From ec20a74a599821806f62905b676ef4fd75f6c07d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 27 Nov 2012 20:31:02 +0200
Subject: Propagate kinit errors with trust account
When using Global Catalog for resolving users and groups, one needs to authenticate against Active Directory DC using GSSAPI. Obtaining Kerberos ticket might fail. Make sure the failure message is actually returned to the user so that decision can be made about the source of issue.
https://fedorahosted.org/freeipa/ticket/3265
---
 ipaserver/dcerpc.py | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'ipaserver')
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 68b5ad52..8190bf6a 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -279,6 +279,10 @@ class DomainValidator(object):
 if returncode == 0:
 return (ccache_name, principal)
 else:
+ if returncode == 1:
+ raise errors.ACIError(
+ info=_("KDC for %(domain)s denied trust account for IPA domain with a message '%(message)s'") %
+ dict(domain=info['dns_domain'],message=stderr.strip()))
 return (None, None)

 def resolve_against_gc(self, domain, name):
-- cgit
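Review bot: The new `if returncode == 1:` branch treats every kinit failure as a denial by the KDC. Exit status 1 is, as far as I know, kinit's general failure code, so an unreachable KDC, clock skew or an unreadable keytab would all be raised as `errors.ACIError` with the text "KDC for ... denied trust account". A neutral wording such as `_("kinit for the trust account of %(domain)s failed: '%(message)s'")` would claim only what the code knows. The raw `stderr.strip()` is also handed verbatim to the API caller; it can plausibly contain principal names or local paths, so it is worth confirming that exposure is intended and logging the full text on the server as well. Any other non-zero status still falls through to `return (None, None)` with no message at all, which is the silent failure this commit set out to remove. The enclosing method starts above the hunk, so where `info` and `stderr` come from is not visible here.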