authorStef Walter <stefw@redhat.com>2013-04-09 22:11:34 +0200
committerStef Walter <stefw@redhat.com>2013-04-09 22:11:34 +0200
commit6f4880029a2c002395cc19d4a7558c830f143d87 (patch)
tree6731c88d8935e89ad7c458e40dcec83de43f650b
parent48166f0a3b33a5d69fc09486cc8e0f6848a48867 (diff)
Catch more permission failures when joining domain
* Windows Server returns all sorts of strange errors when permission problems occur while joining a domain
-rw-r--r--library/adenroll.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/library/adenroll.c b/library/adenroll.c
index fd73c05..3b225ec 100644
--- a/library/adenroll.c
+++ b/library/adenroll.c
@@ -519,6 +519,9 @@ create_computer_account (adcli_enroll *enroll,
* OBJECT_CLASS_VIOLATION when the 'admin' account doesn't have
* enough permission to create this computer account.
*
+ * Additionally LDAP_UNWILLING_TO_PERFORM and LDAP_CONSTRAINT_VIOLATION
+ * are seen on various Windows Servers as responses to this case.
+ *
* TODO: Perhaps some missing attributes are auto-generated when
* the administrative credentials have sufficient permissions, and
* those missing attributes cause the object class violation. However
@@ -526,7 +529,8 @@ create_computer_account (adcli_enroll *enroll,
* attributes. They may be hidden, like unicodePwd.
*/
- if (ret == LDAP_INSUFFICIENT_ACCESS || ret == LDAP_OBJECT_CLASS_VIOLATION) {
+ if (ret == LDAP_INSUFFICIENT_ACCESS || ret == LDAP_OBJECT_CLASS_VIOLATION ||
+ ret == LDAP_UNWILLING_TO_PERFORM || ret == LDAP_CONSTRAINT_VIOLATION) {
return _adcli_ldap_handle_failure (ldap, ADCLI_ERR_CREDENTIALS,
"Insufficient permissions to modify computer account: %s",
enroll->computer_dn);
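Review bot: The two added `ret ==` comparisons report every LDAP_UNWILLING_TO_PERFORM and LDAP_CONSTRAINT_VIOLATION as ADCLI_ERR_CREDENTIALS, yet both are general-purpose result codes that a directory server can also return for causes unrelated to access rights, such as a rejected attribute value or a server-side policy. A join failing for one of those reasons would then point the operator at credentials and delegation instead of the real cause. Unless `_adcli_ldap_handle_failure` already appends the server's result code and diagnostic text (not visible in this hunk), keep them in the output, for instance by including `ldap_err2string (ret)` in the message. The ambiguity also deserves a comment beside the condition, e.g. `/* Not permission-specific codes; mapped here only because AD has been seen to use them for denied creates */`. The body of create_computer_account starts and continues outside the hunk, so how `ret` is produced could not be checked.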