38.6. Detecting and fixing ID range issues automatically


Kerberos in Identity Management (IdM) uses the Privilege Attribute Certificate (PAC) for authorization. For this to function correctly, users and groups must have a Security Identifier (SID) assigned. SIDs can only be generated for entities that are within a valid ipa-local ID range.

If users or groups are created outside of a defined ipa-local range, or if an existing range is misconfigured, the SID generation task can fail. This can prevent users from authenticating and obtaining Kerberos tickets.

You can use the ipa-idrange-fix command-line tool to analyze and repair these inconsistencies. The tool identifies users and groups outside of valid ranges, proposes the creation of new ranges to cover them, and applies the changes upon confirmation.

Prerequisites

  • You have root access to the IdM server where you will run the tool.

    Important

    Red Hat strongly recommends creating a full backup of the system before you apply any changes suggested by the ipa-idrange-fix tool.

Procedure

  1. Run ipa-idrange-fix to analyze the current ID ranges. You can customize this by using various options, such as:

    # ipa-idrange-fix --rangegap 300000 --minrange 20 --ridoffset 200000
    • --rangegap <value>: Specifies the maximum gap between IDs to be included in a single proposed range. The default is 200000.
    • --minrange <value>: Sets the minimum number of IDs required to form a valid new range. Any group of IDs smaller than this will be listed as outliers for manual resolution. The default is 10.
    • --ridoffset <value>: Sets an offset for new RID bases to allow for future expansion of existing ranges. The default is 100000.

      Note

      By default, the ipa-idrange-fix tool ignores users and groups with IDs below 1000, as these are typically reserved for system accounts. To include these entities in the analysis, which is not recommended, use the --allowunder1000 option.

  2. The tool displays proposed changes, such as creating new ID ranges. Review the proposed changes carefully.

    Note

    ipa-idrange-fix does not create new SIDs for users and groups who do not have them. To create missing SIDs, see Enabling Security Identifiers (SIDs) in IdM.

  3. Enter yes to apply the changes.

    Important

    Do not run ipa-idrange-fix with the --unattended option unless you are certain you want to automatically apply all proposed changes.
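The following added example models how the --rangegap, --minrange, --allowunder1000 and --ridoffset options shape a proposal; it is not the ipa-idrange-fix source, and the function names, the constructed sample IDs and the rule used to pick a new RID base are assumptions made for this illustration.

```python
# Added illustration of the range-proposal heuristics described above.
# This is NOT the ipa-idrange-fix source; function names, the sample data
# and the RID-base rule are assumptions made for this example.

def uncovered_ids(ids, ranges):
    """Sorted IDs that fall outside every existing (first_id, count) range."""
    return sorted(i for i in ids
                  if not any(first <= i < first + count for first, count in ranges))

def propose_ranges(ids, ranges, rangegap=200000, minrange=10,
                   allowunder1000=False):
    """Group uncovered IDs into proposed (first_id, count) ranges.

    Consecutive IDs more than `rangegap` apart start a new group; groups with
    fewer than `minrange` IDs are returned as outliers for manual handling.
    IDs below 1000 are skipped unless allowunder1000 is set (system accounts).
    """
    pending = [i for i in uncovered_ids(ids, ranges)
               if allowunder1000 or i >= 1000]
    groups = []
    for i in pending:
        if groups and i - groups[-1][-1] <= rangegap:
            groups[-1].append(i)          # still within the gap: extend group
        else:
            groups.append([i])            # gap too large: start a new group
    proposed, outliers = [], []
    for g in groups:
        if len(g) >= minrange:
            proposed.append((g[0], g[-1] - g[0] + 1))
        else:
            outliers.extend(g)
    return proposed, outliers

def next_rid_base(rid_ranges, ridoffset=100000):
    """Assumed rule: start new RIDs `ridoffset` above the highest RID any
    existing (first_rid, count) range reserves, so those ranges can grow."""
    return max(first + count for first, count in rid_ranges) + ridoffset

# Constructed sample: one existing local range like the one shown in the
# Verification output, a dozen IDs at 12000000, a sub-1000 ID, two isolated IDs.
EXISTING = [(882200000, 200000)]
SAMPLE_IDS = ([882200005, 882200100] + list(range(12000000, 12000012))
              + [500, 50000000, 50000001])

if __name__ == "__main__":
    proposed, outliers = propose_ranges(SAMPLE_IDS, EXISTING)
    print("proposed ranges:", proposed)   # [(12000000, 12)]
    print("outliers:", outliers)          # [50000000, 50000001]
    print("next RID base:", next_rid_base([(1000, 200000)]))  # 301000
```

Lowering --minrange turns the two isolated IDs into a second proposed range, and --allowunder1000 makes the sub-1000 ID appear as an outlier instead of being ignored.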

Verification

  1. Review the log file to see the applied changes:

    # cat /var/log/ipa/ipa-idrange-fix.log
  2. Use the ipa idrange-find --all command to verify that the new ID ranges have been created correctly:

    # ipa idrange-find --all
    
    ----------------
    2 ranges matched
    ----------------
    dn: cn=IDM.EXAMPLE.COM_id_range,cn=ranges,cn=accounts,dc=example,dc=com
    Range name: IDM.EXAMPLE.COM_id_range
    First Posix ID of the range: 882200000
    Number of IDs in the range: 200000
    First RID of the corresponding RID range: 1000
    First RID of the secondary RID range: 1000000
    Range type: local domain range
    ipaUniqueID: 569bf864-9d45-11ea-bea3-525400f6f085
    objectclass: ipaIdRange, top
    
    dn: cn=IDM.EXAMPLE.COM_new_id_range,cn=ranges,cn=accounts,dc=example,dc=com
    Range name: IDM.EXAMPLE.COM_new_id_range
    First Posix ID of the range: 12000000
    Number of IDs in the range: 200000
    First RID of the corresponding RID range: 10000
    First RID of the secondary RID range: 20000000
    Range type: local domain range
    ipaUniqueID: 7a2b3c4d-e5f6-7890-a1b2-c3d4e5f67890
    objectclass: ipaIdRange, top
    ----------------------------
    Number of entries returned 2
    ----------------------------