We are running IPA server 4.9.11. We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error:

ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
Any suggestions to troubleshoot and remove this range?
On Fri, 06 Oct 2023, Jeremy Tourville via FreeIPA-users wrote:
We are running IPA server 4.9.11. We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error:

ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
Any suggestions to troubleshoot and remove this range?
This means you still have references to UID/GIDs from this range in, for example, ID overrides.
You can try a script from https://gist.github.com/abbra/33f5ac59c5cae750ecdb3974978d9cec to see what objects reference these IDs and then might decide to remove or modify them.
Hi.
I'm getting this error also, but the suggested script in the GH gist is not working any more:
r = replication.ReplicationManager(api.env.realm, api.env.host, starttls=True, port=389)
NameError: name 'api' is not defined
FWIW, I tried to create a range for a single system-POSIX-UID that I need to be able to get a ticket for:
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range
But I'm getting complaints that it has an RID overlap or somesuch. So I just want to remove it and re-add it with an RID range. But when I try to remove it I get an error:
# ipa idrange-del asterisk_system_user
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
Cheers, b.
Hi
On Thu, Oct 9, 2025 at 12:52 AM Brian J. Murrell via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi.
I'm getting this error also, but the suggested script in the GH gist is not working any more:
r = replication.ReplicationManager(api.env.realm, api.env.host, starttls=True, port=389)
NameError: name 'api' is not defined
FWIW, I tried to create a range for a single system-POSIX-UID that I need to be able to get a ticket for:
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range
But I'm getting complaints that it has an RID overlap or somesuch. So I just want to remove it and re-add it with an RID range. But when I try to remove it I get an error:
# ipa idrange-del asterisk_system_user
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
What is the output of ipa idrange-find?
Based on the values already used we may be able to modify your new range with proper primary and secondary rid base.
flo
Cheers, b. -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Thu, 2025-10-09 at 10:56 +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi
Hello!
What is the output of ipa idrange-find?
----------------
4 ranges matched
----------------
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range

Range name: EXAMPLE.COM_id_range
First Posix ID of the range: 396000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range

Range name: EXAMPLE.COM_id_range_001
First Posix ID of the range: 1000
Number of IDs in the range: 39000
First RID of the corresponding RID range: 301000
First RID of the secondary RID range: 100300000
Range type: local domain range

Range name: EXAMPLE.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-2194680828
Range type: Active Directory domain range
----------------------------
Number of entries returned 4
----------------------------
Based on the values already used we may be able to modify your new range with proper primary and secondary rid base.
That would work also. :-)
Cheers, b.
On Thu, 2025-10-09 at 11:27 -0400, Brian J. Murrell via FreeIPA-users wrote:
On Thu, 2025-10-09 at 10:56 +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi
Hello!
What is the output of ipa idrange-find?
----------------
4 ranges matched
----------------
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range

Range name: EXAMPLE.COM_id_range
First Posix ID of the range: 396000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range

Range name: EXAMPLE.COM_id_range_001
First Posix ID of the range: 1000
Number of IDs in the range: 39000
First RID of the corresponding RID range: 301000
First RID of the secondary RID range: 100300000
Range type: local domain range

Range name: EXAMPLE.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-2194680828
Range type: Active Directory domain range
----------------------------
Number of entries returned 4
----------------------------
Based on the values already used we may be able to modify your new range with proper primary and secondary rid base.
That would work also. :-)
Any additional help available to either delete this range so that I can re-add it with RIDs or modify it to have some valid RIDs? I think this is the last impediment to me being able to deal with https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... and get my IPA installation functional again.
Cheers, b.
Hi,
I really have no idea if the wheel group will cause any issue as it is defined in IPA and probably also locally. Usually wheel is used to define the set of users allowed to perform su but in IPA the proper way is to create sudo rules and add members.
If you feel ok to keep the wheel group in IPA (but once again, hum...), the idrange needs to have primary and secondary rid bases. Currently you have the following:

Size     POSIX ids start  POSIX ids end  RIDs start  RIDs end  2nd RIDs start  2nd RIDs end
200,000  396,000,000      396,200,000    1,000       201,000   100,000,000     100,200,000
39,000   1,000            40,000         301,000     340,000   100,300,000     100,339,000
1        112              113            -           -         -               -
The following RIDs are already taken: [1,000-201,000] [301,000-340,000], [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value outside of those ranges and it won't complain about overlaps.
On the other hand, if you decide to remove the idrange, you need to do it manually with ldapdelete:

ldapdelete -x -D "cn=Directory manager" -W "cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=com"
and then restart ipa.
Sorry I'm not able to provide a definite answer, but it's hard to know if removing your wheel group from IPA would break anything. Maybe you have applications that rely on it, maybe it was added un-intentionally. Without clear understanding I can't really advise.
flo
On Sun, Oct 12, 2025 at 6:38 PM Brian J. Murrell via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Thu, 2025-10-09 at 11:27 -0400, Brian J. Murrell via FreeIPA-users wrote:
On Thu, 2025-10-09 at 10:56 +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi
Hello!
What is the output of ipa idrange-find?
----------------
4 ranges matched
----------------
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range

Range name: EXAMPLE.COM_id_range
First Posix ID of the range: 396000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range

Range name: EXAMPLE.COM_id_range_001
First Posix ID of the range: 1000
Number of IDs in the range: 39000
First RID of the corresponding RID range: 301000
First RID of the secondary RID range: 100300000
Range type: local domain range

Range name: EXAMPLE.COM_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-2194680828
Range type: Active Directory domain range
----------------------------
Number of entries returned 4
----------------------------
Based on the values already used we may be able to modify your new range with proper primary and secondary rid base.
That would work also. :-)
Any additional help available to either delete this range so that I can re-add it with RIDs or modify it to have some valid RIDs? I think this is the last impediment to me being able to deal with
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost... and get my IPA installation functional again.
Cheers, b.
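The overlap check Florence does by hand above, as an added example that is not code from the thread or from FreeIPA itself: parse `ipa idrange-find` output, list the RID intervals already in use, report what a proposed pair of RID bases would collide with, or pick a free pair for a range of a given size. It assumes each range occupies RIDs base..base+size-1 in both its primary and secondary RID block (so the "RIDs end" value in the table above is the first RID that is free again), and the sample input is the thread's three local ranges trimmed to the fields the parser reads.

```python
import re
# Constructed sample: the three local ranges from the `ipa idrange-find` output
# quoted in this thread, trimmed to the fields this check reads.
SAMPLE = """\
Range name: asterisk_system_user
Number of IDs in the range: 1

Range name: EXAMPLE.COM_id_range
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000

Range name: EXAMPLE.COM_id_range_001
Number of IDs in the range: 39000
First RID of the corresponding RID range: 301000
First RID of the secondary RID range: 100300000
"""
FIELDS = {"Range name": "name", "Number of IDs in the range": "size",
          "First RID of the corresponding RID range": "rid",
          "First RID of the secondary RID range": "secrid"}

def parse_idrange_find(text):
    """One dict per range; the CLI separates ranges with a blank line."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        out.append({FIELDS[k.strip()]: int(v) if v.strip().isdigit() else v.strip()
                    for k, _, v in pairs if k.strip() in FIELDS})
    return out

def taken_rids(ranges):  # half-open [base, base+size) for every RID base in use
    return [(r[k], r[k] + r["size"]) for r in ranges for k in ("rid", "secrid") if k in r]

def overlaps(a, b):  # half-open intervals
    return a[0] < b[1] and b[0] < a[1]

def rid_conflicts(ranges, baserid, secbaserid, size):
    """Existing RID intervals a new range with these bases would collide with."""
    mine = [(baserid, baserid + size), (secbaserid, secbaserid + size)]
    return [t for t in taken_rids(ranges) for m in mine if overlaps(m, t)]

def first_free_base(taken, size, start):
    """Lowest base >= start whose [base, base+size) touches nothing in `taken`."""
    base = start
    while hit := [t for t in taken if overlaps((base, base + size), t)]:
        base = max(t[1] for t in hit)  # jump past whatever blocked us
    return base

def suggest_rid_bases(ranges, size, start=1000):
    """Primary and secondary RID bases clear of existing ranges and of each other."""
    taken = taken_rids(ranges)
    primary = first_free_base(taken, size, start)
    return primary, first_free_base(taken + [(primary, primary + size)], size, primary + size)
```

Feed it the real output of `ipa idrange-find` (all ranges, not only the local ones) before choosing values for ipabaserid and ipasecondarybaserid.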
On Mon, 2025-10-13 at 10:54 +0200, Florence Blanc-Renaud wrote:
Hi,
Hi.
I really have no idea if the wheel group will cause any issue as it is defined in IPA and probably also locally.
Indeed. Apologies for the confusion. I have already dealt with the wheel group. I removed the one defined in IPA with the really low GID. So I think that issue is resolved.
What I have left is a low UID (112) system account that I do need to be in IPA as it needs to have a Kerberos credential. I figured the simplest thing to do was to give 112 its own ID range since it's the only low UID I have a need for. Thus I (incorrectly it seems) created:
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range
But as you can see it has no RID ranges and I was getting an error about RID overlap or somesuch. So I tried to add them but was told I could not modify that range name. So I tried to delete it to recreate it but was told I could not delete it:
# ipa idrange-del asterisk_system_user
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
You subsequently suggested that the existing range might be fixable, which is also a reasonable solution. So that's where we are now. The total of all ranges is currently:
the idrange needs to have primary and secondary rid bases.
Right. I think I tried to add those but was given an error about not being able to modify that range.
The following RIDs are already taken: [1,000-201,000] [301,000-340,000], [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value outside of those ranges and it won't complain about overlaps.
Right. So what is the command that will allow me to add new RIDs to that range?
Sorry I'm not able to provide a definite answer, but it's hard to know if removing your wheel group from IPA would break anything. Maybe you have applications that rely on it, maybe it was added un-intentionally. Without clear understanding I can't really advise.
So yeah. It's not really about the wheel group at this point. It's just about being able to add the RIDs to that range that does not have them. Not sure how to go about doing that.
Cheers, b.
On 13/10/2025 15:49, Brian J. Murrell via FreeIPA-users wrote:
What I have left is a low UID (112) system account that I do need to be in IPA as it needs to have a Kerberos credential. I figured the simplest thing to do was to give 112 its own ID range since it's the only low UID I have a need for.
FYI, you might be able to avoid needing to create an 'asterisk' user in your directory entirely.
You can map arbitrary Kerberos principal names to local usernames in krb5.conf:
[realms]
EXAMPLE.COM = {
    auth_to_local_names = {
        ipa-asterisk = asterisk
        asterisk/myhost.example.com = asterisk
    }
}
Now the principals for the IPA user 'ipa-asterisk' will be mapped to the local username 'asterisk'. Same for the IPA service 'asterisk/myhost.example.com'.
(One caveat, if you trust other realms then this will map principals in those realms as well. The fix is to use auth_to_local instead, which can accomplish the same job but with more verbose/annoying syntax.)
This was covered in this thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
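The realm-restricted variant of the same mapping, as an added example that is not from the thread: MIT krb5 auth_to_local rules that format each principal with its realm and only match when the realm is EXAMPLE.COM, so principals from trusted realms are not mapped. The principal and host names are the ones used in the message above; the rule syntax is MIT Kerberos's `RULE:[n:string](regexp)s/pattern/replacement/`.

```ini
[realms]
    EXAMPLE.COM = {
        # 1-component principals: format as "<primary>@<realm>", match only
        # ipa-asterisk in this realm, then rewrite the whole string to "asterisk".
        auth_to_local = RULE:[1:$1@$0](^ipa-asterisk@EXAMPLE[.]COM$)s/^.*$/asterisk/
        # 2-component principals: "<service>/<host>@<realm>", same idea.
        auth_to_local = RULE:[2:$1/$2@$0](^asterisk/myhost[.]example[.]com@EXAMPLE[.]COM$)s/^.*$/asterisk/
        # Everything else keeps the stock behaviour (user@EXAMPLE.COM -> user).
        auth_to_local = DEFAULT
    }
```

Rules are tried in order, and a rule whose regexp does not match is skipped, so the trailing DEFAULT is what keeps ordinary user principals working.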
Hi,
you can use ldapmodify to update the range:
ldapmodify -x -D "cn=directory manager" -W <<EOF
dn: cn=asterisk_system_user,cn=ranges,cn=etc,dc=example,dc=test
changetype: modify
add: ipabaserid
ipabaserid: xxx
-
add: ipasecondarybaserid
ipasecondarybaserid: yyy
EOF
Don't forget to replace dc=example,dc=test with your suffix and pick proper values for ipabaserid and ipasecondarybaserid. The directory server must be restarted after this ldapmodify operation.
flo
On Mon, Oct 13, 2025 at 4:49 PM Brian J. Murrell via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Mon, 2025-10-13 at 10:54 +0200, Florence Blanc-Renaud wrote:
Hi,
Hi.
I really have no idea if the wheel group will cause any issue as it is defined in IPA and probably also locally.
Indeed. Apologies for the confusion. I have already dealt with the wheel group. I removed the one defined in IPA with the really low GID. So I think that issue is resolved.
What I have left is a low UID (112) system account that I do need to be in IPA as it needs to have a Kerberos credential. I figured the simplest thing to do was to give 112 its own ID range since it's the only low UID I have a need for. Thus I (incorrectly it seems) created:
Range name: asterisk_system_user
First Posix ID of the range: 112
Number of IDs in the range: 1
Range type: local domain range
But as you can see it has no RID ranges and I was getting an error about RID overlap or somesuch. So I tried to add them but was told I could not modify that range name. So I tried to delete it to recreate it but was told I could not delete it:
# ipa idrange-del asterisk_system_user
ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed
You subsequently suggested that the existing range might be fixable, which is also a reasonable solution. So that's where we are now. The total of all ranges is currently:
the idrange needs to have primary and secondary rid bases.
Right. I think I tried to add those but was given an error about not being able to modify that range.
The following RIDs are already taken: [1,000-201,000] [301,000-340,000], [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value outside of those ranges and it won't complain about overlaps.
Right. So what is the command that will allow me to add new RIDs to that range?
Sorry I'm not able to provide a definite answer, but it's hard to know if removing your wheel group from IPA would break anything. Maybe you have applications that rely on it, maybe it was added un-intentionally. Without clear understanding I can't really advise.
So yeah. It's not really about the wheel group at this point. It's just about being able to add the RIDs to that range that does not have them. Not sure how to go about doing that.
Cheers, b.