2 files changed, 10 insertions, 5 deletions

diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 8513a46f8f..0630403cbc 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -178,10 +178,9 @@ static NTSTATUS cm_open_connection(const char *domain, const int pipe_index,
 
 				result = NT_STATUS_OK;
 
-				if (!cli_session_setup_spnego(new_conn->cli, machine_krb5_principal, 
+				if (!NT_STATUS_IS_OK(result = cli_session_setup_spnego(new_conn->cli, machine_krb5_principal, 
 							      machine_password, 
-							      domain)) {
-					result = cli_nt_error(new_conn->cli);
+							      domain))) {
 					DEBUG(4,("failed kerberos session setup with %s\n", nt_errstr(result)));
 					if (NT_STATUS_IS_OK(result)) 
 						result = NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index d696428de4..993e7d68ff 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -224,9 +224,15 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	DATA_BLOB lm_resp, nt_resp;
 
 	if (!state->privileged) {
-		DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied!\n"));
+		char *error_string = NULL;
+		DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access denied.  !\n"));
+		DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions on %s are set correctly.\n", 
+			     get_winbind_priv_pipe_dir()));
 		/* send a better message than ACCESS_DENIED */
-		push_utf8_fstring(state->response.data.auth.error_string, "winbind client not authorized to use winbindd_pam_auth_crap");
+		asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on %s are set correctly.",
+			 get_winbind_priv_pipe_dir());
+		push_utf8_fstring(state->response.data.auth.error_string, error_string);
+		SAFE_FREE(error_string);
 		result =  NT_STATUS_ACCESS_DENIED;
 		goto done;
 	}