On Mon, 26 Jun 2023, Harald Dunkel via FreeIPA-users wrote:
> Hi Flo,
>
> On 2023-06-23 14:48:25, Florence Blanc-Renaud via FreeIPA-users wrote:
>> The 2 ranges above don't have "First RID of the corresponding RID range" and "First
>> RID of the secondary RID range" set. If you edit them with ipa idrange-mod --rid-base=INT
>> --secondary-rid-base=INT this should fix the issue. The installer is able to add these values if
>> there is only one range but prefers to let the admin manually select the right values if there are
>> multiple ranges.
>> For more information you can refer to https://pagure.io/freeipa/issue/9076,
>> which contains a link to a mail thread with the workaround and a KCS.
>
> AFAIU this RID thing is about the AD trust relationship. This is
> something I do not have (literally). Is it possible to get rid
> of these RIDs and the unwanted 3rd ID range instead?
I am off on vacation for the next three weeks but wanted to highlight that
this is a topic we have been discussing on this list for quite a few
months. There is documentation available that covers some aspects of
it but not everything, surely.
Please see my answers in this thread (dated March 2023) for some of the
reasons:
https://lists.fedorahosted.org/archives/list/[email protected]/thread/HC54UQIEJQVMKZ6S5A5DCAJ4WYYTYJ7E/
and some materials are available in this thread:
https://lists.fedorahosted.org/archives/list/[email protected]/thread/RSAXURG6AR3MWONR3CZSOOI5ULDB2UVC/
and a few others.
This all affects FreeIPA, Samba AD, MIT Kerberos, and Heimdal, as well
as Microsoft's implementation of Active Directory with or without a trust
to another AD. The issues are real, with real exploits in the wild, so we
had to work on tightening things up in multiple projects.
I am yet to complete that promised blog article; maybe I'll find time
for that on this vacation...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
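Added example, not code from the thread or from the FreeIPA project: given ID ranges as reported by `ipa idrange-show`, it flags ranges missing either RID base, checks the existing RID layout for collisions (the reason the installer leaves the choice to the admin when several ranges exist), proposes non-overlapping primary and secondary RID bases, and emits the `ipa idrange-mod` commands from the quoted advice. The range names and sizes are constructed sample data, and the 1000 / 100000000 starting points are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

@dataclass
class IDRange:  # fields as shown by `ipa idrange-show`, renamed here for brevity
    name: str
    base_id: int
    size: int
    rid_base: Optional[int] = None            # "First RID of the corresponding RID range"
    secondary_rid_base: Optional[int] = None  # "First RID of the secondary RID range"

def rid_intervals(ranges):  # [start, end) RID intervals already claimed by any range
    return [(b, b + r.size) for r in ranges
            for b in (r.rid_base, r.secondary_rid_base) if b is not None]

def overlaps(a, b):
    return a[0] < b[1] and b[0] < a[1]

def first_free_base(size, used, start):  # lowest base >= start clear of every interval in `used`
    base = start
    for lo, hi in sorted(used):  # one ascending pass suffices: base only ever moves upward
        if overlaps((base, base + size), (lo, hi)):
            base = hi
    return base

def pick(existing, size, used, start):
    base = existing if existing is not None else first_free_base(size, used, start)
    used.append((base, base + size))  # reserve it before the next base is chosen
    return base

def propose_rid_bases(ranges, primary_start=1000, secondary_start=100_000_000):
    """name -> (rid_base, secondary_rid_base) for each range missing either; start values are assumptions."""
    used = rid_intervals(ranges)
    for a, b in combinations(used, 2):  # refuse to extend a layout that already collides
        if overlaps(a, b):
            raise ValueError(f"existing RID intervals overlap: {a} and {b}")
    proposals = {}
    for r in ranges:
        if r.rid_base is None or r.secondary_rid_base is None:
            proposals[r.name] = (pick(r.rid_base, r.size, used, primary_start),
                                 pick(r.secondary_rid_base, r.size, used, secondary_start))
    return proposals

def idrange_mod_commands(ranges):  # the fix quoted in the thread, one command per gap
    return [f"ipa idrange-mod {n} --rid-base={rid} --secondary-rid-base={sec}"
            for n, (rid, sec) in propose_rid_bases(ranges).items()]

SAMPLE_RANGES = [IDRange("r1", 1_500_000_000, 200_000, 1000, 100_000_000),  # constructed sample data
                 IDRange("r2", 1_000_000, 200_000), IDRange("r3", 2_000_000, 1_000)]
```

Running `idrange_mod_commands(SAMPLE_RANGES)` yields one command per incomplete range; review the proposed values against your own RID allocation before applying them.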