From c4859813a5fd89082c9c05a3808f9b6cb97ca5d0 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Wed, 15 Jul 2015 15:38:50 +0200
Subject: [PATCH] dcerpc: Expand explanation for WERR_ACCESS_DENIED
It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD side are not properly configured.
Mention this case in the error message as well.
https://fedorahosted.org/freeipa/ticket/5013
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 ipaserver/dcerpc.py | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a1da0a641064f59a79639d97489ff73181787a4a..97f6c1694c20f26af0861b86a1ae1adf7a970a59 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1084,22 +1084,44 @@ class TrustDomainInstance(object):
         result = retrieve_netlogon_info_2(None, self,
                                           netlogon.NETLOGON_CONTROL_TC_VERIFY,
                                           another_domain.info['dns_domain'])
-        if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
-            if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):
+
+        if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:
+            if result.pdc_connection_status[0] != 0 and result.tc_connection_status[0] != 0:
                 if result.pdc_connection_status[1] == "WERR_ACCESS_DENIED":
                     # Most likely AD DC hit another IPA replica which yet has no trust secret replicated
+
                     # Sleep and repeat again
                     self.validation_attempts += 1
                     if self.validation_attempts < 10:
                         sleep(5)
                         return self.verify_trust(another_domain)
-                    raise errors.ACIError(
-                            info=_('IPA master denied trust validation requests from AD DC '
-                                   '%(count)d times. Most likely AD DC contacted a replica '
-                                   'that has no trust information replicated yet.')
-                                   % dict(count=self.validation_attempts))
+
+                    # If we get here, we already failed 10 times
+                    srv_record_templates = (
+                        '_ldap._tcp.%s',
+                        '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.%s'
+                    )
+
+                    srv_records = ', '.join(
+                        [srv_record % api.env.domain
+                         for srv_record in srv_record_templates]
+                    )
+
+                    error_message = _(
+                        'IPA master denied trust validation requests from AD '
+                        'DC %(count)d times. Most likely AD DC contacted a '
+                        'replica that has no trust information replicated '
+                        'yet. Additionally, please check that AD DNS is able '
+                        'to resolve %(records)s SRV records to the correct '
+                        'IPA server.') % dict(count=self.validation_attempts,
+                                              records=srv_records)
+
+                    raise errors.ACIError(info=error_message)
+
                 raise assess_dcerpc_exception(*result.pdc_connection_status)
+
             return True
+
         return False
 
 
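Review bot: The rewritten condition `if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:` still joins the flag constant with a boolean `and` instead of a bit test, so `NETLOGON_VERIFY_STATUS_RETURNED` is always truthy and the branch is entered whenever `result.flags` is non-zero, regardless of whether the status-returned bit is set; this commit only drops the parentheses from the old line and keeps that behaviour. If the intent is to test the flag, the line should read `if result and (result.flags & netlogon.NETLOGON_VERIFY_STATUS_RETURNED):`. Without the bit test, `pdc_connection_status` and `tc_connection_status` are presumably inspected even on replies that did not carry verification status, so the `WERR_ACCESS_DENIED` retry loop and the final `errors.ACIError` could be driven by fields the DC never populated. The enclosing `verify_trust` method begins before this hunk, so whether `validation_attempts` is reset per call is not visible here.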
-- 
2.4.3