hi all,
thanks to all for this thread. this is not for the faint of heart. i had a
similar issue with upgrade on el88
(ipa-server-4.9.11-7.module+el8.8.0+19639+24a8b95c.x86_64 ->
ipa-server-4.9.11-9.module+el8.8.0+20825+52dd1628.x86_64; yes not even a
subminor version change)
my experience:
0. all rest client access broken after update, incl ipa command
1. find this thread
2. /usr/libexec/ipa/oddjob/org.freeipa.server.config-enable-sid broken
due to missing dnarange -> but got ipa working back for admin user,
this was a lifesaver. kudos to whoever implemented it that it started
with the admin user. it was the only one who got the ipantsecurityidentifier
3. figure out why we need dnarange (we don't; we add all users with
predefined uids), and what minimal range we can use (a range of size 1
is not enough ;)
4. config-mod enable sid gives errors in the ldap errors file (and not
the sid enable log file) due to users not in an idrange
5. add idrange without baserid, config mod reveals conflict in rids
6. so run ldapmodify to fix it. rerun config-mod to discover another set
of users not in the idrange
7. add another idrange, this time with baserids
8. run config-mod again, some errors that appear harmless
9. run config-mod again, clean logs
hooray for trusting version numbers to estimate potential impact of an
update!
stijn
On 2/12/24 12:19, Oliver Nixon via FreeIPA-users wrote:
> Complete oversight by me sorry...
> There was a GID of a group set to 200. After changing that and running sidgen
> again all the users now have SIDs
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
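
An offline pre-check for the situation in steps 4 to 7 above, added here as an illustration and not taken from the thread or from FreeIPA's code: given POSIX IDs and ID ranges, it lists entries that no range with a base RID covers and RID intervals that overlap. It assumes the RID is derived as ipaBaseRID + (ID - ipaBaseID); the function names and all sample values are constructed.

```python
"""Offline pre-check of POSIX IDs against FreeIPA-style ID ranges (added example)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass(frozen=True)
class IdRange:
    name: str
    base_id: int                         # ipaBaseID
    size: int                            # ipaIDRangeSize
    base_rid: Optional[int] = None       # ipaBaseRID
    secondary_rid: Optional[int] = None  # ipaSecondaryBaseRID

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

def rid_for(posix_id, ranges):
    """Primary RID for an ID, or None if no range with a base RID covers it."""
    for r in ranges:
        if r.covers(posix_id) and r.base_rid is not None:
            return r.base_rid + (posix_id - r.base_id)
    return None

def unmappable(entries, ranges):
    """Names of entries (name -> uid/gid) for which no RID can be computed."""
    return sorted(n for n, i in entries.items() if rid_for(i, ranges) is None)

def rid_overlaps(ranges):
    """Pairs of RID intervals (primary and secondary) that intersect."""
    spans = [(f"{r.name}:{kind}", start, start + r.size)
             for r in ranges
             for kind, start in (("primary", r.base_rid), ("secondary", r.secondary_rid))
             if start is not None]
    return [(a[0], b[0]) for a, b in combinations(spans, 2)
            if a[1] < b[2] and b[1] < a[2]]

# Constructed sample data, not values from the thread's deployment.
RANGES = [
    IdRange("main", 10000, 1000, base_rid=1000, secondary_rid=100000),
    IdRange("legacy_no_rid", 5000, 500),            # range added without base RID
    IdRange("extra", 20000, 1000, base_rid=1500, secondary_rid=200000),
]
ENTRIES = {"alice": 10005, "bob": 5010, "oldgroup": 200, "carol": 20001}

if __name__ == "__main__":
    print("no RID possible:", unmappable(ENTRIES, RANGES))
    print("overlapping RID intervals:", rid_overlaps(RANGES))
```
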