[Freeipa-devel] [PATCH] 355 Avoid internal error when user is not Trust admin

Petr Viktorin pviktori at redhat.com
Wed Feb 20 11:30:48 UTC 2013


On 02/20/2013 09:15 AM, Martin Kosek wrote:
> On 02/19/2013 10:19 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/24/2013 12:01 PM, Martin Kosek wrote:
>>>> When user tries to perform any action requiring communication with
>>>> trusted domain, IPA server tries to retrieve a trust secret on his
>>>> behalf to be able to establish the connection. This happens for
>>>> example during group-add-member command when external user is
>>>> being resolved in the AD.
>>>>
>>>> When user is not member of Trust admins group, the retrieval crashes
>>>> and reports internal error. Catch this exception and rather report
>>>> properly formatted ACIError.
>>>>
>>>> ----
>>>>
>>>> I hit this error after updating to the latest FreeIPA version with the AD CVE
>>>> fixed.
>>>>
>>>> Martin
>>>>
>>>
>>> I filed a ticket to not lose this fix and patch. Attaching an updated patch
>>> with ticket URL in description.
>>>
>>> Martin
>>>
>>
>>
>> The patch fixes the problem but the error is untranslated:
>>
>>      member group: AD\Domain Admins: Insufficient access: Gettext('communication
>> with trusted domains is allowed for Trusts administrator group members only',
>> domain='ipa', localedir=None)
>>
>> rob
>
> I think this is just because this string is not in our ipa.pot file yet (will
> be when we do Transifex refresh).
>
> Martin
>

I don't have AD so I can't investigate, but this problem is usually due 
to the error being converted to string instead of using the strerror 
attribute.


-- 
Petr³
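
The failure mode named in the reply above (an error object converted to a string instead of read through its strerror attribute), as an added example that is not part of the original thread and is not FreeIPA's code. `LazyText`, `AccessError` and the two `report_*` helpers are hypothetical names in a simplified model; the sample input is constructed from the message quoted in the thread.

```python
# Simplified model of the failure mode; not FreeIPA code. All names are hypothetical.

class LazyText:
    """Lazy translation marker: holds a msgid, translates only on resolve()."""

    def __init__(self, msg, domain="ipa", localedir=None):
        self.msg, self.domain, self.localedir = msg, domain, localedir

    def __repr__(self):
        return "Gettext(%r, domain=%r, localedir=%r)" % (
            self.msg, self.domain, self.localedir)

    # No __str__ on purpose: str(obj) and "%s" % obj fall back to __repr__.

    def resolve(self, catalog):
        # Unknown msgids fall back to the untranslated text, as gettext does.
        return catalog.get(self.msg, self.msg)


class AccessError(Exception):
    format = LazyText("Insufficient access: %(info)s")

    def __init__(self, catalog, **kw):
        # Raw form: lazy values are interpolated with str(), i.e. their repr.
        self.msg = self.format.msg % kw
        # User-facing form: every lazy value is resolved before interpolation.
        done = {k: v.resolve(catalog) if isinstance(v, LazyText) else v
                for k, v in kw.items()}
        self.strerror = self.format.resolve(catalog) % done
        super().__init__(self.msg)


INFO = LazyText("communication with trusted domains is allowed for "
                "Trusts administrator group members only")


def report_via_str(member, err):
    # Converts the exception itself to text, so the raw form leaks out.
    return "member group: %s: %s" % (member, err)


def report_via_strerror(member, err):
    # Reads the resolved, user-facing message.
    return "member group: %s: %s" % (member, err.strerror)


if __name__ == "__main__":
    err = AccessError({}, info=INFO)   # constructed input, empty catalog
    print(report_via_str("AD\\Domain Admins", err))
    print(report_via_strerror("AD\\Domain Admins", err))
```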



