On Tue, 2016-03-01 at 22:34 +0100, Lukas Slebodnik wrote:
> On (01/03/16 12:05), Simo Sorce wrote:
> >On Tue, 2016-03-01 at 17:51 +0100, Lukas Slebodnik wrote:
> >> On (01/03/16 17:45), Lukas Slebodnik wrote:
> >> >On (31/01/16 11:53), Simo Sorce wrote:
> >> >>Expired != Disabled
> >> >>this change is intentional.
> >> >>
> >> >Yes, but explain it to Active Directory :-)
> >> >
> >> >Attached is a patch with a workaround/hack for the
> >> >regression with expired AD users.
> >> >
> >> ENOPATCH
> >>
> >> LS
> >
> >I think a better approach is to return the KRBKDC error from the child
> >without mapping (or with an intermediate mapping) and have the IPA and
> >AD providers map it on their own.
> >
> It's not related to mapping KRBKDC error codes to internal error codes.
> The main problem is that AD returns the same error code for expired
> and disabled users, and the AD provider uses the generic krb5 functions.
> BTW the same issue would occur with id_provider = ldap +
> auth_provider = krb5 against AD :-(
> I'm not sure how your proposal would help.
I think AD returns additional information in edata; maybe we can use
that to do the proper mapping in the generic krb5 code.
Absence of AD-specific edata would indicate MIT mapping; presence would
allow us to use that additional data to figure out the correct mapping.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
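The edata-based disambiguation Simo proposes above, worked through as an added example. This is illustration code written for this page, not SSSD's krb5_child or anything posted in the thread. It assumes the KERB-ERROR-DATA / KERB-EXT-ERROR layout documented in MS-KILE (data-type 3 = extended error, a 12-byte little-endian status/reserved/flags struct in data-value) and the NTSTATUS values from MS-ERREF; the category names, the MIT-style fallback table and the helper that builds a sample blob are this example's own, and the blobs it feeds itself are constructed, not captured from a DC.

```python
"""Tell an expired AD account from a disabled one using the KRB-ERROR e-data.

Added illustration, not SSSD code.  Both AD cases arrive as
KDC_ERR_CLIENT_REVOKED; only the NTSTATUS inside the AD-specific
KERB-ERROR-DATA (MS-KILE 2.2.1/2.2.2) distinguishes them.  When no such
e-data is present the bare error code is interpreted the MIT way.
"""
import struct

KDC_ERR_NAME_EXP = 1          # RFC 4120: client's entry in database has expired
KDC_ERR_CLIENT_REVOKED = 18   # RFC 4120: client's credentials have been revoked
KDC_ERR_KEY_EXPIRED = 23      # RFC 4120: password has expired

KERB_ERR_TYPE_EXTENDED = 3    # MS-KILE: data-value carries a KERB-EXT-ERROR

# NTSTATUS codes AD places in KERB-EXT-ERROR.status (MS-ERREF).
# Category names are this example's own, not an SSSD API.
NTSTATUS_CATEGORY = {
    0xC000006F: "logon_hours",
    0xC0000070: "invalid_workstation",
    0xC0000071: "password_expired",
    0xC0000072: "account_disabled",
    0xC0000193: "account_expired",
    0xC0000234: "account_locked_out",
}

# MIT-style fallback: without AD e-data the error code alone is unambiguous.
MIT_CODE_CATEGORY = {
    KDC_ERR_NAME_EXP: "account_expired",
    KDC_ERR_CLIENT_REVOKED: "account_disabled",
    KDC_ERR_KEY_EXPIRED: "password_expired",
}


def _der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_kerb_error_data(edata):
    """Return (data_type, data_value) for a KERB-ERROR-DATA blob, else None.

    Anything that is not SEQUENCE { [1] INTEGER, [2] OCTET STRING } (for
    example MIT's e-data or a METHOD-DATA) yields None, which triggers
    the fallback mapping instead of a wrong guess.
    """
    try:
        tag, body, end = _der_tlv(edata, 0)
        if tag != 0x30 or end != len(edata):
            return None
        data_type, data_value, pos = None, None, 0
        while pos < len(body):
            ctag, cval, pos = _der_tlv(body, pos)
            itag, ival, _ = _der_tlv(cval, 0)
            if ctag == 0xA1 and itag == 0x02:       # data-type [1] INTEGER
                data_type = int.from_bytes(ival, "big", signed=True)
            elif ctag == 0xA2 and itag == 0x04:     # data-value [2] OCTET STRING
                data_value = bytes(ival)
        return (data_type, data_value) if data_type is not None else None
    except (IndexError, ValueError):
        return None


def classify_kdc_error(error_code, edata=b""):
    """Map a KRB-ERROR (code + e-data) to a category the auth provider can act on."""
    parsed = parse_kerb_error_data(edata) if edata else None
    if parsed and parsed[0] == KERB_ERR_TYPE_EXTENDED and parsed[1] and len(parsed[1]) >= 12:
        status, _reserved, _flags = struct.unpack("<III", parsed[1][:12])
        return NTSTATUS_CATEGORY.get(status, "ad_status_0x%08X" % status)
    return MIT_CODE_CATEGORY.get(error_code, "krb5_error_%d" % error_code)


def build_kerb_error_data(status, flags=1):
    """Construct a KERB-ERROR-DATA blob shaped like AD's, for testing (constructed sample)."""
    ext = struct.pack("<III", status, 0, flags)
    data_value = b"\xa2" + bytes([len(ext) + 2]) + b"\x04" + bytes([len(ext)]) + ext
    data_type = b"\xa1\x03\x02\x01" + bytes([KERB_ERR_TYPE_EXTENDED])
    body = data_type + data_value
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    for status in (0xC0000072, 0xC0000193):
        blob = build_kerb_error_data(status)
        print(hex(status), classify_kdc_error(KDC_ERR_CLIENT_REVOKED, blob))
    print("no e-data:", classify_kdc_error(KDC_ERR_CLIENT_REVOKED))
```

The parser deliberately refuses anything that does not match the two-field KERB-ERROR-DATA shape, so a METHOD-DATA or MIT e-data on the same error code falls through to the code-only table rather than being misread as an NTSTATUS; that is the "absence of AD-specific edata means MIT mapping" rule from the thread made explicit.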