINIT after the setup completed using 'ipa-pkinit-manage'
>
> Done configuring Kerberos KDC (krb5kdc).
>
> Applying LDAP updates
>
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>
> [1/10]: stopping directory server
>
> [2/10]: saving configuration
>
> [3/10]: disabling listeners
>
> [4/10]: enabling DS global lock
>
> [5/10]: disabling Schema Compat
>
> [6/10]: starting directory server
>
> [7/10]: upgrading server
>
> Could not get dnaHostname entries in 60 seconds
>
> [8/10]: stopping directory server
>
> [9/10]: restoring configuration
>
> [10/10]: starting directory server
>
> Done.
>
> Finalize replication settings
>
> Restarting the KDC
>
> Configuring SID generation
>
> [1/7]: creating samba domain object
>
> [2/7]: adding admin(group) SIDs
>
> [3/7]: adding RID bases
>
> Found more than one local domain ID range with no RID base set.
>
> [error] RuntimeError: Too many ID ranges
>
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> Too many ID ranges
>
>
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
>
>
>
>
> # ipa idrange-find --all --raw
>
> ----------------
>
> 3 ranges matched
>
> ----------------
>
> dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>
> cn: EXAMPLE.COM_id_range
>
> ipabaseid: 1000
>
> ipaidrangesize: 200000
>
> iparangetype: ipa-local
>
> objectclass: top
>
> objectclass: ipaIDrange
>
> objectclass: ipaDomainIDRange
>
>
> dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
>
> cn: EXAMPLE.COM_subid_range
>
> ipabaseid: 2147483648
>
> ipaidrangesize: 2147352576
>
> ipabaserid: 2147283648
>
> ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
>
> iparangetype: ipa-ad-trust
>
> objectclass: top
>
> objectclass: ipaIDrange
>
> objectclass: ipaTrustedADDomainRange
>
>
> dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
>
> cn: EXAMPLE_OLD_USERS
>
> ipabaseid: 500
>
> ipaidrangesize: 500
>
> iparangetype: ipa-local
>
> objectclass: ipadomainidrange
>
> objectclass: ipaIDrange
>
> ----------------------------
>
> Number of entries returned 3
>
> ----------------------------
Only one range without a RID base is allowed. See
https://pagure.io/freeipa/issue/9076
rob
10:40 a.m.
Satish Patel wrote:
Hi Rob,
You are saying I have "3 ranges matched" but technically we only need "1
range". Sorry I am little new to freeIPA terms and not sure about what
to do to fix this issue?
You have two ranges without a RID base. You need to set one for at least
EXAMPLE.COM_id_range and likely for the other as well once you upgrade
to RHEL 9.
rob
On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Satish Patel via FreeIPA-users wrote:
> Folks,
>
> I am migrating CentOS7 to RockyLinux 8.3. I have my master running on
> CentOS7 and trying to add replica of RockyLinux 8.3
>
> I am stuck here and not sure what it's actually trying to say and
how to
> fix it?
>
> [1/4]: Generating ipa-custodia config file
>
> [2/4]: Generating ipa-custodia keys
>
> [3/4]: starting ipa-custodia
>
> [4/4]: configuring ipa-custodia to start on boot
>
> Done configuring ipa-custodia.
>
> Configuring certificate server (pki-tomcatd)
>
> [1/2]: configure certmonger for renewals
>
> [2/2]: Importing RA key
>
> Done configuring certificate server (pki-tomcatd).
>
> Configuring Kerberos KDC (krb5kdc)
>
> [1/1]: installing X509 Certificate for PKINIT
>
> PKINIT certificate request failed: Certificate issuance failed
> (CA_UNREACHABLE: Server at
> https://ldap-vx-010103-2.site5.example.com/ipa/json failed
request, will
> retry: 4035 (Request failed with status 400: Non-2xx response from CA
> REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
>
> Failed to configure PKINIT
>
> Full PKINIT configuration did not succeed
>
> The setup will only install bits essential to the server functionality
>
> You can enable PKINIT after the setup completed using
'ipa-pkinit-manage'
>
> Done configuring Kerberos KDC (krb5kdc).
>
> Applying LDAP updates
>
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>
> [1/10]: stopping directory server
>
> [2/10]: saving configuration
>
> [3/10]: disabling listeners
>
> [4/10]: enabling DS global lock
>
> [5/10]: disabling Schema Compat
>
> [6/10]: starting directory server
>
> [7/10]: upgrading server
>
> Could not get dnaHostname entries in 60 seconds
>
> [8/10]: stopping directory server
>
> [9/10]: restoring configuration
>
> [10/10]: starting directory server
>
> Done.
