RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1982211 - ipa-trust-add fails with "not enough quota"
Summary: ipa-trust-add fails with "not enough quota"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: ---
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta
: ---
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On: 1970168
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-07-14 12:48 UTC by Petr Čech
Modified: 2021-11-10 00:01 UTC (History)
26 users (show)

Fixed In Version: idm-client-8050020210715144943.de73ecb2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1970168
Environment:
Last Closed: 2021-11-09 18:29:52 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 8923 0 None None None 2021-07-14 14:42:13 UTC
Red Hat Issue Tracker FREEIPA-7263 0 None None None 2021-11-09 10:03:59 UTC
Red Hat Product Errata RHBA-2021:4230 0 None None None 2021-11-09 18:30:16 UTC

Description Petr Čech 2021-07-14 12:48:17 UTC 
+++ This bug was initially created as a clone of Bug #1970168 +++

[root@ipaserver ~]# echo "vagrant" | ipa trust-add --type=ad ad.test --admin vagrant --password --two-way=true
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")
[root@ipaserver ~]# 

Injecting a stack print, the callsite is:

  File "/usr/share/ipa/wsgi.py", line 59, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 296, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 308, in route
    return app(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 917, in __call__
    response = super(jsonserver_session, self).__call__(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 517, in __call__
    response = super(jsonserver, self).__call__(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 473, in __call__
    response = self.wsgi_execute(environ)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 400, in wsgi_execute
    result = command(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 471, in __call__
    return self.__do_call(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 499, in __do_call
    ret = self.run(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipalib/frontend.py", line 821, in run
    return self.execute(*args, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 759, in execute
    full_join = self.validate_options(*keys, **options)
  File "/usr/lib/python3.9/site-packages/ipaserver/plugins/trust.py", line 868, in validate_options
    self.trustinstance = ipaserver.dcerpc.TrustDomainJoins(self.api)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 1742, in __init__
    self.__populate_local_domain()
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 1756, in __populate_local_domain
    ld.retrieve(FQDN)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 992, in retrieve
    self.init_lsa_pipe(remote_host)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 891, in init_lsa_pipe
    self._pipe = self.__gen_lsa_connection(binding)                                                                                                                                                                                                                                                                            
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 870, in __gen_lsa_connection
    raise assess_dcerpc_error(e)
  File "/usr/lib/python3.9/site-packages/ipaserver/dcerpc.py", line 179, in assess_dcerpc_error
    traceback.print_stack(file=f)

I've previously captured an strace, but it doesn't seem helpful: https://rharwood.fedorapeople.org/strace

I observe no network traffic on any interface, other than: DNS, STP, SSH, LDAP, and HTTPS (on 443).

Tarball of debug logs with debug level 50: https://rharwood.fedorapeople.org/var_log_samba.tar.gz

Should you reproduce this locally, I have a repo: https://github.com/frozencemetery/ad-testing/ (vagrant up ipaserver, vagrant ssh ipaserver, sudo ./install_trust.sh).

I'm personally at a loss as to how to debug this further.  I don't seem to be able to find where the lsa stuff comes from, and no matter which smbd I attach to with gdb (even all of them), I can't seem to catch the connection.  Is it possible that there is no connection, somehow?

--- Additional comment from Andreas Schneider on 2021-07-14 10:03:57 UTC ---

Error loading module '/usr/lib64/samba/idmap/sss.so': /usr/lib64/samba/idmap/sss.so: cannot open shared object file: No such file or directory

looks like idmap_sss is not installed and it can't allocate IDs ...

--- Additional comment from Alexander Bokovoy on 2021-07-14 10:05:02 UTC ---

sssd-winbind-idmap is missing in IPA dependencies, it looks like.
Comment 1 Florence Blanc-Renaud 2021-07-15 14:29:44 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/24afb10c30577be6092ab699fd7f6eeef9fa62b2
Comment 5 Florence Blanc-Renaud 2021-07-15 16:23:34 UTC 
Fixed upstream
ipa-4-9:
https://pagure.io/freeipa/c/1a4f459b81bc77cdf233b65f41d0f76dbb5f2fce
Comment 9 anuja 2021-08-06 06:47:54 UTC 
Following test with trust-add is successful in nightly compose 

1: Test result.txt
test_integration/test_smb.py::TestSMB::test_samba_uninstallation_without_installation PASSED [  6%]

2: runner log
2021-08-06T06:04:07+0000 ok: [master.testrelm.test] => (item=ipa-server) => 
2021-08-06T06:04:07+0000   msg:
2021-08-06T06:04:07+0000   - arch: x86_64
2021-08-06T06:04:07+0000     epoch: null
2021-08-06T06:04:07+0000     name: ipa-server
2021-08-06T06:04:07+0000     release: 4.module+el8.5.0+11912+1b4496cf
2021-08-06T06:04:07+0000     source: rpm
2021-08-06T06:04:07+0000     version: 4.9.6

3: sssd-winbind-idmap-2.5.2-2.el8.x86_64 is also part of nightly compose.

based on this marking it verified.
Comment 12 errata-xmlrpc 2021-11-09 18:29:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4230
Note You need to log in before you can comment on or make changes to this bug.