summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTomas Babej <tbabej@redhat.com>2015-07-15 15:38:50 +0200
committerPetr Vobornik <pvoborni@redhat.com>2015-07-21 19:10:06 +0200
commit1299c60a83ccaf669abd74d35845f8c321e4ed5e (patch)
treef7d587dec21d0a83ed0a5d180803031fae2b28c3
parent705603a396bff251a453aec73fc973a5d85c6d44 (diff)
downloadfreeipa-1299c60a83ccaf669abd74d35845f8c321e4ed5e.zip
freeipa-1299c60a83ccaf669abd74d35845f8c321e4ed5e.tar.gz
freeipa-1299c60a83ccaf669abd74d35845f8c321e4ed5e.tar.xz
dcerpc: Expand explanation for WERR_ACCESS_DENIED
It's possible for AD to contact a wrong IPA server in case the DNS SRV records on the AD sides are not properly configured. Mention this case in the error message as well. https://fedorahosted.org/freeipa/ticket/5013 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
-rw-r--r--ipaserver/dcerpc.py36
1 files changed, 29 insertions, 7 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 87f978c..6a1c179 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1090,22 +1090,44 @@ class TrustDomainInstance(object):
result = retrieve_netlogon_info_2(None, self,
netlogon.NETLOGON_CONTROL_TC_VERIFY,
another_domain.info['dns_domain'])
- if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
- if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):
+
+ if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:
+ if result.pdc_connection_status[0] != 0 and result.tc_connection_status[0] != 0:
if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED":
# Most likely AD DC hit another IPA replica which yet has no trust secret replicated
+
# Sleep and repeat again
self.validation_attempts += 1
if self.validation_attempts < 10:
sleep(5)
return self.verify_trust(another_domain)
- raise errors.ACIError(
- info=_('IPA master denied trust validation requests from AD DC '
- '%(count)d times. Most likely AD DC contacted a replica '
- 'that has no trust information replicated yet.')
- % dict(count=self.validation_attempts))
+
+ # If we get here, we already failed 10 times
+ srv_record_templates = (
+ '_ldap._tcp.%s',
+ '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.%s'
+ )
+
+ srv_records = ', '.join(
+ [srv_record % api.env.domain
+ for srv_record in srv_record_templates]
+ )
+
+ error_message = _(
+ 'IPA master denied trust validation requests from AD '
+ 'DC %(count)d times. Most likely AD DC contacted a '
+ 'replica that has no trust information replicated '
+ 'yet. Additionally, please check that AD DNS is able '
+ 'to resolve %(records)s SRV records to the correct '
+ 'IPA server.') % dict(count=self.validation_attempts,
+ records=srv_records)
+
+ raise errors.ACIError(info=error_message)
+
raise assess_dcerpc_exception(*result.pdc_connection_status)
+
return True
+
return False