Hi. I'm having problems adding a replica. I think it's related to ID ranges not being set correctly on the existing server.

Some context that isn't strictly related to the error but I think is relevant.

Initially there used to be 2 servers, ipa1 and ipa2, both CentOS 7, fully up to date. Some time last year replication fell and I tried to fix it but was unable to. Since the error was in the ipa2-to-ipa1 direction I tried to reinit ipa1 but that failed and left ipa1 in a deconfigured, non-working state (I could give you more details but I don't think it's necessary at this time). I thus uninstalled ipa1 and went to try to salvage the still working ipa2 server. After making both a backup of the VM and a full ipa-backup, I went through the process of adding a new replica, which I decided to install on Rocky Linux 8 in order to start the upgrade process at the same time (with a goal to get to Rocky 9 later).

First I hit the "SASL encrypted packet length exceeds maximum allowed limit" error which I solved by increasing nsslapd-maxsasliosize and nsslapd-sasl-max-buffer-size on ipa2 and setting those values in ipa-replica-install --dirsrv-config-file.

After that I hit this "Failed to add fallback group." error. I found two existing threads on this mailing list, one from 2017 and one from just a couple of days ago, and a Red Hat KB page that I can't view. [1]

I understand the fix may be to modify/set ID ranges but I'm not exactly sure how so I'm asking for your help.

Below are logs of the error and the current state of range settings.
### ipa-replica-install error on ipa3
Full log is here:
https://0x0.st/oFDg.txt
Configuring SID generation
[1/7]: creating samba domain object
[2/7]: adding admin(group) SIDs
[3/7]: adding RID bases
[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
[5/7]: activating sidgen task
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Failed to load default-smb-group.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmpbg9tdvpw', '-H', 'ldapi://%2Frun%2Fslapd-ABAK-SI.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-ABAK-SI.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n\tadditional info: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.\n')
Failed to add fallback group.
### range settings
[jernej@ipa2 ~]$ sudo ipa-replica-manage dnarange-show
ipa2.abak.si: No range set
ipa3.abak.si: No range set
[jernej@ipa2 ~]$ ipa idrange-find
----------------
2 ranges matched
----------------
Range name: ABAK.SI_id_range
First Posix ID of the range: 792600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 100000000
Range type: local domain range
Range name: ABAK.SI_subid_range
First Posix ID of the range: 2147483648
Number of IDs in the range: 2147352576
First RID of the corresponding RID range: 2147283648
Domain SID of the trusted domain: S-1-5-21-738065-838566-3187085368
Range type: Active Directory domain range
----------------------------
Number of entries returned 2
----------------------------
[jernej@ipa2 ~]$ sudo ipa-replica-manage list
ipa3.abak.si: master
ipa2.abak.si: master
[jernej@ipa2 ~]$ sudo ipa-replica-manage dnanextrange-show
Directory Manager password:
ipa2.abak.si: No on-deck range set
ipa3.abak.si: No on-deck range set
[jernej@ipa2 ~]$ ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=abak,dc=si
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=abak,dc=si
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=abak,dc=si
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[1]: https://access.redhat.com/solutions/6958018
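As an added diagnostic check, not part of the original post or of FreeIPA itself: this script parses the DNA plugin entry and the local idrange listing quoted above and reports whether the allocator window is exhausted (dnaNextValue past dnaMaxValue), has dropped below dnaThreshold, or lies outside the IPA local ID range. The sample strings are constructed from the output shown above, and the 389-ds DNA plugin semantics assumed are that values are handed out from dnaNextValue up to and including dnaMaxValue.

```python
# Constructed sample input copied from the post: the DNA plugin entry and the
# "local domain range" part of the `ipa idrange-find` output.
DNA_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
"""
IDRANGE_OUTPUT = """\
Range name: ABAK.SI_id_range
First Posix ID of the range: 792600000
Number of IDs in the range: 200000
Range type: local domain range
"""

def parse_ldif_entry(text):
    """Map attribute -> list of values for one plain LDIF entry (no base64, no folding)."""
    entry = {}
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and not line.startswith("#"):
            entry.setdefault(attr, []).append(value.strip())
    return entry

def parse_local_idrange(text):
    """Return (first_id, count) from the `ipa idrange-find` output of one range."""
    first = count = None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "First Posix ID of the range":
            first = int(value)
        elif key == "Number of IDs in the range":
            count = int(value)
    return first, count

def check_dna_range(dna, local_first, local_count):
    """Compare the DNA allocator window with the IPA local range; return a list of findings."""
    next_value = int(dna["dnaNextValue"][0])
    max_value = int(dna["dnaMaxValue"][0])
    threshold = int(dna["dnaThreshold"][0])
    local_last = local_first + local_count - 1
    findings = []
    remaining = max_value - next_value + 1  # values the plugin can still hand out
    if remaining <= 0:
        findings.append("exhausted: dnaNextValue %d > dnaMaxValue %d" % (next_value, max_value))
    elif remaining < threshold:
        findings.append("below dnaThreshold %d: only %d values left" % (threshold, remaining))
    if not (local_first <= max_value <= local_last):
        findings.append("dnaMaxValue %d outside local idrange %d-%d" % (max_value, local_first, local_last))
    return findings
```

Run against the post's own numbers it reports both an exhausted allocator (1101 > 1100) and a dnaMaxValue far below the 792600000-792799999 local range, which is the condition to confirm on each master with `ipa-replica-manage dnarange-show` before adding a replica.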