From a9570e8ea347c3e5cb4c1489e70828bd00077a22 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 5 Jun 2015 15:31:32 +0000
Subject: ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej
---
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index 09c877f70..dc657cc4e 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -1612,8 +1612,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg)
 READKEYS_OP_CHECK, NULL, SLAPI_ACL_READ);
 if (!acl_ok) {
- LOG_FATAL("Not allowed to retrieve keytab on [%s]!\n",
- service_name);
+ LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n",
+ service_name, bind_dn);
 err_msg = "Insufficient access rights\n";
 rc = LDAP_INSUFFICIENT_ACCESS;
 goto free_and_return;
-- cgit
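Review bot: The new `LOG_FATAL` call passes `bind_dn` to a `%s` conversion, and nothing in the hunk shows that it is non-NULL when the ACL check fails. `bind_dn` is assigned outside the hunk, so it is worth confirming that requests without a bind DN are rejected before this branch; if that is not guaranteed, log a fallback with `service_name, bind_dn ? bind_dn : "<none>");`. A short comment above the call, such as `/* record the denied bind DN in the server log only; the client still gets the generic err_msg */`, would also document that the identity is deliberately kept out of the response. The body of ipapwd_getkeytab starts and ends outside the hunk.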