>
> Finalize replication settings
>
> Restarting the KDC
>
> Configuring SID generation
>
> [1/7]: creating samba domain object
>
> [2/7]: adding admin(group) SIDs
>
> [3/7]: adding RID bases
>
> Found more than one local domain ID range with no RID base set.
>
> [error] RuntimeError: Too many ID ranges
>
>
> Your system may be partly configured.
>
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
>
> Too many ID ranges
>
>
> The ipa-replica-install command failed. See
> /var/log/ipareplica-install.log for more information
>
>
>
>
>
> # ipa idrange-find --all --raw
>
> ----------------
>
> 3 ranges matched
>
> ----------------
>
> dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
>
> cn: EXAMPLE.COM_id_range
>
> ipabaseid: 1000
>
> ipaidrangesize: 200000
>
> iparangetype: ipa-local
>
> objectclass: top
>
> objectclass: ipaIDrange
>
> objectclass: ipaDomainIDRange
>
>
> dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
>
> cn: EXAMPLE.COM_subid_range
>
> ipabaseid: 2147483648
>
> ipaidrangesize: 2147352576
>
> ipabaserid: 2147283648
>
> ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
>
> iparangetype: ipa-ad-trust
>
> objectclass: top
>
> objectclass: ipaIDrange
>
> objectclass: ipaTrustedADDomainRange
>
>
> dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
>
> cn: EXAMPLE_OLD_USERS
>
> ipabaseid: 500
>
> ipaidrangesize: 500
>
> iparangetype: ipa-local
>
> objectclass: ipadomainidrange
>
> objectclass: ipaIDrange
>
> ----------------------------
>
> Number of entries returned 3
>
> ----------------------------
Only one range without a RID base is allowed. See
https://pagure.io/freeipa/issue/9076
rob
11:18 a.m.
Hi Rob,
Thank you for helping me out with this. Little confused here so let me ask
you. you are saying I don't have "ipabaserid:" attribute set on two ranges
and that is what I need to set, correct? Curious why this is happening now
and not before? I am running this ldap last 5 years and had no issues. Do
you think this is a new version of freeIPA issue?
Do you have any command to set that for others to range? and what number
should I use?
On Fri, May 10, 2024 at 11:40 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
Satish Patel wrote:
> Hi Rob,
>
> You are saying I have "3 ranges matched" but technically we only need
"1
> range". Sorry I am little new to freeIPA terms and not sure about what
> to do to fix this issue?
You have two ranges without a RID base. You need to set one for at least
EXAMPLE.COM_id_range and likely for the other as well once you upgrade
to RHEL 9.
rob
>
> On Fri, May 10, 2024 at 8:42 AM Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Folks,
> >
> > I am migrating CentOS7 to RockyLinux 8.3. I have my master running
on
> > CentOS7 and trying to add replica of RockyLinux 8.3
> >
> > I am stuck here and not sure what it's actually trying to say and
> how to
> > fix it?
> >
> > [1/4]: Generating ipa-custodia config file
> >
> > [2/4]: Generating ipa-custodia keys
> >
> > [3/4]: starting ipa-custodia
> >
> > [4/4]: configuring ipa-custodia to start on boot
> >
> > Done configuring ipa-custodia.
> >
> > Configuring certificate server (pki-tomcatd)
> >
> > [1/2]: configure certmonger for renewals
> >
> > [2/2]: Importing RA key
> >
> > Done configuring certificate server (pki-tomcatd).
> >
> > Configuring Kerberos KDC (krb5kdc)
> >
> > [1/1]: installing X509 Certificate for PKINIT
> >
> > PKINIT certificate request failed: Certificate issuance failed
> > (CA_UNREACHABLE: Server at
> > https://ldap-vx-010103-2.site5.example.com/ipa/json failed
> request, will
> > retry: 4035 (Request failed with status 400: Non-2xx response from
CA
> > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
> >
> > Failed to configure PKINIT
> >
> > Full PKINIT configuration did not succeed
> >
> > The setup will only install bits essential to the server
functionality
> >
> > You can enable PKINIT after the setup completed using
> 'ipa-pkinit-manage'
> >
> > Done configuring Kerberos KDC (krb5kdc).
