Hello,

     I've personally been using FreeIPA for some time and I love it immensely. I thought I'd start a post here due to the direction my troubleshooting has gone instead of the Samba mailing list. Allow me to explain what I've done, why I've done it and then the problem I'm having.

     I just recently started working for a school and the school has some Windows labs. A problem that has come to my attention is that the OpenLDAP to Samba3 NT4 domain they've been using for years is no longer compatible with Windows 10. To dispel any illusion, I'm not trying to get the NT4 domain working nice with Windows 10. Additionally Samba4 has changed its design structure such that OpenLDAP, or really any LDAP server except Samba4's internal LDAP server, will no longer work for the Active Directory.

     The school would like the Windows machines in the labs to authenticate students via their OpenLDAP credentials. I am open to alternatives but the closest thing I found was adding local users on each Windows workstation and having them authenticate to the FreeIPA server. The problem here is that users will continually be added and deleted. The Samba project would have us go all in with Samba4's internal LDAP server. While I'm not directly knocking that, since from my testing it seems to be quite functional, the upheaval would be tremendous. Fortunately we were already looking into switching to 389 before I came on so I've been touting the possibility of replacing OpenLDAP with FreeIPA before this Samba4 issue. A solution I thought should work is to use a trust between a FreeIPA (IPA) and a Samba4 Active Directory (AD). I've since configured both and have created that trust.

     I have a Windows 10 machine connected to the Samba4 domain. When I attempt to log on with an account from the IPA domain I am presented with "Insufficient system resources exist to complete the requested service." At first I took this message at face value and increased the memory of the workstation from which I'm trying to log on. There are few results from a Google search about this error that don't focus on local memory. After reading and troubleshooting I believe this failure may be in the Kerberos InitializeSecurityContext function that's producing SEC_E_INSUFFICIENT_MEMORY, specifically on the Windows workstation and seemingly not coming from Samba4 AD.

     A couple of things I've noticed: when I attempt to log in as user@ipa, if the password is wrong Windows tells me my password is incorrect. If I use the correct password I'm presented with that "Insufficient system resources exist to complete the requested service." The Event Viewer only shows me a generic logon error message. When I look at the Kerberos logs on both systems I see on AD 'Realm not local to KDC' and 'No matching key in entry', but on IPA I see 'Additional pre-authentication required', then AS_REQ ISSUE and finally TGS_REQ ISSUE.

     I continued to do a tcpdump on port 88 to see who was directly communicating to the FreeIPA server and I found that the Windows workstation was making a direct Kerberos request. I then expanded my tcpdump to include all traffic from the workstation and upon another logon attempt only port 88 was used to communicate to FreeIPA. I therefore think that this is a Kerberos specific problem and not necessarily a Samba4 problem. Unfortunately I'm not knowledgeable enough in Kerberos to identify what's going on.

     I don't know what information I should present, such as configs or logs. Whatever is needed I can provide. I greatly appreciate any help, advice or potentially other non-management-nightmare solutions! Thank you all very much!

[root@freeipa-dev log]# ipa trustdomain-find ad.school.edu
  Domain name: ad.school.edu
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-276971437-2632767696-819257926
  Domain enabled: True
----------------------------
Number of entries returned 1
----------------------------


--
Vex
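The log sequence the post describes on the IPA side ('Additional pre-authentication required', then AS_REQ ISSUE, then TGS_REQ ISSUE) is exactly what a cross-realm logon should produce on the trusted realm's KDC: a TGT for the user, followed by a TGS_REQ for the cross-realm principal krbtgt/AD-REALM@IPA-REALM. Seeing that third line tells you the IPA KDC finished its part and the next hop is the AD KDC or the client. The script below is an added triage example, not code from the poster or from the FreeIPA project; it parses MIT krb5kdc-style log lines (the log lines, the realm names IPA.SCHOOL.EDU / AD.SCHOOL.EDU, the client IPs and the user names are all constructed for the example) and reports, per client and principal, how far the Kerberos exchange got and whether a cross-realm TGT was issued.

```python
import re
from collections import defaultdict

# Constructed sample lines in MIT krb5kdc log format (not taken from the post).
SAMPLE_LOG = """\
Jan 12 10:00:01 freeipa-dev krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: NEEDED_PREAUTH: vex@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU, Additional pre-authentication required
Jan 12 10:00:01 freeipa-dev krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: ISSUE: authtime 1578823201, etypes {rep=18 tkt=18 ses=18}, vex@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU
Jan 12 10:00:02 freeipa-dev krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.50: ISSUE: authtime 1578823201, etypes {rep=18 tkt=23 ses=18}, vex@IPA.SCHOOL.EDU for krbtgt/AD.SCHOOL.EDU@IPA.SCHOOL.EDU
Jan 12 10:05:10 freeipa-dev krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.51: PREAUTH_FAILED: bob@IPA.SCHOOL.EDU for krbtgt/IPA.SCHOOL.EDU@IPA.SCHOOL.EDU, Preauthentication failed
"""

# One krb5kdc request line: kind, client address, status code, client principal,
# requested service principal and an optional trailing message.  The "authtime ...,
# etypes {...}," prefix only appears on ISSUE lines, hence the optional group.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) \([^)]*\) (?P<client>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?:[^,]*, etypes \{[^}]*\}, )?"
    r"(?P<princ>\S+) for (?P<service>[^,\s]+)(?:, (?P<msg>.*))?$"
)


def cross_realm_target(service, local_realm):
    """Return the foreign realm if `service` is a cross-realm TGT issued by
    `local_realm` (krbtgt/FOREIGN@LOCAL), otherwise None."""
    name, _, realm = service.partition("@")
    if not name.startswith("krbtgt/") or realm != local_realm:
        return None
    target = name[len("krbtgt/"):]
    return target if target != local_realm else None


def analyze(log_text, local_realm):
    """Group KDC events by (client IP, principal) and say how far each logon got."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows[(m.group("client"), m.group("princ"))].append(m.groupdict())

    report = {}
    for key, events in flows.items():
        stages = [f"{e['kind']}:{e['status']}" for e in events]
        foreign = None
        for e in events:
            if e["kind"] == "TGS_REQ" and e["status"] == "ISSUE":
                foreign = cross_realm_target(e["service"], local_realm) or foreign

        if foreign:
            verdict = (f"local KDC finished; cross-realm TGT for {foreign} issued, "
                       f"so the next failure point is the {foreign} KDC or the client")
        elif "AS_REQ:ISSUE" in stages:
            verdict = "TGT issued but no cross-realm TGS seen on this KDC"
        elif any(s.endswith("PREAUTH_FAILED") for s in stages):
            verdict = "pre-authentication failed (wrong password or key mismatch)"
        else:
            verdict = "exchange incomplete on this KDC"
        report[key] = {"stages": stages, "cross_realm_target": foreign, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (client, princ), info in analyze(SAMPLE_LOG, "IPA.SCHOOL.EDU").items():
        print(f"{client} {princ}: {' -> '.join(info['stages'])}")
        print(f"    {info['verdict']}")
```

Run against a real /var/log/krb5kdc.log the script gives a quick per-workstation view of which stage the logon reached on the IPA KDC; a flow that ends at the cross-realm TGS ISSUE line points the investigation at the AD side (the 'No matching key in entry' message there, for instance, concerns the trust key used to decrypt that cross-realm ticket), while a flow that never gets past NEEDED_PREAUTH points at the client.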