Alexander Bokovoy wrote:
Hi,
attached patch makes possible to see why using trust account to kinit
may have failed against Active Directory DC. One common error might be
time skew and there will be no chance to know about that without
actually propagating the error message.
https://fedorahosted.org/freeipa/ticket/3265
With the patch following message will be shown:
$ ipa group-add-member adadmins_ext --external=ADX\\Domain\ Admins
[member user]: [member group]: ipa: ERROR: Insufficient access: ad.lan
KDC denied trust account for IPA
domain with a message 'kinit: Clock skew too great while getting initial
credentials'
ACK, pushed to master and ipa-3-0
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
