We are running IPA server 4.9.11 We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error: "ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed"
Any suggestions to troubleshoot and remove this range?
On Пят, 06 кас 2023, Jeremy Tourville via FreeIPA-users wrote:
We are running IPA server 4.9.11 We previously had a domain trust established with AD. Presently, the trust has been removed and we are trying to remove / clean up the ID range for AD. When doing so, using the command ipa idrange-del <range_name>, we get the error: "ipa: ERROR: invalid 'ipabaseid,ipaidrangesize': range modification leaving objects with ID out of the defined range is not allowed"
Any suggestions to troubleshoot and remove this range?
This means you still have references to UID/GIDs from this range in, for example, ID overrides.
You can try a script from https://gist.github.com/abbra/33f5ac59c5cae750ecdb3974978d9cec to see what objects reference these IDs and then might decide to remove or modify them.
freeipa-users@lists.fedorahosted.org