Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1982212

Summary: ipa-trust-add fails with "not enough quota"
Product: Red Hat Enterprise Linux 9 Reporter: Petr Čech <pcech>
Component: ipaAssignee: Florence Blanc-Renaud <frenaud>
Status: CLOSED CURRENTRELEASE QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: abokovoy, anoopcs, asn, contribs, extras-qa, ftrivino, gdeschner, iboukris, ipa-maint, jarrpa, jcholast, jhrozek, jstephen, ksiddiqu, lmohanty, madam, mhjacks, pvoborni, rcritten, rharwood, sbose, ssorce, tscherf, twoerner
Target Milestone: betaKeywords: Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.9.6-3.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1970168 Environment:
Last Closed: 2021-12-07 21:30:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1970168    
Bug Blocks:    

Description Petr Čech 2021-07-14 12:48:59 UTC 
+++ This bug was initially created as a clone of Bug #1970168 +++

[root@ipaserver ~]# echo "vagrant" | ipa trust-add --type=ad ad.test --admin vagrant --password --two-way=true
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")
[root@ipaserver ~]# 

Injecting a stack print, the callsite is:

  File "/usr/share/ipa/wsgi.py", line 59, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 296, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 308, in route
    return app(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 917, in __call__
    response = super(jsonserver_session, self).__call__(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 517, in __call__
    response = super(jsonserver, self).__call__(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 473, in __call__
    response = self.wsgi_execute(environ)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 400, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 759, in execute
    full_join = self.validate_options(*keys, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 868, in validate_options
    self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 1742, in __init__
    self.__populate_local_domain()
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 1756, in __populate_local_domain
    ld.retrieve(FQDN)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 992, in retrieve
    self.init_lsa_pipe(remote_host)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 891, in init_lsa_pipe
    self._pipe = self.__gen_lsa_connection(binding)                                                                                                                                                                                                                                                                            
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 870, in __gen_lsa_connection
    raise assess_dcerpc_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 179, in assess_dcerpc_error
    traceback.print_stack(file=f)

I've previously captured an strace, but it doesn't seem helpful: https://rharwood.fedorapeople.org/strace

I observe no network traffic on any interface, other than: DNS, STP, SSH, LDAP, and HTTPS (on 443).

Tarball of debug logs with debug level 50: https://rharwood.fedorapeople.org/var_log_samba.tar.gz

Should you reproduce this locally, I have a repo: https://github.com/frozencemetery/ad-testing/ (vagrant up ipaserver, vagrant ssh ipaserver, sudo ./install_trust.sh).

I'm personally at a loss as to how to debug this further.  I don't seem to be able to find where the lsa stuff comes from, and no matter which smbd I attach to with gdb (even all of them), I can't seem to catch the connection.  Is it possible that there is no connection, somehow?

--- Additional comment from Andreas Schneider on 2021-07-14 10:03:57 UTC ---

Error loading module '/usr/lib64/samba/idmap/sss.so': /usr/lib64/samba/idmap/sss.so: cannot open shared object file: No such file or directory

looks like idmap_sss is not installed and it can't allocate IDs ...

--- Additional comment from Alexander Bokovoy on 2021-07-14 10:05:02 UTC ---

sssd-winbind-idmap is missing in IPA dependencies, it looks like.
Comment 1 Florence Blanc-Renaud 2021-07-15 14:30:51 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/24afb10c30577be6092ab699fd7f6eeef9fa62b2
Comment 2 Florence Blanc-Renaud 2021-07-15 16:23:44 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/1a4f459b81bc77cdf233b65f41d0f76dbb5f2fce
Comment 6 Kaleem 2021-07-30 06:26:13 UTC 
Following snippet shows that trust-add is successful in nightly compose (RHEL-9.0.0-20210728.4), based on this info marking it verified

2021-07-30T02:01:17-0400 [ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport] INFO RUN ['ipa', 'trust-add', '--type', 'ad', 'domgkpt.test', '--two-way=true', '--admin', 'Administrator', '--password']
2021-07-30T02:01:17-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG RUN ['ipa', 'trust-add', '--type', 'ad', 'domgkpt.test', '--two-way=true', '--admin', 'Administrator', '--password']
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG -----------------------------------------------------
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG Added Active Directory trust for realm "domgkpt.test"
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG -----------------------------------------------------
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG   Realm name: domgkpt.test
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG   Domain NetBIOS name: DOMGKPT
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG   Domain Security Identifier: S-1-5-21-2108113503-166276962-3801836906
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG   Trust direction: Two-way trust
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG   Trust type: Active Directory domain
2021-07-30T02:02:36-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG   Trust status: Established and verified
2021-07-30T02:02:37-0400 [ipatests.pytest_ipa.integration.host.Host.master.cmd100] DEBUG Exit code: 0


2021-07-30T05:34:08+0000 ok: [master.testrelm.test] => (item=ipa-server) =>
2021-07-30T05:34:08+0000   msg:
2021-07-30T05:34:08+0000   - arch: x86_64
2021-07-30T05:34:08+0000     epoch: null
2021-07-30T05:34:08+0000     name: ipa-server
2021-07-30T05:34:08+0000     release: 4.el9
2021-07-30T05:34:08+0000     source: rpm
2021-07-30T05:34:08+0000     version: 4.9.6