KRB5: use the right authtok type for renewals

author: Sumit Bose <sbose@redhat.com> 2013-06-24 14:44:00 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-06-24 16:59:53 +0200
commit: 6bfbfefd65a7875a1fb28631d581eec11a758975 (patch)
tree: 2e5b38af3ba6845eaed321a957fde3c4a132c904 /src/providers
parent: 1190b58239b305d88f0937b5aadd8b7db47bc581 (diff)
download: sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.tar.gz
sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.tar.xz
sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.zip
1 files changed, 20 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f6acfb489..dfd22f7a3 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -493,10 +493,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
-        case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK:
             if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-                DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Wrong authtok type for user [%s]. " \
+                       "Expected [%d], got [%d]\n", pd->user,
+                          SSS_AUTHTOK_TYPE_PASSWORD,
+                          sss_authtok_get_type(pd->authtok)));
                 state->pam_status = PAM_SYSTEM_ERR;
                 state->dp_err = DP_ERR_FATAL;
                 ret = EINVAL;
@@ -506,13 +509,27 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
         case SSS_PAM_CHAUTHTOK_PRELIM:
             if (pd->priv == 1 &&
                 sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-                DEBUG(4, ("Password reset by root is not supported.\n"));
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Password reset by root is not supported.\n"));
                 state->pam_status = PAM_PERM_DENIED;
                 state->dp_err = DP_ERR_OK;
                 ret = EOK;
                 goto done;
             }
             break;
+        case SSS_CMD_RENEW:
+            if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_CCFILE) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Wrong authtok type for user [%s]. " \
+                       "Expected [%d], got [%d]\n", pd->user,
+                          SSS_AUTHTOK_TYPE_CCFILE,
+                          sss_authtok_get_type(pd->authtok)));
+                state->pam_status = PAM_SYSTEM_ERR;
+                state->dp_err = DP_ERR_FATAL;
+                ret = EINVAL;
+                goto done;
+            }
+            break;
         default:
             DEBUG(4, ("Unexpected pam task %d.\n", pd->cmd));
             state->pam_status = PAM_SYSTEM_ERR;
author	Sumit Bose <sbose@redhat.com>	2013-06-24 14:44:00 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-06-24 16:59:53 +0200
commit	6bfbfefd65a7875a1fb28631d581eec11a758975 (patch)
tree	2e5b38af3ba6845eaed321a957fde3c4a132c904 /src/providers
parent	1190b58239b305d88f0937b5aadd8b7db47bc581 (diff)
download	sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.tar.gz sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.tar.xz sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.zip