Bug 877434
| Summary: | not exact error message show up when adding an AD member to an external type group while the time difference between ad and ipa is too great | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Xiyang Dong <xdong> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.4 | CC: | abokovoy, dpal, mkosek, sbose, sgoveas, ssorce |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-3.0.0-10.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-02-21 09:30:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 886216 | ||
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3265 The kinit errors are propagated back to the user. Fixed upstream. master: ec20a74a599821806f62905b676ef4fd75f6c07d ipa-3-0: 1c19d1fb2688039276bed85ca567fe38d2cb30f1 [root@ibm-x3500m4-01 ~]# ipa group-add --desc='test group for bug 877434' test --external ------------------ Added group "test" ------------------ Group name: test Description: test group for bug 877434 # Adding invalid AD user [root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2333" [member user]: [member group]: ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain # Adding Valid existing AD user [root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser1" [member user]: [member group]: Group name: test Description: test group for bug 877434 External member: S-1-5-21-3655990580-1375374850-1633065477-1178 ------------------------- Number of members added 1 ------------------------- [root@ibm-x3500m4-01 ~]# date Wed Jan 30 20:04:51 IST 2013 # Changed time on AD server 10 mins ahead and tried adding a second valid AD user [root@ibm-x3500m4-01 ~]# ipa group-add-member test --external "ADLAB\adtestuser2" [member user]: [member group]: ipa: ERROR: Insufficient access: KDC for adlab.qe denied trust account for IPA domain with a message 'kinit: Clock skew too great while getting initial credentials' Verified on version ipa-server-3.0.0-24.el6.x86_64 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html |
Description of problem: when the time difference between ad and ipa server is greater than 5 minutes ,it's unable to get initial credentials. However,both in CLI and WebUI when adding an existing ad member to an external type ipa group under the situation ,the error message is not telling you exactly the reason.Insteadly ,it will show the same error message as adding a non-existent ad member. I have trust setup between rhel and ad server ipaqe.com ,with aduser1 created and the time difference between them is too great In CLI: [root@rhel ~]# ipa group-add --desc='add a external group' test --external ------------------ Added group "test" ------------------ Group name: test Description: add a external group [root@rhel ~]# ipa group-add-member test --external "IPAQE.COM\aduser1" [member user]: [member group]: ipa: ERROR: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain In WebUI: Steps: User Groups-Click Add-Add a group with External group type-Click Add and Edit-External tab-Click Add-type aduser1-Click Add Error message: invalid Gettext('external member', domain='ipa', localedir=None): values are not recognized as valid SIDs from trusted domain Both are all showing the error message as adding a non-extent external member. In /var/log/httpd/error_log could find the error message: [error] ipa: DEBUG: stderr=kinit: Clock skew too great while getting initial credentials Version-Release number of selected component (if applicable): ipa-server-3.0.0-8.el6.x86_64 How reproducible: always Steps to Reproduce: see discription above Actual results: when adding an existing ad member to an external type ipa group with a time difference of more than 5mins between ipa and ad ,both in CLI and WebUI the error message is not telling you exactly the reason.Insteadly ,it will show the same error message as adding a non-existent ad member. Expected results: Tell the reason that the add fail because clock skew too great to get the initial credentials instead of telling adding with an invalid SID. Additional info: