[Freeipa-users] Re: New primary rid range overlaps with existing primary rid range

Wed, 17 May 2023 00:06:44 -0700 

On Tue, 16 May 2023, Andreas Binapfl via FreeIPA-users wrote:

Greetings, we also upgraded to RHEL9.2 and got the auth problems.

following the advice here i wanted to use "ipa config-mod --enable-sid 
--add-sids" but unfortunately i get an error in /etc/messages
ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary 
rid range overlaps with existing primary rid range.

Using ipa idrange-find
----------------
3 ranges matched
----------------
 Range name: DOMAIN.LOCAL_id_range
 First Posix ID of the range: 512800000
 Number of IDs in the range: 200000
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 100000000
 Range type: local domain range

 Range name: DOMAIN.LOCAL_new_range
 First Posix ID of the range: 1600
 Number of IDs in the range: 2000
 Range type: local domain range


This one is a bit weird. Can you please show

ipa idrange-show --all --raw DOMAIN.LOCAL_new_range

?



 Range name: DOMAIN.LOCAL_subid_range
 First Posix ID of the range: 2147483648
 Number of IDs in the range: 2147352576
 First RID of the corresponding RID range: 2147283648
 Domain SID of the trusted domain: S-1-5-21-738065-838566-2958400175
 Range type: Active Directory domain range
----------------------------
Number of entries returned 3



On a first glance they seems not to overlap. Can someone help me how i
can troubleshoot that problem further?


The error message is quite clear -- there is some range that overlaps in
its parameters with existing range. It comes from this code in the range
check plugin:

        /* For ipa-local or ipa-ad-trust range types primary RID ranges should
         * not overlap */

        if (strcasecmp(r1->id_range_type, AD_TRUST_RANGE_TYPE) == 0 ||
            strcasecmp(r1->id_range_type, LOCAL_RANGE_TYPE) == 0) {

            /* Check if primary rid range overlaps with existing primary rid 
range */
            if ((r1->base_rid_set && r2->base_rid_set) &&
                intervals_overlap(r1->base_rid, r2->base_rid,
                                  r1->id_range_size, r2->id_range_size))
                return RANGE_CHECK_PRIMARY_PRIMARY_RID_OVERLAP;
        }


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to