Handle expired passwords like other PAM modules

So far we handled expired password during authentication. Other PAM
modules typically detect expired password during account management and
return PAM_NEW_AUTHTOK_REQD if the password is expired and should be
changed. The PAM library then calls the change password routines. To
meet these standards pam_sss is change accordingly.

As a result it is now possible to update an expired password via ssh if
sssd is running with PasswordAuthentication=yes. One drawback due to
limitations of PAM is that the user now has to type his current password
again before setting a new one.

2 files changed, 2 insertions, 2 deletions

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index d1cc53fd4..08df59845 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -688,7 +688,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
                     pam_status = PAM_AUTHINFO_UNAVAIL;
                     break;
             case KRB5KDC_ERR_KEY_EXP:
-                    pam_status = PAM_AUTHTOK_EXPIRED;
+                    pam_status = PAM_NEW_AUTHTOK_REQD;
                     break;
             case KRB5KDC_ERR_PREAUTH_FAILED:
                     pam_status = PAM_CRED_ERR;
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index cfe8adb97..ba1136bdd 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -983,7 +983,7 @@ static void sdap_pam_auth_done(struct tevent_req *req)
         state->pd->pam_status = PAM_ACCT_EXPIRED;
         break;
     case SDAP_AUTH_PW_EXPIRED:
-        state->pd->pam_status = PAM_AUTHTOK_EXPIRED;
+        state->pd->pam_status = PAM_NEW_AUTHTOK_REQD;
         break;
     default:
         state->pd->pam_status = PAM_SYSTEM_ERR;