From 98c640cf0917ca22b60e6ac4ad70a2da7aa11e7b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Jun 2015 15:31:32 +0000
Subject: ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab

When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 09c877f70..dc657cc4e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1612,8 +1612,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 READKEYS_OP_CHECK, NULL, SLAPI_ACL_READ);
 if (!acl_ok) {
- LOG_FATAL("Not allowed to retrieve keytab on [%s]!\n",
- service_name);
+ LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
+ service_name, bind_dn);
 err_msg = "Insufficient access rights\n";
 rc = LDAP_INSUFFICIENT_ACCESS;
 goto free_and_return;
--
cgit
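Review bot: bind_dn is passed to a `%s` conversion in the new LOG_FATAL call, and nothing visible in this hunk establishes that it is non-NULL and non-empty when the ACL check fails. ipapwd_getkeytab begins and ends outside the hunk, so an earlier anonymous-bind check may already guarantee this; if it does not, log `bind_dn ? bind_dn : "(anonymous)"` so the denial record always names an identity. Because this line becomes the record an operator reads when tracing a refused keytab fetch, it is also worth confirming that service_name, which appears to derive from the request, cannot carry line breaks into the log.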