From 0e4eba0a994d286ae0832adc1731ab2dc10c5ff9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 4 Nov 2009 12:39:00 +0100 Subject: Add ipa_auth To support IPA DS to Kerberos password migration a seperate authentication target is added. It calls the Kerberos authentication target and in the case of a 'Preauthentication Error' the LDAP authentication target. On success the Kerberos target is called again to request the TGT. --- server/providers/krb5/krb5_child.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'server/providers/krb5') diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 5a1bf374e..f7809d2c6 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c @@ -582,6 +582,9 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) case KRB5KDC_ERR_KEY_EXP: pam_status = PAM_AUTHTOK_EXPIRED; break; + case KRB5KDC_ERR_PREAUTH_FAILED: + pam_status = PAM_CRED_ERR; + break; default: pam_status = PAM_SYSTEM_ERR; } -- cgit