Brian ONeill via FreeIPA-users wrote:
> I am setting up IPA to replace an ancient system where I'd like to preserve a
> handful of existing users' UIDs that are in the 500 range. There are MANY
> files that would need to change otherwise.
>
> I'm starting with a pristine IPA install (AlmaLinux 9.6), with standard
> settings. To enable the users in the low UID range, I added a range:
>
> ipa idrange-add MYDOMAIN.COM_legacy_range --base-id 501 --range-size 99 \
>     --rid-base 300000 --secondary-rid-base 200000000 --type ipa-local
>
> And that seemed fine... I create a user in that range, set a password, etc.
> The user can log into the IPA GUI fine.
>
> Now, on a client, I can ssh with a key as that user, but I cannot log in with
> a password at all. The user shows an ipantsecurityidentifier so that isn't
> missing.
>
> A user created in the default ID range works fine.
>
> The only thing I find in the logs is with sssd debug turned way up:
>
> (2025-06-11 9:43:43): [be[mydomain.com]] [sysdb_search_by_name] (0x0400):
> [RID#18] No such entry
> (2025-06-11 9:43:43): [be[mydomain.com]] [sysdb_cache_search_groups]
> (0x2000): [RID#18] Search groups with filter:
> (&(objectCategory=group)(ghost=pam_usertype_non_existent:@mydomain.com))
> (2025-06-11 9:43:43): [be[mydomain.com]] [sysdb_cache_search_groups]
> (0x2000): [RID#18] No such entry
> (2025-06-11 9:43:43): [be[mydomain.com]] [sysdb_delete_user] (0x0400):
> [RID#18] Error: 2 (No such file or directory)
> (2025-06-11 9:43:43): [be[mydomain.com]] [sysdb_search_by_name] (0x0400):
> [RID#18] No such entry
> (2025-06-11 9:43:43): [be[mydomain.com]] [get_object_from_cache] (0x0200):
> [RID#18] Object wasn't found in cache
> (2025-06-11 9:43:43): [be[mydomain.com]] [ipa_id_get_account_info_orig_done]
> (0x0080): [RID#18] Object not found, ending request
>
> I'm not sure what is actually missing here. The user's GID corresponds to a
> group I created in IPA, no private group was created, and the user is a
> member of ipausers.
>
> Any ideas what else I'm missing?
The UID range 0 through 999 is generally reserved in modern Linux systems.
This is defined in /etc/login.defs as UID_MIN. See login.defs(5) or the
systemd documentation at https://systemd.io/UIDS-GIDS/.

While you can probably force these lower UIDs to be allowed to log in by
tweaking UID_MIN, you'd have to do it on every client system from now until
eternity.

I realize it will be painful to modify existing files' ownership, but it is
probably the best solution in the long run.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
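Rob's reply points at UID_MIN in /etc/login.defs. The following is an added example, not code from the thread or from the FreeIPA project: a small POSIX shell check an administrator can run on each enrolled client (or against a copy of its login.defs) to see whether a proposed idrange, such as the --base-id 501 --range-size 99 one above, lands below the UID the client reserves. It reads UID_MIN from the file and falls back to 1000, the shadow-utils default when the key is absent; the function names and the "reserved/partial/ok" labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare a UID or an IPA ID range
# against the UID_MIN a client's /etc/login.defs reserves.
#
#   login_defs_uid_min [login.defs]          -> prints UID_MIN (1000 if unset)
#   uid_is_reserved UID [login.defs]         -> exit 0 when UID < UID_MIN
#   range_vs_uid_min BASE SIZE [login.defs]  -> prints reserved | partial | ok

# Read UID_MIN from a login.defs file. The first uncommented UID_MIN line
# wins; a trailing comment on that line is ignored. If the file is missing
# or has no UID_MIN, assume the shadow-utils default of 1000.
login_defs_uid_min() {
    f="${1:-/etc/login.defs}"
    v=""
    if [ -r "$f" ]; then
        v=$(sed -n 's/^[[:space:]]*UID_MIN[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$f" | head -n 1)
    fi
    printf '%s\n' "${v:-1000}"
}

# True (exit 0) when the UID sits in the reserved system range below UID_MIN.
uid_is_reserved() {
    uid="$1"; f="${2:-/etc/login.defs}"
    min=$(login_defs_uid_min "$f")
    [ "$uid" -lt "$min" ]
}

# Classify an ipa idrange given its --base-id and --range-size:
#   reserved  every UID in the range is below UID_MIN
#   partial   the range straddles UID_MIN
#   ok        the whole range is at or above UID_MIN
range_vs_uid_min() {
    base="$1"; size="$2"; f="${3:-/etc/login.defs}"
    min=$(login_defs_uid_min "$f")
    last=$((base + size - 1))
    if [ "$last" -lt "$min" ]; then
        echo reserved
    elif [ "$base" -lt "$min" ]; then
        echo partial
    else
        echo ok
    fi
}

# Stand-alone usage against the local client:
#   range_vs_uid_min 501 99
#   uid_is_reserved "$(id -u someuser)" && echo "below UID_MIN"
```

Run it on a representative sample of clients rather than just one: the point of Rob's objection is that UID_MIN is per-host policy, so a range that is "ok" on a hand-tuned box can still be "reserved" everywhere else. Note too that login.defs is only part of the picture on an SSSD client; sssd.conf has its own `min_id` lower bound (default 1), so passing this check does not by itself prove SSSD will hand the account to PAM.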
