KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user

If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
author: Jakub Hrozek <jhrozek@redhat.com> 2013-10-08 18:25:20 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-10-17 13:40:54 +0200
commit: e30fbb81f5406ed8556df06288e97a39b54c843c (patch)
tree: eceeda7918a7347e477bf3a0f77022ee107a486a /src/providers/krb5/krb5_auth.c
parent: 3f422ba0a6c9e2606848256044a9d775e0236201 (diff)
download: sssd-e30fbb81f5406ed8556df06288e97a39b54c843c.tar.gz
sssd-e30fbb81f5406ed8556df06288e97a39b54c843c.tar.xz
sssd-e30fbb81f5406ed8556df06288e97a39b54c843c.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a4183dcac..b4c205789 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1006,6 +1006,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
         ret = EOK;
         goto done;
 
+    case ERR_ACCOUNT_EXPIRED:
+        state->pam_status = PAM_ACCT_EXPIRED;
+        state->dp_err = DP_ERR_OK;
+        ret = EOK;
+        goto done;
+
     case ERR_NO_CREDS:
         state->pam_status = PAM_CRED_UNAVAIL;
         state->dp_err = DP_ERR_OK;
author	Jakub Hrozek <jhrozek@redhat.com>	2013-10-08 18:25:20 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-10-17 13:40:54 +0200
commit	e30fbb81f5406ed8556df06288e97a39b54c843c (patch)
tree	eceeda7918a7347e477bf3a0f77022ee107a486a /src/providers/krb5/krb5_auth.c
parent	3f422ba0a6c9e2606848256044a9d775e0236201 (diff)
download	sssd-e30fbb81f5406ed8556df06288e97a39b54c843c.tar.gz sssd-e30fbb81f5406ed8556df06288e97a39b54c843c.tar.xz sssd-e30fbb81f5406ed8556df06288e97a39b54c843c.zip