From e30fbb81f5406ed8556df06288e97a39b54c843c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 8 Oct 2013 18:25:20 +0200
Subject: KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user

If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
---
 src/providers/krb5/krb5_child.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/providers/krb5/krb5_child.c')
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 16ab4dbbb..20fb76318 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -991,6 +991,9 @@ static errno_t map_krb5_error(krb5_error_code kerr)
 case KRB5_REALM_CANT_RESOLVE:
 return ERR_NETWORK_IO;
+ case KRB5KDC_ERR_CLIENT_REVOKED:
+ return ERR_ACCOUNT_EXPIRED;
+
 case KRB5KDC_ERR_KEY_EXP:
 return ERR_CREDS_EXPIRED;
-- cgit
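Review bot: The new `case KRB5KDC_ERR_CLIENT_REVOKED:` returns `ERR_ACCOUNT_EXPIRED`, but this KDC code is not specific to expiry: Active Directory also returns it for disabled and locked-out accounts, and MIT KDCs use it for locked principals, so those logins will be reported to PAM as an expired account as well. That matters for operators, because lockouts caused by password guessing would appear in authentication logs as expirations. I would at least document the ambiguity at the case, e.g. `/* CLIENT_REVOKED also covers disabled/locked-out accounts; all are reported as expired */`. It is also worth confirming whether the KDC sends this error before the password is verified, since in that case the distinct PAM result tells an unauthenticated caller the account's state. The switch in `map_krb5_error` starts and ends outside the hunk, so any logging of the raw `kerr` before mapping is not visible here.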