#3265 not exact error message show up when adding an AD member to an external type group while the time difference between ad and ipa is too great
Closed: Fixed None Opened 11 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=877434 (Red Hat Enterprise Linux 6)

Description of problem:
When the time difference between the AD and IPA servers is greater than 5
minutes, it's unable to get initial credentials.
However, both in the CLI and WebUI, when adding an existing AD member to an
external type IPA group in this situation, the error message does not tell you
the exact reason. Instead, it shows the same error message as adding a
non-existent AD member.

I have a trust set up between rhel and the AD server ipaqe.com, with aduser1
created, and the time difference between them is too great.

In CLI:
[root@rhel ~]# ipa group-add --desc='add a external group'  test --external
------------------
Added group "test"
------------------
  Group name: test
  Description: add a external group
[root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1"
[member user]:
[member group]:
ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None):
values are not recognized as valid SIDs from trusted domain

In WebUI:
Steps:
User Groups-Click Add-Add a group with External group type-Click Add and
Edit-External tab-Click Add-type aduser1-Click Add
Error message:
invalid Gettext('external member', domain='ipa', localedir=None): values are
not recognized as valid SIDs from trusted domain

Both show the same error message as adding a non-existent external member.


In /var/log/httpd/error_log the error message can be found:
[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial
credentials

Version-Release number of selected component (if applicable):
ipa-server-3.0.0-8.el6.x86_64

How reproducible:
always

Steps to Reproduce:
See description above

Actual results:
When adding an existing AD member to an external type IPA group with a time
difference of more than 5 minutes between IPA and AD, both in the CLI and WebUI
the error message does not tell you the exact reason. Instead, it shows the
same error message as adding a non-existent AD member.


Expected results:
Tell the reason: that the add failed because the clock skew is too great to get
the initial credentials, instead of reporting an invalid SID.


Additional info:

Metadata Update from @rcritten:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 3.0.2

7 years ago
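
A triage helper for the situation reported above, added here as an example and not part of the ticket or of FreeIPA: it takes the user-facing error and the text of /var/log/httpd/error_log and reports whether the SID error coincides with the kinit clock skew failure. The function names, return labels and sample strings are assumptions; the samples are constructed from the messages quoted in the ticket.

```python
import re

# User-facing error quoted in the ticket (CLI and WebUI).
SID_ERROR = "values are not recognized as valid SIDs from trusted domain"
# kinit failure the ticket found in /var/log/httpd/error_log.
SKEW_RE = re.compile(r"stderr=kinit:\s+Clock skew too great")


def _flat(text):
    """Collapse whitespace so messages wrapped across lines still match."""
    return " ".join(text.split())


def triage(user_error, error_log_text):
    """Classify a failed 'ipa group-add-member --external' call.

    Returns 'clock-skew' when the SID error coincides with a kinit clock
    skew failure in the log, 'check-sid' when only the SID error is
    present, and 'other' for any different error.
    """
    if SID_ERROR not in _flat(user_error):
        return "other"
    if SKEW_RE.search(_flat(error_log_text)):
        return "clock-skew"
    return "check-sid"


# Constructed sample input modelled on the messages in the ticket.
SAMPLE_ERROR = (
    "ipa: ERROR: invalid Gettext('external member', domain='ipa', "
    "localedir=None):\n"
    "values are not recognized as valid SIDs from trusted domain"
)
SAMPLE_LOG = (
    "[error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting "
    "initial\ncredentials\n"
)
# Constructed log line with no kinit failure in it.
SAMPLE_LOG_CLEAN = "[error] ipa: DEBUG: constructed line without kinit output\n"

if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, SAMPLE_LOG))
    print(triage(SAMPLE_ERROR, SAMPLE_LOG_CLEAN))
```

The match is not time-correlated, so an old clock skew entry left in the log will also be reported; pass only the log lines written around the failed command.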
