On (01/03/16 12:05), Simo Sorce wrote:
>On Tue, 2016-03-01 at 17:51 +0100, Lukas Slebodnik wrote:
>> On (01/03/16 17:45), Lukas Slebodnik wrote:
>> >On (31/01/16 11:53), Simo Sorce wrote:
>> >>Expired != Disabled
>> >>this change is intentional.
>> >>
>> >Yes, but explain it to Active Directory :-)
>> >
>> >Attached is patch with workaround/hack
>> >regression with expired AD users.
>> >
>> ENOPATCH
>> 
>> LS
>
>I think a better approach is to return the KRBKDC error from the child
>without mapping (or with an intermediate mapping) and have the IPA and
>AD providers map it on their own.
>
It's not related to mapping KRBKDC error codes to internal error codes.
The main problem is that AD returns the same error code for expired
and disabled users. And the AD provider used generic krb5 functions.

BTW the same issue would be with id_provider ldap +
auth_provider = krb5 with AD :-(
I'm not sure how your proposal would help.

LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
