https://bugzilla.redhat.com/show_bug.cgi?id=877434 (Red Hat Enterprise Linux 6)
Description of problem: when the time difference between the AD and IPA server is greater than 5 minutes, it's unable to get initial credentials. However, both in CLI and WebUI, when adding an existing AD member to an external type IPA group under this situation, the error message is not telling you exactly the reason. Instead, it will show the same error message as adding a non-existent AD member.

I have trust setup between rhel and the AD server ipaqe.com, with aduser1 created, and the time difference between them is too great.

In CLI:
[root@rhel ~]# ipa group-add --desc='add a external group' test --external
------------------
Added group "test"
------------------
  Group name: test
  Description: add a external group
[root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1"
[member user]:
[member group]:
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

In WebUI:
Steps: User Groups - Click Add - Add a group with External group type - Click Add and Edit - External tab - Click Add - type aduser1 - Click Add
Error message: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain

Both are showing the same error message as adding a non-existent external member.

In /var/log/httpd/error_log the real error message can be found:
[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64

How reproducible: always

Steps to Reproduce: see description above

Actual results: when adding an existing AD member to an external type IPA group with a time difference of more than 5 minutes between IPA and AD, both in CLI and WebUI the error message is not telling you exactly the reason. Instead, it will show the same error message as adding a non-existent AD member.

Expected results: tell the reason that the add failed because the clock skew is too great to get the initial credentials, instead of reporting that the member is an invalid SID.

Additional info:
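A small triage helper for the situation in this ticket, added here as an example and not code from FreeIPA or the reporter: it pulls the kinit stderr that FreeIPA writes to httpd's error_log and maps the generic "not recognized as valid SIDs" error to its actual cause, and checks whether two clocks exceed the 5-minute Kerberos skew limit. The log lines and the error string are constructed from the ticket.

```python
import re
from datetime import datetime, timedelta

# MIT Kerberos default maximum clock skew (5 minutes); beyond this kinit fails.
MAX_CLOCK_SKEW = timedelta(seconds=300)

# Constructed sample data modelled on the ticket (not captured from a real server).
IPA_ERROR = ("ipa: ERROR: invalid Gettext('external member', domain='ipa', "
             "localedir=None): values are not recognized as valid SIDs from trusted domain")
HTTPD_ERROR_LOG = """\
[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials
[error] ipa: DEBUG: group_add_member: external member lookup failed
"""

# FreeIPA logs the stderr of the kinit it runs for the trust as "stderr=kinit: <message>".
KINIT_STDERR_RE = re.compile(r"stderr=kinit:\s*(?P<msg>.+?)\s*$")


def kinit_failures(error_log):
    """Return every kinit error message found in the httpd error_log text."""
    found = []
    for line in error_log.splitlines():
        m = KINIT_STDERR_RE.search(line)
        if m:
            found.append(m.group("msg"))
    return found


def diagnose(ipa_error, error_log):
    """Explain a 'values are not recognized as valid SIDs' error using the server log."""
    if "not recognized as valid SIDs" not in ipa_error:
        return "unrelated error: " + ipa_error
    for msg in kinit_failures(error_log):
        if "Clock skew too great" in msg:
            return ("clock skew: the IPA server could not obtain a Kerberos ticket "
                    "for the trusted domain (kinit: %s)" % msg)
        return "kinit failed: " + msg
    # No kinit failure logged: the member name or SID really was not found.
    return "member lookup failed: name or SID not found in trusted domain"


def skew_exceeded(ipa_time, ad_time, max_skew=MAX_CLOCK_SKEW):
    """True when the IPA and AD clocks differ by more than the Kerberos limit."""
    return abs(ipa_time - ad_time) > max_skew


if __name__ == "__main__":
    print(diagnose(IPA_ERROR, HTTPD_ERROR_LOG))
    print(skew_exceeded(datetime(2012, 11, 14, 10, 0, 0), datetime(2012, 11, 14, 10, 6, 0)))
```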
Patch sent for review: https://www.redhat.com/archives/freeipa-devel/2012-November/msg00345.html
master: ec20a74
ipa-3-0: 1c19d1f
Metadata Update from @rcritten:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.0.2