Works now. thanks
Fri, 19 May 2023 at 15:13, Alexander Bokovoy <[email protected]>:
>
> On Fri, 19 May 2023, alexey safonov via FreeIPA-users wrote:
> >After upgrading to RHEL 9.2 it seems I must enable SID in my prod setup.
> >
> >So when I tried I'm getting an error message
> >
> >[18/May/2023:23:09:46.570447195 +0800] - ERR - get_ranges - [file
> >ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range
> >struct.
> >[18/May/2023:23:09:46.571579606 +0800] - ERR - sidgen_task_add - [file
> >ipa_sidgen_task.c, line 283]: Cannot find ranges.
>
>
> So, somehow, sidgen plugin was unable to load at least one range of
> those you have:
>
>     ret = get_ranges(worker_ctx->plugin_id, worker_ctx->base_dn,
>                      &worker_ctx->ranges);
>     if (ret != 0) {
>         LOG_FATAL("Cannot find ranges.\n");
>         goto done;
>     }
>
>
> Judging by the 'ipa idrange-find --all --raw' output below this is due
> to missing secondary RID bases. You need to add them.
>
> I think we also have a problem in that when we probably have not fully
> compatible logic in sidgen plugin and in the RID base generator in
> ipa-adtrust-install tool. This does not affect you as you have no AD
> trust configuration setup, but we probably should be reusing that code
> on upgrade to add RID bases to most common ID range configurations
> automatically.
>
> Anyway, please use ldapmodify to add ipasecondarybaserid attribute to
> your ranges of type 'ipa-local'.
>
> >
> >
> >After investigating/search forum it seems like an error with my ID
> >range. But I can't get why. I have no overlaps
> >
> >----------------
> >4 ranges matched
> >----------------
> >  dn: cn=INT.LHFT.IO_id_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> >  cn: INT.LHFT.IO_id_range
> >  ipabaseid: 1368600000
> >  ipaidrangesize: 200000
> >  ipabaserid: 100000
> >  iparangetype: ipa-local
> >  objectclass: top
> >  objectclass: ipaIDrange
> >  objectclass: ipaDomainIDRange
> >
> >  dn: cn=INT.LHFT.IO_subid_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> >  cn: INT.LHFT.IO_subid_range
> >  ipabaseid: 2147483648
> >  ipaidrangesize: 2147352576
> >  ipabaserid: 2147283648
> >  ipanttrusteddomainsid: S-1-5-21-738065-838566-328754306
> >  iparangetype: ipa-ad-trust
> >  objectclass: top
> >  objectclass: ipaIDrange
> >  objectclass: ipaTrustedADDomainRange
> >
> >  dn: cn=LHFT_1,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> >  cn: LHFT_1
> >  ipabaseid: 10000
> >  ipaidrangesize: 10000
> >  ipabaserid: 10000
> >  iparangetype: ipa-local
> >  objectclass: ipaIDrange
> >  objectclass: ipadomainidrange
> >
> >  dn: cn=LHFT_2,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
> >  cn: LHFT_2
> >  ipabaseid: 4000
> >  ipaidrangesize: 5000
> >  ipabaserid: 1000
> >  iparangetype: ipa-local
> >  objectclass: ipaIDrange
> >  objectclass: ipadomainidrange
> >----------------------------
> >Number of entries returned 4
> >----------------------------
> >[root@lt-hk1-avm01 asafonov]#
> >
> >Any ideas why I can't enable/generate SIDs?
> >_______________________________________________
> >FreeIPA-users mailing list -- [email protected]
> >To unsubscribe send an email to [email protected]
> >Fedora Code of Conduct:
> >https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >List Archives:
> >https://lists.fedorahosted.org/archives/list/[email protected]
> >Do not reply to spam, report it:
> >https://pagure.io/fedora-infrastructure/new_issue
> >
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
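
The fix described in the thread, as an added example that is not part of the original messages and not FreeIPA's own code: it parses `ipa idrange-find --all --raw` output, finds `ipa-local` ranges without `ipasecondarybaserid`, and emits LDIF for `ldapmodify`. The function names and the 100000000 floor for new secondary RID blocks are assumptions; the chosen blocks only avoid RID blocks of the `ipa-local` ranges in the listing.

```python
# Constructed sample: attributes trimmed from the idrange-find output quoted in the thread.
SAMPLE = """\
dn: cn=INT.LHFT.IO_id_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
ipaidrangesize: 200000
ipabaserid: 100000
iparangetype: ipa-local
dn: cn=INT.LHFT.IO_subid_range,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
iparangetype: ipa-ad-trust
dn: cn=LHFT_1,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
ipaidrangesize: 10000
ipabaserid: 10000
iparangetype: ipa-local
dn: cn=LHFT_2,cn=ranges,cn=etc,dc=int,dc=lhft,dc=io
ipaidrangesize: 5000
ipabaserid: 1000
iparangetype: ipa-local
"""

def parse_ranges(raw):
    """Return ipa-local entries as dicts; lines without 'attr: value' are ignored."""
    entries = []
    for line in raw.splitlines():
        key, sep, value = line.strip().partition(": ")
        if key.lower() == "dn" and sep:
            entries.append({})          # every dn line starts a new entry
        if sep and entries:
            entries[-1][key.lower()] = value
    return [e for e in entries if e.get("iparangetype") == "ipa-local"]

def plan_secondary_bases(entries, floor=100_000_000):  # floor: assumed starting point
    """Pick a free RID block for each range that lacks ipasecondarybaserid."""
    used = sorted((int(e[a]), int(e[a]) + int(e["ipaidrangesize"]))
                  for e in entries for a in ("ipabaserid", "ipasecondarybaserid") if a in e)
    plan = []
    for e in entries:
        if "ipasecondarybaserid" in e:
            continue
        size, base = int(e["ipaidrangesize"]), floor
        for start, end in used:         # sorted, so one pass clears every collision
            if start < base + size and base < end:
                base = end
        used = sorted(used + [(base, base + size)])
        plan.append((e["dn"], base))
    return plan

def to_ldif(plan):
    """Render the plan as modify operations for ldapmodify."""
    return "\n\n".join(f"dn: {dn}\nchangetype: modify\nadd: ipasecondarybaserid\n"
                       f"ipasecondarybaserid: {base}" for dn, base in plan) + "\n"
```

Review the output of `to_ldif(plan_secondary_bases(parse_ranges(text)))` before passing it to `ldapmodify`, since the values are site-specific choices.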
