Bug 877434
Summary: | not exact error message show up when adding an AD member to an external type group while the time difference between ad and ipa is too great | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Xiyang Dong <xdong> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
Severity: | unspecified | Docs Contact: | |
Priority: | medium | ||
Version: | 6.4 | CC: | abokovoy, dpal, mkosek, sbose, sgoveas, ssorce |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-3.0.0-10.el6 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-02-21 09:30:04 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 886216 |
Description
Xiyang Dong
2012-11-16 14:35:21 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3265 The kinit errors are propagated back to the user. Fixed upstream. master: ec20a74a599821806f62905b676ef4fd75f6c07d ipa-3-0: 1c19d1fb2688039276bed85ca567fe38d2cb30f1 [root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 877434' test --external ------------------ Added group "test" ------------------ Group name: test Description: test group for bug 877434 # Adding invalid AD user [root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2333" [member user]: [member group]: ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain # Adding Valid existing AD user [root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser1" [member user]: [member group]: Group name: test Description: test group for bug 877434 External member: S-1-5-21-3655990580-1375374850-1633065477-1178 ------------------------- Number of members added 1 ------------------------- [root@ibm-x3500m4-01 ~]# date Wed Jan 30 20:04:51 IST 2013 # Changed time on AD server 10 mins ahead and tried adding a second valid AD user [root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2" [member user]: [member group]: ipa: ERROR: Insufficient access: KDC for adlab.qe denied trust account for IPA domain with a message 'kinit: Clock skew too great while getting initial credentials' Verified on version ipa-server-3.0.0-24.el6.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |