[Freeipa-devel] [PATCH] 0097 Propagate kinit errors when using trust account
Rob Crittenden
rcritten at redhat.com
Tue Nov 27 21:19:25 UTC 2012
Alexander Bokovoy wrote:
> Hi,
>
> attached patch makes possible to see why using trust account to kinit
> may have failed against Active Directory DC. One common error might be
> time skew and there will be no chance to know about that without
> actually propagating the error message.
>
> https://fedorahosted.org/freeipa/ticket/3265
>
> With the patch following message will be shown:
>
> $ ipa group-add-member adadmins_ext --external=ADX\\Domain\ Admins
> [member user]: [member group]: ipa: ERROR: Insufficient access: ad.lan
> KDC denied trust account for IPA
> domain with a message 'kinit: Clock skew too great while getting initial
> credentials'
ACK, pushed to master and ipa-3-0
More information about the Freeipa-devel
mailing list