On Tue, 12 Apr 2022, Noah Walden via FreeIPA-users wrote:
Hi all,

I recently attempted to add a replica running FreeIPA v4.9.6 to our
domain, which consists of two servers running FreeIPA v4.9.2. I was
prompted to set a NetBIOS domain name. The installation then failed
with the error “Too many ID ranges.” In order to avoid needing to
delete ID ranges to accommodate the new replica, I removed the replica
from FreeIPA and reinstalled it with an earlier version (v4.9.2). Since
then, users have been unable to perform password-based authentication
(tested with ssh & sudo). "Preauthentication failed" errors have also
been appearing in /var/log/sssd/krb5_child.log on the server I've been
attempting to login to via ssh.  Does anyone know the root cause of
this issue and/or a possible solution?

It is the same as
https://lists.fedorahosted.org/archives/list/[email protected]/thread/GAE2BYGL2IRXEW37KBBGGMROKIY5LETL/
and https://pagure.io/freeipa/issue/9076.





Repeated message in /var/log/sssd/sssd_example.org.log of the server I’ve been 
attempting to ssh to:

(2022-04-12  8:29:34): [be[example.org]] [sysdb_range_create] (0x0040): Invalid range, skipping. Expected that either the secondary base RID or the SID of the trusted domain is set, but not both or none of them.

Our ID ranges:

[root@ipaserver ~]$ ipa idrange-find --all --raw
----------------
2 ranges matched
----------------
 dn: cn=example-freeipa-service-accounts,cn=ranges,cn=etc,dc=example,dc=org
 cn: example-freeipa-service-accounts
 ipabaseid: 900000
 ipaidrangesize: 99999
 iparangetype: ipa-local
 objectclass: ipaIDrange
 objectclass: ipadomainidrange

 dn: cn=EXAMPLE.ORG_id_range,cn=ranges,cn=etc,dc=example,dc=org
 cn: EXAMPLE.ORG_id_range
 ipabaseid: 1014000
 ipaidrangesize: 200000
 iparangetype: ipa-local
 objectclass: top
 objectclass: ipaIDrange
 objectclass: ipaDomainIDRange
----------------------------
Number of entries returned 2
----------------------------

You need to add base RID and base secondary RID values to your ranges.
The code knows how to do that in the case of a single range but lacks
support for doing so for multiple ranges. You can add those manually.

Please see discussion in
https://lists.fedorahosted.org/archives/list/[email protected]/thread/USAZO4FZX2IRDEGOH5YYRTIQ6T3Y6O2I/#DSZWR5EMGZQWLJX53WMEVJVFGS7XD4AT
about a similar situation. You need to come up with the RID bases that
work for you and then use either ldapmodify or ipa console as in that
thread to modify the ranges. You cannot do that through the 'ipa
idrange-mod' command as it prevents you from such modifications.

For the base idrange (EXAMPLE.ORG_id_range) take base RID 1000 and
set the secondary base RID to a value that is not overlapping with
1000+range size (e.g. above 201000 for your case).

For the second idrange you need to take bases that would not overlap
with the first range's base RIDs.


[root@ipaserver ~]$


Last ~100 lines from /var/log/ipareplica-install.log:

2022-04-01T16:55:16Z DEBUG Configuring SID generation
2022-04-01T16:55:16Z DEBUG   [1/7]: creating samba domain object
2022-04-01T16:55:16Z DEBUG step duration: SID generation __create_samba_domain_object 0.02 sec
2022-04-01T16:55:16Z DEBUG   [2/7]: adding admin(group) SIDs
2022-04-01T16:55:16Z DEBUG step duration: SID generation __add_admin_sids 0.01 sec
2022-04-01T16:55:16Z DEBUG   [3/7]: adding RID bases
2022-04-01T16:55:16Z CRITICAL Found more than one local domain ID range with no RID base set.
2022-04-01T16:55:16Z DEBUG Traceback (most recent call last):
 File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
   run_step(full_msg, method)
 File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
   method()
 File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases
   raise RuntimeError("Too many ID ranges\n")
RuntimeError: Too many ID ranges


2022-04-01T16:55:16Z DEBUG   [error] RuntimeError: Too many ID ranges

2022-04-01T16:55:16Z DEBUG   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute
   return_value = self.run()
 File "/usr/lib/python3.6/site-packages/ipapython/install/cli.py", line 342, in run
   return cfgr.run()
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 360, in run
   return self.execute()
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 386, in execute
   for rval in self._executor():
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
   exc_handler(exc_info)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
   self._handle_exception(exc_info)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
   six.reraise(*exc_info)
 File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
   raise value
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
   step()
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
   step = lambda: next(self.__gen)
 File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
   six.reraise(*exc_info)
 File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
   raise value
 File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
   value = gen.send(prev_value)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 655, in _configure
   next(executor)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 431, in __runner
   exc_handler(exc_info)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
   self._handle_exception(exc_info)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 518, in _handle_exception
   self.__parent._handle_exception(exc_info)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
   six.reraise(*exc_info)
 File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
   raise value
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 515, in _handle_exception
   super(ComponentBase, self)._handle_exception(exc_info)
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 450, in _handle_exception
   six.reraise(*exc_info)
 File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
   raise value
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 421, in __runner
   step()
 File "/usr/lib/python3.6/site-packages/ipapython/install/core.py", line 418, in <lambda>
   step = lambda: next(self.__gen)
 File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
   six.reraise(*exc_info)
 File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
   raise value
 File "/usr/lib/python3.6/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
   value = gen.send(prev_value)
 File "/usr/lib/python3.6/site-packages/ipapython/install/common.py", line 65, in _install
   for unused in self._installer(self.parent):
 File "/usr/lib/python3.6/site-packages/ipaserver/install/server/__init__.py", line 603, in main
   replica_install(self)
 File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 401, in decorated
   func(installer)
 File "/usr/lib/python3.6/site-packages/ipaserver/install/server/replicainstall.py", line 1371, in install
   adtrust.install(False, options, fstore, api)
 File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrust.py", line 483, in install
   smb.create_instance()
 File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 895, in create_instance
   self.start_creation(show_service_name=False)
 File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 635, in start_creation
   run_step(full_msg, method)
 File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 621, in run_step
   method()
 File "/usr/lib/python3.6/site-packages/ipaserver/install/adtrustinstance.py", line 380, in __add_rid_bases
   raise RuntimeError("Too many ID ranges\n")

2022-04-01T16:55:16Z DEBUG The ipa-replica-install command failed, exception: RuntimeError: Too many ID ranges

2022-04-01T16:55:16Z ERROR Too many ID ranges

2022-04-01T16:55:16Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure



--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
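
Added example, not part of the original message and not FreeIPA code: a small planner that assigns non-overlapping base RID and secondary base RID values to the two ranges quoted in the thread, checks the result for overlaps, and renders it as LDIF for ldapmodify. The function names, the upward packing scheme and the 1000-RID spacer are assumptions made for illustration; ipabaserid and ipasecondarybaserid are the LDAP attributes that hold the two RID bases.

```python
from itertools import combinations

# Constructed from the `ipa idrange-find --all --raw` output quoted in the thread.
RANGES = [
    {"dn": "cn=EXAMPLE.ORG_id_range,cn=ranges,cn=etc,dc=example,dc=org",
     "size": 200000},
    {"dn": "cn=example-freeipa-service-accounts,cn=ranges,cn=etc,dc=example,dc=org",
     "size": 99999},
]
RID_ATTRS = ("ipabaserid", "ipasecondarybaserid")


def plan_rid_bases(ranges, first_rid=1000, gap=1000):
    """Give every range a primary and a secondary RID base, packed upwards.

    Assumption: a simple packing scheme with a spacer of `gap` RIDs; any
    assignment that keeps the intervals disjoint is equally valid.
    """
    cursor, plan = first_rid, []
    for rng in ranges:
        entry = dict(rng)
        for attr in RID_ATTRS:
            entry[attr] = cursor
            cursor += rng["size"] + gap
        plan.append(entry)
    return plan


def overlaps(plan):
    """Return every pair of RID intervals that intersect; empty means safe."""
    spans = [(e["dn"], a, e[a], e[a] + e["size"]) for e in plan for a in RID_ATTRS]
    return [(x[:2], y[:2]) for x, y in combinations(spans, 2)
            if x[2] < y[3] and y[2] < x[3]]


def to_ldif(plan):
    """Render the plan as LDIF modify records for ldapmodify."""
    records = []
    for e in plan:
        mods = "\n-\n".join(f"add: {a}\n{a}: {e[a]}" for a in RID_ATTRS)
        records.append(f"dn: {e['dn']}\nchangetype: modify\n{mods}\n")
    return "\n".join(records)


if __name__ == "__main__":
    plan = plan_rid_bases(RANGES)
    assert not overlaps(plan), overlaps(plan)
    print(to_ldif(plan))
```

The overlap check can also be run on hand-picked values before applying them: build the same list of dictionaries with your own bases and confirm that `overlaps()` returns an empty list.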