Make return values more specific during password change

- return PAM_AUTHTOK_ERR instead of PAM_SYSTEM_ERR if the password
  change operation fails
- send a message to the user if the system is offline and the password
  cannot be changed

2 files changed, 6 insertions, 3 deletions

diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c
index 08e16b4a2..b73032605 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -579,6 +579,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
                       result_string.length, result_string.data));
         }
 
+        pam_status = PAM_AUTHTOK_ERR;
         goto sendresponse;
     }
 
diff --git a/server/providers/ldap/ldap_auth.c b/server/providers/ldap/ldap_auth.c
index fbb4e53b6..1d1346c07 100644
--- a/server/providers/ldap/ldap_auth.c
+++ b/server/providers/ldap/ldap_auth.c
@@ -772,7 +772,7 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
         if (pw_expire_type == PWEXPIRE_SHADOW) {
 /* TODO: implement async ldap modify request */
             DEBUG(1, ("Changing shadow password attributes not implemented.\n"));
-            state->pd->pam_status = PAM_SYSTEM_ERR;
+            state->pd->pam_status = PAM_MODULE_UNKNOWN;
             goto done;
         } else {
             subreq = sdap_exop_modify_passwd_send(state,
@@ -791,7 +791,9 @@ static void sdap_auth4chpass_done(struct tevent_req *req)
             return;
         }
         break;
-
+    case SDAP_AUTH_FAILED:
+        state->pd->pam_status = PAM_AUTH_ERR;
+        break;
     default:
         state->pd->pam_status = PAM_SYSTEM_ERR;
     }
@@ -821,7 +823,7 @@ static void sdap_pam_chpass_done(struct tevent_req *req)
         dp_err = DP_ERR_OK;
         break;
     default:
-        state->pd->pam_status = PAM_SYSTEM_ERR;
+        state->pd->pam_status = PAM_AUTHTOK_ERR;
     }
 
 done: