[Freeipa-devel] [PATCH] 0127 Map NT_STATUS_INVALID_PARAMETER to a most likely error cause

Alexander Bokovoy abokovoy at redhat.com
Tue Nov 12 09:41:49 UTC 2013


Hi,

I stumbled upon another case of clock skew breaking trust-add code and
in this case we actually get a separate error code --
NT_STATUS_INVALID_PARAMETER that, along with a specific case we get it
in, allows us to deduce that there is a possible clock skew without parsing
debug output from Samba client libraries.

I made this small patch that suggests there is indeed clock skew between
IPA and an AD DC.

-- 
/ Alexander Bokovoy
-------------- next part --------------
From b491bd33b4776343af6a1cd18510f1e84b54c0ee Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 12 Nov 2013 11:36:22 +0200
Subject: [PATCH 2/2] Map NT_STATUS_INVALID_PARAMETER to most likely error
 cause: clock skew

When we get NT_STATUS_INVALID_PARAMETER in response to establishing a
DCE RPC pipe with Kerberos, the most likely reason is clock skew.
Suggest that it is so in the error message.
---
 ipaserver/dcerpc.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 86bb428..55acfa8 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -82,6 +82,9 @@ dcerpc_error_codes = {
     -1073741614: access_denied_error,
     -1073741603:
         errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')),
+    -1073741811: # NT_STATUS_INVALID_PARAMETER
+        error.RemoteRetrieveError(
+            reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
 }
 
 dcerpc_error_messages = {
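Review bot: the added value is built with `error.RemoteRetrieveError`, while the entry directly above it uses `errors.ValidationError`. Unless a separate `error` name is imported elsewhere in dcerpc.py, this raises NameError as soon as `dcerpc_error_codes` is evaluated at module import, so it should read `errors.RemoteRetrieveError`. Separately, the mapping applies to every -1073741811 result, whereas the commit message ties the clock-skew reading to setting up the DCE RPC pipe with Kerberos. The reason string could state that context, and the trailing ", for example" would read better dropped or moved ahead of the clause it qualifies.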
-- 
1.8.3.1


