Bug 470957
Summary: | Bad error message if ipa-adduser run without admin ticket | | |
---|---|---|---|
Product: | [Retired] freeIPA | Reporter: | W. Michael Petullo <mike> |
Component: | ipa-admintools | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED NOTABUG | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | low | Priority: | low |
Version: | 1.1 | CC: | benl, dpal, ssorce |
Hardware: | All | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2009-01-12 19:36:15 UTC |
Bug Blocks: | 431020 | | |
Description
W. Michael Petullo
2008-11-11 03:55:01 UTC
This error isn't related to the ticket being used. It is a pure Kerberos error essentially meaning "password incorrect." So the ticket got rejected somewhere, either when trying to get the service ticket for the IPA XML-RPC server or during the XML-RPC request. You might get more information by adding the -v flag to ipa-adduser. You'll be able to see if it does the XML-RPC request or not. Otherwise you'll need to check the KDC log to see if there is anything relevant there. You might try:

    kdestroy
    kinit user@REALM
    ipa-adduser ...

If it fails with the same message, see if you have an HTTP service ticket for the IPA server.

I understand all that. The spirit of this bug report is that the error message is not helpful for normal users.

What would you suggest? I don't know that this is something an average user would be able to diagnose, requiring admin assistance, the KDC log, etc.

Would you expect every admin to understand that "Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/Decrypt integrity check failed" means "admin credentials not present?" I'm not trying to be contemptuous, but the error message that the GSSAPI library provides is terrible. How about something like, "Could not create user because admin credentials not present, try "kinit admin"?"

Your presumption is wrong. This message does not mean that admin credentials are required. This message means that the encryption key used to encrypt the data in this request didn't match the encryption key used for decryption, and as a result the checksum comparison didn't work.

http://www.faqs.org/faqs/kerberos-faq/general/section-73.html

So further debugging is required. It has nothing to do with admin user vs non-admin user.
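
The ticket checks suggested in this thread, as an added shell example (not part of the original bug report and not freeIPA code). It reads saved `klist` output to tell apart the two places where the ticket could have been rejected; the function name `triage`, its result keywords, the host `ipa.example.com` and the sample `klist` listing are all constructed assumptions.

```shell
#!/bin/sh
# Added example: triage for the GSSAPI failure quoted in this bug.
# Usage: triage ERROR_TEXT KLIST_OUTPUT IPA_HOST  -> prints one keyword.
# (Function name and keywords are hypothetical, chosen for this example.)

triage() {
    err=$1
    tickets=$2
    host=$3

    # Only the error discussed in the thread is handled here.
    case $err in
        *"Decrypt integrity check failed"*) ;;
        *) echo "other-error"; return 0 ;;
    esac

    if ! printf '%s\n' "$tickets" | grep -qF "krbtgt/"; then
        # No TGT in the cache: start over with kdestroy; kinit user@REALM
        echo "no-tgt"
    elif printf '%s\n' "$tickets" | grep -qF "HTTP/$host@"; then
        # A service ticket was issued, so the rejection happened when it
        # was presented during the XML-RPC request.
        echo "rejected-by-server"
    else
        # TGT present but no HTTP/<host> ticket: the failure happened
        # while requesting the service ticket; look at the KDC log.
        echo "no-service-ticket"
    fi
}

# Constructed sample input (not captured from a real system).
SAMPLE_ERR='Could not initialize GSSAPI: Unspecified GSS failure. Minor code may provide more information/Decrypt integrity check failed'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/11/08 03:40:01  11/12/08 03:40:01  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/11/08 03:41:10  11/12/08 03:40:01  HTTP/ipa.example.com@EXAMPLE.COM'

triage "$SAMPLE_ERR" "$SAMPLE_KLIST" ipa.example.com
```

On a live system the second argument would be `"$(klist)"` taken right after the failing `ipa-adduser -v` run.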