Hi, I really have no idea if the wheel group will cause any issue as it is defined in IPA and probably also locally. Usually wheel is used to define the set of users allowed to perform su but in IPA the proper way is to create sudo rules and add members.
If you feel ok to keep the wheel group in IPA (but once again, hum...), the idrange needs to have primary and secondary rid bases. Currently you have the following: Size POSIX ids start POSIX ids end RIDs start RIDs end 2nd RIDs start 2nd RIDs end 200,000 396,000,000 396,200,000 1,000 201,000 100,000,000 100,200,000 39,000 1,000 40,000 301,000 340,000 100,300,000 100,339,000 1 112 113 The following RIDs are already taken: [1,000-201,000] [301,000-340,000], [100,000,000-100,200,000] and [100,300,000-100,339,000]. Pick any value outside of those ranges and it won't complain about overlaps. On the other hand, if you decide to remove the idrange, you need to do it manually with ldapdelete: ldapdelete -D "cn=Directory manager" -W cn=asterisk_system_user ,cn=ranges,cn=etc,dc=example,dc=com and then restart ipa. Sorry I'm not able to provide a definite answer, but it's hard to know if removing your wheel group from IPA would break anything. Maybe you have applications that rely on it, maybe it was added un-intentionally. Without clear understanding I can't really advise. flo On Sun, Oct 12, 2025 at 6:38 PM Brian J. Murrell via FreeIPA-users < [email protected]> wrote: > On Thu, 2025-10-09 at 11:27 -0400, Brian J. Murrell via FreeIPA-users > wrote: > > On Thu, 2025-10-09 at 10:56 +0200, Florence Blanc-Renaud via FreeIPA- > > users wrote: > > > Hi > > > > Hello! > > > > > What is the output of > > > ipa idrange-find > > > > ---------------- > > 4 ranges matched > > ---------------- > > Range name: asterisk_system_user > > First Posix ID of the range: 112 > > Number of IDs in the range: 1 > > Range type: local domain range > > > > Range name: EXAMPLE.COM_id_range > > First Posix ID of the range: 396000000 > > Number of IDs in the range: 200000 > > First RID of the corresponding RID range: 1000 > > First RID of the secondary RID range: 100000000 > > Range type: local domain range > > > > Range name: EXAMPLE.COM_id_range_001 > > First Posix ID of the range: 1000 > > Number of IDs in the range: 39000 > > First RID of the corresponding RID range: 301000 > > First RID of the secondary RID range: 100300000 > > Range type: local domain range > > > > Range name: EXAMPLE.COM_subid_range > > First Posix ID of the range: 2147483648 > > Number of IDs in the range: 2147352576 > > First RID of the corresponding RID range: 2147283648 > > Domain SID of the trusted domain: S-1-5-21-738065-838566-2194680828 > > Range type: Active Directory domain range > > ---------------------------- > > Number of entries returned 4 > > ---------------------------- > > > > > Based on the values already used we may be able to modify your new > > > range > > > with proper primary and secondary rid base. > > > > That would work also. :-) > > Any additional help available to either delete this range so that I can > re-add it with RIDs or modify it to have some valid RIDs? I think this > is the last impediment to me being able to deal with > > https://lists.fedoraproject.org/archives/list/[email protected]/message/EMVNTCDSAIWTR736BZK5CQ5LGDMTWTXD/ > and get my IPA installation functional again. > > Cheers, > b. > -- > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
