Introduction
While trying to add a new user on my IDM server I hit the error "IPA Error 4203: DatabaseError". Let's see how to resolve it.
IPA uses the 389-ds Distributed Numeric Assignment (DNA) plugin to manage POSIX uidNumber/gidNumber assignment automatically. When the server has no valid DNA range to allocate from, this error is thrown. In my case the cause was a master that had crashed earlier and that I rebuilt from a replica, which left the DNA ranges unset.
The Actual Error: IPA Error 4203
This is the actual error that I get from the IDM web portal.
Not allowed to proceed with creating the user.
Check Current Configuration
Let's do an ldapsearch and confirm the current DNA assignment values. A healthy server shows a real range; dnaMaxValue 1100 with dnaNextValue 1101 is the placeholder state that means no range has been assigned (the next value is above the maximum, so nothing can be allocated).
[root@idm1 ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=linuxsysadmins,dc=local
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ipaIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=linuxsysadmins,dc=local
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=linuxsysadmins,dc=local
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@idm1 ~]#
No valid range is set: dnaNextValue (1101) is above dnaMaxValue (1100).
I have three IDM servers; let me verify on the first node.
[root@idm1 ~]# ipa-replica-manage dnarange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: No range set
[root@idm1 ~]#
No DNA range is found.
Let's verify all remaining servers (running the command without a hostname lists every master).
[root@idm1 ~]# ipa-replica-manage dnarange-show
idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: No range set
idm3.linuxsysadmins.local: No range set
[root@idm1 ~]#
Set a New DNA Range
As no range exists, let's set one to begin with. Pick a range that lies inside the local IPA ID range (see ipa idrange-show) and does not overlap a range already assigned to another master; ipa-replica-manage validates the new range and refuses one that conflicts.
[root@idm1 ~]# ipa-replica-manage dnarange-set idm1.linuxsysadmins.local 5000-6000
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnarange-show
idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: 5000-6000
idm3.linuxsysadmins.local: No range set
[root@idm1 ~]#
Set the On-Deck (Next) Range
The on-deck range is the one the DNA plugin switches to automatically once the current range is exhausted.
[root@idm1 ~]# ipa-replica-manage dnanextrange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: No on-deck range set
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm1.linuxsysadmins.local 6001-7000
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnanextrange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: 6001-7000
[root@idm1 ~]#
Finally, set the on-deck range for the remaining replicas. Note that idm2 and idm3 receive only an on-deck range here, so re-check dnarange-show on those masters before adding users through them.
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm2.linuxsysadmins.local 7001-8000
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm3.linuxsysadmins.local 8001-9000
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnanextrange-show
idm2.linuxsysadmins.local: 7001-8000
idm1.linuxsysadmins.local: 6001-7000
idm3.linuxsysadmins.local: 8001-9000
[root@idm1 ~]#
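The two checks above (the 1101/1100 placeholder in the plugin entry and "No range set" in the dnarange-show output) and the rule that a new range must not overlap a range already assigned to another master can be scripted. The following POSIX shell block is an added example, not part of the original post and not FreeIPA's own code; it runs offline against constructed copies of the outputs shown above, and the function names (dna_state, servers_without_range, range_overlaps, candidate_ok) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the DNA
# state shown above. All inputs are constructed samples, not live data.

# Constructed sample: the plugin entry from the ldapsearch output, reduced
# to the attributes that matter.
SAMPLE_LDIF='dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnaMaxValue: 1100
dnaNextValue: 1101
dnaThreshold: 500'

# Constructed sample: dnarange-show output after only idm1 got a range.
SAMPLE_SHOW='idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: 5000-6000
idm3.linuxsysadmins.local: No range set'

# dna_state LDIF: prints "exhausted" when dnaNextValue > dnaMaxValue
# (the 1101/1100 placeholder), "ok" when values can still be allocated.
dna_state() {
    next=$(printf '%s\n' "$1" | awk -F': ' '$1=="dnaNextValue"{print $2}')
    max=$(printf '%s\n' "$1" | awk -F': ' '$1=="dnaMaxValue"{print $2}')
    if [ -z "$next" ] || [ -z "$max" ]; then
        echo "unknown"
    elif [ "$next" -gt "$max" ]; then
        echo "exhausted"
    else
        echo "ok"
    fi
}

# servers_without_range SHOW_OUTPUT: hostnames reporting "No range set",
# one per line, sorted.
servers_without_range() {
    printf '%s\n' "$1" | awk -F': ' '$2=="No range set"{print $1}' | sort
}

# range_overlaps "A-B" "C-D": exit 0 if the two ranges share any value.
range_overlaps() {
    a_lo=${1%-*}; a_hi=${1#*-}
    b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# candidate_ok SHOW_OUTPUT "LO-HI": exit 0 if LO <= HI and the candidate
# does not overlap any range already assigned in SHOW_OUTPUT.
candidate_ok() {
    show=$1; cand=$2
    lo=${cand%-*}; hi=${cand#*-}
    [ "$lo" -le "$hi" ] || return 1
    for r in $(printf '%s\n' "$show" | awk -F': ' '$2 ~ /^[0-9]+-[0-9]+$/{print $2}'); do
        if range_overlaps "$r" "$cand"; then
            return 1
        fi
    done
    return 0
}

# Stand-alone demo against the constructed samples.
echo "plugin range state: $(dna_state "$SAMPLE_LDIF")"   # exhausted
echo "masters without a range:"
servers_without_range "$SAMPLE_SHOW"                       # idm2, idm3
for cand in 6001-7000 5500-6500; do
    if candidate_ok "$SAMPLE_SHOW" "$cand"; then
        echo "$cand: free to assign"
    else
        echo "$cand: rejected (overlap or bad bounds)"
    fi
done
```

On a live master you would feed dna_state the output of the ldapsearch shown earlier and servers_without_range the output of ipa-replica-manage dnarange-show; candidate_ok is a pre-flight check only, and ipa-replica-manage dnarange-set still performs its own validation against the IPA ID ranges.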
Create a new User
Now creating a new user should succeed. Let's create one and check it from the IDM server portal. The user-add below works, which confirms that IPA Error 4203 is resolved; note that the login name is the positional argument and that --password prompts for the password rather than taking it on the command line.
[root@idm1 ~]# ipa user-add --first=RHEV --last=Admin --gidnumber=5050 --displayname="RHEV Super Admin" --password rhevmadmin
Password:
Enter Password again to verify:
-----------------------
Added user "rhevmadmin"
-----------------------
User login: rhevmadmin
First name: RHEV
Last name: Admin
Full name: RHEV Admin
Display name: RHEV Super Admin
Initials: RA
Home directory: /home/rhevmadmin
GECOS: RHEV Admin
Login shell: /bin/sh
Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
User password expiration: 20210708055918Z
Email address: rhevmadmin@linuxsysadmins.local
UID: 5003
GID: 5050
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@idm1 ~]#
Verify the status of the created account
[root@idm1 ~]# ipa user-show rhevmadmin
User login: rhevmadmin
First name: RHEV
Last name: Admin
Home directory: /home/rhevmadmin
Login shell: /bin/sh
Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
Email address: rhevmadmin@linuxsysadmins.local
UID: 5003
GID: 5050
Account disabled: False
Password: True
Member of groups: ipausers, rhevadmins
Kerberos keys available: True
[root@idm1 ~]#
Or check from the IDM web interface.
The creation output shows a User password expiration equal to the creation time: IdM deliberately marks an administrator-set password as expired so the user has to change it at first login. If you want to bypass that for an account such as this one, set the expiry to a future date, keeping in mind that the administrator-chosen password then stays in force until that date.
[root@idm1 ~]# ipa user-mod rhevmadmin --setattr=krbPasswordExpiration=20211231000000Z
--------------------------
Modified user "rhevmadmin"
--------------------------
User login: rhevmadmin
First name: RHEV
Last name: Admin
Home directory: /home/rhevmadmin
Login shell: /bin/sh
Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
User password expiration: 20211231000000Z
Email address: rhevmadmin@linuxsysadmins.local
UID: 5003
GID: 5050
Account disabled: False
Password: True
Member of groups: ipausers, rhevadmins, rhevmusers
Kerberos keys available: True
[root@idm1 ~]#
That’s it, we have managed to set a new DNA range and create the users in the IDM server.
Conclusion:
The DNA range went missing in my case because the master IDM server crashed and I rebuilt it from an existing replica.
Your case may have a different root cause, but if you face the same missing DNA range, this procedure will resolve it. I will come up with similar troubleshooting guides; subscribe to the newsletter and share your thoughts in the comment section below.