author | Alexander Bokovoy <abokovoy@redhat.com> | 2012-11-27 20:31:02 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-11-27 16:18:03 -0500 |
commit | ec20a74a599821806f62905b676ef4fd75f6c07d (patch) | |
tree | 828e105681fa4e218a34e2b8f87b915728f87831 /ipaserver | |
parent | bef251a13ca075718afe7503b5bbe8caa439a1ea (diff) | |
Propagate kinit errors with trust account
When using the Global Catalog for resolving users and groups, one needs
to authenticate against the Active Directory DC using GSSAPI. Obtaining
a Kerberos ticket might fail. Make sure the failure message is actually
returned to the user so that a decision can be made about the source
of the issue.
https://fedorahosted.org/freeipa/ticket/3265
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/dcerpc.py | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 68b5ad52..8190bf6a 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -279,6 +279,10 @@ class DomainValidator(object):
 if returncode == 0:
 return (ccache_name, principal)
 else:
+ if returncode == 1:
+ raise errors.ACIError(
+ info=_("KDC for %(domain)s denied trust account for IPA domain with a message '%(message)s'") %
+ dict(domain=info['dns_domain'],message=stderr.strip()))
 return (None, None)
 def resolve_against_gc(self, domain, name): |
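Review bot: In the `else:` branch the new `raise` fires only for `returncode == 1`, so any other non-zero exit still falls through to `return (None, None)` with `stderr` discarded, which is the silent failure this commit sets out to remove. Either drop the `if returncode == 1:` guard so every failure is reported, or log `stderr` on the server before the fallback return. Separately, `stderr.strip()` is copied verbatim into the user-facing `ACIError` text; kinit output can name principals, realms or credential-cache paths, so it is worth confirming who can see this message, and possibly logging the raw text while returning a shorter summary. The enclosing method starts outside the hunk, so where `info` and `stderr` come from (and whether `stderr` can be `None`) is not visible here.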