Description of problem:
Can't add a trust to an AD domain in IPA. This is for a trust that's established on other IPA servers for separate test domains already.

# ipa trust-add adlab.qe --admin Administrator --password --type=ad
Active directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741801", message "Memory allocation error" (both may be "None")

Version-Release number of selected component (if applicable):
ipa-server-trust-ad-3.0.0-8.el6.x86_64
samba4-winbind-clients-4.0.0-44.el6.rc4.x86_64
samba4-common-4.0.0-44.el6.rc4.x86_64
samba4-libs-4.0.0-44.el6.rc4.x86_64
samba4-python-4.0.0-44.el6.rc4.x86_64
samba4-4.0.0-44.el6.rc4.x86_64
samba4-client-4.0.0-44.el6.rc4.x86_64
samba4-winbind-4.0.0-44.el6.rc4.x86_64

How reproducible:
unknown. I've only seen this on the one server so far.

Steps to Reproduce:
1. Set up IPA/AD servers
2. ipa-adtrust-install
3. ipa trust-add <AD domain> --admin Administrator --password --type=ad

Actual results:
[root@mgmt8 ~]# ipa trust-add adlab.qe --admin Administrator --password --type=ad
Active directory domain administrator's password:
ipa: ERROR: CIFS server communication error: code "-1073741801", message "Memory allocation error" (both may be "None")

Expected results:
No error and trust is set up correctly.

Additional info:
It would be good to see logs taken from the affected system.
1. Add 'log level = 11' to /usr/share/ipa/smb.conf.empty
2. Retry.
I've seen this error only once, when the AD server wasn't able to resolve the IPA domain. If this is not the case in your setup, maybe the AD server is confused in some other way; maybe a reboot of the AD server helps?
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3266
Created attachment 648789: samba logs

I tried adding log level to the smb.conf.empty, but it didn't seem to change it. So, I just changed it with net conf. This is pretty much all I saw.
No, please follow my request in comment 3. The resulting log is within /var/log/httpd/error_log (i.e. IPA web server log).
Ah, ok, I was looking at the wrong logs. I'll upload that shortly.
Created attachment 648906: http error_log
Comment on attachment 648906: http error_log

Looking at the log I can see that the AD DC never answers back to our attempt to connect to it with the ncacn_np:win2k8r2.adlab.qe[,] connection string (SMB RPC connection, http://msdn.microsoft.com/en-us/library/cc243786%28v=prot.20%29.aspx). It most likely means that it doesn't know how to properly route traffic back to us. Compare this communication with the previous one directed to our own server, starting with "Using binding ncacn_np:mgmt8.ipa2.example.com[,]".
Reopening since we found the cause of the issue. It is a bug in Samba: https://bugzilla.samba.org/show_bug.cgi?id=9618
Re-assign to samba4.
Link to external bugzilla.
Can this bug be closed? Does anything need to be documented?
Speaking of documentation, I think we are fine with regards to FreeIPA documentation: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#hostname-requirements

We already state that the hostname needs to be fully qualified.
(In reply to Ann Marie Rubin from comment #24)
> Can this bug be closed? Does anything need to be documented?

I would prefer to keep this bug open, because it tracks a samba upstream issue which we might want to include in RHEL if fixed upstream. About documentation, maybe Nirupama would like to write a knowledge-base article about how she fixed her setup to get around the issue?
Closing; the known issue has been added to the book.