Bug 1982211

Summary: ipa-trust-add fails with "not enough quota"
Product: Red Hat Enterprise Linux 8
Reporter: Petr Čech <pcech>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
CC: abokovoy, amore, anoopcs, asn, extras-qa, frenaud, ftrivino, gdeschner, iboukris, ipa-maint, jarrpa, jcholast, jhrozek, jstephen, ksiddiqu, lmohanty, madam, mhjacks, pvoborni, rcritten, rharwood, sbose, ssidhaye, ssorce, tscherf, twoerner
Target Milestone: beta
Keywords: Triaged
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: idm-client-8050020210715144943.de73ecb2
Clone Of: 1970168
Last Closed: 2021-11-09 18:29:52 UTC
Type: Bug
Bug Depends On: 1970168

Description Petr Čech 2021-07-14 12:48:17 UTC
+++ This bug was initially created as a clone of Bug #1970168 +++

[root@ipaserver ~]# echo "vagrant" | ipa trust-add --type=ad ad.test --admin vagrant --password --two-way=true
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")
[root@ipaserver ~]# 

Injecting a stack print, the callsite is:

  File "/usr/share/ipa/wsgi.py", line 59, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 296, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 308, in route
    return app(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 917, in __call__
    response = super(jsonserver_session, self).__call__(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 517, in __call__
    response = super(jsonserver, self).__call__(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 473, in __call__
    response = self.wsgi_execute(environ)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 400, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 759, in execute
    full_join = self.validate_options(*keys, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 868, in validate_options
    self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 1742, in __init__
    self.__populate_local_domain()
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 1756, in __populate_local_domain
    ld.retrieve(FQDN)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 992, in retrieve
    self.init_lsa_pipe(remote_host)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 891, in init_lsa_pipe
    self._pipe = self.__gen_lsa_connection(binding)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 870, in __gen_lsa_connection
    raise assess_dcerpc_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 179, in assess_dcerpc_error
    traceback.print_stack(file=f)

I've previously captured an strace, but it doesn't seem helpful: https://rharwood.fedorapeople.org/strace

I observe no network traffic on any interface, other than: DNS, STP, SSH, LDAP, and HTTPS (on 443).

Tarball of debug logs with debug level 50: https://rharwood.fedorapeople.org/var_log_samba.tar.gz

Should you reproduce this locally, I have a repo: https://github.com/frozencemetery/ad-testing/ (vagrant up ipaserver, vagrant ssh ipaserver, sudo ./install_trust.sh).

I'm personally at a loss as to how to debug this further.  I don't seem to be able to find where the lsa stuff comes from, and no matter which smbd I attach to with gdb (even all of them), I can't seem to catch the connection.  Is it possible that there is no connection, somehow?

--- Additional comment from Andreas Schneider on 2021-07-14 10:03:57 UTC ---

Error loading module '/usr/lib64/samba/idmap/sss.so': /usr/lib64/samba/idmap/sss.so: cannot open shared object file: No such file or directory

looks like idmap_sss is not installed and it can't allocate IDs ...

--- Additional comment from Alexander Bokovoy on 2021-07-14 10:05:02 UTC ---

sssd-winbind-idmap is missing in IPA dependencies, it looks like.
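
An added triage sketch, not part of the original report or of FreeIPA: it decodes the numeric code from the ipa error into its NTSTATUS hex form and scans Samba log lines for the module-load failure that the comments above identify as the actual cause. The function names and the filler log lines are hypothetical; the error line, the module path and the package name are taken from this page.

```python
import re

# Module-load failure line, in the form quoted in the comment above.
MODULE_ERR = re.compile(r"Error loading module '(?P<path>[^']+\.so)'")
# Numeric code in the ipa CLI error quoted in the description.
IPA_CODE = re.compile(r'CIFS server communication error: code "(?P<code>\d+)"')

# Module suffix -> package, as named in the comments on this page.
PACKAGE_HINTS = {"idmap/sss.so": "sssd-winbind-idmap"}


def ntstatus_hex(ipa_error):
    """Return the code from an ipa error line as 0xXXXXXXXX, or None."""
    m = IPA_CODE.search(ipa_error)
    return "0x%08X" % int(m.group("code")) if m else None


def missing_modules(log_lines):
    """Return de-duplicated (module_path, package_hint) pairs in log order."""
    seen, found = set(), []
    for line in log_lines:
        m = MODULE_ERR.search(line)
        if not m or m.group("path") in seen:
            continue
        path = m.group("path")
        seen.add(path)
        hint = next((pkg for suffix, pkg in PACKAGE_HINTS.items()
                     if path.endswith(suffix)), None)
        found.append((path, hint))
    return found


# Constructed sample input: the filler lines are invented; the module error
# and the ipa error are the messages quoted on this page.
MODULE_LINE = ("Error loading module '/usr/lib64/samba/idmap/sss.so': "
               "/usr/lib64/samba/idmap/sss.so: cannot open shared object "
               "file: No such file or directory")
SAMPLE_LOG = ["constructed filler line 1", MODULE_LINE,
              "constructed filler line 2", MODULE_LINE]
IPA_ERROR = ('ipa: ERROR: CIFS server communication error: code "3221225495", '
             'message "{Not Enough Quota} Not enough virtual memory or paging '
             'file quota is available to complete the specified operation." '
             '(both may be "None")')

if __name__ == "__main__":
    print("NTSTATUS:", ntstatus_hex(IPA_ERROR))
    for path, pkg in missing_modules(SAMPLE_LOG):
        print("missing module:", path, "| package hint:", pkg or "unknown")
```
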

Comment 1 Florence Blanc-Renaud 2021-07-15 14:29:44 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/24afb10c30577be6092ab699fd7f6eeef9fa62b2

Comment 5 Florence Blanc-Renaud 2021-07-15 16:23:34 UTC
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/1a4f459b81bc77cdf233b65f41d0f76dbb5f2fce

Comment 9 anuja 2021-08-06 06:47:54 UTC
Following test with trust-add is successful in nightly compose 

1: Test result.txt
test_integration/test_smb.py::TestSMB::test_samba_uninstallation_without_installation PASSED [  6%]

2: runner log
2021-08-06T06:04:07+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-08-06T06:04:07+0000   msg:
2021-08-06T06:04:07+0000   - arch: x86_64
2021-08-06T06:04:07+0000     epoch: null
2021-08-06T06:04:07+0000     name: ipa-server
2021-08-06T06:04:07+0000     release: 4.module+el8.5.0+11912+1b4496cf
2021-08-06T06:04:07+0000     source: rpm
2021-08-06T06:04:07+0000     version: 4.9.6

3: sssd-winbind-idmap-2.5.2-2.el8.x86_64 is also part of nightly compose.

Based on this, marking it verified.

Comment 12 errata-xmlrpc 2021-11-09 18:29:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230