From fa0f0f255039d4f905d4c2b1e113347014c32eee Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 7 Nov 2012 18:28:29 +0100
Subject: Do not always return PAM_SYSTEM_ERR when offline krb5 authentication
 fails

---
 src/providers/krb5/krb5_auth.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'src/providers')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f2e00fac1..a4bd631cb 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -34,6 +34,7 @@
 
 #include "util/util.h"
 #include "util/find_uid.h"
+#include "util/auth_utils.h"
 #include "db/sysdb.h"
 #include "util/child_common.h"
 #include "providers/krb5/krb5_auth.h"
@@ -1127,7 +1128,7 @@ static void krb5_pam_handler_cache_auth_step(struct tevent_req *req)
                            NULL);
     if (ret != EOK) {
         DEBUG(1, ("Offline authentication failed\n"));
-        state->pam_status = PAM_SYSTEM_ERR;
+        state->pam_status = cached_login_pam_status(ret);
         state->dp_err = DP_ERR_OK;
     } else {
         ret = add_user_to_delayed_online_authentication(krb5_ctx, pd,
-- 
cgit