From 65579492d3d545d6acabaedc019c457551c32063 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Mon, 3 Apr 2017 10:29:21 +0300

Subject: [PATCH] ipaserver/dcerpc: unify error processing

Samba error code reporting changes from version to version but we also

did not provide proper input into DCE RPC error processing method we

have.

Unify error processing and add few more fallback entries.

With Samba 4.7 we'll have to change it again because error code

processing for Samba Python modules will change with introduction of

samba.ntstatus and samba.werror modules.

Note that this commit also changes a message returned for error code

-1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is more general one.

Fixes https://pagure.io/freeipa/issue/6859

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

 ipaserver/dcerpc.py | 23 +++++++++++++++++------

 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py

index 2d9d7e5577f1cac6f35701dd277199f9a37387f8..d684a17cabe43bbbd43d29f75f534b6e50fccd12 100644

--- a/ipaserver/dcerpc.py

+++ b/ipaserver/dcerpc.py

@@ -117,19 +117,27 @@ dcerpc_error_codes = {

                   # we simply will skip the binding

         access_denied_error,

     -1073741772:  # NT_STATUS_OBJECT_NAME_NOT_FOUND

-        errors.RemoteRetrieveError(

-            reason=_('CIFS server configuration does not allow '

-                     'access to \\\\pipe\\lsarpc')),

+        errors.NotFound(

+            reason=_('Cannot find specified domain or server name')),

 }

 dcerpc_error_messages = {

     "NT_STATUS_OBJECT_NAME_NOT_FOUND":

         errors.NotFound(

             reason=_('Cannot find specified domain or server name')),

+    "The object name is not found.":

+        errors.NotFound(

+            reason=_('Cannot find specified domain or server name')),

     "WERR_NO_LOGON_SERVERS":

         errors.RemoteRetrieveError(

             reason=_('AD DC was unable to reach any IPA domain controller. '

                      'Most likely it is a DNS or firewall issue')),

+    # This is a very long key, don't change it

+    "There are currently no logon servers available to "

+    "service the logon request.":

+        errors.RemoteRetrieveError(

+            reason=_('AD DC was unable to reach any IPA domain controller. '

+                     'Most likely it is a DNS or firewall issue')),

     "NT_STATUS_INVALID_PARAMETER_MIX":

         errors.RequirementError(

             name=_('At least the domain or IP address should be specified')),

@@ -802,7 +810,8 @@ class DomainValidator(object):

         # Both methods should not fail at the same time

         if finddc_error and len(info['gc']) == 0:

-            raise assess_dcerpc_exception(message=str(finddc_error))

+            num, message = e.args  # pylint: disable=unpacking-non-sequence

+            raise assess_dcerpc_exception(num=num, message=message)

         self._info[domain] = info

         return info

@@ -908,7 +917,8 @@ class TrustDomainInstance(object):

             else:

                 result = netrc.finddc(address=remote_host, flags=flags)

         except RuntimeError as e:

-            raise assess_dcerpc_exception(message=str(e))

+            num, message = e.args  # pylint: disable=unpacking-non-sequence

+            raise assess_dcerpc_exception(num=num, message=message)

         if not result:

             return False

@@ -1408,7 +1418,8 @@ def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):

             result = netrc.finddc(domain=trustdomain,

                                   flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)

     except RuntimeError as e:

-        raise assess_dcerpc_exception(message=str(e))

+        num, message = e.args  # pylint: disable=unpacking-non-sequence

+        raise assess_dcerpc_exception(num=num, message=message)

     td.info['dc'] = unicode(result.pdc_dns_name)

     td.info['name'] = unicode(result.dns_domain)

-- 

2.9.3