Thanks, Flo. I believe we now know what the correct values should be for the rid-base and secondary-rid-base, however, we can’t seem to modify the ID range with the missing values we created to cover the legacy NIS users:
$ ipa idrange-mod ID.EXAMPLE.COM_legacy_range ipa: ERROR: This command can not be used to change ID allocation for local IPA domain. Run `ipa help idrange` for more information Nor can we simply delete the range and try again: ipa idrange-del ID.EXAMPLE.COM_legacy_range ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed It seems that we are in a chicken or the egg bind here. Below is the output of iprange-find for reference. ---------------- 3 ranges matched ---------------- Range name: ID.EXAMPLE.COM _id_range First Posix ID of the range: 866800000 Number of IDs in the range: 200000 First RID of the corresponding RID range: 1000 First RID of the secondary RID range: 100000000 Range type: local domain range Range name: ID.EXAMPLE.COM _legacy_range First Posix ID of the range: 1000 Number of IDs in the range: 98899 Range type: local domain range Range name: ID.EXAMPLE.COM _subid_range First Posix ID of the range: 2147483648 Number of IDs in the range: 2147352576 First RID of the corresponding RID range: 2147283648 Domain SID of the trusted domain: S-1-5-21-538032-778436-45698521293 Range type: Active Directory domain range ---------------------------- Number of entries returned 3 ---------------------------- From: Florence Blanc-Renaud <f...@redhat.com> Sent: Monday, January 22, 2024 11:50 PM To: FreeIPA users list <freeipa-users@lists.fedorahosted.org> Cc: Dungan, Scott A. <sdun...@caltech.edu> Subject: Re: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working Hi, On Tue, Jan 23, 2024 at 1:05 AM Dungan, Scott A. via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> wrote: Thanks to Paul for all the leg work on this issue. Based on that, I can confirm that we have the same problem after updating to 4.9.12-11 from 4.9.11-7. Running the oddjob command to add SIDs to the user accounts fails after encountering UIDs outside of the default IPA range. It was able to get the admin account working though. We have 294 users with UIDs in the range of 1001 to 99657. These were migrated from an ancient NIS domain when the IPA domain was provisioned. We tried adding a secondary IPA range that covers that scope: ipa idrange-add ID.EXAMPLE.COM_legacy_range --base-id=1000 --range-size=98899 And then running the oddjob command again, but we get the sidgen errors still, plus a error about overlapping rid ranges: [22/Jan/2024:15:09:50.398460268 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ... [22/Jan/2024:15:09:50.499604871 -0800] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [29034] into an unused SID. [22/Jan/2024:15:09:50.499960197 -0800] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. [22/Jan/2024:15:09:50.503257753 -0800] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. [22/Jan/2024:15:09:55.035779436 -0800] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=id,dc=example,dc=com [22/Jan/2024:15:09:55.036238563 -0800] - ERR - schema-compat-plugin - Finished plugin initialization. [22/Jan/2024:15:47:04.969286883 -0800] - ERR - ipa_range_check_pre_op - [file ipa_range_check.c, line 670]: New primary rid range overlaps with existing primary rid range. I suspect that we may not have added the range correctly. We didn't pass the --rid-base= or --secondary-rid-base= flags/values as we were not sure what these values should be. These values are important in order to generate the SIDs. Please read The role of security and relative identifiers in IdM ID ranges<https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_idm_users_groups_hosts_and_access_control_rules/index#con_the-role-of-security-and-relative-identifiers-in-idm-id-ranges_adjusting-id-ranges-manually> and Security Identifiers<https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html#security-identifiers> to understand how they are used. You need to pick values that do not conflict with the ones for your initial range. flo Any help would be much appreciated. Scott -----Original Message----- From: Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Sent: Thursday, January 18, 2024 11:25 AM To: FreeIPA users list <freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org>> Cc: Paul Nickerson <pgn...@gmail.com<mailto:pgn...@gmail.com>>; Rob Crittenden <rcrit...@redhat.com<mailto:rcrit...@redhat.com>> Subject: [Freeipa-users] Re: Upgrade to FreeIPA 4.9.12 on RHEL 8.9 caused web UI login and ipa command to stop working Paul Nickerson via FreeIPA-users wrote: > I confirmed that users who had an ipaNTSecurityIdentifier attribute could log > in to the web UI, and those that did not have the ipaNTSecurityIdentifier > attribute could not. > > I found the error in /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors like you > said: > [17/Jan/2024:20:28:09.571195828 +0000] - ERR - sidgen_task_thread - [file > ipa_sidgen_task.c, line 194]: Sidgen task starts ... > [17/Jan/2024:20:28:09.637675948 +0000] - ERR - find_sid_for_ldap_entry - > [file ipa_sidgen_common.c, line 522]: Cannot convert Posix ID [1566000023] > into an unused SID. > [17/Jan/2024:20:28:09.658369523 +0000] - ERR - do_work - [file > ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry. > [17/Jan/2024:20:28:09.666726494 +0000] - ERR - sidgen_task_thread - [file > ipa_sidgen_task.c, line 199]: Sidgen task finished [32]. > > I found some nice documentation at > https://access.redhat.com/solutions/394763 > > I used this command to see the ranges that I have configured: > ipa idrange-find > > And these two commands to see the UIDs of the users who had not yet been > given SIDs (some were inside the existing range; I think you're correct that > the process stops at the first error): > ldapsearch -H > ldap://ipa01.semi.example.net:389/<http://ipa01.semi.example.net:389/> -x -D > "cn=Directory > Manager" -W -b "cn=users,cn=accounts,dc=semi,dc=example,dc=net" > "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v > "# requesting: " | sed 's/uidNumber: //' | sort -n ldapsearch -H > ldap://ipa01.semi.example.net:389/<http://ipa01.semi.example.net:389/> -x -D > "cn=Directory Manager" -W -b > "cn=deleted > users,cn=accounts,cn=provisioning,dc=semi,dc=example,dc=net" > "(!(ipaNTSecurityIdentifier=*))" uidNumber | grep uidNumber | grep -v > "# requesting: " | sed 's/uidNumber: //' | sort -n > > Here's some documentation on what ID and RID ranges are for: > https://www.freeipa.org/page/V3/ID_Ranges > > After doing a bunch of math and guess and check, I ran this: > ipa idrange-add SEMI.EXAMPLE.NET_US150777_range --base-id=1441400000 > --range-size=531251000 --rid-base=101000000 > --secondary-rid-base=633000000 > > That gave me an additional range (confirmed with ipa idrange-find). I ran ipa > config-mod --enable-sid --add-sids again, saw no significant errors in > /var/log/dirsrv/slapd-SEMI-EXAMPLE-NET/errors, and confirmed that there were > 0 users left with no ipaNTSecurityIdentifier. > > All users are all set now. Thank you again. Glad to hear it and thank you for your detailed analysis. I think this will be useful to other users that may run into this. rob -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org<mailto:freeipa-users-le...@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org<mailto:freeipa-users@lists.fedorahosted.org> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org<mailto:freeipa-users-le...@lists.fedorahosted.org> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
