Bug 1270294
| Field | Value |
|---|---|
| Summary | ipa trust-add : Constraint violation: New base range overlaps with existing base range |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Sudhir Menon <sumenon> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED NOTABUG |
| QA Contact | Namita Soman <nsoman> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 7.2 |
| CC | abokovoy, ksiddiqu, pvoborni, rcritten, tbabej, theophanis_kontogiannis |
| Target Milestone | rc |
| Keywords | TestBlocker |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-10-12 16:16:57 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
This looks like a misconfiguration to me. There should not be a situation where you have a trust established but the corresponding range does not exist anymore. Note that in step 5, deletion of the trust is not enough, you also have to delete the corresponding range. Can you please repeat the steps below on a clean machine?

1. Run ipa-server-install
2. Run ipa-adtrust-install
3. Make sure there are no stale ipa range objects (only the local range expected)
4. Make sure there are no trusts
5. Run ipa trust-add

---

Tomas, I am able to reproduce the issue, seems that the range is not getting added for the trusted domain, but trust-find lists the domain added. Is it because of the WARNING message seen while running ipa-adtrust-install?

```
[root@ipa01 ~]# ipa-adtrust-install

The log file for this installation can be found in /var/log/ipaserver-install.log
==============================================================================
This program will setup components needed to establish trust to AD domains for
the IPA Server.

This includes:
  * Configure Samba
  * Add trust related objects to IPA LDAP server

To accept the default shown in brackets, press the Enter key.

Do you want to enable support for trusted domains in Schema Compatibility plugin?
This will allow clients older than SSSD 1.9 and non-Linux clients to work with trusted users.

Enable trusted domains support in slapi-nis? [no]: yes

Configuring cross-realm trusts for IPA server requires password for user 'admin'.
This user is a regular system account used for IPA server administration.

admin password:

Enter the NetBIOS name for the IPA domain.
Only up to 15 uppercase ASCII letters and digits are allowed.
Example: EXAMPLE.

NetBIOS domain name [LABS01]:

WARNING: 3 existing users or groups do not have a SID identifier assigned.
Installer can run a task to have ipa-sidgen Directory Server plugin generate
the SID identifier for all these users. Please note, the in case of a high
number of users and groups, the operation might lead to high replication
traffic and performance degradation. Refer to ipa-adtrust-install(1) man page
for details.                                                         <=======

Do you want to run the ipa-sidgen task? [no]: yes

The following operations may take some minutes to complete.
Please wait until the prompt is returned.

Configuring CIFS
  [1/23]: stopping smbd
  [2/23]: creating samba domain object
  [3/23]: creating samba config registry
  [4/23]: writing samba config file
  [5/23]: adding cifs Kerberos principal
  [6/23]: adding cifs and host Kerberos principals to the adtrust agents group
  [7/23]: check for cifs services defined on other replicas
  [8/23]: adding cifs principal to S4U2Proxy targets
  [9/23]: adding admin(group) SIDs
  [10/23]: adding RID bases
  [11/23]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.
  [12/23]: activating CLDAP plugin
  [13/23]: activating sidgen task
  [14/23]: configuring smbd to start on boot
  [15/23]: adding special DNS service records
  [16/23]: enabling trusted domains support for older clients via Schema Compatibility plugin
  [17/23]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
  [18/23]: adding fallback group
  [19/23]: adding Default Trust View
  [20/23]: setting SELinux booleans
  [21/23]: enabling oddjobd
  [22/23]: starting CIFS services
  [23/23]: adding SIDs to existing users and groups
Done configuring CIFS.

=============================================================================
Setup complete
```

1.

```
[root@ipa01 ~]# ipa trust-add --range-type=ipa-ad-trust-posix
Realm name: TEST.IN
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.
```

2. Domain added is listed in trust-find command.

```
[root@ipa01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.in
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-742749997-2996825573-4184801258
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
```

3. The posix range for the trusted domain is not listed in idrange-find command.

```
[root@ipa01 ~]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: LABS01.TEST_id_range
  First Posix ID of the range: 400600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
```

4. Please note that labs01.test domain is listed in Trusts Tab in Windows AD.

---

No, it is because you have local domain range misconfigured and Active Directory has the same range occupied for the POSIX attributes. Fix your local misconfiguration first, then try to establish trust.

---

Environment issue with AD on my test environment which created the above problem. I tried with a different Active Directory test domain and it's working.

```
[root@ipa02 ~]# ipa trust-add
Realm name: ADLABS.COM
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
---------------------------------------------------
Added Active Directory trust for realm "adlabs.com"
---------------------------------------------------
  Realm name: adlabs.com
  Domain NetBIOS name: ADLABS
  Domain Security Identifier: S-1-5-21-3069109027-1612402048-776712048
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

[root@ipa02 ~]# ipa idrange-find
----------------
2 ranges matched
----------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory trust range with POSIX attributes

  Range name: LABS02.TEST_id_range
  First Posix ID of the range: 1663400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------

[root@ipa02 ~]# ipa trust-add --range-type=ipa-ad-trust-posix --all
Realm name: ADTEST.QE
Active Directory domain administrator: Administrator
Active Directory domain administrator's password:
--------------------------------------------------
Added Active Directory trust for realm "adtest.qe"
--------------------------------------------------
  dn: cn=adtest.qe,cn=ad,cn=trusts,dc=labs02,dc=test
  Realm name: adtest.qe
  Domain NetBIOS name: ADTEST
  Domain Security Identifier: S-1-5-21-1910160501-511572375-3625658879
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified
  ipantsecurityidentifier: S-1-5-21-1833836562-2148201194-3949243355-1010
  ipantsupportedencryptiontypes: 28
  ipanttrustattributes: 8
  ipanttrustdirection: 1
  ipanttrustpartner: adtest.qe
  ipanttrustposixoffset: 0
  ipanttrusttype: 2
  objectclass: top, ipaNTTrustedDomain, ipaIDobject
  uidnumber: 1663400010
```
---

Created attachment 1081359 [details]
Dirsrv logs, httpd logs, install logs.

Description of problem:
"Constraint violation: New base range overlaps with existing base range" when trust is being added.

Version-Release number of selected component (if applicable):

```
[root@ipa01 ~]# rpm -qa | grep ipa-server
ipa-server-dns-4.2.0-13.el7.x86_64
ipa-server-trust-ad-4.2.0-13.el7.x86_64
ipa-server-4.2.0-13.el7.x86_64
sssd-1.13.0-39.el7.x86_64
```

How reproducible:
Always

Steps to Reproduce:
1. Install IPA server
2. Make sure that there is no trust already existing with the same domain.
3. Make sure that the AD trusts tab doesn't list the IPA realm as existing trust.
4. Now establish trust using the below command.
   #ipa trust-add --range-type=ipa-ad-trust-posix

Actual results:

1.

```
[root@ipa01 ~]# ipa trust-add --range-type=ipa-ad-trust-posix
Realm name: TEST.IN
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.
```

2.

```
[root@ipa01 ~]# ipa trust-find
---------------
1 trust matched
---------------
  Realm name: test.in
  Domain NetBIOS name: TEST
  Domain Security Identifier: S-1-5-21-742749997-2996825573-4184801258
  Trust type: Active Directory domain
----------------------------
Number of entries returned 1
----------------------------
```

3.

```
[root@ipa01 ~]# ipa idrange-find
---------------
1 range matched
---------------
  Range name: LABS01.TEST_id_range
  First Posix ID of the range: 338600000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
```

4. labs01.test is listed under the Trusts Tab in AD

5. Removed labs01.test from the trusts tab in AD and then tried doing a trust-add without posix as well and that too gives the same error

```
[root@ipa01 ~]# ipa trust-del
Realm name: TEST.IN
-----------------------
Deleted trust "TEST.IN"
-----------------------
[root@ipa01 ~]# ipa trust-add
Realm name: TEST.IN
Active Directory domain administrator: administrator
Active Directory domain administrator's password:
ipa: ERROR: Constraint violation: New base range overlaps with existing base range.
```

Expected results:
The trust should get added successfully without any error.

Additional info:
This issue is seen lately. Just to ensure, I did install/uninstall IPA server on the test machine and also ensured that the IPA domain is removed from trust-tab and idrange for the trusted domain is deleted prior to adding it again as trusted domain.
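Added example, not code from this bug report or from FreeIPA itself: a small Python script that parses the `ipa idrange-find` listing quoted in the thread and applies the half-open interval test behind the "New base range overlaps with existing base range" error, so an administrator can check a planned trust range against the existing ranges before running `ipa trust-add`. It also implements the stale-range check from Tomas's comment (a trust range whose domain SID matches no current trust survives `ipa trust-del` and has to be removed with `ipa idrange-del`). The sample listing is constructed from the ipa02 output on this page; the candidate ADTEST.QE range's base and size are assumptions for illustration (only its SID appears on the page), and `IdRange`, `parse_idrange_find`, `overlapping_ranges` and `stale_trust_ranges` are names chosen here, not IPA API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample input: the `ipa idrange-find` listing quoted in this bug
# (ipa02 host, after the successful trust-add), one field per line as the CLI
# prints it.
SAMPLE_IDRANGE_FIND = """\
----------------
2 ranges matched
----------------
  Range name: ADLABS.COM_id_range
  First Posix ID of the range: 10000
  Number of IDs in the range: 200000
  Domain SID of the trusted domain: S-1-5-21-3069109027-1612402048-776712048
  Range type: Active Directory trust range with POSIX attributes

  Range name: LABS02.TEST_id_range
  First Posix ID of the range: 1663400000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 2
----------------------------
"""


@dataclass(frozen=True)
class IdRange:
    name: str
    base: int                         # "First Posix ID of the range"
    size: int                         # "Number of IDs in the range"
    range_type: str                   # "Range type"
    domain_sid: Optional[str] = None  # only present on trust ranges

    @property
    def end(self) -> int:
        """Exclusive upper bound of the POSIX ID interval [base, end)."""
        return self.base + self.size

    def overlaps(self, other: "IdRange") -> bool:
        """Half-open interval intersection test."""
        return self.base < other.end and other.base < self.end


def parse_idrange_find(text: str) -> List[IdRange]:
    """Convert the key: value blocks printed by `ipa idrange-find` into IdRange
    objects. Separator lines and the match counters have no colon and are skipped."""
    ranges: List[IdRange] = []
    fields: Dict[str, str] = {}

    def flush() -> None:
        if fields:
            ranges.append(IdRange(
                name=fields["Range name"],
                base=int(fields["First Posix ID of the range"]),
                size=int(fields["Number of IDs in the range"]),
                range_type=fields["Range type"],
                domain_sid=fields.get("Domain SID of the trusted domain"),
            ))
            fields.clear()

    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Range name":
            flush()  # a new block begins: emit the previous one first
        fields[key] = value
    flush()
    return ranges


def overlapping_ranges(existing: List[IdRange], candidate: IdRange) -> List[str]:
    """Names of existing ranges the candidate intersects. A non-empty list is the
    condition the server rejects as
    'Constraint violation: New base range overlaps with existing base range'."""
    return [r.name for r in existing if r.overlaps(candidate)]


def stale_trust_ranges(existing: List[IdRange], trusted_sids: Set[str]) -> List[str]:
    """Trust ranges whose domain SID matches no trust listed by `ipa trust-find`.
    `ipa trust-del` leaves such ranges behind; they must be removed with
    `ipa idrange-del` before the domain can be added again."""
    return [r.name for r in existing
            if r.domain_sid is not None and r.domain_sid not in trusted_sids]


if __name__ == "__main__":
    ranges = parse_idrange_find(SAMPLE_IDRANGE_FIND)
    # Hypothetical candidate for the ADTEST.QE trust: base and size are assumed,
    # the SID is the one shown in the bug's trust-add output.
    candidate = IdRange("ADTEST.QE_id_range", 1663500000, 200000,
                        "Active Directory trust range with POSIX attributes",
                        "S-1-5-21-1910160501-511572375-3625658879")
    print("overlaps:", overlapping_ranges(ranges, candidate))
    print("stale trust ranges with no trust:", stale_trust_ranges(ranges, set()))
```

Feeding the real `ipa idrange-find` output and the SIDs from `ipa trust-find` into these two functions reproduces the two conditions discussed in the thread: a candidate that intersects the local domain range is exactly what the server refuses, and a trust range left over from a deleted trust shows up as stale.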