author | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-08 18:25:20 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-10-17 13:40:54 +0200 |
commit | e30fbb81f5406ed8556df06288e97a39b54c843c (patch) | |
tree | eceeda7918a7347e477bf3a0f77022ee107a486a /src/providers | |
parent | 3f422ba0a6c9e2606848256044a9d775e0236201 (diff) | |
KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user
If an expired AD user logs in, the SSSD receives
KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled
by the SSSD which resulted in System Error being returned to the PAM
stack.
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 6 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 3 |
2 files changed, 9 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a4183dcac..b4c205789 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1006,6 +1006,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
 ret = EOK;
 goto done;
 
+ case ERR_ACCOUNT_EXPIRED:
+ state->pam_status = PAM_ACCT_EXPIRED;
+ state->dp_err = DP_ERR_OK;
+ ret = EOK;
+ goto done;
+
 case ERR_NO_CREDS:
 state->pam_status = PAM_CRED_UNAVAIL;
 state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 16ab4dbbb..20fb76318 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -991,6 +991,9 @@ static errno_t map_krb5_error(krb5_error_code kerr)
 case KRB5_REALM_CANT_RESOLVE:
 return ERR_NETWORK_IO;
 
+ case KRB5KDC_ERR_CLIENT_REVOKED:
+ return ERR_ACCOUNT_EXPIRED;
+
 case KRB5KDC_ERR_KEY_EXP:
 return ERR_CREDS_EXPIRED;
 
|
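Review bot: The new `case ERR_ACCOUNT_EXPIRED:` arm in krb5_auth_done reports an account state from the authentication path with no comment on whether the password was ever checked. A KDC can refuse a revoked client before validating any credentials, so PAM_ACCT_EXPIRED here probably does not imply the supplied password was correct, and anyone who can attempt a login for that name learns the account's state. I would add a comment above the arm such as `/* KDC refused the client; the password may not have been verified */` so later code does not treat this status as a successful authentication followed by an account check. The switch and the rest of krb5_auth_done lie outside the hunk, so how `done` uses pam_status is not visible here.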
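Review bot: Mapping `KRB5KDC_ERR_CLIENT_REVOKED` straight to `ERR_ACCOUNT_EXPIRED` in map_krb5_error is lossy, because the Kerberos error only says the client's credentials were revoked. The commit message covers the expired AD user case, but KDCs are known to return the same code for locked-out or disabled principals, and those users would then be told their account has expired. At minimum the arm should carry a comment stating the assumption, for example `/* AD sends CLIENT_REVOKED for expired accounts; it may also mean locked or disabled */`. If a separate locked/disabled error code exists in the project it may be worth distinguishing the cases later; only part of the switch is visible in this hunk.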