> >
> > Applying LDAP updates
> >
> > Upgrading IPA:. Estimated time: 1 minute 30 seconds
> >
> > [1/10]: stopping directory server
> >
> > [2/10]: saving configuration
> >
> > [3/10]: disabling listeners
> >
> > [4/10]: enabling DS global lock
> >
> > [5/10]: disabling Schema Compat
> >
> > [6/10]: starting directory server
> >
> > [7/10]: upgrading server
> >
> > Could not get dnaHostname entries in 60 seconds
> >
> > [8/10]: stopping directory server
> >
> > [9/10]: restoring configuration
> >
> > [10/10]: starting directory server
> >
> > Done.
> >
> > Finalize replication settings
> >
> > Restarting the KDC
> >
> > Configuring SID generation
> >
> > [1/7]: creating samba domain object
> >
> > [2/7]: adding admin(group) SIDs
> >
> > [3/7]: adding RID bases
> >
> > Found more than one local domain ID range with no RID base set.
> >
> > [error] RuntimeError: Too many ID ranges
> >
> >
> > Your system may be partly configured.
> >
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> >
> > Too many ID ranges
> >
> >
> > The ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for more information
> >
> >
> >
> >
> >
> > # ipa idrange-find --all --raw
> >
> > ----------------
> >
> > 3 ranges matched
> >
> > ----------------
> >
> > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
> >
> > cn: EXAMPLE.COM_id_range
> >
> > ipabaseid: 1000
> >
> > ipaidrangesize: 200000
> >
> > iparangetype: ipa-local
> >
> > objectclass: top
> >
> > objectclass: ipaIDrange
> >
> > objectclass: ipaDomainIDRange
> >
> >
> > dn: cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
> >
> > cn: EXAMPLE.COM_subid_range
> >
> > ipabaseid: 2147483648
> >
> > ipaidrangesize: 2147352576
> >
> > ipabaserid: 2147283648
> >
> > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
> >
> > iparangetype: ipa-ad-trust
> >
> > objectclass: top
> >
> > objectclass: ipaIDrange
> >
> > objectclass: ipaTrustedADDomainRange
> >
> >
> > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
> >
> > cn: EXAMPLE_OLD_USERS
> >
> > ipabaseid: 500
> >
> > ipaidrangesize: 500
> >
> > iparangetype: ipa-local
> >
> > objectclass: ipadomainidrange
> >
> > objectclass: ipaIDrange
> >
> > ----------------------------
> >
> > Number of entries returned 3
> >
> > ----------------------------
>
> Only one range without a RID base is allowed. See
> https://pagure.io/freeipa/issue/9076
>
> rob
>
>
1:29 p.m.
Satish Patel wrote:
Hi Rob,
Thank you for helping me out with this. Little confused here so let me
ask you. you are saying I don't have "ipabaserid:" attribute set on two
ranges and that is what I need to set, correct?
Yes.
Curious why this is
happening now and not before? I am running this ldap last 5 years and
had no issues. Do you think this is a new version of freeIPA issue?
Yes. All users require a SID now in order to mitigate a security issue.
Do you have any command to set that for others to range? and what
number
should I use?
It's all in the referenced e-mail threads. There are more, in fact, in
the freeipa-users archives if you want.
rob
On Fri, May 10, 2024 at 11:40 AM Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> wrote:
Satish Patel wrote:
> Hi Rob,
>
> You are saying I have "3 ranges matched" but technically we only
need "1
> range". Sorry I am little new to freeIPA terms and not sure about what
> to do to fix this issue?
You have two ranges without a RID base. You need to set one for at least
EXAMPLE.COM_id_range and likely for the other as well once you upgrade
to RHEL 9.
rob
>
> On Fri, May 10, 2024 at 8:42 AM Rob Crittenden
<rcritten(a)redhat.com <mailto:rcritten@redhat.com>
> <mailto:rcritten@redhat.com <mailto:rcritten@redhat.com>>>
wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Folks,
> >
> > I am migrating CentOS7 to RockyLinux 8.3. I have my master
running on
> > CentOS7 and trying to add replica of RockyLinux 8.3
> >
> > I am stuck here and not sure what it's actually trying to
say and
> how to
> > fix it?
