Chapter 37. Adjusting ID ranges manually
Adjust Identity Management (IdM) ID ranges manually to control how unique user ID (UID) and group ID (GID) numbers are assigned across your deployment.
By default, IdM automatically assigns ID ranges to prevent ID numbers overlapping between replicas, but you can manually set ranges during server installation or define a replica’s DNA ID range when needed.
37.1. ID ranges
In Identity Management (IdM), ID numbers are divided into ID ranges. Keeping separate numeric ranges for individual servers and replicas eliminates the chance that an ID number issued for an entry is already used by another entry on another server or replica.
Note that there are two distinct types of ID ranges:
- The IdM ID range, which is assigned during the installation of the first server. This range cannot be modified after it is created. However, you can create a new IdM ID range in addition to the original one. For more information, see Automatic ID ranges assignment and Adding a new IdM ID range.
- The Distributed Numeric Assignment (DNA) ID ranges, which can be modified by the user. These have to fit within an existing IdM ID range. For more information, see Assigning DNA ID ranges manually.
Replicas can also have a next DNA ID range assigned. A replica uses its next range when it runs out of IDs in its current range. Next ranges are not assigned automatically when a replica is deleted and you must assign them manually.
The ranges are updated and shared between the server and replicas by the DNA plug-in, as part of the back end 389 Directory Server instance for the domain.
The DNA range definition is set by two attributes:
- The server’s next available number: the low end of the DNA range
- The range size: the number of IDs in the DNA range
The initial bottom range is set during the plug-in instance configuration. After that, the plug-in updates the bottom value. Breaking the available numbers into ranges allows the servers to continually assign numbers without overlapping with each other.
37.2. Automatic ID ranges assignment
Identity Management (IdM) automatically assigns ID ranges during installation to ensure unique user and group identifiers across your deployment. Understanding automatic ID range assignment helps you plan capacity and troubleshoot ID conflicts.
- IdM ID ranges
- By default, a local domain IdM ID range (ipa-local) is automatically assigned during the IdM server installation. The ipa-server-install command randomly selects and assigns a range of 200,000 IDs from a total of 10,000 possible ranges. Selecting a random range in this way significantly reduces the probability of conflicting IDs in case you decide to merge two separate IdM domains in the future.
Avoid modifying this IdM ID range after it is created. You can manually adjust the Distributed Numeric Assignment (DNA) ID ranges, using the commands described in Assigning DNA ID ranges manually. A DNA range matching the IdM ID range is automatically created during installation.
- DNA ID ranges
- If you have a single IdM server installed, it controls the whole DNA ID range. When you install a new replica and the replica requests its own DNA ID range, the initial ID range for the server splits and is distributed between the server and replica: the replica receives half of the remaining DNA ID range that is available on the initial server. The server and replica then use their respective portions of the original ID range for new user or group entries. Also, if the replica is close to depleting its allocated ID range and fewer than 100 IDs remain, the replica contacts the other available servers to request a new DNA ID range.
When you install a replica, it does not immediately receive an ID range. A replica receives an ID range the first time the DNA plug-in is used, for example when you first add a user.
If the initial server stops functioning before the replica requests a DNA ID range from it, the replica is unable to contact the server to request the ID range. Attempting to add a new user on the replica then fails. In such situations, you can find out what ID range is assigned to the disabled server, and assign an ID range to the replica manually.
37.3. Assigning the IdM ID range manually during server installation
You can set a custom ID range during Identity Management (IdM) server installation. Manual ID range assignment gives you control over the numeric space used for user and group identifiers.
Do not set ID ranges that include UID values of 1000 and lower; these values are reserved for system use. Also, do not set an ID range that would include the 0 value; the SSSD service does not handle the 0 ID value.
Procedure
You can define the IdM ID range manually during server installation by using the following two options with ipa-server-install:
- --idstart gives the starting value for UID and GID numbers.
- --idmax gives the maximum UID and GID number; by default, the value is the --idstart starting value plus 199,999.
Verification
To check if the ID range was assigned correctly, you can display the assigned IdM ID range by using the ipa idrange-find command:
# ipa idrange-find
---------------
1 range matched
---------------
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 882200000
Number of IDs in the range: 200000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
37.4. Adding a new IdM ID range
Create a new ID range in Identity Management (IdM) when the original range is depleted to ensure replicas can continue assigning user and group IDs. This prevents ID assignment failures and maintains continuous operation of your IdM deployment.
Adding a new IdM ID range does not create new DNA ID ranges automatically. You must assign new DNA ID ranges to replicas manually as needed. For more information about how to do this, see Assigning DNA ID ranges manually.
Procedure
To create a new IdM ID range, use the ipa idrange-add command. You must specify the new range name, the first ID number of the range, the range size, and the first RID number of the primary and secondary RID range:
# ipa idrange-add IDM.EXAMPLE.COM_new_range --base-id 5000 --range-size 1000 --rid-base 300000 --secondary-rid-base 1300000
ipa: WARNING: Service dirsrv@IDM-EXAMPLE-COM.service requires restart on IPA server <all IPA servers> to apply configuration changes.
------------------------------------------
Added ID range "IDM.EXAMPLE.COM_new_range"
------------------------------------------
Range name: IDM.EXAMPLE.COM_new_range
First Posix ID of the range: 5000
Number of IDs in the range: 1000
First RID of the corresponding RID range: 300000
First RID of the secondary RID range: 1300000
Range type: local domain range
Restart the Directory Server service on all IdM servers in the deployment:
# systemctl restart dirsrv@IDM-EXAMPLE-COM.service
This ensures that when you create users with UIDs from the new range, they have security identifiers (SIDs) assigned.
Optional: Update the ID range immediately:
Clear the System Security Services Daemon (SSSD) cache:
# sss_cache -E
Restart the SSSD daemon:
# systemctl restart sssd
Note: If you do not clear the SSSD cache and restart the service, SSSD only detects the new ID range when it updates the domain list and other configuration data stored on the IdM server.
Verification
You can check if the new range is set correctly by using the ipa idrange-find command:
# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 882200000
Number of IDs in the range: 200000
Range type: local domain range
Range name: IDM.EXAMPLE.COM_new_range
First Posix ID of the range: 5000
Number of IDs in the range: 1000
First RID of the corresponding RID range: 300000
First RID of the secondary RID range: 1300000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
37.5. The role of security and relative identifiers in IdM ID ranges
Identity Management (IdM) uses security identifiers (SIDs) and relative identifiers (RIDs) derived from its ID ranges to uniquely identify users and groups, ensuring compatibility with Active Directory and preventing SID conflicts when POSIX UIDs and GIDs overlap.
An IdM ID range is defined by several parameters:
- The range name
- The first POSIX ID of the range
- The range size: the number of IDs in the range
- The first relative identifier (RID) of the corresponding RID range
- The first RID of the secondary RID range
You can view these values by using the ipa idrange-show command:
$ ipa idrange-show IDM.EXAMPLE.COM_id_range
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 196600000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1000000
Range type: local domain range
- Security identifiers
- The data from the ID ranges of the local domain are used by the IdM server internally to assign unique security identifiers (SIDs) to IdM users and groups. The SIDs are stored in the user and group objects. A user’s SID consists of the following:
- The domain SID
- The user’s relative identifier (RID), which is a four-digit 32-bit value appended to the domain SID
For example, if the domain SID is S-1-5-21-123-456-789 and the RID of a user from this domain is 1008, then the user has the SID of S-1-5-21-123-456-789-1008.
- Relative identifiers
- The RID itself is computed in the following way:
Subtract the first POSIX ID of the range from the user’s POSIX UID, and add the first RID of the corresponding RID range to the result. For example, if the UID of idmuser is 196600008, the first POSIX ID is 196600000, and the first RID is 1000, then idmuser's RID is 1008.
The algorithm computing the user’s RID checks if a given POSIX ID falls into the ID range allocated before it computes a corresponding RID. For example, if the first ID is 196600000 and the range size is 200000, then the POSIX ID of 1600000 is outside of the ID range and the algorithm does not compute a RID for it.
- Secondary relative identifiers
- In IdM, a POSIX UID can be identical to a POSIX GID. This means that if idmuser already exists with the UID of 196600008, you can still create a new idmgroup group with the GID of 196600008.
However, a SID can define only one object, a user or a group. The SID of S-1-5-21-123-456-789-1008 that has already been created for idmuser cannot be shared with idmgroup. An alternative SID must be generated for idmgroup.
IdM uses a secondary relative identifier, or secondary RID, to avoid conflicting SIDs. This secondary RID consists of the following:
- The secondary RID base
- A range size; by default identical with the base range size
In the example above, the secondary RID base is set to 1000000. To compute the RID for the newly created idmgroup: subtract the first POSIX ID of the range from the user’s POSIX UID, and add the first RID of the secondary RID range to the result. idmgroup is therefore assigned the RID of 1000008. Consequently, the SID of idmgroup is S-1-5-21-123-456-789-1000008.
IdM uses the secondary RID to compute a SID only if a user or a group object was previously created with a manually set POSIX ID. Otherwise, automatic assignment prevents assigning the same ID twice.
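The RID, secondary RID and SID rules described in this section, carried through in Python as an added example (this is not FreeIPA code). The range values and the domain SID are the ones used in the section's examples; the `assign_sids` helper that decides when the secondary RID range applies is an assumption made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    """Parameters of an IdM ID range, as displayed by ipa idrange-show."""
    name: str
    base_id: int             # First Posix ID of the range
    range_size: int          # Number of IDs in the range
    rid_base: int            # First RID of the corresponding RID range
    secondary_rid_base: int  # First RID of the secondary RID range

    def contains(self, posix_id: int) -> bool:
        """The range check performed before any RID is computed."""
        return self.base_id <= posix_id < self.base_id + self.range_size


def compute_rid(rng: IdRange, posix_id: int, secondary: bool = False) -> int:
    """RID = (POSIX ID - first POSIX ID) + first RID of the (secondary) RID range."""
    if not rng.contains(posix_id):
        raise ValueError(f"POSIX ID {posix_id} is outside range {rng.name}")
    rid_base = rng.secondary_rid_base if secondary else rng.rid_base
    return rid_base + (posix_id - rng.base_id)


def compute_sid(domain_sid: str, rng: IdRange, posix_id: int,
                secondary: bool = False) -> str:
    """The SID is the domain SID with the RID appended."""
    return f"{domain_sid}-{compute_rid(rng, posix_id, secondary)}"


def assign_sids(domain_sid: str, rng: IdRange, entries):
    """entries: (name, posix_id) pairs in creation order (illustrative helper).

    A second object created with a POSIX ID that is already taken, such as a
    group whose GID equals an existing user's UID, gets its RID from the
    secondary RID range, because one SID can identify only one object.
    """
    sids, used_ids = {}, set()
    for name, posix_id in entries:
        sids[name] = compute_sid(domain_sid, rng, posix_id,
                                 secondary=posix_id in used_ids)
        used_ids.add(posix_id)
    return sids


# Values from this section's examples (sample domain SID, sample ID range).
DOMAIN_SID = "S-1-5-21-123-456-789"
RANGE = IdRange("IDM.EXAMPLE.COM_id_range", 196600000, 200000, 1000, 1000000)

if __name__ == "__main__":
    # idmuser and idmgroup share POSIX ID 196600008, as in the text.
    for name, sid in assign_sids(DOMAIN_SID, RANGE,
                                 [("idmuser", 196600008),
                                  ("idmgroup", 196600008)]).items():
        print(f"{name}: {sid}")
    print(RANGE.contains(1600000))  # POSIX ID outside the range: no RID
```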
37.6. Detecting and fixing ID range issues automatically
Automatically detect and resolve ID range misconfigurations in Identity Management (IdM) to ensure proper SID generation for Kerberos authorization. Fixing range issues prevents authentication failures and maintains secure access to resources.
Kerberos in IdM uses the Privilege Attribute Certificate (PAC) for authorization. For this to function correctly, users and groups must have a Security Identifier (SID) assigned. SIDs can only be generated for entities that are within a valid ipa-local ID range.
If users or groups are created outside of a defined ipa-local range, or if an existing range is misconfigured, the SID generation task can fail. This can prevent users from authenticating and obtaining Kerberos tickets.
You can use the ipa-idrange-fix command-line tool to analyze and repair these inconsistencies. The tool identifies users and groups outside of valid ranges, proposes the creation of new ranges to cover them, and applies the changes upon confirmation.
Prerequisites
- You have root access to the IdM server where you will run the tool.
Important: Red Hat strongly recommends creating a full backup of the system before you apply any changes suggested by the ipa-idrange-fix tool.
Procedure
Run ipa-idrange-fix to analyze the current ID ranges. You can customize this by using various options, such as:
# ipa-idrange-fix --rangegap 300000 --minrange 20 --ridoffset 200000
- --rangegap <value>: Specifies the maximum gap between IDs to be included in a single proposed range. The default is 200000.
- --minrange <value>: Sets the minimum number of IDs required to form a valid new range. Any group of IDs smaller than this will be listed as outliers for manual resolution. The default is 10.
- --ridoffset <value>: Sets an offset for new RID bases to allow for future expansion of existing ranges. The default is 100000.
Note: By default, the ipa-idrange-fix tool ignores users and groups with IDs below 1000, as these are typically reserved for system accounts. To include these entities in the analysis, which is not recommended, use the --allowunder1000 option.
The tool displays proposed changes, such as creating new ID ranges. Review the proposed changes carefully.
Note: ipa-idrange-fix does not create new SIDs for users and groups who do not have them. To create missing SIDs, see Enabling Security Identifiers (SIDs) in IdM.
Enter yes to apply the changes.
Important: Do not run ipa-idrange-fix with the --unattended option unless you are certain you want to automatically apply all proposed changes.
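To make the --rangegap, --minrange and --allowunder1000 semantics concrete, here is an added Python model of how out-of-range IDs are grouped into proposed ranges. It is an illustration written for this page, not the ipa-idrange-fix source; the existing range and the user/group IDs are constructed sample data.

```python
def outside_ranges(ids, ranges):
    """Sorted, de-duplicated IDs not covered by any (base_id, range_size) pair."""
    return sorted(i for i in set(ids)
                  if not any(b <= i < b + s for b, s in ranges))


def propose_ranges(ids, ranges, rangegap=200000, minrange=10,
                   allowunder1000=False):
    """Group uncovered IDs into proposed (base_id, range_size) pairs.

    Consecutive IDs further apart than rangegap start a new group; groups
    with fewer than minrange IDs are reported as outliers for manual fixing.
    IDs below 1000 are skipped unless allowunder1000 is set (defaults mirror
    the tool's documented defaults).
    """
    if not allowunder1000:
        ids = [i for i in ids if i >= 1000]
    missing = outside_ranges(ids, ranges)

    groups, current = [], []
    for posix_id in missing:
        if current and posix_id - current[-1] > rangegap:
            groups.append(current)
            current = []
        current.append(posix_id)
    if current:
        groups.append(current)

    proposals, outliers = [], []
    for group in groups:
        if len(group) < minrange:
            outliers.extend(group)
        else:
            proposals.append((group[0], group[-1] - group[0] + 1))
    return proposals, outliers


# Constructed sample: one existing ipa-local range, plus IDs that were
# created outside it (a cluster of 20, a cluster of 3, and one system ID).
EXISTING_RANGES = [(882200000, 200000)]
SAMPLE_IDS = ([882200005, 882200006]
              + list(range(12000000, 12000020))
              + [5000000, 5000001, 5000002]
              + [500])

if __name__ == "__main__":
    proposals, outliers = propose_ranges(SAMPLE_IDS, EXISTING_RANGES)
    print("proposed ranges:", proposals)
    print("outliers:", outliers)
```

With the defaults, the cluster of 20 becomes a proposed range while the 3 IDs near 5000000 are reported as outliers; lowering --minrange or widening --rangegap changes that outcome, as the assertions in the test illustrate.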
Verification
Review the log file to see the applied changes:
# cat /var/log/ipa/ipa-idrange-fix.log
Use the ipa idrange-find --all command to verify that the new ID ranges have been created correctly:
# ipa idrange-find --all
----------------
2 ranges matched
----------------
dn: cn=IDM.EXAMPLE.COM_id_range,cn=ranges,cn=accounts,dc=example,dc=com
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 882200000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 1000
First RID of the secondary RID range: 1000000
Range type: local domain range
ipaUniqueID: 569bf864-9d45-11ea-bea3-525400f6f085
objectclass: ipaIdRange, top
dn: cn=IDM.EXAMPLE.COM_new_id_range,cn=ranges,cn=accounts,dc=example,dc=com
Range name: IDM.EXAMPLE.COM_new_id_range
First Posix ID of the range: 12000000
Number of IDs in the range: 200000
First RID of the corresponding RID range: 10000
First RID of the secondary RID range: 20000000
Range type: local domain range
ipaUniqueID: 7a2b3c4d-e5f6-7890-a1b2-c3d4e5f67890
objectclass: ipaIdRange, top
----------------------------
Number of entries returned 2
----------------------------
37.7. Using Ansible to add a new local IdM ID range
Create a new Identity Management (IdM) ID range with Ansible when the original range is depleted to extend your domain’s available user and group IDs.
Adding a new IdM ID range does not create new DNA ID ranges automatically. You need to assign new DNA ID ranges manually as needed. For more information about how to do this, see Assigning DNA ID ranges manually.
Prerequisites
On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
- The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
Procedure
Navigate to your ~/MyPlaybooks/ directory:
$ cd ~/MyPlaybooks/
Create the idrange-present.yml playbook with the following content:
---
- name: Playbook to manage idrange
  hosts: ipaserver
  become: no
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure local idrange is present
    ipaidrange:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: new_id_range
      base_id: 12000000
      range_size: 200000
      rid_base: 1000000
      secondary_rid_base: 200000000
Save the file.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
$ ansible-playbook --vault-password-file=password_file -v -i inventory idrange-present.yml
SSH to ipaserver and restart the Directory Server:
# systemctl restart dirsrv@IDM-EXAMPLE-COM.service
This ensures that when you create users with UIDs from the new range, they have security identifiers (SIDs) assigned.
Optional: Update the ID range immediately:
On ipaserver, clear the System Security Services Daemon (SSSD) cache:
# sss_cache -E
On ipaserver, restart the SSSD daemon:
# systemctl restart sssd
Note: If you do not clear the SSSD cache and restart the service, SSSD only detects the new ID range when it updates the domain list and other configuration data stored on the IdM server.
Verification
- You can check if the new range is set correctly by using the ipa idrange-find command:
# ipa idrange-find
----------------
2 ranges matched
----------------
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 882200000
Number of IDs in the range: 200000
Range type: local domain range
Range name: IDM.EXAMPLE.COM_new_id_range
First Posix ID of the range: 12000000
Number of IDs in the range: 200000
Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
37.8. Removing an ID range after removing a trust to AD
Manually delete the ID range associated with a removed Active Directory (AD) trust to clean up the Identity Management (IdM) configuration. This action purges unused ID allocations from the system.
IDs allocated to ID ranges associated with trusted domains might still be used for ownership of files and directories on systems enrolled into IdM.
If you remove the ID range that corresponds to an AD trust that you have removed, you will not be able to resolve the ownership of any files and directories owned by AD users.
Prerequisites
- You have removed a trust to an AD environment.
Procedure
Display all the ID ranges that are currently in use:
[root@server ~]# ipa idrange-find
Identify the name of the ID range associated with the trust you have removed. The first part of the name of the ID range is the name of the trust, for example AD.EXAMPLE.COM_id_range.
Remove the range:
[root@server ~]# ipa idrange-del AD.EXAMPLE.COM_id_range
Restart the SSSD service to remove references to the ID range you have removed:
[root@server ~]# systemctl restart sssd
37.9. Displaying currently assigned DNA ID ranges
Display active and next Distributed Numeric Assignment (DNA) ID ranges in Identity Management (IdM) to monitor UID and GID allocation across your topology. Checking DNA ranges helps prevent conflicts and ensures continuous ID assignment.
Procedure
To display which DNA ID ranges are configured for the servers in the topology, use the following commands:
- ipa-replica-manage dnarange-show displays the active DNA ID range that is set on all servers or, if you specify a server, only on the specified server, for example:
# ipa-replica-manage dnarange-show
serverA.example.com: 1001-1500
serverB.example.com: 1501-2000
serverC.example.com: No range set
# ipa-replica-manage dnarange-show serverA.example.com
serverA.example.com: 1001-1500
- ipa-replica-manage dnanextrange-show displays the next DNA ID range currently set on all servers or, if you specify a server, only on the specified server, for example:
# ipa-replica-manage dnanextrange-show
serverA.example.com: 2001-2500
serverB.example.com: No on-deck range set
serverC.example.com: No on-deck range set
# ipa-replica-manage dnanextrange-show serverA.example.com
serverA.example.com: 2001-2500
37.10. Manual ID range assignment
Manual DNA ID range assignment gives you direct control over ID allocation when automatic distribution between Identity Management (IdM) replicas cannot resolve the situation on its own.
This may be necessary, for example, when:
- A replica has run out of IDs and the IdM ID range is depleted
- A replica has exhausted the DNA ID range that was assigned to it, and requesting additional IDs failed because no more free IDs are available in the IdM range.
To solve this situation, extend the DNA ID range assigned to the replica. You can do this in two ways:
- Shorten the DNA ID range assigned to a different replica, then assign the newly available values to the depleted replica.
- Create a new IdM ID range, then set a new DNA ID range for the replica within this created IdM range.
For information about how to create a new IdM ID range, see Adding a new IdM ID range.
- A replica stopped functioning
A replica’s DNA ID range is not automatically retrieved when the replica stops functioning and must be deleted, which means the DNA ID range previously assigned to the replica becomes unavailable. You want to recover the DNA ID range and make it available for other replicas.
To do this, find out what the ID range values are before manually assigning that range to a different server. Also, to avoid duplicate UIDs or GIDs, make sure that no ID value from the recovered range was previously assigned to a user or group; you can do this by examining the UIDs and GIDs of existing users and groups.
You can manually assign a DNA ID range to a replica using the commands in Assigning DNA ID ranges manually.
If you assign a new DNA ID range, the UIDs of the already existing entries on the server or replica stay the same. This does not pose a problem because even if you change the current DNA ID range, IdM keeps a record of what ranges were assigned in the past.
37.11. Assigning DNA ID ranges manually
Manually assign Distributed Numeric Assignment (DNA) ID ranges to Identity Management (IdM) replicas to recover ranges from non-functioning replicas or rebalance ID distribution. This ensures all replicas can continue assigning unique user and group IDs without interruption.
When adjusting a DNA ID range manually, make sure that the newly adjusted range is included in the IdM ID range; you can check this using the ipa idrange-find command. Otherwise, the command fails.
Be careful not to create overlapping ID ranges. If any of the ID ranges you assign to servers or replicas overlap, it could result in two different servers assigning the same ID value to different entries.
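The two checks above (the new DNA range must lie inside a local IdM ID range, and must not overlap another server's DNA range) as an added pre-flight script. This is an illustration written for this page, not part of the IdM tooling; it parses the output formats of ipa idrange-find and ipa-replica-manage dnarange-show shown in this chapter, and the sample outputs below are constructed.

```python
import re

# Constructed sample output in the format of `ipa idrange-find`.
IDRANGE_FIND_OUTPUT = """\
---------------
1 range matched
---------------
Range name: IDM.EXAMPLE.COM_id_range
First Posix ID of the range: 1001
Number of IDs in the range: 5000
Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample output in the format of `ipa-replica-manage dnarange-show`.
DNARANGE_SHOW_OUTPUT = """\
serverA.example.com: 1001-1500
serverB.example.com: 1501-2000
serverC.example.com: No range set
"""


def parse_idranges(text):
    """Return {range name: (first ID, last ID)} for local domain ranges."""
    ranges, name, first, size = {}, None, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Range name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("First Posix ID of the range:"):
            first = int(line.split(":", 1)[1])
        elif line.startswith("Number of IDs in the range:"):
            size = int(line.split(":", 1)[1])
        elif line.startswith("Range type:"):
            # Trust ranges are not valid homes for DNA ranges; keep local ones.
            if name is not None and "local" in line:
                ranges[name] = (first, first + size - 1)
            name = first = size = None
    return ranges


def parse_dnaranges(text):
    """Return {server: (low, high)} for servers that currently have a DNA range."""
    pattern = re.compile(r"^(\S+):\s+(\d+)-(\d+)\s*$", re.MULTILINE)
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in pattern.finditer(text)}


def check_new_range(server, new_range, idranges, dnaranges):
    """Problems with assigning new_range to server; an empty list means safe."""
    low, high = new_range
    problems = []
    if low > high:
        problems.append(f"{low}-{high} is not a valid range")
    if not any(f <= low and high <= l for f, l in idranges.values()):
        problems.append(f"{low}-{high} is not contained in any local IdM ID range")
    for other, (olow, ohigh) in dnaranges.items():
        if other == server:
            continue  # the server's own current range is the one being replaced
        if low <= ohigh and olow <= high:
            problems.append(f"{low}-{high} overlaps {other} ({olow}-{ohigh})")
    return problems


if __name__ == "__main__":
    idr = parse_idranges(IDRANGE_FIND_OUTPUT)
    dna = parse_dnaranges(DNARANGE_SHOW_OUTPUT)
    for proposal in [(2001, 2500), (1900, 2500), (5500, 6500)]:
        print(proposal, check_new_range("serverC.example.com", proposal, idr, dna))
```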
Prerequisites
- Optional: If you are recovering a DNA ID range from a non-functioning replica, first find the ID range using the commands described in Displaying currently assigned DNA ID ranges.
Procedure
To define the current DNA ID range for a specified server, use ipa-replica-manage dnarange-set:
# ipa-replica-manage dnarange-set serverA.example.com 1250-1499
To define the next DNA ID range for a specified server, use ipa-replica-manage dnanextrange-set:
# ipa-replica-manage dnanextrange-set serverB.example.com 1500-5000
Verification
- You can check that the new DNA ranges are set correctly by using the commands described in Displaying currently assigned DNA ID ranges.
37.12. Enabling UIDs up to Linux maximum limit for legacy systems compatibility
Configure User and Group IDs up to the Linux maximum limit of 4,294,967,293 (2^32-1) in rare Identity Management (IdM) deployments where the standard ID range is insufficient.
In standard deployments, IdM reserves the 2,147,483,648 - 4,294,836,223 range for subordinate IDs (subIDs). Enabling the 2^31 to 2^32-1 UID range requires disabling the subID feature and therefore conflicts with modern Linux capabilities.
Prerequisites
- You are running RHEL 10.1 or later.
- You have obtained IdM admin credentials.
- You have root permissions on an IdM server.
Procedure
Disable the subordinate ID feature:
$ ipa config-mod --addattr ipaconfigstring=SubID:Disable
Remove any existing subordinate ID ranges:
$ ipa idrange-del <id_range>
On the IdM server, ensure the internal DNA plugin configuration is correctly removed:
# ipa-server-upgrade
Add a new local ID range that covers the 2^31 to 2^32-1 space. Ensure that you define RID bases for this new range so that IdM can generate SIDs properly for users and groups. For example:
$ ipa idrange-add IDM.EXAMPLE.COM_new_range --base-id 2200000000 --range-size 200000 --rid-base 1000 --secondary-rid-base 2300000000
Note: You can only disable the subordinate ID feature if no subordinate IDs have been allocated yet.