authorSumit Bose <sbose@redhat.com>2016-07-04 15:52:00 +0200
committerJakub Hrozek <jhrozek@redhat.com>2016-07-06 19:12:04 +0200
commit2ca45dfa0144fea08bd360dafded57bc90111e68 (patch)
tree6756031cfef255a7dfd12ab5e8c1eadfd1a926e6 /src/krb5_plugin
parent2658ad37cd04f211aa28b1d71acb27c4edfb03da (diff)
localauth: make plugin non-authoritative on failures
According to the documentation in localauth_plugin.h "aname will be considered authorized if at least one module returns 0 and all other modules return KRB5_PLUGIN_NO_HANDLE." So it is safe to always return KRB5_PLUGIN_NO_HANDLE because a different plugin has to return 0 to allow access to the given principal. Resolves https://fedorahosted.org/sssd/ticket/2788 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src/krb5_plugin')
-rw-r--r--src/krb5_plugin/sssd_krb5_localauth_plugin.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/krb5_plugin/sssd_krb5_localauth_plugin.c b/src/krb5_plugin/sssd_krb5_localauth_plugin.c
index 1e77d5227..13ab07d13 100644
--- a/src/krb5_plugin/sssd_krb5_localauth_plugin.c
+++ b/src/krb5_plugin/sssd_krb5_localauth_plugin.c
@@ -49,7 +49,8 @@ static krb5_error_code sss_userok(krb5_context context,
kerr = krb5_unparse_name(context, aname, &princ_str);
if (kerr != 0) {
- return kerr;
+ ret = kerr;
+ goto done;
}
if (strcasecmp(princ_str, lname) == 0) {
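Review bot: The new `goto done` after a failed `krb5_unparse_name()` reaches the cleanup at `done:` before `buffer` has been assigned, so `free(buffer)` and `krb5_free_unparsed_name(context, princ_str)` are safe only if both variables are declared with `= NULL` initialisers. Those declarations lie outside this hunk and cannot be confirmed from here. If either is uninitialised, this path would free an indeterminate pointer, which the old early `return kerr;` avoided. The body of `sss_userok` starts before and continues past the hunk.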
@@ -98,6 +99,10 @@ done:
krb5_free_unparsed_name(context, princ_str);
free(buffer);
+ if (ret != 0) {
+ return KRB5_PLUGIN_NO_HANDLE;
+ }
+
return ret;
}
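Review bot: Every non-zero `ret` is collapsed to `KRB5_PLUGIN_NO_HANDLE` in the block added after `free(buffer)`, so the original error code is discarded and an operational failure (such as the `krb5_unparse_name()` error routed here by the first hunk) becomes indistinguishable from "no opinion". It also means the module can no longer veto a principal: if any earlier path in `sss_userok` (not visible here) sets `ret` to express a deliberate denial, another localauth module may still authorize the mapping. I would state the intent in a comment above the check, e.g. `/* Non-authoritative: on any failure defer to other localauth modules; one of them must return 0 to authorize. */`, and record the original `ret` for diagnostics before it is replaced. The start of the function is outside the hunk.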