Solution for IPA Error 4203: DatabaseError

Introduction

I’m trying to add a new user to my IDM server and getting the error “IPA Error 4203: DatabaseError”. Let’s see how to resolve the same.

The IPA uses the 389-ds Distributed Numeric Assignment (DNA) plugin to automatically manage POSIX uid/gid assignment. When we don’t have a valid range of DNA vale this error will be throw. The cause of this issue could be due to the master crashed before and I have managed to recover from a replica.

The Actual Error IPA Error 4203

This is the actual error that I get from the IDM web portal.

IPA Error 4203 DatabaseError
IPA Error 4203 DatabaseError

Not allowed to proceed with creating the user.

Check Current Configuration

Let’s do a ldapsearch and confirm the current DNA assignment value. The expected value should be some range other than the default values 1100 and 1101.

[root@idm1 ~]# ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Posix IDs, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaExcludeScope: cn=provisioning,dc=linuxsysadmins,dc=local
dnaFilter: (|(objectClass=posixAccount)(objectClass=posixGroup)(objectClass=ip
 aIDobject))
dnaMagicRegen: -1
dnaMaxValue: 1100
dnaNextValue: 1101
dnaScope: dc=linuxsysadmins,dc=local
dnaSharedCfgDN: cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=linuxsysadmins,dc=local
dnaThreshold: 500
dnaType: uidNumber
dnaType: gidNumber
objectClass: top
objectClass: extensibleObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@idm1 ~]# 

We don’t find a valid range.

I’m using three numbers of IDM servers and let me verify on the first node.

[root@idm1 ~]# ipa-replica-manage dnarange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: No range set
[root@idm1 ~]# 

Don’t find a DNA range

Let’s verify for all remaining serves.

[root@idm1 ~]# ipa-replica-manage dnarange-show
idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: No range set
idm3.linuxsysadmins.local: No range set
[root@idm1 ~]#

Set new DNA Range

As the value does not exist let’s set a range to begin.

[root@idm1 ~]# ipa-replica-manage dnarange-set idm1.linuxsysadmins.local 5000-6000
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnarange-show
idm2.linuxsysadmins.local: No range set
idm1.linuxsysadmins.local: 5000-6000
idm3.linuxsysadmins.local: No range set
[root@idm1 ~]#

Set the extra range

[root@idm1 ~]# ipa-replica-manage dnanextrange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: No on-deck range set
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm1.linuxsysadmins.local 6001-7000
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage dnanextrange-show idm1.linuxsysadmins.local
idm1.linuxsysadmins.local: 6001-7000
[root@idm1 ~]# 

Finally, set the extra range for remaining replicas

[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm2.linuxsysadmins.local 7001-8000
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnanextrange-set idm3.linuxsysadmins.local 8001-9000
[root@idm1 ~]# 
[root@idm1 ~]# ipa-replica-manage dnanextrange-show
idm2.linuxsysadmins.local: 7001-8000
idm1.linuxsysadmins.local: 6001-7000
idm3.linuxsysadmins.local: 8001-9000
[root@idm1 ~]#

Create a new User

Now it will be fine with creating a new user, Let’s create a new user and check from the IDM server portal.

# ipa user-add --first=RHEV --last=Admin  --gidnumber=5050 --displayname="RHEV Super Admin" --password rhevmadmin

It works and we have managed to resolve the IPA Error 4203.

[root@idm1 ~]# ipa user-add --first=RHEV --last=Admin  --gidnumber=5050 --displayname="RHEV Super Admin" --password rhevmadmin
Password: 
Enter Password again to verify: 
-----------------------
Added user "rhevmadmin"
-----------------------
  User login: rhevmadmin
  First name: RHEV
  Last name: Admin
  Full name: RHEV Admin
  Display name: RHEV Super Admin
  Initials: RA
  Home directory: /home/rhevmadmin
  GECOS: RHEV Admin
  Login shell: /bin/sh
  Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
  Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
  User password expiration: 20210708055918Z
  Email address: rhevmadmin@linuxsysadmins.local
  UID: 5003
  GID: 5050
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@idm1 ~]#

Verify the status of the created account

[root@idm1 ~]# ipa user-show rhevmadmin
  User login: rhevmadmin
  First name: RHEV
  Last name: Admin
  Home directory: /home/rhevmadmin
  Login shell: /bin/sh
  Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
  Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
  Email address: rhevmadmin@linuxsysadmins.local
  UID: 5003
  GID: 5050
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhevadmins
  Kerberos keys available: True
[root@idm1 ~]#

Or check from the IDM web interface.

IPA server user created
IPA server user-created

Let’s set the password expiry to any future date for the newly created account.

[root@idm1 ~]# ipa user-mod rhevmadmin --setattr=krbPasswordExpiration=20211231000000Z
--------------------------
Modified user "rhevmadmin"
--------------------------
  User login: rhevmadmin
  First name: RHEV
  Last name: Admin
  Home directory: /home/rhevmadmin
  Login shell: /bin/sh
  Principal name: rhevmadmin@LINUXSYSADMINS.LOCAL
  Principal alias: rhevmadmin@LINUXSYSADMINS.LOCAL
  User password expiration: 20211231000000Z
  Email address: rhevmadmin@linuxsysadmins.local
  UID: 5003
  GID: 5050
  Account disabled: False
  Password: True
  Member of groups: ipausers, rhevadmins, rhevmusers
  Kerberos keys available: True
[root@idm1 ~]# 

That’s it, we have managed to set a new DNA range and create the users in the IDM server.

Conclusion:

The DNS range missing in my case is due to crashed master IDM server and I have managed to rebuild it from the existing replica server.

Similarly, your case could be with a different issue and if you face the same DNA range missing problem then this solution will help to resolve the DNA range missing. Will come up with a similar troubleshooting guide, subscribe to the newsletter, and register your thoughts through below comment section.