On 2/3/21 6:18 PM, Friedrich Schäuffelhut wrote:
We would like to fix this without reinstalling FreeIPA. We have already a number of hosts, users and certificates enrolled. I am now looking for a way to move the FreeIPA UID range to a different area, e.g. 10.000 - 20.000. We run 3 replicas connected to each other. I found the ipa comands 'idrange-add' and 'idrange-del' and wonder if I could use those to 1. add a new range at 10.000 2. Update UIDs of existing users 3. remove the old range at 100.000.
If I understand correctly moving your IPA range may be problematic since you are actively using the uids. Do you have substantial podman usage? If not, move the podman ranges away. They are automatically allocated according to SUB_UID_MIN et al. (man adduser): change those vars and reassign ranges for the existing users. Personally, I find the 100000+uid*65536 default rule terrible since it gives you unreadable final numbers. My rule is to rebuild everything from scratch after adding a new user with: while IFS=":" read a b c x; do [ $c -eq 0 ] && c=1;echo "$a:$[100000*c]:65536";done </etc/passwd >/etc/subuid while IFS=":" read a b c x; do [ $c -eq 0 ] && c=1;echo "$a:$[100000*c]:65536";done </etc/group >/etc/subgid which gives me 400015 for subuser 15 of user 4. (note that root=0 is problematic and I collapse it into bin=1, both starting at 100000) Regards. -- Roberto Ragusa mail at robertoragusa.it _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
