On 4/30/19 2:00 PM, Alexander Bokovoy wrote:
> On Tue, 30 Apr 2019, Orion Poplawski via FreeIPA-users wrote:
> > We're seeing some strange gid assignment behavior. When I run ipa group-add
> > on one ipa client I get gids in the expected range for my domain (8000-10000).
> > But when it is run on one of our IPA servers we get numbers like 108500 or
> > 58500.
> >
> > ipa idrange-find reports what I would expect everywhere:
> >
> > # ipa idrange-find
> > ----------------
> > 3 ranges matched
> > ----------------
> > Range name: AD.NWRA.COM_id_range
> > First Posix ID of the range: 20000
> > Number of IDs in the range: 20000
> > First RID of the corresponding RID range: 0
> > Domain SID of the trusted domain: S-1-5-21-XXXX
> > Range type: Active Directory domain range
> >
> > Range name: legacy
> > First Posix ID of the range: 1000
> > Number of IDs in the range: 100
> > First RID of the corresponding RID range: 10000
> > First RID of the secondary RID range: 100010000
> > Range type: local domain range
> >
> > Range name: NWRA.COM_id_range
> > First Posix ID of the range: 8000
> > Number of IDs in the range: 2000
> > First RID of the corresponding RID range: 1000
> > First RID of the secondary RID range: 100000000
> > Range type: local domain range
> > ----------------------------
> > Number of entries returned 3
> > ----------------------------
> >
> > ipa-client-4.6.4-10.el7.centos.3.x86_64
> >
> >
> > No idea what else to look at.
> What about
> ipa-replica-manage dnarange-show
> ipa-replica-manage dnanextrange-show
> ?
> 'ipa idrange-*' commands are mostly for trusted AD domains' ranges and
> local ranges there are simply to allow SSSD to protect the space for IPA
> users/groups. When the DNA plugin in IPA LDAP generates new IDs, it uses the
> data you can see with 'ipa-replica-manage dna*' commands.
Ah, thanks. Yeah, that is different:
#1.nwra.com: 8043-58499
#2.nwra.com: 58501-108499
#3.nwra.com: 108502-207999
#4.nwra.com: No range set
#5.nwra.com: No range set
So I guess I need to read up on that. Interesting that it is different
everywhere. I'm assuming that it should match the NWRA.COM_id_range above.
We seem to be seeing issues with group membership for AD trust users in HBAC
groups via external group membership not propagating out to clients, and I
guessed that the issue might have been the gid range of the group. I still
think it is an issue.
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
https://www.nwra.com/
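As an added example (not from the thread and not FreeIPA's own code), the following Python script checks the two outputs against each other: it parses the 'ipa idrange-find' and 'ipa-replica-manage dnarange-show' text quoted above (embedded here as constructed samples copied from the thread) and flags every replica whose DNA range does not sit inside a single local domain ID range. The rule it applies, that each server's DNA range should lie within a local idrange, is an assumption drawn from Alexander's remark that the local ranges exist so SSSD can protect that space; the function names are mine.

```python
import re

# Constructed sample input: the 'ipa idrange-find' output quoted in the thread above.
IDRANGE_FIND_OUTPUT = """\
----------------
3 ranges matched
----------------
Range name: AD.NWRA.COM_id_range
First Posix ID of the range: 20000
Number of IDs in the range: 20000
First RID of the corresponding RID range: 0
Domain SID of the trusted domain: S-1-5-21-XXXX
Range type: Active Directory domain range

Range name: legacy
First Posix ID of the range: 1000
Number of IDs in the range: 100
First RID of the corresponding RID range: 10000
First RID of the secondary RID range: 100010000
Range type: local domain range

Range name: NWRA.COM_id_range
First Posix ID of the range: 8000
Number of IDs in the range: 2000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
----------------------------
Number of entries returned 3
----------------------------
"""

# Constructed sample input: the 'ipa-replica-manage dnarange-show' output from the thread.
DNARANGE_SHOW_OUTPUT = """\
#1.nwra.com: 8043-58499
#2.nwra.com: 58501-108499
#3.nwra.com: 108502-207999
#4.nwra.com: No range set
#5.nwra.com: No range set
"""


def parse_idranges(text):
    """Parse 'ipa idrange-find' output into dicts with name, first, last and type.

    Entries are separated by blank lines; header/footer lines without a
    'Range name' field are ignored.
    """
    ranges = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Range name" not in fields:
            continue
        first = int(fields["First Posix ID of the range"])
        size = int(fields["Number of IDs in the range"])
        ranges.append({"name": fields["Range name"], "first": first,
                       "last": first + size - 1, "type": fields["Range type"]})
    return ranges


def parse_dna_ranges(text):
    """Parse 'ipa-replica-manage dnarange-show' output into {server: (lo, hi) or None}."""
    result = {}
    for line in text.strip().splitlines():
        server, _, rng = line.partition(":")
        m = re.match(r"^\s*(\d+)-(\d+)\s*$", rng)
        result[server.strip()] = (int(m.group(1)), int(m.group(2))) if m else None
    return result


def check_dna_ranges(idranges, dna_ranges):
    """Return (server, lo, hi) for every replica whose DNA range is not fully
    contained in one 'local domain range' entry (assumed rule, see lead-in)."""
    local = [r for r in idranges if r["type"] == "local domain range"]
    problems = []
    for server, rng in sorted(dna_ranges.items()):
        if rng is None:  # replica has no DNA range assigned; nothing to check
            continue
        lo, hi = rng
        if not any(r["first"] <= lo and hi <= r["last"] for r in local):
            problems.append((server, lo, hi))
    return problems


def range_for_id(dna_ranges, posix_id):
    """Name the replica whose DNA range contains posix_id, or None if no listed
    range does (58500 and 108500 from the thread fall in the gaps between ranges)."""
    for server, rng in dna_ranges.items():
        if rng is not None and rng[0] <= posix_id <= rng[1]:
            return server
    return None


if __name__ == "__main__":
    idranges = parse_idranges(IDRANGE_FIND_OUTPUT)
    dna = parse_dna_ranges(DNARANGE_SHOW_OUTPUT)
    for server, lo, hi in check_dna_ranges(idranges, dna):
        print(f"{server}: DNA range {lo}-{hi} is outside every local domain idrange")
    for gid in (58500, 108500):
        print(f"gid {gid} allocated by: {range_for_id(dna, gid)}")
```

Against the thread's data all three populated replicas are flagged, because their DNA ranges run past 9999, the last ID of NWRA.COM_id_range. On a live server the two embedded strings would simply be replaced with the captured command output.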