diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-19 12:51:50 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-20 10:11:47 +0200 |
| commit | 6c722d1125ee285d72fb4d7444b8cefc6db33a0b (patch) | |
| tree | 567d965088fd58be42f0ffd6b88a99a689a8b45f /src/providers/krb5 | |
| parent | 383fa7e69136ce27031d7d0b9b9b8e5b0392bfee (diff) | |
| download | sssd-6c722d1125ee285d72fb4d7444b8cefc6db33a0b.tar.gz sssd-6c722d1125ee285d72fb4d7444b8cefc6db33a0b.tar.xz sssd-6c722d1125ee285d72fb4d7444b8cefc6db33a0b.zip | |
KRB5 child: handle more error codes gracefully
This patch changes handling of krb5 child error codes so that it's on
par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
Diffstat (limited to 'src/providers/krb5')
| -rw-r--r-- | src/providers/krb5/krb5_child.c | 57 |
1 files changed, 26 insertions, 31 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index 9665f45ba..6987d2b9e 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -923,40 +923,45 @@ done: } -static int kerr_to_status(krb5_error_code kerr) +static int kerr_handle_error(krb5_error_code kerr) { - int pam_status = PAM_SYSTEM_ERR; - - if (kerr == 0) { - return PAM_SUCCESS; - } + int pam_status; KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); switch (kerr) { case KRB5_LIBOS_CANTREADPWD: - pam_status = PAM_CRED_UNAVAIL; - break; + pam_status = PAM_CRED_UNAVAIL; + break; case KRB5_KDC_UNREACH: - pam_status = PAM_AUTHINFO_UNAVAIL; - break; + pam_status = PAM_AUTHINFO_UNAVAIL; + break; case KRB5KDC_ERR_KEY_EXP: - pam_status = PAM_NEW_AUTHTOK_REQD; - break; + pam_status = PAM_NEW_AUTHTOK_REQD; + break; case KRB5KRB_AP_ERR_BAD_INTEGRITY: - pam_status = PAM_AUTH_ERR; - break; + pam_status = PAM_AUTH_ERR; + break; case KRB5_PREAUTH_FAILED: case KRB5KDC_ERR_PREAUTH_FAILED: - pam_status = PAM_CRED_ERR; - break; + pam_status = PAM_CRED_ERR; + break; default: - pam_status = PAM_SYSTEM_ERR; - break; + pam_status = PAM_SYSTEM_ERR; + break; } return pam_status; } +static int kerr_to_status(krb5_error_code kerr) +{ + if (kerr == 0) { + return PAM_SUCCESS; + } + + return kerr_handle_error(kerr); +} + static errno_t changepw_child(int fd, struct krb5_req *kr) { int ret; @@ -1015,8 +1020,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) changepw_princ, kr->options); if (kerr != 0) { - KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); - pam_status = kerr_to_status(kerr); + pam_status = kerr_handle_error(kerr); goto sendresponse; } @@ -1104,12 +1108,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr) talloc_zfree(newpass_str); memset(kr->pd->newauthtok, 0, kr->pd->newauthtok_size); - if (kerr != 0) { - KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); - if (kerr == KRB5_KDC_UNREACH) { - pam_status = PAM_AUTHINFO_UNAVAIL; - } - } + pam_status = kerr_to_status(kerr); sendresponse: ret = sendresponse(fd, kerr, pam_status, kr); @@ -1264,11 +1263,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr) kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL); if (kerr != 0) { - KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr); - if (kerr == KRB5_KDC_UNREACH) { - status = PAM_AUTHINFO_UNAVAIL; - DEBUG(SSSDBG_TRACE_ALL, ("kdc unreachable for renewed creds.\n")); - } + status = kerr_handle_error(kerr); goto done; } |