Hi, I had an existing instance of FreeIPA that went broken so badly (pki-tomcat unrecoverable) that the only option was spinning up a new one and `ipa migrate-ds` from the broken one. The new instance was set to reuse the same id-range as the previous one, so all is good for the users in that range. The older instance had a number of users that were imported from an even older LDAP with IDs out of the IPA range.
So after import, I quickly figured out that I needed to create a small (1000) `legacy` range that covers these; most of these legacy users were then able to log in. Here are the id-ranges after the legacy range was added.

```
# ipa idrange-find
----------------
3 ranges matched
----------------
  Range name: DOMAIN_id_range
  First Posix ID of the range: 944200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range

  Range name: DOMAIN_id_range_legacy
  First Posix ID of the range: 1000
  Number of IDs in the range: 1000
  First RID of the corresponding RID range: 302000
  First RID of the secondary RID range: 200000000
  Range type: local domain range

  Range name: DOMAIN_subid_range
  First Posix ID of the range: 2147483648
  Number of IDs in the range: 2147352576
  First RID of the corresponding RID range: 2147283648
  Domain SID of the trusted domain: S-1-5-21-738065-838566-3977953474
  Range type: Active Directory domain range
----------------------------
Number of entries returned 3
----------------------------
```

However, a number of the legacy users still cannot log in. I tried starting the sidgen task, and from the logs it seems that there is a conflict with the ranges I chose for the legacy id range.

```
[18/Jul/2024:16:24:12.358313104 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 194]: Sidgen task starts ...
[18/Jul/2024:16:24:12.598768115 +0000] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-3076474616-2786889582-2859700629-302272] is already used.
[18/Jul/2024:16:24:12.637972455 +0000] - ERR - rid_to_sid_with_check - [file ipa_sidgen_common.c, line 384]: SID [S-1-5-21-3076474616-2786889582-2859700629-200000272] is already used.
[18/Jul/2024:16:24:12.696381619 +0000] - ERR - find_sid_for_id - [file ipa_sidgen_common.c, line 432]: Secondary SID is used as well.
[18/Jul/2024:16:24:12.746590836 +0000] - ERR - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 532]: Cannot convert Posix ID [1272] into an unused SID.
[18/Jul/2024:16:24:12.796710604 +0000] - ERR - do_work - [file ipa_sidgen_task.c, line 154]: Cannot add SID to existing entry.
[18/Jul/2024:16:24:12.854320074 +0000] - ERR - sidgen_task_thread - [file ipa_sidgen_task.c, line 199]: Sidgen task finished [19].
```

I cannot figure out what my error is, and the documentation is quite scarce on how to choose first RIDs, except for saying that ranges shouldn't overlap, which I thought I took care of when creating the legacy range. Maybe I am too dumb to understand where the overlap I created is, or why I get the conflict.

Thanks for your help and expertise!
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

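To see where the two SIDs in the sidgen log come from, here is an added worked example (not code from the poster and not FreeIPA's own sidgen code). It models the three ranges exactly as printed by `ipa idrange-find` above, derives the primary and secondary RID for a Posix ID with the mapping the log exhibits (RID = first RID of the range + (Posix ID - first Posix ID of the range), which turns 1272 into 302272 and 200000272), and checks whether the RID blocks of the local ranges actually intersect. The domain SID prefix is taken from the log lines; the mapping formula is an assumption based on those lines.

```python
"""Posix ID -> RID/SID mapping and RID-block overlap check for the idranges in the post.

Added example, not the poster's or FreeIPA's code. Range values are copied from the
`ipa idrange-find` output on the page; the mapping rid = first_rid + (posix_id - first_id)
is assumed from the sidgen log (Posix ID 1272 -> RID 302272 / 200000272).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domain SID prefix as it appears in the sidgen log lines in the post.
LOCAL_DOMAIN_SID = "S-1-5-21-3076474616-2786889582-2859700629"


@dataclass(frozen=True)
class IdRange:
    name: str
    first_id: int
    size: int
    first_rid: Optional[int]
    first_secondary_rid: Optional[int]
    range_type: str

    def contains(self, posix_id: int) -> bool:
        return self.first_id <= posix_id < self.first_id + self.size

    def rid_intervals(self) -> List[Tuple[str, int, int]]:
        """(label, lowest RID, highest RID) for the primary and the secondary RID block."""
        out = []
        for label, base in (("primary", self.first_rid), ("secondary", self.first_secondary_rid)):
            if base is not None:
                out.append((f"{self.name}/{label}", base, base + self.size - 1))
        return out


# The three ranges from the `ipa idrange-find` output in the post.
# The subid range is of AD type and has no secondary RID base.
RANGES = [
    IdRange("DOMAIN_id_range", 944200000, 200000, 1000, 100000000, "local domain range"),
    IdRange("DOMAIN_id_range_legacy", 1000, 1000, 302000, 200000000, "local domain range"),
    IdRange("DOMAIN_subid_range", 2147483648, 2147352576, 2147283648, None,
            "Active Directory domain range"),
]


def find_range(posix_id: int, ranges: List[IdRange] = RANGES) -> Optional[IdRange]:
    """Return the range whose Posix ID interval covers posix_id, or None."""
    for r in ranges:
        if r.contains(posix_id):
            return r
    return None


def rids_for(posix_id: int, ranges: List[IdRange] = RANGES) -> Tuple[int, int]:
    """Primary and secondary RID derived for posix_id (assumed sidgen mapping, see module docstring)."""
    r = find_range(posix_id, ranges)
    if r is None or r.range_type != "local domain range":
        raise ValueError(f"Posix ID {posix_id} is not covered by a local domain range")
    offset = posix_id - r.first_id
    return r.first_rid + offset, r.first_secondary_rid + offset


def sids_for(posix_id: int, domain_sid: str = LOCAL_DOMAIN_SID,
             ranges: List[IdRange] = RANGES) -> Tuple[str, str]:
    """Primary and secondary SID strings for posix_id in the local domain."""
    primary, secondary = rids_for(posix_id, ranges)
    return f"{domain_sid}-{primary}", f"{domain_sid}-{secondary}"


def overlapping_rid_blocks(ranges: List[IdRange] = RANGES) -> List[Tuple[str, str]]:
    """Pairs of RID blocks (primary or secondary, across all local ranges) whose intervals intersect.

    Only local domain ranges share the local domain SID, so only their RID blocks can collide.
    """
    blocks = []
    for r in ranges:
        if r.range_type == "local domain range":
            blocks.extend(r.rid_intervals())
    clashes = []
    for i, (name1, lo1, hi1) in enumerate(blocks):
        for name2, lo2, hi2 in blocks[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                clashes.append((name1, name2))
    return clashes


if __name__ == "__main__":
    print("SIDs for Posix ID 1272:", sids_for(1272))
    print("RID blocks of local ranges:",
          [iv for r in RANGES if r.range_type == "local domain range" for iv in r.rid_intervals()])
    print("overlapping RID blocks:", overlapping_rid_blocks())
```

Run as-is, the script reproduces the two SIDs from the log for Posix ID 1272 and reports no intersection between the four RID blocks of the two local ranges (1000-200999, 100000000-100199999, 302000-302999, 200000000-200000999). The "SID ... is already used" message therefore does not follow from the range definitions alone; it means some directory entry already carries that value, so the next check a practitioner would make is an `ldapsearch` for `ipaNTSecurityIdentifier=<the SID from the log>` to find which entry holds it.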