Add ipa_auth

To support IPA DS to Kerberos password migration a seperate authentication target is added. It calls the Kerberos authentication target and in the case of a 'Preauthentication Error' the LDAP authentication target. On success the Kerberos target is called again to request the TGT.
author: Sumit Bose <sbose@redhat.com> 2009-11-04 12:39:00 +0100
committer: Stephen Gallagher <sgallagh@redhat.com> 2009-11-20 16:46:47 -0500
commit: 0e4eba0a994d286ae0832adc1731ab2dc10c5ff9 (patch)
tree: b787c77df7ef16d0fcae46a2177dc039beb4d7c1 /server/providers/krb5/krb5_child.c
parent: 53b4c8fdb26ac799544f8ef8f12e0cadac8ea5e1 (diff)
download: sssd-0e4eba0a994d286ae0832adc1731ab2dc10c5ff9.tar.gz
sssd-0e4eba0a994d286ae0832adc1731ab2dc10c5ff9.tar.xz
sssd-0e4eba0a994d286ae0832adc1731ab2dc10c5ff9.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c
index 5a1bf374e..f7809d2c6 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -582,6 +582,9 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
             case KRB5KDC_ERR_KEY_EXP:
                     pam_status = PAM_AUTHTOK_EXPIRED;
                     break;
+            case KRB5KDC_ERR_PREAUTH_FAILED:
+                    pam_status = PAM_CRED_ERR;
+                    break;
             default:
                     pam_status = PAM_SYSTEM_ERR;
         }
author	Sumit Bose <sbose@redhat.com>	2009-11-04 12:39:00 +0100
committer	Stephen Gallagher <sgallagh@redhat.com>	2009-11-20 16:46:47 -0500
commit	0e4eba0a994d286ae0832adc1731ab2dc10c5ff9 (patch)
tree	b787c77df7ef16d0fcae46a2177dc039beb4d7c1 /server/providers/krb5/krb5_child.c
parent	53b4c8fdb26ac799544f8ef8f12e0cadac8ea5e1 (diff)
download	sssd-0e4eba0a994d286ae0832adc1731ab2dc10c5ff9.tar.gz sssd-0e4eba0a994d286ae0832adc1731ab2dc10c5ff9.tar.xz sssd-0e4eba0a994d286ae0832adc1731ab2dc10c5ff9.zip