On Fri, 19 May 2023, alexey safonov via FreeIPA-users wrote:
> After upgrading to RHEL 9.2 it seems I must enable SID in my prod setup.
> So when I tried, I got an error message:
>
> [18/May/2023:23:09:46.570447195 +0800] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
> [18/May/2023:23:09:46.571579606 +0800] - ERR - sidgen_task_add - [file ipa_sidgen_task.c, line 283]: Cannot find ranges.
So, somehow, the sidgen plugin was unable to load at least one of the ranges
you have:

    ret = get_ranges(worker_ctx->plugin_id, worker_ctx->base_dn,
                     &worker_ctx->ranges);
    if (ret != 0) {
        LOG_FATAL("Cannot find ranges.\n");
        goto done;
    }
Judging by the 'ipa idrange-find --all --raw' output below this is due
to missing secondary RID bases. You need to add them.
I think we also have a problem in that the logic in the sidgen plugin and
in the RID base generator in the ipa-adtrust-install tool is probably not
fully compatible. This does not affect you, as you have no AD trust
configuration set up, but we probably should be reusing that code on
upgrade to add RID bases to the most common ID range configurations
automatically.
Anyway, please use ldapmodify to add ipasecondarybaserid attribute to
your ranges of type 'ipa-local'.
> After investigating/searching the forum it seems like an error with my ID
> range. But I can't get why. I have no overlaps:
> ----------------
> 4 ranges matched
> ----------------
> dn: cn=INT.LHFT.IO_id_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> cn: INT.LHFT.IO_id_range
> ipabaseid: 1368600000
> ipaidrangesize: 200000
> ipabaserid: 100000
> iparangetype: ipa-local
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaDomainIDRange
>
> dn: cn=INT.LHFT.IO_subid_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> cn: INT.LHFT.IO_subid_range
> ipabaseid: 2147483648
> ipaidrangesize: 2147352576
> ipabaserid: 2147283648
> ipanttrusteddomainsid: S-1-5-21-738065-838566-328754306
> iparangetype: ipa-ad-trust
> objectclass: top
> objectclass: ipaIDrange
> objectclass: ipaTrustedADDomainRange
>
> dn: cn=LHFT_1,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> cn: LHFT_1
> ipabaseid: 10000
> ipaidrangesize: 10000
> ipabaserid: 10000
> iparangetype: ipa-local
> objectclass: ipaIDrange
> objectclass: ipadomainidrange
>
> dn: cn=LHFT_2,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> cn: LHFT_2
> ipabaseid: 4000
> ipaidrangesize: 5000
> ipabaserid: 1000
> iparangetype: ipa-local
> objectclass: ipaIDrange
> objectclass: ipadomainidrange
> ----------------------------
> Number of entries returned 4
> ----------------------------
> [root@lt-hk1-avm01 asafonov]#
>
> Any ideas why I can't enable/generate SIDs?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
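The check and fix Alexander describes, as an added example that is not part of this thread or of FreeIPA: parse `ipa idrange-find --all --raw` output, find ipa-local ranges lacking ipasecondarybaserid, pick a secondary base whose RID interval collides with no existing primary or secondary interval, and emit the ldapmodify LDIF. The sample entries (one given a secondary base on purpose) and the SECONDARY_START value are assumptions.

```python
# Constructed sample in 'ipa idrange-find --all --raw' form (RID attributes only);
# LHFT_2 is given a secondary base here so the collision handling is exercised.
RAW = """\
dn: cn=INT.LHFT.IO_id_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
ipaidrangesize: 200000
ipabaserid: 100000
iparangetype: ipa-local
dn: cn=LHFT_2,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
ipaidrangesize: 5000
ipabaserid: 1000
ipasecondarybaserid: 100000000
iparangetype: ipa-local
"""
SECONDARY_START = 100_000_000  # assumption: first RID tried for a secondary base

def parse_ranges(raw):
    """Split '--raw' output into dicts; each 'dn:' line opens a new entry."""
    entries = []
    for line in raw.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:  # separator rules, counts and blank lines carry no attribute
            continue
        if key.lower() == "dn":
            entries.append({})
        entries[-1][key.lower()] = value
    return entries

def first_free(size, used, start=SECONDARY_START):
    """Lowest base >= start whose [base, base+size) touches no used interval."""
    cand = start
    while any(s < cand + size and cand < end for s, end in used):
        cand = max(end for s, end in used if s < cand + size and cand < end)
    return cand

def fix_secondary_bases(raw):
    """Return ({dn: new base}, ldif); existing RID intervals are reserved first."""
    entries = parse_ranges(raw)
    used = [(int(e[a]), int(e[a]) + int(e["ipaidrangesize"]))
            for e in entries for a in ("ipabaserid", "ipasecondarybaserid") if a in e]
    assigned, ldif = {}, []
    for e in entries:
        if e.get("iparangetype") != "ipa-local" or "ipasecondarybaserid" in e:
            continue  # only ipa-local ranges without a secondary base need one
        base = first_free(int(e["ipaidrangesize"]), used)
        used.append((base, base + int(e["ipaidrangesize"])))
        assigned[e["dn"]] = base
        ldif.append("dn: %s\nchangetype: modify\nadd: ipasecondarybaserid\n"
                    "ipasecondarybaserid: %d\n" % (e["dn"], base))
    return assigned, "\n".join(ldif)
```

Feed the returned LDIF to `ldapmodify` against the IPA directory server; the range size is reused for the secondary interval, which is what keeps the two RID spaces of one range disjoint.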