Bug 878168 - ipa trust-add fails with CIFS server communication error: code
Summary: ipa trust-add fails with CIFS server communication error: code
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: Documentation
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Eliska Slobodova
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-11-19 19:22 UTC by Scott Poore
Modified: 2018-12-01 15:56 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
If configured, the Active Directory (AD) DNS server returns IPv4 and IPv6 addresses of an AD server. If the FreeIPA server cannot connect to the AD server with an IPv6 address, running the ipa trust-add command will fail even if it would be possible to use IPv4. To work around this problem, add the IPv4 address of the AD server to the /etc/hosts file. In this case, the FreeIPA server will use only the IPv4 address and executing ipa trust-add will be successful.
Clone Of:
Environment:
Last Closed: 2013-06-26 12:09:49 UTC


Attachments
samba logs (202.52 KB, application/octet-stream)
2012-11-20 20:08 UTC, Scott Poore
http error_log (23.79 KB, application/octet-stream)
2012-11-20 22:45 UTC, Scott Poore


Links
System ID Priority Status Summary Last Updated
Samba Project 9618 None None None 2019-06-20 11:05:15 UTC

Description Scott Poore 2012-11-19 19:22:54 UTC
Description of problem:

Can't add a trust to an AD domain in IPA.  This is for a trust that's established on other IPA servers for separate test domains already.

# ipa trust-add adlab.qe --admin Administrator --password --type=ad
Active directory domain administrator's password: 
ipa: ERROR: CIFS server communication error: code "-1073741801",
                  message "Memory allocation error" (both may be "None")


Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.0.0-8.el6.x86_64
samba4-winbind-clients-4.0.0-44.el6.rc4.x86_64
samba4-common-4.0.0-44.el6.rc4.x86_64
samba4-libs-4.0.0-44.el6.rc4.x86_64
samba4-python-4.0.0-44.el6.rc4.x86_64
samba4-4.0.0-44.el6.rc4.x86_64
samba4-client-4.0.0-44.el6.rc4.x86_64
samba4-winbind-4.0.0-44.el6.rc4.x86_64


How reproducible:
unknown. I've only seen this on the one server so far.

Steps to Reproduce:
1.  Set up IPA/AD servers
2.  ipa-adtrust-install
3.  ipa trust-add <AD domain> --admin Administrator --password --type=ad
  
Actual results:


[root@mgmt8 ~]# ipa trust-add adlab.qe --admin Administrator --password --type=ad
Active directory domain administrator's password: 
ipa: ERROR: CIFS server communication error: code "-1073741801",
                  message "Memory allocation error" (both may be "None")

Expected results:

No error and trust is set up correctly.

Additional info:

Comment 3 Alexander Bokovoy 2012-11-20 09:59:25 UTC
It would be good to see logs taken from the affected system.

1. Add 'log level = 11' to /usr/share/ipa/smb.conf.empty
2. Retry.

Comment 4 Sumit Bose 2012-11-20 11:54:35 UTC
I've seen this error only once, when the AD server wasn't able to resolve the IPA domain. If this is not the case in your setup, maybe the AD server is confused in some other way; maybe a reboot of the AD server helps?

Comment 5 Rob Crittenden 2012-11-20 13:10:53 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3266

Comment 6 Scott Poore 2012-11-20 20:08:08 UTC
Created attachment 648789 [details]
samba logs

I tried adding log level to the smb.conf.empty, but it didn't seem to change it.  So, I just changed it with net conf.

This is pretty much all I saw.

Comment 7 Alexander Bokovoy 2012-11-20 21:36:41 UTC
No, please follow my request in comment 3. The resulting log is within /var/log/httpd/error_log (i.e. IPA web server log).

Comment 8 Scott Poore 2012-11-20 22:44:44 UTC
Ah, ok, I was looking at the wrong logs.  I'll upload that shortly.

Comment 9 Scott Poore 2012-11-20 22:45:14 UTC
Created attachment 648906 [details]
http error_log

Comment 10 Alexander Bokovoy 2012-11-21 05:52:07 UTC
Comment on attachment 648906 [details]
http error_log

Looking at the log I can see that the AD DC never answers back to our attempt to connect to it with the ncacn_np:win2k8r2.adlab.qe[,] connection string (SMB RPC connection, http://msdn.microsoft.com/en-us/library/cc243786%28v=prot.20%29.aspx).

It most likely means that it doesn't know how to properly route traffic back to us. Compare this communication with the previous one directed to our own server, starting with "Using binding ncacn_np:mgmt8.ipa2.example.com[,]".

Comment 11 Alexander Bokovoy 2013-02-18 09:58:37 UTC
Reopening since we found the cause of the issue. It is a bug in Samba: https://bugzilla.samba.org/show_bug.cgi?id=9618

Comment 12 Alexander Bokovoy 2013-02-18 09:59:17 UTC
Re-assign to samba4.

Comment 13 Alexander Bokovoy 2013-02-18 10:00:00 UTC
Link to external bugzilla.

Comment 24 Ann Marie Rubin 2013-05-28 19:19:24 UTC
Can this bug be closed?  Does anything need to be documented?

Comment 25 Martin Kosek 2013-05-29 06:59:25 UTC
Speaking of documentation, I think we are fine with regards to FreeIPA documentation:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#hostname-requirements

We already state that the hostname needs to be fully qualified.

Comment 26 Sumit Bose 2013-05-29 07:11:01 UTC
(In reply to Ann Marie Rubin from comment #24)
> Can this bug be closed?  Does anything need to be documented?

I would prefer to keep this bug open, because it tracks a samba upstream issue which we might want to include in RHEL if fixed upstream.

About documentation, maybe Nirupama would like to write a knowledge-base article about how she fixed her setup to get around the issue?

Comment 27 Eliska Slobodova 2013-06-26 12:09:49 UTC
Closing; the known issue has been added to the book.
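
The known issue recorded in the Doc Text above can be checked from the IPA server before retrying ipa trust-add. The following is an added example, not code from this bug report or from FreeIPA or Samba: it lists the addresses the resolver returns for the AD DC, probes each one, flags the case where IPv6 is unreachable while IPv4 works, and produces the /etc/hosts line for the workaround. Assumptions: TCP port 445 as the probe target, all function names, and the constructed documentation addresses 192.0.2.10 and 2001:db8::10; win2k8r2.adlab.qe is the DC name quoted in comment 10.

```python
import socket

SMB_PORT = 445  # assumption: probe SMB over TCP, the transport under ncacn_np

def ntstatus_hex(code):
    """Render the signed code printed by ipa as an unsigned 32-bit NTSTATUS."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def resolve(host, getaddrinfo=socket.getaddrinfo):
    """Unique (family, address) pairs the local resolver returns for host."""
    infos = getaddrinfo(host, SMB_PORT, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({(fam, sockaddr[0]) for fam, _, _, _, sockaddr in infos})

def tcp_reachable(family, addr, timeout=3.0):
    """True if a TCP connection to addr:445 succeeds within the timeout."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, SMB_PORT))
        return True
    except OSError:
        return False
    finally:
        sock.close()

def diagnose(host, getaddrinfo=socket.getaddrinfo, probe=tcp_reachable):
    """Flag the known issue: AAAA answer unreachable while IPv4 works."""
    results = [(fam, addr, probe(fam, addr))
               for fam, addr in resolve(host, getaddrinfo)]
    v4_ok = [a for f, a, ok in results if f == socket.AF_INET and ok]
    v6_bad = [a for f, a, ok in results if f == socket.AF_INET6 and not ok]
    affected = bool(v4_ok and v6_bad)
    # Workaround from the Doc Text: pin the IPv4 address in /etc/hosts.
    hosts_line = "%s\t%s" % (v4_ok[0], host) if affected else None
    return {"results": results, "affected": affected, "hosts_line": hosts_line}

if __name__ == "__main__":
    # Constructed resolver answer and probe (documentation address ranges),
    # so the demo runs offline; drop both arguments to query the real network.
    def fake_getaddrinfo(host, port, family, socktype):
        return [(socket.AF_INET6, socktype, 6, "", ("2001:db8::10", port, 0, 0)),
                (socket.AF_INET, socktype, 6, "", ("192.0.2.10", port))]
    report = diagnose("win2k8r2.adlab.qe", fake_getaddrinfo,
                      lambda fam, addr: fam == socket.AF_INET)
    print(ntstatus_hex(-1073741801), report["affected"], report["hosts_line"])
```

The code "-1073741801" from the error message renders as 0xC0000017, the NTSTATUS value for a memory allocation failure, which matches the message text ipa prints.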

