authorAlexander Bokovoy <abokovoy@redhat.com>2015-06-05 15:31:32 +0000
committerTomas Babej <tbabej@redhat.com>2015-07-08 01:56:52 +0200
commita9570e8ea347c3e5cb4c1489e70828bd00077a22 (patch)
treec86afddb5171a3b92e2e874b66b6ab62d74e4d56
parentd5aa1ee04e2e4923f42bccd60d51f063df144a0b (diff)
ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
When retrieving a keytab, it is useful to know which user was attempting to fetch the keytab and failed. This is useful to debug one-way trust where SSSD forks out an ipa-getkeytab process and it might be using the wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
-rw-r--r--daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 09c877f70..dc657cc4e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1612,8 +1612,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
READKEYS_OP_CHECK, NULL,
SLAPI_ACL_READ);
if (!acl_ok) {
- LOG_FATAL("Not allowed to retrieve keytab on [%s]!\n",
- service_name);
+ LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
+ service_name, bind_dn);
err_msg = "Insufficient access rights\n";
rc = LDAP_INSUFFICIENT_ACCESS;
goto free_and_return;
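Review bot: The new `LOG_FATAL` call passes `bind_dn` to `%s`, but nothing in this hunk shows that it is non-NULL at this point. If an anonymous or unbound connection can reach the ACL check, that is undefined behaviour. The function body starts outside the hunk, so an earlier anonymous-bind rejection may already cover this; if not, log `bind_dn ? bind_dn : "(anonymous)"` instead. Both `service_name` and `bind_dn` appear to be requester-supplied, so a one-line comment such as `/* values are client-controlled; logged for audit only */` would warn anyone parsing the bracketed fields. Keeping the client-facing `err_msg` generic while putting the identity only in the server log is the right split for this denial path.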