Hi, Operations error is an error returned by the LDAP server. Can you check the content of /var/log/dirsrv/slapd-<DOMAIN>/errors? If there is no detailed error message, you can increase the debug level to 65536, re-run the ipa-adtrust-install command, restore the original debug level and check the logs.
See https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/configuration_command_and_file_reference/core_server_configuration_reference#cnconfig-nsslapd_errorlog_level_Error_Log_Level for more details re. the error log level.

flo

On Sun, Apr 3, 2022 at 6:45 PM Francis Augusto Medeiros-Logeay via FreeIPA-users <[email protected]> wrote:

> Hi,
> I am trying to establish a trust between my FreeIPA and AD.
> I ran ipa-ad-trust-install, and chose yes to everything, including running
> the sidgen-task.
> I then ran the `ipa trust-add` command, and got this error:
> ```
> ipa: ERROR: CIFS server communication error: code "3221225495", message
> "{Not Enough Quota} Not enough virtual memory or paging file quota is
> available to complete the specified operation." (both may be "None")
> ```
> Investigating the issue, I noticed that only my admin user has a SID
> (ipaNTTrustedDomainSID), and that the `samba` service is not running
> precisely because of that:
>
> ```
>
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: GSSAPI client step 2
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737482,
> 0, pid=8660] ipa_sam.c:4211(get_fallback_group_sid)
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Missing mandatory attribute
> ipaNTSecurityIdentifier.
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737537,
> 0, pid=8660] ipa_sam.c:5182(pdb_init_ipasam)
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Cannot find SID of fallback
> group.
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737556,
> 0, pid=8660] ../../source3/passdb/pdb_interface.c:179(mak>
> Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: pdb backend
> ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-MYDOMAIN.socket did not correctly i>
> Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Main process
> exited, code=exited, status=1/FAILURE
> Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Failed with
> result 'exit-code'.
> ```
> I do have a default SMB group, but it doesn't have a SID:
> ```
> dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=mydomain
> Group name: Default SMB Group
> Description: Fallback group for primary group RID, do not add users to
> this group
> GID: 1987100500
> ipauniqueid: a4cbcef2-9671-11ec-bbb5-000c29945382
> objectclass: top, ipaobject, posixgroup
> ```
> I realized that the ipa-sidgen-task failed:
> ```
> [03/Apr/2022:18:02:54.670826769 +0200] - ERR - get_ranges - [file
> ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range
> struct.
> [03/Apr/2022:18:02:54.671439501 +0200] - ERR - ipa_sidgen_add_post_op -
> [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
> ```
> and
> ```
>
> ipaserver.install.service: CRITICAL Failed to load
> ipa-sidgen-task-run.ldif: CalledProcessError(Command
> ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H',
> 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned
> non-zero exit status 1: 'ldap_initialize(
> ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL
> authentication started\nSASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
> 0\nldap_add: Operations error (1)\n')
> ipaserver.install.adtrustinstance: WARNING Exception occured during SID
> generation: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f',
> '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket',
> '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize(
> ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL
> authentication started\nSASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF:
> 0\nldap_add: Operations error (1)\n')
> ```
>
> Could anyone help me with this? I don't know how to generate these SIDs,
> and I got stuck. Worse: my ipa won't start without the
> --ignore-service-failures, as smb is refusing to start.
>
> Best,
> Francis
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
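The procedure suggested in the reply, as a script: save the current error log level, raise it to 65536, re-run `ipa-adtrust-install`, restore the saved level, and print the sidgen plugin lines written during the run. This is an added example, not part of the original thread; the instance name `IPA-MYDOMAIN` and the ldapi socket come from the quoted logs, while the function names, the `--run` switch and the fallback to 16384 (the documented default level) are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread. INSTANCE and the ldapi socket are the
# values visible in the quoted logs; adjust both for your server.
INSTANCE="IPA-MYDOMAIN"
URI="ldapi://%2Frun%2Fslapd-${INSTANCE}.socket"
ERRLOG="/var/log/dirsrv/slapd-${INSTANCE}/errors"

# LDIF that replaces nsslapd-errorlog-level on cn=config with level $1.
errorlog_ldif() {
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-errorlog-level\nnsslapd-errorlog-level: %s\n' "$1"
}

# Current level; 16384 (the documented default) is assumed if none is returned.
current_level() {
    lvl=$(ldapsearch -LLL -H "$URI" -Y EXTERNAL -b cn=config -s base \
              nsslapd-errorlog-level 2>/dev/null |
          awk -F': ' 'tolower($1) == "nsslapd-errorlog-level" { print $2 }')
    echo "${lvl:-16384}"
}

set_level() {
    errorlog_ldif "$1" | ldapmodify -H "$URI" -Y EXTERNAL >/dev/null
}

# Lines written by the sidgen plugin, from file $1 or stdin, any severity.
sidgen_lines() {
    grep -E 'ipa_sidgen' "${1:--}" || true
}

main() {
    saved=$(current_level)
    start=$(wc -l < "$ERRLOG")
    trap 'set_level "$saved"' EXIT      # restore even if the installer aborts
    set_level 65536                     # level suggested in the reply
    ipa-adtrust-install || true
    tail -n "+$((start + 1))" "$ERRLOG" | sidgen_lines
}

# Only touch the server when asked to: run as root with the --run argument.
if [ "${1:-}" = "--run" ]; then
    main
fi
```
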
