On Tue, 2016-03-01 at 18:22 -0500, Simo Sorce wrote:
> On Tue, 2016-03-01 at 22:34 +0100, Lukas Slebodnik wrote:
> > On (01/03/16 12:05), Simo Sorce wrote:
> > >On Tue, 2016-03-01 at 17:51 +0100, Lukas Slebodnik wrote:
> > >> On (01/03/16 17:45), Lukas Slebodnik wrote:
> > >> >On (31/01/16 11:53), Simo Sorce wrote:
> > >> >>Expired != Disabled
> > >> >>this change is intentional.
> > >> >>
> > >> >Yes, but explain it to Active Directory :-)
> > >> >
> > >> >Attached is a patch with a workaround/hack for the
> > >> >regression with expired AD users.
> > >> >
> > >> ENOPATCH
> > >>
> > >> LS
> > >
> > >I think a better approach is to return the KRBKDC error from the child
> > >without mapping (or with an intermediate mapping) and have the IPA and
> > >AD providers map it on their own.
> > >
> > It's not related to mapping KRBKDC error codes to internal error codes.
> > The main problem is that AD returns the same error code for expired
> > and disabled users. And the AD provider used generic krb5 functions.
> >
> > BTW the same issue would be with id_provider = ldap +
> > auth_provider = krb5 with AD :-(
> > I'm not sure how your proposal would help.
>
> I think AD returns additional information in edata, maybe we can use
> that to do the proper mapping in the generic krb5 code.
>
> Absence of AD specific edata would indicate MIT mapping, presence would
> allow us to use that additional data to figure out the correct mapping.
>
> Simo.
>
See MS-KILE[1] 2.2.1, I bet the two conditions return two different
Windows-style errors in etext (not edata, sorry).

[1] https://msdn.microsoft.com/en-us/library/cc233855.aspx

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
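To make the mapping idea discussed in this thread concrete, here is an added example (not SSSD code and not anything posted in this thread) that parses the MS-KILE 2.2.1 KERB-ERROR-DATA structure an AD KDC attaches to a KRB-ERROR (in the e-data field) and, when it carries a KERB-EXT-ERROR, uses the embedded NTSTATUS to tell "account disabled" from "account expired". The DER layout (SEQUENCE with [1] data-type and [2] data-value, KERB_ERR_TYPE_EXTENDED = 3, a 12-byte little-endian status/reserved/flags struct) follows the MS-KILE description; the reason names such as "account_disabled" and the fallback "permission_denied" are my own labels, and build_kerb_error_data only exists to construct sample blobs for testing. Absence of the extended data falls through to the generic (MIT-style) mapping, as Simo suggests.

```python
import struct

# MS-KILE 2.2.1: data-type value that marks a KERB-EXT-ERROR in data-value
KERB_ERR_TYPE_EXTENDED = 3

# NTSTATUS codes (ntstatus.h) that AD reports in KERB-EXT-ERROR.status.
# The reason labels on the right are made up for this example.
NTSTATUS_TO_REASON = {
    0xC0000072: "account_disabled",
    0xC0000193: "account_expired",
    0xC0000071: "password_expired",
    0xC0000234: "account_locked_out",
    0xC000006F: "invalid_logon_hours",
}


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_kerb_error_data(edata):
    """Parse KERB-ERROR-DATA; returns (data_type, data_value) or None if not that shape."""
    try:
        tag, seq, _ = _der_tlv(edata, 0)
        if tag != 0x30:  # not a SEQUENCE
            return None
        pos, data_type, data_value = 0, None, None
        while pos < len(seq):
            ctx_tag, inner, pos = _der_tlv(seq, pos)  # explicit context tag [n]
            _, val, _ = _der_tlv(inner, 0)            # wrapped INTEGER / OCTET STRING
            if ctx_tag == 0xA1:
                data_type = int.from_bytes(val, "big", signed=True)
            elif ctx_tag == 0xA2:
                data_value = val
        return None if data_type is None else (data_type, data_value)
    except IndexError:  # truncated or malformed blob
        return None


def map_ad_kdc_error(edata, fallback="permission_denied"):
    """Map a KRB-ERROR's e-data to a reason label; fall back when no AD extended data exists."""
    parsed = parse_kerb_error_data(edata or b"")
    if parsed is None:
        return fallback
    data_type, data_value = parsed
    if data_type != KERB_ERR_TYPE_EXTENDED or data_value is None or len(data_value) < 12:
        return fallback
    status, _reserved, _flags = struct.unpack("<III", data_value[:12])
    return NTSTATUS_TO_REASON.get(status, fallback)


def build_kerb_error_data(status, flags=1):
    """Constructed sample builder: wrap an NTSTATUS in KERB-ERROR-DATA/KERB-EXT-ERROR."""
    ext = struct.pack("<III", status, 0, flags)
    type_tlv = b"\xA1\x03\x02\x01" + bytes([KERB_ERR_TYPE_EXTENDED])
    value_tlv = b"\xA2" + bytes([len(ext) + 2]) + b"\x04" + bytes([len(ext)]) + ext
    body = type_tlv + value_tlv
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    for code in (0xC0000072, 0xC0000193):
        print(hex(code), "->", map_ad_kdc_error(build_kerb_error_data(code)))
    print("no edata ->", map_ad_kdc_error(b""))
```

The parser deliberately ignores the flags field and any data-type it does not know, so a KDC that sends only a skew-recovery hint or no e-data at all gets the same generic answer the MIT mapping would produce today; only a well-formed extended error can upgrade the result to a more specific reason.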