From c4859813a5fd89082c9c05a3808f9b6cb97ca5d0 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 15 Jul 2015 15:38:50 +0200
Subject: [PATCH] dcerpc: Expand explanation for WERR_ACCESS_DENIED
It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD side are not properly configured.
Mention this case in the error message as well.
https://fedorahosted.org/freeipa/ticket/5013
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
ipaserver/dcerpc.py | 36 +++++++++++++++++++++++++++++-------
1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a1da0a641064f59a79639d97489ff73181787a4a..97f6c1694c20f26af0861b86a1ae1adf7a970a59 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1084,22 +1084,44 @@ class TrustDomainInstance(object):
result = retrieve_netlogon_info_2(None, self,
netlogon.NETLOGON_CONTROL_TC_VERIFY,
another_domain.info['dns_domain'])
- if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
- if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):
+
+ if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:
+ if result.pdc_connection_status[0] != 0 and result.tc_connection_status[0] != 0:
if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED":
# Most likely AD DC hit another IPA replica which yet has no trust secret replicated
+
# Sleep and repeat again
self.validation_attempts += 1
if self.validation_attempts < 10:
sleep(5)
return self.verify_trust(another_domain)
- raise errors.ACIError(
- info=_('IPA master denied trust validation requests from AD DC '
- '%(count)d times. Most likely AD DC contacted a replica '
- 'that has no trust information replicated yet.')
- % dict(count=self.validation_attempts))
+
+ # If we get here, we already failed 10 times
+ srv_record_templates = (
+ '_ldap._tcp.%s',
+ '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.%s'
+ )
+
+ srv_records = ', '.join(
+ [srv_record % api.env.domain
+ for srv_record in srv_record_templates]
+ )
+
+ error_message = _(
+ 'IPA master denied trust validation requests from AD '
+ 'DC %(count)d times. Most likely AD DC contacted a '
+ 'replica that has no trust information replicated '
+ 'yet. Additionally, please check that AD DNS is able '
+ 'to resolve %(records)s SRV records to the correct '
+ 'IPA server.') % dict(count=self.validation_attempts,
+ records=srv_records)
+
+ raise errors.ACIError(info=error_message)
+
raise assess_dcerpc_exception(*result.pdc_connection_status)
+
return True
+
return False
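Review bot: The rewritten guard `if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:` still combines the flag constant with `and` instead of `&`, so for any nonzero constant the condition reduces to `result and result.flags` and never checks whether the status-returned bit is actually set before `pdc_connection_status` and `tc_connection_status` are read. The commit touched this line (it dropped the parentheses) but kept the logical operator; if `NETLOGON_VERIFY_STATUS_RETURNED` is a bitmask value, as the name suggests, the intended test is `if result and (result.flags & netlogon.NETLOGON_VERIFY_STATUS_RETURNED):`. The enclosing method starts outside the hunk (apparently `verify_trust`, given the recursive call), so it is worth confirming that `validation_attempts` is reset between independent validations, since the counter lives on the instance and the retry is done by recursion. As a point of style, replacing `return self.verify_trust(another_domain)` with a bounded loop would make the 10-attempt limit and the final `ACIError` path easier to follow.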
--
2.4.3