Still not working.  I do not have any trust set up with any Active Directory currently; we have an AD running on the network, but that and my IPA domain don't trust each other in any way.

Got two idranges set up:
-----------
  Range name: domain_id_range
  First Posix ID of the range: 824400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: EDIPIs_id_range
  First Posix ID of the range: 1009210100
  Number of IDs in the range: 619332697
  Range type: local domain range
-----------

And dnarange/dnanextrange is set up also. The dnanext ranges match up to the EDIPIs range.
-----------
[root@ipa02 ~]# ipa-replica-manage dnarange-show
ipa25.domain: 824400015-824425499
ipa08.domain: 824550503-824599999
ipa22.domain: 824450504-824500499
ipa02.domain: 824425523-824450499
[root@ipa02 ~]# ipa-replica-manage dnanextrange-show
ipa25.domain: 1464499522-1619332666
ipa08.domain: 1154833194-1309666338
ipa22.domain: 1309666348-1464499502
ipa02.domain: 1009210100-1154833174

-----------

Tried running the add-sids process and it errors out.  There's nothing in the error log.
-----------
[root@ipa02 ~]# ipa -vv config-mod --enable-sid --add-sids
ipa: INFO: Request: {
    "id": 0,
    "method": "config_mod/1",
    "params": [
        [],
        {
            "add_sids": true,
            "enable_sid": true,
            "version": "2.251"
        }
    ]
}
ipa: INFO: Response: {
    "error": {
        "code": 4000,
        "data": {},
        "message": "Configuration of SID failed. See details in the error log",
        "name": "ExecutionError"
    },
    "id": 0,
    "principal": "admin@domain",
    "result": null,
    "version": "4.9.12"
}
ipa: ERROR: Configuration of SID failed. See details in the error log
-----------

There's nothing in /var/log/dirsrv/slapd-DOMAIN/errors about the failure. So I'm at a roadblock right now.  Can't do what I need to do and can't figure out why.


On 2/1/24 02:13, Giulio Casella via FreeIPA-users wrote:
Ok, maybe you are missing some id range...
Let's check this page, just to point in the right direction:

https://www.linuxsysadmins.com/ipa-error-4203-databaseerror/

(I had that error, after a couple of migrations: CentOS 7 -> CentOS 8 stream -> RHEL 9).

Briefly:
- "ipa idrange-find" should give id range (and subid range, but ignore it for now): write down "First Posix ID..." and "Number of IDs..."
- "ipa-replica-manage dnarange-show" should give current dna ranges (maybe you have no dna range right now)
- create dna ranges with "ipa-replica-manage dnarange-set server1.ipa.example.com 10000-20000" for every domain controller (range should be different for every server and included in range got from idrange-find)

If you manage to have correct ID ranges (and DNA ranges), don't forget to fire the sids creation command at the end.

This procedure helped me to solve it; I don't know if this is the correct way to go. Maybe some list guru out there can correct me.

Good luck.

--
//-        Fixer of that which is broke        -//
//-        Home = sb...@mississippi.com        -//
//- Sinners can repent, but stupid is forever. -//
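
The range rule quoted in the thread (each server's DNA range must be different and must lie inside a range reported by idrange-find) can be checked mechanically. The following is an added example, not part of the original messages or of FreeIPA; `parse_dna` and `check` are hypothetical helper names, and the inputs are the values posted above, typed in by hand.

```python
import re

# ID ranges as posted above: name -> (first POSIX ID, number of IDs).
ID_RANGES = {"domain_id_range": (824400000, 200000),
             "EDIPIs_id_range": (1009210100, 619332697)}
# dnarange-show followed by dnanextrange-show output, as posted above.
DNA_OUTPUT = """\
ipa25.domain: 824400015-824425499
ipa08.domain: 824550503-824599999
ipa22.domain: 824450504-824500499
ipa02.domain: 824425523-824450499
ipa25.domain: 1464499522-1619332666
ipa08.domain: 1154833194-1309666338
ipa22.domain: 1309666348-1464499502
ipa02.domain: 1009210100-1154833174
"""
LINE = re.compile(r"^(\S+):\s*(\d+)-(\d+)$")

def parse_dna(text):
    """Return [(server, first, last)]; lines without a numeric range are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows

def check(id_ranges, dna):
    """List DNA ranges that are inverted, outside every ID range, or overlapping."""
    bounds = [(first, first + count - 1) for first, count in id_ranges.values()]
    problems = []
    for server, lo, hi in dna:
        if lo > hi:
            problems.append(f"{server}: inverted range {lo}-{hi}")
        elif not any(b_lo <= lo and hi <= b_hi for b_lo, b_hi in bounds):
            problems.append(f"{server}: {lo}-{hi} not inside any ID range")
    prev_server, prev_hi = None, -1
    for server, lo, hi in sorted(dna, key=lambda r: r[1]):
        if lo <= prev_hi:  # starts before the highest ID seen so far ends
            problems.append(f"{prev_server} and {server}: overlap at {lo}")
        if hi > prev_hi:
            prev_server, prev_hi = server, hi
    return problems

if __name__ == "__main__":
    for p in check(ID_RANGES, parse_dna(DNA_OUTPUT)) or ["no problems found"]:
        print(p)
```

With the values posted in this thread the check reports no problems, so the posted DNA ranges are consistent with the two ID ranges.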
