On (01/03/16 18:28), Simo Sorce wrote:
>On Tue, 2016-03-01 at 18:22 -0500, Simo Sorce wrote:
>> On Tue, 2016-03-01 at 22:34 +0100, Lukas Slebodnik wrote:
>> > On (01/03/16 12:05), Simo Sorce wrote:
>> > >On Tue, 2016-03-01 at 17:51 +0100, Lukas Slebodnik wrote:
>> > >> On (01/03/16 17:45), Lukas Slebodnik wrote:
>> > >> >On (31/01/16 11:53), Simo Sorce wrote:
>> > >> >>Expired != Disabled
>> > >> >>this change is intentional.
>> > >> >>
>> > >> >Yes, but explain it to Active Directory :-)
>> > >> >
>> > >> >Attached is a patch with workaround/hack for the
>> > >> >regression with expired AD users.
>> > >> >
>> > >> ENOPATCH
>> > >>
>> > >> LS
>> > >
>> > >I think a better approach is to return the KRBKDC error from the child
>> > >without mapping (or with an intermediate mapping) and have the IPA and
>> > >AD providers map it on their own.
>> > >
>> > It's not related to mapping KRBKDC error codes to internal error codes.
>> > The main problem is that AD returns the same error code for expired
>> > and disabled users. And the AD provider uses generic krb5 functions.
>> >
>> > BTW the same issue would be with id_provider = ldap +
>> > auth_provider = krb5 with AD :-(
>> > I'm not sure how your proposal would help.
>>
>> I think AD returns additional information in edata, maybe we can use
>> that to do the proper mapping in the generic krb5 code.
>>
>> Absence of AD specific edata would indicate MIT mapping, presence would
>> allow us to use that additional data to figure out the correct mapping.
>>
>> Simo.
>>
>
>See MS-KILE[1] 2.2.1, I bet the two conditions return two different
>Windows-style errors in etext (not edata, sorry).
>
>[1] https://msdn.microsoft.com/en-us/library/cc233855.aspx
>
Interesting idea and it seems to work.
The main difference was in time and the last octet string.

* response for expired user [2]
  the last octet string in ASN: 930100C00000000001000000

* response for disabled user [3]
  the last octet string in ASN: 720000C00000000001000000

The only question is how to get etext from the krb5 response.
I do not want to implement an ASN.1 parser.

LS

[1] https://msdn.microsoft.com/en-us/library/cc233855.aspx
[2] http://www.lapo.it/asn1js/#7E753073A003020105A10302011EA411180F32303136303330323133323533355AA50502030D327DA603020112A90C1B0A5353534441442E434F4DAA1F301DA003020102A11630141B066B72627467741B0A5353534441442E434F4DAC1904173015A103020103A20E040C930100C00000000001000000
[3] http://www.lapo.it/asn1js/#7E753073A003020105A10302011EA411180F32303136303330323132313734365AA50502030E0586A603020112A90C1B0A5353534441442E434F4DAA1F301DA003020102A11630141B066B72627467741B0A5353534441442E434F4DAC1904173015A103020103A20E040C720000C00000000001000000

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
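The following is an added example, not code from the thread or from SSSD. It decodes the two KRB-ERROR dumps linked above ([2] and [3]) with a minimal DER walker: the Windows status is carried in the KRB-ERROR e-data field [12] (tag AC in both dumps), as a KERB-ERROR-DATA whose data-type is 3 (KERB_ERR_TYPE_EXTENDED) and whose data-value is a 12-byte KERB-EXT-ERROR (status, reserved, flags, little-endian). Both responses carry error-code 18, which RFC 4120 names KDC_ERR_CLIENT_REVOKED, so only the NTSTATUS tells expired from disabled. The NTSTATUS names are taken from MS-ERREF; the function names and the fallback-to-generic-mapping logic are this example's own, and it says nothing about how to reach the e-data through the krb5 library API.

```python
import struct

# Constructed input: the two KRB-ERROR responses from the thread, hex copied verbatim.
EXPIRED_USER_KRB_ERROR = bytes.fromhex(
    "7E753073A003020105A10302011EA411180F32303136303330323133323533355A"
    "A50502030D327DA603020112A90C1B0A5353534441442E434F4DAA1F301DA003020102"
    "A11630141B066B72627467741B0A5353534441442E434F4DAC1904173015A103020103"
    "A20E040C930100C00000000001000000"
)
DISABLED_USER_KRB_ERROR = bytes.fromhex(
    "7E753073A003020105A10302011EA411180F32303136303330323132313734365A"
    "A50502030E0586A603020112A90C1B0A5353534441442E434F4DAA1F301DA003020102"
    "A11630141B066B72627467741B0A5353534441442E434F4DAC1904173015A103020103"
    "A20E040C720000C00000000001000000"
)

KDC_ERR_CLIENT_REVOKED = 18      # RFC 4120 error-code seen in both dumps
KERB_ERR_TYPE_EXTENDED = 3       # MS-KILE 2.2.1 data-type for KERB-EXT-ERROR

# NTSTATUS values per MS-ERREF (only the ones relevant to account state).
NTSTATUS_NAMES = {
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}


def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos].
    Handles short- and long-form lengths; single-byte tags are enough here."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield the (tag, value) pairs packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        yield tag, child


def der_field(seq, ctx_tag):
    """Find explicitly tagged field [ctx_tag] in a SEQUENCE body and unwrap it.
    Returns (inner_tag, inner_value) or None when the optional field is absent."""
    for tag, value in der_children(seq):
        if tag == 0xA0 | ctx_tag:           # context-specific, constructed
            inner_tag, inner_value, _ = der_tlv(value)
            return inner_tag, inner_value
    return None


def parse_krb_error(raw):
    """Return (error-code, e-data bytes or None) from a DER KRB-ERROR (APPLICATION 30)."""
    tag, body, _ = der_tlv(raw)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR")
    seq_tag, seq, _ = der_tlv(body)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    error_code = int.from_bytes(der_field(seq, 6)[1], "big", signed=True)
    edata = der_field(seq, 12)
    return error_code, (edata[1] if edata else None)


def kerb_ext_error_status(e_data):
    """Decode KERB-ERROR-DATA; return the NTSTATUS from a KERB-EXT-ERROR payload,
    or None when the e-data is not shaped that way (non-AD KDC, other data-type)."""
    try:
        seq_tag, seq, _ = der_tlv(e_data)
        if seq_tag != 0x30:
            return None
        data_type = int.from_bytes(der_field(seq, 1)[1], "big", signed=True)
        data_value = der_field(seq, 2)
        if data_type != KERB_ERR_TYPE_EXTENDED or data_value is None:
            return None
        if len(data_value[1]) != 12:
            return None
        status, _reserved, _flags = struct.unpack("<III", data_value[1])
        return status
    except (IndexError, TypeError, struct.error):
        return None


def classify(raw):
    """Refine the generic Kerberos error with AD's NTSTATUS when one is present.
    Returns (error_code, ntstatus or None, name or None); a None status means
    "fall back to the generic MIT mapping", as suggested in the thread."""
    error_code, e_data = parse_krb_error(raw)
    status = kerb_ext_error_status(e_data) if e_data else None
    if status is None:
        return error_code, None, None
    return error_code, status, NTSTATUS_NAMES.get(status, "unknown NTSTATUS 0x%08X" % status)


if __name__ == "__main__":
    for label, blob in (("expired", EXPIRED_USER_KRB_ERROR), ("disabled", DISABLED_USER_KRB_ERROR)):
        print(label, classify(blob))
```

The decision rule mirrors the proposal in the thread: only a well-formed KERB-EXT-ERROR (data-type 3, exactly 12 bytes) is allowed to override the generic mapping, so a non-AD KDC, or AD sending a different data-type, still ends up on the MIT interpretation of error-code 18 rather than on a misread status word.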