author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-06-05 15:31:32 +0000 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-08 01:56:52 +0200 |
commit | a9570e8ea347c3e5cb4c1489e70828bd00077a22 (patch) | |
tree | c86afddb5171a3b92e2e874b66b6ab62d74e4d56 | |
parent | d5aa1ee04e2e4923f42bccd60d51f063df144a0b (diff) | |
ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
When retrieving keytab, it is useful to know what user was attempting
to fetch the keytab and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.
Part of https://fedorahosted.org/freeipa/ticket/4959
Reviewed-By: Tomas Babej <tbabej@redhat.com>
-rw-r--r-- | daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c index 09c877f70..dc657cc4e 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c @@ -1612,8 +1612,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) READKEYS_OP_CHECK, NULL, SLAPI_ACL_READ); if (!acl_ok) { - LOG_FATAL("Not allowed to retrieve keytab on [%s]!\n", - service_name); + LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n", + service_name, bind_dn); err_msg = "Insufficient access rights\n"; rc = LDAP_INSUFFICIENT_ACCESS; goto free_and_return; |
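Review bot: In the new LOG_FATAL call, bind_dn is passed to a %s conversion, but nothing in this hunk shows that it is guaranteed to be non-NULL at this point in ipapwd_getkeytab(). If it can be unset when the ACL check fails, formatting it with %s is undefined behaviour, so either confirm it is validated earlier in the function or log `bind_dn ? bind_dn : "<none>"` instead. Leaving err_msg as the generic "Insufficient access rights\n" is the right call, since the bind identity then appears only in the server log and not in the response returned to the client.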