> >
> > [1/4]: Generating ipa-custodia config file
> >
> > [2/4]: Generating ipa-custodia keys
> >
> > [3/4]: starting ipa-custodia
> >
> > [4/4]: configuring ipa-custodia to start on boot
> >
> > Done configuring ipa-custodia.
> >
> > Configuring certificate server (pki-tomcatd)
> >
> > [1/2]: configure certmonger for renewals
> >
> > [2/2]: Importing RA key
> >
> > Done configuring certificate server (pki-tomcatd).
> >
> > Configuring Kerberos KDC (krb5kdc)
> >
> > [1/1]: installing X509 Certificate for PKINIT
> >
> > PKINIT certificate request failed: Certificate issuance failed
> > (CA_UNREACHABLE: Server at
> > https://ldap-vx-010103-2.site5.example.com/ipa/json failed
> request, will
> > retry: 4035 (Request failed with status 400: Non-2xx
response from CA
> > REST API: 400. Profile KDCs_PKINIT_Certs Not Found).)
> >
> > Failed to configure PKINIT
> >
> > Full PKINIT configuration did not succeed
> >
> > The setup will only install bits essential to the server
functionality
> >
> > You can enable PKINIT after the setup completed using
> 'ipa-pkinit-manage'
> >
> > Done configuring Kerberos KDC (krb5kdc).
> >
> > Applying LDAP updates
> >
> > Upgrading IPA:. Estimated time: 1 minute 30 seconds
> >
> > [1/10]: stopping directory server
> >
> > [2/10]: saving configuration
> >
> > [3/10]: disabling listeners
> >
> > [4/10]: enabling DS global lock
> >
> > [5/10]: disabling Schema Compat
> >
> > [6/10]: starting directory server
> >
> > [7/10]: upgrading server
> >
> > Could not get dnaHostname entries in 60 seconds
> >
> > [8/10]: stopping directory server
> >
> > [9/10]: restoring configuration
> >
> > [10/10]: starting directory server
> >
> > Done.
> >
> > Finalize replication settings
> >
> > Restarting the KDC
> >
> > Configuring SID generation
> >
> > [1/7]: creating samba domain object
> >
> > [2/7]: adding admin(group) SIDs
> >
> > [3/7]: adding RID bases
> >
> > Found more than one local domain ID range with no RID base set.
> >
> > [error] RuntimeError: Too many ID ranges
> >
> >
> > Your system may be partly configured.
> >
> > Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> >
> > Too many ID ranges
> >
> >
> > The ipa-replica-install command failed. See
> > /var/log/ipareplica-install.log for more information
> >
> >
> >
> >
> >
> > # ipa idrange-find --all --raw
> >
> > ----------------
> >
> > 3 ranges matched
> >
> > ----------------
> >
> > dn: cn=EXAMPLE.COM_id_range,cn=ranges,cn=etc,dc=example,dc=com
> >
> > cn: EXAMPLE.COM_id_range
> >
> > ipabaseid: 1000
> >
> > ipaidrangesize: 200000
> >
> > iparangetype: ipa-local
> >
> > objectclass: top
> >
> > objectclass: ipaIDrange
> >
> > objectclass: ipaDomainIDRange
> >
> >
> > dn:
cn=EXAMPLE.COM_subid_range,cn=ranges,cn=etc,dc=example,dc=com
> >
> > cn: EXAMPLE.COM_subid_range
> >
> > ipabaseid: 2147483648
> >
> > ipaidrangesize: 2147352576
> >
> > ipabaserid: 2147283648
> >
> > ipanttrusteddomainsid: S-1-5-21-738065-838566-3614142254
> >
> > iparangetype: ipa-ad-trust
> >
> > objectclass: top
> >
> > objectclass: ipaIDrange
> >
> > objectclass: ipaTrustedADDomainRange
> >
> >
> > dn: cn=EXAMPLE_OLD_USERS,cn=ranges,cn=etc,dc=example,dc=com
> >
> > cn: EXAMPLE_OLD_USERS
> >
> > ipabaseid: 500
> >
> > ipaidrangesize: 500
> >
> > iparangetype: ipa-local
> >
> > objectclass: ipadomainidrange
> >
> > objectclass: ipaIDrange
> >
> > ----------------------------
> >
> > Number of entries returned 3
> >
> > ----------------------------
>
> Only one range without a RID base is allowed. See
> https://pagure.io/freeipa/issue/9076
>
> rob
>
>
43
days inactive
47
days old
freeipa-users@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Rob Crittenden -
Satish Patel