authorJakub Hrozek <jhrozek@redhat.com>2014-03-18 16:48:11 +0100
committerSumit Bose <sbose@redhat.com>2014-03-26 09:56:23 +0100
commit3983d81f461a4f17736a516eb595f54df4bf4336 (patch)
treedda3d53fe7d5826878e3e07246cea191c4fa0a8d /src/sss_client/sss_cli.h
parent6bbff437dcea7e56d71cf119d1391be7264dfaf0 (diff)
KRB5: Do not attempt to get a TGT after a password change using OTP
https://fedorahosted.org/sssd/ticket/2271 The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished. Instead, we only print a PAM informational message instructing the user to log out and back in manually. Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'src/sss_client/sss_cli.h')
-rw-r--r--src/sss_client/sss_cli.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/sss_client/sss_cli.h b/src/sss_client/sss_cli.h
index 285a2979a..16a08e186 100644
--- a/src/sss_client/sss_cli.h
+++ b/src/sss_client/sss_cli.h
@@ -451,6 +451,9 @@ enum user_info_type {
* possible to change the password while
* the system is offline. This message
* is generated by the PAM responder. */
+ SSS_PAM_USER_INFO_OTP_CHPASS, /**< Tell the user that he needs to kinit
+ * or login and logout to get a TGT after
+ * an OTP password change */
SSS_PAM_USER_INFO_CHPASS_ERROR, /**< Tell the user that a password change
* failed and optionally give a reason.
* @param Size of the message as unsigned
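Review bot: Inserting `SSS_PAM_USER_INFO_OTP_CHPASS` ahead of `SSS_PAM_USER_INFO_CHPASS_ERROR` changes the numeric value of `SSS_PAM_USER_INFO_CHPASS_ERROR` and of every enumerator after it, since none of the enumerators visible in this hunk carries an explicit value. The neighbouring comment says these messages are generated by the PAM responder, so the values presumably travel between the responder and the PAM client; a client and a daemon built from different versions of this header would then display the wrong message or read the `CHPASS_ERROR` payload, which carries a size parameter, under the wrong type. Appending the new enumerator at the end of `enum user_info_type`, or giving it an explicit value, avoids the renumbering. The enum starts and ends outside this hunk, so whether values are pinned elsewhere or a protocol version is bumped alongside this change cannot be confirmed from here. The comment could also read `/**< Tell the user to kinit or log out and back in to get a TGT after an OTP password change */`, which matches the wording of the commit description.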