On Wed, Nov 17, 2021 at 03:06:16PM -0500, Rob Crittenden via FreeIPA-users wrote:
Andrei Neagoe via FreeIPA-users wrote:
> Hey Rob,
>
> Yes, it was an attempt to see if I can "fix" the issue. The problem was
> there even before I added the new range. We have only a handful of users, most of them
> managed independently UID/GID wise.
> A bit more information below, if it helps:
>
> [root@equator ~]# ipa idrange-find
> ----------------
> 2 ranges matched
> ----------------
> Range name: REDACTED-DOMAIN.COM_id_range
> First Posix ID of the range: 1138400000
> Number of IDs in the range: 200000
> Range type: local domain range
>
> Range name: REDACTED-DOMAIN.COM_new_range
> First Posix ID of the range: 1138700000
> Number of IDs in the range: 20000
> Range type: local domain range
Hi,
the idranges are needed to allow IPA to generate SIDs for IPA users and
groups which are required for working with Active Directory. For this 2
additional values are needed. E.g. a typical output for a 'local domain
range' should look like:
    Range name: IPA.VM_id_range
    First Posix ID of the range: 167800000
    Number of IDs in the range: 200000
    First RID of the corresponding RID range: 1000
    First RID of the secondary RID range: 100000000
    Range type: local domain range
You can try to set those values with 'ipa idrange-mod' and the options
'--rid-base' and '--secondary-rid-base'. Please note that after changing
the idranges you have to restart SSSD with removing the cache because
SSSD will not update the cached idrange data automatically to avoid
unexpected changes of UIDs and GIDs of active users. If you have sssctl
installed you can call

    sssctl cache-remove -ops

otherwise

    systemctl stop sssd ; rm -rf /var/lib/sss/db/* ; systemctl start sssd
bye,
Sumit
> ----------------------------
> Number of entries returned 2
> ----------------------------
> [root@equator ~]# ipa-replica-manage dnarange-show
> exact.redacted-domain.com: 1138400006-1138400010
> alien.redacted-domain.com: 1138500000-1138599999
> mentor.redacted-domain.com: No range set
> equator.redacted-domain.com: 1138400011-1138499999
> bingo.redacted-domain.com: No range set
>
> I've no idea what's wrong actually... I split the initial range across a few
> members since I will be removing server "exact" next (via dnarange-set).
This is not related to DNA ranges.
I'm still not sure what the purpose of REDACTED-DOMAIN.COM_new_range is.
Let's wait for one of the SSSD devs to chime in.
rob
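
A check for the condition described in the reply above, as an added example that is not part of the original thread: it reads `ipa idrange-find` output and lists every 'local domain range' that lacks a RID base or secondary RID base. The function names and the embedded sample (built from the outputs quoted in the thread) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report 'local domain range' entries
# that lack a RID base or secondary RID base, which SID generation needs.

# Reads `ipa idrange-find` output on stdin, prints one range name per line.
ranges_missing_rid_base() {
    awk '
        function emit() {
            if (name != "" && type == "local domain range" && !(rid && srid))
                print name
            name = ""; type = ""; rid = 0; srid = 0
        }
        # Drop mail-quote prefixes, indentation and trailing whitespace.
        { sub(/^[> \t]*/, ""); sub(/[ \t\r]+$/, "") }
        /^Range name:/ { emit(); name = $3 }
        /^First RID of the corresponding RID range:/ { rid = 1 }
        /^First RID of the secondary RID range:/ { srid = 1 }
        /^Range type:/ { sub(/^Range type:[ \t]*/, ""); type = $0 }
        END { emit() }
    '
}

# Constructed sample: the reference range from the reply followed by the
# two ranges posted in the thread, which carry no RID values.
sample_idrange_output() {
    cat <<'EOF'
  Range name: IPA.VM_id_range
  First Posix ID of the range: 167800000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: REDACTED-DOMAIN.COM_id_range
  First Posix ID of the range: 1138400000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: REDACTED-DOMAIN.COM_new_range
  First Posix ID of the range: 1138700000
  Number of IDs in the range: 20000
  Range type: local domain range
EOF
}

sample_idrange_output | ranges_missing_rid_base
```

On an IPA server with a valid Kerberos ticket, the same function can be fed live data with `ipa idrange-find | ranges_missing_rid_base`.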