Univention Bugzilla – Bug 41247
connector.samr.OpenUser: Insufficient system resources exist to complete the API.
Last modified: 2016-09-21 20:11:18 CEST
At Ticket #2016042621000438 we had the case where the AD Connector failed to set the password in AD for some of the users during user import (yes, it's a school environment with a peculiar AD-Sync setup). The AD-Connector used the method introduced via Bug 40745. A typical traceback looked like this:
=========================================================================
09.05.2016 10:35:54,24 LDAP (PROCESS): sync from ucs: [ user] [ add] cn=schueler1,cn=schueler,cn=users,ou="$school","$connector_ad_ldap_basedn"
09.05.2016 10:35:54,97 LDAP (WARNING): sync failed, saved as rejected
09.05.2016 10:35:54,98 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/connector/__init__.py", line 733, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn))):
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 2358, in sync_from_ucs
    f(self, property_type, object)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 287, in password_sync_ucs
    res = set_password_in_ad(connector, object['attributes']['sAMAccountName'][0], pwd)
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/password.py", line 139, in set_password_in_ad
    user_handle = connector.samr.OpenUser(connector.dom_handle, security.SEC_FLAG_MAXIMUM_ALLOWED, rid)
RuntimeError: (-1073741670, 'Insufficient system resources exist to complete the API.')
=========================================================================
After restarting the AD Connector the rejects resolved, so I guess that it might be a timeout issue (or other limit) for the SAMR RPC session. We should detect this and retry.
After all this the majority of synchronized user accounts were still disabled in AD (userAccountControl: 546). No clue if this is related or just accidental. I fixed it manually with a small shell script.
Seems that 'Insufficient system resources exist to complete the API.' indicates a hardware/Windows kernel failure:
http://mikemstech.blogspot.de/2011/12/troubleshooting-0x0000007a.html
this one says - error code that indicates serious file system corruption
https://support.microsoft.com/en-us/kb/909095
here it is a Windows kernel power manager problem
http://answers.microsoft.com/en-us/windows/forum/windows8_1-hardware/this-device-cannot-start-code-10-insufficient/4d84d097-2da5-4701-bdcf-04c5b02cd2a9
driver issue here
...
So I guess if this error pops up there are some serious Windows kernel/hardware issues involved, nothing we can do about it.
I also checked if the AD connector can sync passwords after a restart of Windows (ucs/windows running, connector start and samr connection initialized, sync ok, restart windows, sync OK).
It is still suspicious though that the sync in the customer environment worked after restarting the connector.
(In reply to Felix Botner from comment #1)
> It is still suspicious though that the sync in the customer environment
> worked after restarting the connector.
But that could be a client side issue, for example a timeout issue. Do we have more debug?
How much time has passed from the first password sync in this connector session?
How much time has passed from the last password sync in this connector session?
Created attachment 7670 [details] lsass.exe
Seems that the lsass.exe on the AD continuously increases during:
(PROCESS): sync from ucs: [ user] [ add] dn-xy
See attached screenshot (the actual load is low but continuously increases!). A restart of the univention-ad-connector decreases the load of the lsass.exe
I guess you are referring to the number of threads? Ok, this might lead to "Insufficient system resources". Probably we need to close the connection(s) properly. This is what the old pwdump6/LsaExt.c did:
===========================================================
if (hPipe != NULL && hPipe != INVALID_HANDLE_VALUE)
    CloseHandle(hPipe);
if(hUser)
    pSamrCloseHandle(&hUser);
if(hDomain)
    pSamrCloseHandle(&hDomain);
if(hSam)
    pSamrCloseHandle(&hSam);
if(hLsa)
    LsaClose(hLsa);
===========================================================
Created attachment 7672 [details] untested patch for univention-ad-connector (4.1-2)
I would prefer to close only the user_handle (not self.dom_handle and self.samr_handle) in set_password_in_ad. I think this global samr connection was introduced with regard to the resource consumption of the local samba daemon. See Bug #40745.
Opinions?
No objections, we can just go ahead and test. Would be great if a minimal adjustment would avoid the issue.
univention-ad-connector r69844
* connector.samr.Close(user_handle) after password sync to ad
univention-ad-connector.yaml
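
The handle leak discussed in this bug and the effect of closing the user handle, as an added example that is not the connector's own code. `FakeSamr` is a constructed stand-in for the SAMR pipe with an assumed limit of 100 open handles per session; `set_password_leaky`, `set_password_closing`, `run_import` and `apply_password` are hypothetical names.

```python
# Added example: FakeSamr is a constructed stand-in, not the samba bindings.
# NTSTATUS 0xC000009A as a signed 32-bit value, the code seen in the traceback.
STATUS_INSUFFICIENT_RESOURCES = -1073741670

class FakeSamr:
    """Server stand-in that refuses OpenUser once too many handles are open."""
    def __init__(self, max_handles):
        self.max_handles = max_handles  # assumed limit; real server limits differ
        self.open_handles = set()
        self._next = 0

    def OpenUser(self, dom_handle, access_mask, rid):
        if len(self.open_handles) >= self.max_handles:
            raise RuntimeError(STATUS_INSUFFICIENT_RESOURCES,
                               'Insufficient system resources exist to complete the API.')
        self._next += 1
        self.open_handles.add(self._next)
        return self._next

    def Close(self, handle):
        self.open_handles.discard(handle)

def set_password_leaky(samr, dom_handle, rid, apply_password):
    """Shape before the fix: the per-user handle is never closed."""
    user_handle = samr.OpenUser(dom_handle, 0, rid)  # 0: placeholder access mask
    apply_password(user_handle)

def set_password_closing(samr, dom_handle, rid, apply_password):
    """Shape after the fix: Close(user_handle) runs even if the password call fails."""
    user_handle = samr.OpenUser(dom_handle, 0, rid)
    try:
        apply_password(user_handle)
    finally:
        samr.Close(user_handle)

def run_import(set_password, users, max_handles=100):
    """Sync `users` accounts over one long-lived session.

    Returns (number of rejects, handles still open on the server)."""
    samr, rejects = FakeSamr(max_handles), 0
    for rid in range(1000, 1000 + users):
        try:
            set_password(samr, 'dom', rid, lambda handle: None)
        except RuntimeError as exc:
            if exc.args[0] != STATUS_INSUFFICIENT_RESOURCES:
                raise
            rejects += 1  # the connector would save this object as rejected
    return rejects, len(samr.open_handles)
```

With 250 constructed users, `run_import(set_password_leaky, 250)` rejects every user after the first 100 and leaves 100 handles open, while `run_import(set_password_closing, 250)` rejects none and leaves none open.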
Code review: OK
Jenkins tests: OK (http://jenkins.knut.univention.de:8080/job/UCS-4.1/job/UCS-4.1-2/job/ADConnectorMultiEnv/7/)
Manual tests: OK
YAML: OK (r69933 s/AD/Active Directory)
<http://errata.software-univention.de/ucs/4.1/197.html>