On 02/20/2013 09:15 AM, Martin Kosek wrote:
On 02/19/2013 10:19 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 01/24/2013 12:01 PM, Martin Kosek wrote:
When a user tries to perform any action requiring communication with
a trusted domain, the IPA server tries to retrieve a trust secret on his
behalf to be able to establish the connection. This happens, for
example, during the group-add-member command when an external user is
being resolved in the AD.

When the user is not a member of the Trust admins group, the retrieval crashes
and reports an internal error. Catch this exception and rather report
a properly formatted ACIError.


I hit this error after updating to the latest FreeIPA version with the AD CVE


I filed a ticket to not lose this fix and patch. Attaching an updated patch
with the ticket URL in the description.


The patch fixes the problem but the error is untranslated:

     member group: AD\Domain Admins: Insufficient access: Gettext('communication
with trusted domains is allowed for Trusts administrator group members only',
domain='ipa', localedir=None)


I think this is just because this string is not in our ipa.pot file yet (will
be when we do the Transifex refresh).


I don't have AD so I can't investigate, but this problem is usually due to the error being converted to string instead of using the strerror attribute.
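
The failure mode named in the last reply (an error converted to a string instead of read through its `strerror` attribute), as an added example that is not part of the thread and not FreeIPA's own code. `LazyText`, `AccessError`, `fetch_trust_secret` and the two report helpers are simplified hypothetical stand-ins, and the low-level failure is constructed.

```python
MSG = ("communication with trusted domains is allowed for "
       "Trusts administrator group members only")

class LazyText:
    """Hypothetical lazy-translation marker: no __str__, only __repr__."""
    def __init__(self, msg, domain="ipa"):
        self.msg, self.domain = msg, domain
    def __repr__(self):
        return "LazyText(%r, domain=%r)" % (self.msg, self.domain)
    def translate(self, catalog=None):
        # Falls back to the untranslated text when the catalog lacks the entry.
        return (catalog or {}).get(self.msg, self.msg)

class AccessError(Exception):
    """Stand-in for an ACI-style error carrying a rendered strerror."""
    format = "Insufficient access: %(info)s"
    def __init__(self, info, catalog=None):
        super().__init__(info)
        # Render the lazy message before interpolating it into the format.
        text = info.translate(catalog) if isinstance(info, LazyText) else info
        self.strerror = self.format % {"info": text}

def fetch_trust_secret(is_trust_admin):
    """Wrap the low-level denial in a formatted access error."""
    try:
        if not is_trust_admin:
            raise PermissionError("insufficient access")  # constructed failure
        return "secret"
    except PermissionError:
        raise AccessError(LazyText(MSG)) from None

def report_wrong(member, exc):
    # str(exc) falls through to repr() of the lazy object and leaks it.
    return "member group: %s: Insufficient access: %s" % (member, exc)

def report_right(member, exc):
    # strerror was rendered when the exception was built.
    return "member group: %s: %s" % (member, exc.strerror)

if __name__ == "__main__":
    try:
        fetch_trust_secret(False)
    except AccessError as e:
        print(report_wrong("AD\\Domain Admins", e))
        print(report_right("AD\\Domain Admins", e))
```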


Freeipa-devel mailing list