Orion Poplawski via FreeIPA-users wrote:
> On 4/30/19 2:00 PM, Alexander Bokovoy wrote:
>> On ti, 30 huhti 2019, Orion Poplawski via FreeIPA-users wrote:
>>> We're seeing some strange gid assignment behavior. When I run ipa group-add
>>> on one ipa client I get gids in the expected range for my domain (8000-10000).
>>> But when it is run on one of our IPA servers we get numbers like 108500 or
>>> 58500.
>>>
>>> ipa idrange-find reports what I would expect everywhere:
>>>
>>> # ipa idrange-find
>>> ----------------
>>> 3 ranges matched
>>> ----------------
>>> Range name: AD.NWRA.COM_id_range
>>> First Posix ID of the range: 20000
>>> Number of IDs in the range: 20000
>>> First RID of the corresponding RID range: 0
>>> Domain SID of the trusted domain: S-1-5-21-XXXX
>>> Range type: Active Directory domain range
>>>
>>> Range name: legacy
>>> First Posix ID of the range: 1000
>>> Number of IDs in the range: 100
>>> First RID of the corresponding RID range: 10000
>>> First RID of the secondary RID range: 100010000
>>> Range type: local domain range
>>>
>>> Range name: NWRA.COM_id_range
>>> First Posix ID of the range: 8000
>>> Number of IDs in the range: 2000
>>> First RID of the corresponding RID range: 1000
>>> First RID of the secondary RID range: 100000000
>>> Range type: local domain range
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>>
>>> ipa-client-4.6.4-10.el7.centos.3.x86_64
>>>
>>>
>>> No idea what else to look at.
>> What about
>> ipa-replica-manage dnarange-show
>> ipa-replica-manage dnanextrange-show
>>
>> ?
>>
>> 'ipa idrange-*' commands are mostly for trusted AD domains' ranges and
>> local ranges there are simply to allow SSSD to protect the space for IPA
>> users/groups. When DNA plugin in IPA LDAP generates new IDs, it uses the
>> data you can see with 'ipa-replica-manage dna*' commands.
> Ah, thanks. Yeah, that is different:
> #1.nwra.com: 8043-58499
> #2.nwra.com: 58501-108499
> #3.nwra.com: 108502-207999
> #4.nwra.com: No range set
> #5.nwra.com: No range set
> So I guess I need to read up on that. Interesting that it is different
> everywhere. I'm assuming that it should match the NWRA.COM_id_range above.
> We seem to be seeing issues with group membership for AD trust users in HBAC
> groups via external group membership not propagating out to clients, and I
> guessed that the issue might have been the gid range of the group. I still
> think it is an issue.
The IPA domain range by default is 200k IIRC and is (should be)
immutable post-install. Did you really set only 2k entries when you
initially installed IPA?
Note that 207999 - 8000 = 199999 (not inclusive), so this actually looks ok.
It also isn't a major problem that masters 4 and 5 don't have a range,
it just means that users and groups haven't been added there for them to
require a range. It would only make a difference if masters 1-3 died
sudden deaths.
rob
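The thread turns on the difference between what 'ipa idrange-find' reports (the ranges SSSD protects) and what the DNA plugin actually hands out per master ('ipa-replica-manage dnarange-show'). The following script is an added example, not code from the thread or from the FreeIPA project: it parses both outputs as pasted above and cross-checks them, reporting which configured idrange (if any) covers a given gid, which master's remaining DNA block contains it, which masters' DNA blocks fall outside every local idrange, and the overall span of the DNA blocks. The sample outputs are constructed from the numbers quoted in the thread (with the thread's masked '#N.nwra.com' hostnames); the assumed format of dnarange-show output is the 'host: first-last' / 'host: No range set' form shown there, and the 200000-ID default range size is the figure Rob quotes from memory.

```python
"""Cross-check FreeIPA DNA ranges against 'ipa idrange-find' output.

Added example, not from the thread or the FreeIPA project. Sample
outputs below are constructed from the numbers quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the 'ipa idrange-find' output quoted in the thread.
IDRANGE_FIND_OUTPUT = """\
Range name: AD.NWRA.COM_id_range
First Posix ID of the range: 20000
Number of IDs in the range: 20000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-XXXX
Range type: Active Directory domain range

Range name: legacy
First Posix ID of the range: 1000
Number of IDs in the range: 100
First RID of the corresponding RID range: 10000
First RID of the secondary RID range: 100010000
Range type: local domain range

Range name: NWRA.COM_id_range
First Posix ID of the range: 8000
Number of IDs in the range: 2000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
"""

# Constructed sample: the 'ipa-replica-manage dnarange-show' output quoted in
# the thread (assumed format 'host: first-last' or 'host: No range set').
DNARANGE_SHOW_OUTPUT = """\
#1.nwra.com: 8043-58499
#2.nwra.com: 58501-108499
#3.nwra.com: 108502-207999
#4.nwra.com: No range set
#5.nwra.com: No range set
"""

# Default local range size as Rob recalls it in the thread ("200k IIRC").
DEFAULT_LOCAL_RANGE_SIZE = 200000


@dataclass(frozen=True)
class IdRange:
    name: str
    first: int
    size: int
    range_type: str

    @property
    def last(self) -> int:
        # A range of `size` IDs starting at `first` ends at first + size - 1.
        return self.first + self.size - 1

    def contains(self, posix_id: int) -> bool:
        return self.first <= posix_id <= self.last


@dataclass(frozen=True)
class DnaRange:
    master: str
    first: Optional[int]  # None when the master has no range set
    last: Optional[int]


def parse_idrange_find(text: str) -> list[IdRange]:
    """Parse 'ipa idrange-find' output; separator and count lines are skipped."""
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        ranges.append(IdRange(
            name=fields["Range name"],
            first=int(fields["First Posix ID of the range"]),
            size=int(fields["Number of IDs in the range"]),
            range_type=fields["Range type"],
        ))
    return ranges


def parse_dnarange_show(text: str) -> list[DnaRange]:
    """Parse 'ipa-replica-manage dnarange-show' output, one master per line."""
    ranges = []
    for line in text.strip().splitlines():
        master, _, value = line.partition(": ")
        m = re.fullmatch(r"(\d+)-(\d+)", value.strip())
        if m:
            ranges.append(DnaRange(master, int(m.group(1)), int(m.group(2))))
        else:
            ranges.append(DnaRange(master, None, None))
    return ranges


def idrange_covering(idranges: list[IdRange], posix_id: int) -> Optional[str]:
    """Name of the configured idrange that covers posix_id, or None."""
    for r in idranges:
        if r.contains(posix_id):
            return r.name
    return None


def dna_master_for(dnaranges: list[DnaRange], posix_id: int) -> Optional[str]:
    """Master whose remaining (not yet handed out) DNA block includes posix_id."""
    for d in dnaranges:
        if d.first is not None and d.first <= posix_id <= d.last:
            return d.master
    return None


def dna_ranges_outside_local(idranges: list[IdRange], dnaranges: list[DnaRange]) -> list[str]:
    """Masters whose DNA block is not fully inside any 'local domain range'."""
    local = [r for r in idranges if r.range_type == "local domain range"]
    return [
        d.master for d in dnaranges
        if d.first is not None
        and not any(r.contains(d.first) and r.contains(d.last) for r in local)
    ]


def dna_overall_span(dnaranges: list[DnaRange]) -> tuple[int, int, int]:
    """(lowest first, highest last, number of IDs) over masters with a range set."""
    firsts = [d.first for d in dnaranges if d.first is not None]
    lasts = [d.last for d in dnaranges if d.last is not None]
    lo, hi = min(firsts), max(lasts)
    return lo, hi, hi - lo + 1


if __name__ == "__main__":
    idr = parse_idrange_find(IDRANGE_FIND_OUTPUT)
    dna = parse_dnarange_show(DNARANGE_SHOW_OUTPUT)
    for gid in (8001, 58500, 108500):
        print(gid, "idrange:", idrange_covering(idr, gid), "DNA master:", dna_master_for(dna, gid))
    print("DNA blocks outside local idranges:", dna_ranges_outside_local(idr, dna))
    print("DNA span:", dna_overall_span(dna))
    print("200k range from 8000 ends at:", IdRange("default", 8000, DEFAULT_LOCAL_RANGE_SIZE, "local domain range").last)
```

Run against the thread's numbers, the gids 58500 and 108500 sit in none of the configured idranges and in none of the masters' remaining DNA blocks: each is one below the next value a master will hand out, which is what you would expect for an ID that master has just allocated. All three populated DNA blocks lie outside the 2000-ID NWRA.COM_id_range, while a 200000-ID range starting at 8000 ends at 207999, exactly where master #3's block ends, which is Rob's arithmetic.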