ipa-sidgen-task failing, can't make trust work
by Francis Augusto Medeiros-Logeay
Hi,
I am trying to establish a trust between my FreeIPA and AD.
I ran ipa-ad-trust-install, and chose yes to everything, including running the sidgen-task.
I then ran the `ipa trust-add` command, and got this error:
```
ipa: ERROR: CIFS server communication error: code "3221225495", message "{Not Enough Quota} Not enough virtual memory or paging file quota is available to complete the specified operation." (both may be "None")
```
Investigating the issue, I noticed that only my admin user has a SID (ipaNTTrustedDomainSID), and that the `samba` service is not running precisely because of that:
```
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: GSSAPI client step 2
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737482, 0, pid=8660] ipa_sam.c:4211(get_fallback_group_sid)
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Missing mandatory attribute ipaNTSecurityIdentifier.
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737537, 0, pid=8660] ipa_sam.c:5182(pdb_init_ipasam)
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: Cannot find SID of fallback group.
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: [2022/04/03 18:03:02.737556, 0, pid=8660] ../../source3/passdb/pdb_interface.c:179(mak>
Apr 03 18:03:02 free.ipa.med-lo smbd[8660]: pdb backend ipasam:ldapi://%2fvar%2frun%2fslapd-IPA-MYDOMAIN.socket did not correctly i>
Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Main process exited, code=exited, status=1/FAILURE
Apr 03 18:03:02 free.ipa.med-lo systemd[1]: smb.service: Failed with result 'exit-code'.
```
I do have a default SMB group, but it doesn't have a SID:
```
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=mydomain
Group name: Default SMB Group
Description: Fallback group for primary group RID, do not add users to this group
GID: 1987100500
ipauniqueid: a4cbcef2-9671-11ec-bbb5-000c29945382
objectclass: top, ipaobject, posixgroup
```
I realized that the ipa-sidgen-task failed:
```
[03/Apr/2022:18:02:54.670826769 +0200] - ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
[03/Apr/2022:18:02:54.671439501 +0200] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 140]: Failed to get ID ranges.
```
and
```
ipaserver.install.service: CRITICAL Failed to load ipa-sidgen-task-run.ldif: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
ipaserver.install.adtrustinstance: WARNING Exception occured during SID generation: CalledProcessError(Command ['/usr/bin/ldapmodify', '-v', '-f', '/tmp/tmp_d3svukt', '-H', 'ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket', '-Y', 'EXTERNAL'] returned non-zero exit status 1: 'ldap_initialize( ldapi://%2Frun%2Fslapd-IPA-MYDOMAIN.socket/??base )\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nldap_add: Operations error (1)\n')
```
Could anyone help me with this? I don't know how to generate these SIDs, and I got stuck. Worse: my ipa won't start without the --ignore-service-failures, as smb is refusing to start.
Best,
Francis
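A quick consistency check that can be run over an LDIF export of the ID ranges and the fallback group before re-running the sidgen task. This is an added example, not part of Francis's post or FreeIPA's own code; it assumes (from the options `ipa idrange-add` takes for that range type) that an ipa-local range needs ipaBaseID, ipaIDRangeSize, ipaBaseRID and ipaSecondaryBaseRID, and that smbd needs ipaNTSecurityIdentifier on the Default SMB Group, as the smbd log above states. The sample entries are constructed.

```python
# Constructed sample, not taken from the post: the post's Default SMB Group as
# raw LDIF, plus two invented idrange entries (one incomplete, one complete).
SAMPLE_LDIF = """\
dn: cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=mydomain
gidNumber: 1987100500
objectClass: posixgroup

dn: cn=EXAMPLE_incomplete_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain
objectClass: ipaIDrange
ipaBaseID: 1987000000
ipaIDRangeSize: 200000
ipaRangeType: ipa-local

dn: cn=EXAMPLE_complete_range,cn=ranges,cn=etc,dc=ipa,dc=mydomain
objectClass: ipaIDrange
ipaBaseID: 10000
ipaIDRangeSize: 1000
ipaBaseRID: 1000
ipaSecondaryBaseRID: 100000000
ipaRangeType: ipa-local
"""

# Assumption: attributes an ipa-local range must carry for SID generation,
# mirroring what `ipa idrange-add` requires for that range type.
LOCAL_RANGE_ATTRS = ("ipabaseid", "ipaidrangesize", "ipabaserid", "ipasecondarybaserid")

def parse_ldif(text):
    """Minimal LDIF parser: blank lines separate entries; attribute names lower-cased."""
    entries = [{}]
    for line in text.splitlines():
        if not line.strip():
            if entries[-1]:
                entries.append({})
            continue
        attr, _, value = line.partition(":")
        entries[-1].setdefault(attr.strip().lower(), []).append(value.strip())
    return [e for e in entries if e]

def find_problems(entries):
    """Return (dn, reason) pairs for entries that would stop sidgen or smbd."""
    problems = []
    for e in entries:
        dn = e["dn"][0]
        is_local_range = "ipaidrange" in {c.lower() for c in e.get("objectclass", [])} \
            and e.get("iparangetype") == ["ipa-local"]
        missing = [a for a in LOCAL_RANGE_ATTRS if a not in e]
        if is_local_range and missing:
            problems.append((dn, "ipa-local range missing " + ", ".join(missing)))
        if dn.lower().startswith("cn=default smb group,") and "ipantsecurityidentifier" not in e:
            problems.append((dn, "fallback group has no ipaNTSecurityIdentifier (SID)"))
    return problems
```

Feed it the output of an `ldapsearch -LLL` over `cn=ranges,cn=etc,<suffix>` plus the group entry instead of the constructed sample; entries it flags are the ones to fix before running ipa-sidgen-task again.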