On 02/20/2013 07:25 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 02/20/2013 12:30 PM, Petr Viktorin wrote:
>>> On 02/20/2013 09:15 AM, Martin Kosek wrote:
>>>> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>>>>> When a user tries to perform any action requiring communication with
>>>>>>> a trusted domain, the IPA server tries to retrieve a trust secret on his
>>>>>>> behalf to be able to establish the connection. This happens, for
>>>>>>> example, during the group-add-member command when an external user is
>>>>>>> being resolved in the AD.
>>>>>>>
>>>>>>> When the user is not a member of the Trust admins group, the retrieval
>>>>>>> crashes and reports an internal error. Catch this exception and rather
>>>>>>> report a properly formatted ACIError.
>>>>>>>
>>>>>>> ----
>>>>>>>
>>>>>>> I hit this error after updating to the latest FreeIPA version with the
>>>>>>> AD CVE fixed.
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>
>>>>>> I filed a ticket to not lose this fix and patch. Attaching an updated
>>>>>> patch with ticket URL in description.
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>
>>>>>
>>>>> The patch fixes the problem but the error is untranslated:
>>>>>
>>>>>       member group: AD\Domain Admins: Insufficient access: Gettext('communication with trusted domains is allowed for Trusts administrator group members only', domain='ipa', localedir=None)
>>>>>
>>>>> rob
>>>>
>>>> I think this is just because this string is not in our ipa.pot file yet
>>>> (will be when we do Transifex refresh).
>>>>
>>>> Martin
>>>>
>>>
>>> I don't have AD so I can't investigate, but this problem is usually due to
>>> the error being converted to string instead of using the strerror attribute.
>>>
>>
>> You are right, attaching a patch which fixes it for group-add-member. But
>> just using a quick grep, I see we do not use strerror in a lot of other
>> places; we may want to open a ticket to fix that too.
>>
>> Martin
>>
> 
> ACK, pushed to master and ipa-3-1
> 
> I think another ticket for your grep findings would be a good idea.
> 
> rob

Ok, here it is:
https://fedorahosted.org/freeipa/ticket/3445

Martin
