In certain situations, it is necessary to manually adjust an ID range:
- An assigned ID range has been depleted
A replica has exhausted the ID range that was assigned to it, and requesting additional IDs failed because no more free IDs are available in the ID ranges of other replicas. You want to extend the ID range assigned to the replica. This might involve splitting an existing ID range or extending it past the initial configured ID range for the server. Alternatively, you might want to assign a new ID range.
If you assign a new ID range, the UIDs of the already existing entries on the server or replica stay the same. This does not pose a problem because even if you change the current ID range, IdM keeps a record of what ranges were assigned in the past.
- A replica stopped functioning
An ID range is not automatically retrieved when a replica dies and needs to be deleted, which means the ID range previously assigned to the replica becomes unavailable. You want to recover the ID range and make it available for other replicas.
If you want to recover the ID range belonging to a server that stopped functioning and assign it to another server, first find out the ID range values using the ipa-replica-manage dnarange-show command described in Section 14.3, “Displaying Currently Assigned ID Ranges”, and then manually assign that ID range to the server. Also, to avoid duplicate UIDs or GIDs, make sure that no ID value from the recovered range was previously assigned to a user or group; you can do this by examining the UIDs and GIDs of existing users and groups.
To manually define the ID ranges, use the following two commands:
ipa-replica-manage dnarange-set allows you to define the current ID range for a specified server:
# ipa-replica-manage dnarange-set masterA.example.com 1250-1499
ipa-replica-manage dnanextrange-set allows you to define the next ID range for a specified server:
# ipa-replica-manage dnanextrange-set masterB.example.com 1001-5000
For more information about these commands, see the ipa-replica-manage(1) man page.
Be careful not to create overlapping ID ranges. If any of the ID ranges you assign to servers or replicas overlap, it could result in two different servers assigning the same ID value to different entries.
Do not set ID ranges that include UID values of 1000 and lower; these values are reserved for system use. Also, do not set an ID range that would include the 0 value; the SSSD service does not handle the 0 ID value.
When extending an ID range manually, make sure that the newly extended range is included in the IdM ID range; you can check this using the ipa idrange-find command. Run the ipa idrange-find -h command to display help for how to use ipa idrange-find.
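The three constraints above (no overlap with ranges held by other servers, nothing at or below 1000, containment in the IdM ID range) can be checked before calling dnarange-set. The shell functions below are an added example, not part of the IdM tooling or the original guide: parse_range and check_dna_range are hypothetical helper names, and all range values are constructed; in practice they would be copied by hand from the output of ipa-replica-manage dnarange-show and ipa idrange-find.

```shell
# Added example: pre-flight check for a range intended for dnarange-set.
# parse_range "LO-HI" sets RANGE_LO and RANGE_HI; returns non-zero if malformed.
parse_range() {
    case "$1" in
        *[!0-9-]*|-*|*-|*-*-*|'') return 1 ;;
        *-*) ;;
        *) return 1 ;;
    esac
    RANGE_LO=${1%-*}
    RANGE_HI=${1#*-}
    [ "$RANGE_LO" -le "$RANGE_HI" ]
}

# check_dna_range NEW IDM_RANGE [ASSIGNED...]
# Returns 0 if NEW is safe to assign, otherwise:
#   1 malformed input, 2 includes 0..1000, 3 not inside IDM_RANGE,
#   4 overlaps a range already assigned to another server
check_dna_range() {
    parse_range "$1" || return 1
    new_lo=$RANGE_LO new_hi=$RANGE_HI
    # lo <= hi is already guaranteed, so checking the lower bound is enough.
    [ "$new_lo" -gt 1000 ] || return 2
    parse_range "$2" || return 1
    [ "$new_lo" -ge "$RANGE_LO" ] && [ "$new_hi" -le "$RANGE_HI" ] || return 3
    shift 2
    for assigned in "$@"; do
        parse_range "$assigned" || return 1
        # Two closed intervals overlap when each starts before the other ends.
        if [ "$new_lo" -le "$RANGE_HI" ] && [ "$RANGE_LO" -le "$new_hi" ]; then
            echo "overlaps $assigned" >&2
            return 4
        fi
    done
    return 0
}

# Constructed values: IdM ID range 5000-9999; two servers hold 5000-5499 and 5500-5999.
for candidate in 6000-6499 5400-5600 0-500 9900-10100; do
    rc=0
    check_dna_range "$candidate" 5000-9999 5000-5499 5500-5999 2>/dev/null || rc=$?
    echo "$candidate -> $rc"
done
```

This check covers only ranges; it does not look for individual UIDs or GIDs from a recovered range that are already assigned to existing users or groups.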