Hi,
I am trying to establish a trust between my FreeIPA and AD. 
I ran ipa-ad-trust-install, and chose yes to everything, including running the 
sidgen-task. 
I then ran the `ipa trust-add` command, and got this error:
```
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")
```
Investigating the issue, I noticed that only my admin user has a SID 
(ipaNTTrustedDomainSID), and that the `samba` service is not running precisely 
because of that:

```
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: GSSAPI client step 2
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737482,  0, pid=8660] ipa_sam.c:4211(get_fallback_group_sid)
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]:   Missing mandatory attribute ipaNTSecurityIdentifier.
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737537,  0, pid=8660] ipa_sam.c:5182(pdb_init_ipasam)
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]:   Cannot find SID of fallback group.
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737556,  0, pid=8660] ../../source3/passdb/pdb_interface.c:179(mak>
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]:   pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-MYDOMAIN.socket did not correctly i>
Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Main process exited, code=exited, status=1/FAILURE
Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Failed with result 'exit-code'.
```
I do have a default SMB group, but it doesn't have a SID:
```
  dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=mydomain
  Group name: Default SMB Group
  Description: Fallback group for primary group RID, do not add users to this group
  GID: 1987100500
  ipauniqueid: a4cbcef2-9671-11ec-bbb5-000c29945382
  objectclass: top, ipaobject, posixgroup
```
I realized that the ipa-sidgen-task failed:
```
[03/Apr/2022:18:02:54.670826769 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[03/Apr/2022:18:02:54.671439501 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
```
and 
```
ipaserver.install.service: CRITICAL Failed to load ipa-sidgen-task-run.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
ipaserver.install.adtrustinstance: WARNING  Exception occured during SID generation: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
```

Could anyone help me with this? I don't know how to generate these SIDs, and I 
got stuck. Worse: my ipa won't start without the --ignore-service-failures, as 
smb is refusing to start.

Best,
Francis