Solution for IPA Error 4203: DatabaseError


Introduction

I’m trying to add a new user to my IDM server and getting the error “IPA Error 4203: DatabaseError”. Let’s see how to resolve it.

IPA uses the 389-ds Distributed Numeric Assignment (DNA) plugin to manage POSIX uid/gid assignment automatically. When no valid DNA range is available, this error is thrown. In my case the cause was that the master had crashed earlier and I recovered it from a replica.

The Actual Error IPA Error 4203

This is the actual error that I get from the IDM web portal.

IPA Error 4203 DatabaseError (screenshot from the IDM web portal)

Not allowed to proceed with creating the user.

Check Current Configuration

Let’s run an ldapsearch and confirm the current DNA assignment values. We expect a real range here; the default values dnaMaxValue 1100 and dnaNextValue 1101 indicate that no range has been assigned.

[root@idm1 ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=linuxsysadmins,dc=local
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=linuxsysadmins,dc=local
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=linuxsysadmins,dc=local
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@idm1 ~]# 

No valid range is configured: dnaMaxValue and dnaNextValue still carry the default values.

I’m running three IDM servers; let me verify on the first node.

[root@idm1 ~]# ipa-replica-manage dnarange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: No range set
[root@idm1 ~]# 

No DNA range is found.

Let’s verify all the remaining servers.

[root@idm1 ~]# ipa-replica-manage dnarange-show
idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: No range set
idm3.linuxsysadmins.local: No range set
[root@idm1 ~]#

Set new DNA Range

As no range exists, let’s set one to begin with.

[root@idm1 ~]# ipa-replica-manage dnarange-set idm1.linuxsysadmins.local 5000-6000
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnarange-show
idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: 5000-6000
idm3.linuxsysadmins.local: No range set
[root@idm1 ~]#

Set the extra (on-deck) range

[root@idm1 ~]# ipa-replica-manage dnanextrange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: No on-deck range set
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm1.linuxsysadmins.local 6001-7000
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnanextrange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: 6001-7000
[root@idm1 ~]# 

Finally, set the extra range for the remaining replicas.

[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm2.linuxsysadmins.local 7001-8000
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm3.linuxsysadmins.local 8001-9000
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnanextrange-show
idm2.linuxsysadmins.local: 7001-8000
idm1.linuxsysadmins.local: 6001-7000
idm3.linuxsysadmins.local: 8001-9000
[root@idm1 ~]#
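The before and after states above, checked by script: this is an added example and not part of the original post. It parses the output of ipa-replica-manage dnarange-show / dnanextrange-show, lists replicas still without a range, and flags overlapping ranges, which would let two replicas hand out the same uidNumber to different accounts. The sample outputs are constructed to mirror the post.

```bash
#!/bin/bash
# Added example, not code from the original post: audit the output of
# `ipa-replica-manage dnarange-show` / `dnanextrange-show` before
# assigning ranges. Every replica needs a range (otherwise user-add
# fails with IPA Error 4203) and no two ranges may overlap (overlapping
# ranges let two replicas hand the same uidNumber to different users).
# Input lines look like "<host>: <lo>-<hi>" or "<host>: No range set".

# Print hosts with no range assigned; return 1 if any exist.
dna_missing() {
    local missing
    missing=$(printf '%s\n' "$1" | awk -F': ' '/: No (on-deck )?range set$/ { print $1 }')
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Print every pair of overlapping ranges; return 1 if any overlap.
dna_overlaps() {
    printf '%s\n' "$1" | awk -F': ' '
        $2 ~ /^[0-9]+-[0-9]+$/ { split($2, r, "-"); n++; h[n] = $1; lo[n] = r[1] + 0; hi[n] = r[2] + 0 }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n", h[i], lo[i], hi[i], h[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Combined audit: 0 = healthy, 1 = a replica has no range, 2 = ranges overlap.
dna_audit() {
    dna_missing "$1" || return 1
    dna_overlaps "$1" || return 2
}

# Constructed samples mirroring the post's before/after output, plus a clash.
DNA_BEFORE='idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: No range set
idm3.linuxsysadmins.local: No range set'
DNA_AFTER='idm2.linuxsysadmins.local: 7001-8000
idm1.linuxsysadmins.local: 6001-7000
idm3.linuxsysadmins.local: 8001-9000'
DNA_CLASH='idm1.linuxsysadmins.local: 5000-6000
idm2.linuxsysadmins.local: 5500-6500'

# Live use: dna_audit "$(ipa-replica-manage dnarange-show)"
```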

Create a new User

Now creating a new user should work. Let’s create one and check it from the IDM server portal.

# ipa user-add --first=RHEV --last=Admin  --gidnumber=5050 --displayname="RHEV Super Admin" --password rhevmadmin

It works and we have managed to resolve the IPA Error 4203.

[root@idm1 ~]# ipa user-add --first=RHEV --last=Admin  --gidnumber=5050 --displayname="RHEV Super Admin" --password rhevmadmin
Password: 
Enter Password again to verify: 
-----------------------
Added user "rhevmadmin"
-----------------------
  User login: rhevmadmin
  First name: RHEV
  Last name: Admin
  Full name: RHEV Admin
  Display name: RHEV Super Admin
  Initials: RA
  Home directory: /home/rhevmadmin
  GECOS: RHEV Admin
  Login shell: /bin/sh
  Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
  Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
  User password expiration: 20210708055918Z
  Email address: rhevmadmin@linuxsysadmins.local
  UID: 5003
  GID: 5050
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@idm1 ~]#

Verify the status of the created account

[root@idm1 ~]# ipa user-show rhevmadmin
  User login: rhevmadmin
  First name: RHEV
  Last name: Admin
  Home directory: /home/rhevmadmin
  Login shell: /bin/sh
  Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
  Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
  Email address: rhevmadmin@linuxsysadmins.local
  UID: 5003
  GID: 5050
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhevadmins
  Kerberos keys available: True
[root@idm1 ~]#

Or check from the IDM web interface.

IPA server user created (screenshot from the IDM web interface)

Let’s set the password expiry to any future date for the newly created account.

[root@idm1 ~]# ipa user-mod rhevmadmin --setattr=krbPasswordExpiration=20211231000000Z
--------------------------
Modified user "rhevmadmin"
--------------------------
  User login: rhevmadmin
  First name: RHEV
  Last name: Admin
  Home directory: /home/rhevmadmin
  Login shell: /bin/sh
  Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
  Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
  User password expiration: 20211231000000Z
  Email address: rhevmadmin@linuxsysadmins.local
  UID: 5003
  GID: 5050
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhevadmins, rhevmusers
  Kerberos keys available: True
[root@idm1 ~]# 

That’s it, we have managed to set a new DNA range and create the users in the IDM server.

Conclusion:

The missing DNA range in my case was due to the crashed master IDM server, which I rebuilt from the existing replica server.

Your case may have a different root cause, but if you face the same missing DNA range problem, this solution will resolve it. I will come up with similar troubleshooting guides; subscribe to the newsletter and share your thoughts in the comment section below.


About Author

Babin Lonston

Overall 14+ years of experience in the IT field, currently working as a Senior Linux administrator with virtualization and cloud. A numismatist for a long time.