Hi,
Operations error is an error returned by the LDAP server. Can you check the
content of /var/log/dirsrv/slapd-<DOMAIN>/errors? If there is no detailed
error message, you can increase the debug level to 65536, re-run the
ipa-adtrust-install command, restore the original debug level and check the
logs.
See
for more details re. the error log level.
flo
On Sun, Apr 3, 2022 at 6:45 PM Francis Augusto Medeiros-Logeay via
FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
I am trying to establish a trust between my FreeIPA and AD.
I ran ipa-ad-trust-install, and chose yes to everything, including running
the sidgen-task.
I then ran the `ipa trust-add` command, and got this error:
```
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")
```
Investigating the issue, I noticed that only my admin user has a SID
(ipaNTTrustedDomainSID), and that the `samba` service is not running
precisely because of that:
```
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: GSSAPI client step 2
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737482, 0, pid=8660] ipa_sam.c:4211(get_fallback_group_sid)
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Missing mandatory attribute ipaNTSecurityIdentifier.
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737537, 0, pid=8660] ipa_sam.c:5182(pdb_init_ipasam)
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Cannot find SID of fallback group.
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737556, 0, pid=8660] ../../source3/passdb/pdb_interface.c:179(mak>
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-MYDOMAIN.socket did not correctly i>
Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Main process exited, code=exited, status=1/FAILURE
Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Failed with result 'exit-code'.
```
I do have a default SMB group, but it doesn't have a SID:
```
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=mydomain
Group name: Default SMB Group
Description: Fallback group for primary group RID, do not add users to this group
GID: 1987100500
ipauniqueid: a4cbcef2-9671-11ec-bbb5-000c29945382
objectclass: top, ipaobject, posixgroup
```
I realized that the ipa-sidgen-task failed:
```
[03/Apr/2022:18:02:54.670826769 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[03/Apr/2022:18:02:54.671439501 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
```
and
```
ipaserver.install.service: CRITICAL Failed to load ipa-sidgen-task-run.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
ipaserver.install.adtrustinstance: WARNING Exception occured during SID generation: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
```
Could anyone help me with this? I don't know how to generate these SIDs,
and I got stuck. Worse: my ipa won't start without the
--ignore-service-failures, as smb is refusing to start.
Best,
Francis
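
The procedure suggested in the reply at the top of this thread (raise the error log level to 65536, re-run the command, restore the original level, read the log), as an added example that is not part of the original messages and is not FreeIPA code. It assumes it is run as root on the IPA server so that SASL EXTERNAL over ldapi has write access to `cn=config`; the instance name `EXAMPLE-TEST` is a placeholder and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. EXAMPLE-TEST is a placeholder for the real instance name.
LDAPI_URI="${LDAPI_URI:-ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket}"
ERRORS_LOG="${ERRORS_LOG:-/var/log/dirsrv/slapd-EXAMPLE-TEST/errors}"
DEBUG_LEVEL=65536   # level named in the reply

# Print the current nsslapd-errorlog-level stored in cn=config.
get_level() {
    ldapsearch -LLL -Q -o ldif-wrap=no -H "$LDAPI_URI" -Y EXTERNAL \
        -b cn=config -s base nsslapd-errorlog-level 2>/dev/null |
        awk -F': ' 'tolower($1) == "nsslapd-errorlog-level" { print $2 }'
}

# Print the LDIF that replaces the level with $1.
level_ldif() {
    printf '%s\n' 'dn: cn=config' 'changetype: modify' \
        'replace: nsslapd-errorlog-level' "nsslapd-errorlog-level: $1"
}

# Apply level $1 to the running server.
set_level() {
    level_ldif "$1" | ldapmodify -Q -H "$LDAPI_URI" -Y EXTERNAL >/dev/null
}

# Run "$@" at DEBUG_LEVEL, restore the saved level even if the command
# fails, then print only the error-log lines written during the run.
with_debug_level() {
    local old start rc
    old="$(get_level)"
    [ -n "$old" ] || { echo "cannot read current log level" >&2; return 2; }
    start="$(wc -l < "$ERRORS_LOG")" || return 2
    set_level "$DEBUG_LEVEL" || return 2
    rc=0
    "$@" || rc=$?
    set_level "$old" || echo "restore nsslapd-errorlog-level=$old by hand" >&2
    tail -n "+$((start + 1))" "$ERRORS_LOG"
    return "$rc"
}

# With arguments, run them as the command to debug (in this thread's case,
# ipa-adtrust-install); with none, only define the functions.
[ "$#" -eq 0 ] || with_debug_level "$@"
```

Saving the level first and restoring it unconditionally keeps the verbose level from staying enabled after a failed run.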