Hi,

the attached patch makes it possible to see why using the trust account to kinit
may have failed against an Active Directory DC. One common error might be
time skew, and there will be no chance to know about that without
actually propagating the error message.

https://fedorahosted.org/freeipa/ticket/3265

With the patch, the following message will be shown:

$ ipa group-add-member adadmins_ext --external=ADX\\Domain\ Admins
[member user]: [member group]: ipa: ERROR: Insufficient access: ad.lan KDC denied trust account for IPA
domain with a message 'kinit: Clock skew too great while getting initial
credentials'

--
/ Alexander Bokovoy
From bc2c4e9cb2595e02b1fd92e64d822459f40bd417 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 27 Nov 2012 20:31:02 +0200
Subject: [PATCH 2/2] Propagate kinit errors with trust account

When using the Global Catalog for resolving users and groups, one needs
to authenticate against the Active Directory DC using GSSAPI. Obtaining
a Kerberos ticket might fail. Make sure the failure message is actually
returned to the user so that a decision can be made about the source
of the issue.

https://fedorahosted.org/freeipa/ticket/3265
---
 ipaserver/dcerpc.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 68b5ad52873753b6c78840c558636c16ea2dd803..8190bf6acd4ac3429ff2d06d2c4592bc46067ab5 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -279,6 +279,10 @@ class DomainValidator(object):
         if returncode == 0:
             return (ccache_name, principal)
         else:
+            if returncode == 1:
+                raise errors.ACIError(
+                   info=_("KDC for %(domain)s denied trust account for IPA 
domain with a message '%(message)s'") %
+                        dict(domain=info['dns_domain'],message=stderr.strip()))
             return (None, None)
 
     def resolve_against_gc(self, domain, name):
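Review bot: Only `returncode == 1` raises; any other non-zero exit from kinit still falls through to `return (None, None)`, so the caller is left without a message, which is exactly the opacity the patch sets out to remove. Since the enclosing `else:` already means the return code is non-zero, raising for every failure (dropping the inner `if returncode == 1:`) would cover all cases. Also, a clock-skew or KDC-unreachable failure is not an access-control decision, so an error class other than `ACIError`, which prefixes the user-visible text with "Insufficient access:", would describe the condition more accurately. Minor style: add a space after the comma in `dict(domain=info['dns_domain'],message=stderr.strip())`.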
-- 
1.8.0
