author | Simo Sorce <simo@redhat.com> | 2016-01-13 14:34:33 -0500 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-01-14 18:34:06 +0100 |
commit | 19e44537c28f6d5f011cd7ac885c74c1e892605f (patch) | |
tree | 84d790ce62902c56894d593bc365d6d436ab8d94 /src | |
parent | 684191e61d891b1c34f3742a40d5a2ed6a1192dd (diff) | |
Krb5/PAM: Fix account lockout error handling
The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as
ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is
returned by the KDC when an account lockout is in effect. When an account has
expired, the KDC returns KRB5KDC_ERR_NAME_EXP.
Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.
Resolves:
https://fedorahosted.org/sssd/ticket/2924
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 6 | ||||
-rw-r--r-- | src/providers/krb5/krb5_child.c | 3 | ||||
-rw-r--r-- | src/util/util_errors.c | 1 | ||||
-rw-r--r-- | src/util/util_errors.h | 1 |
4 files changed, 11 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 7657b4de..f69245ef 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1006,6 +1006,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
 ret = EOK;
 goto done;
 
+ case ERR_ACCOUNT_LOCKED:
+ state->pam_status = PAM_PERM_DENIED;
+ state->dp_err = DP_ERR_OK;
+ ret = EOK;
+ goto done;
+
 case ERR_NO_CREDS:
 state->pam_status = PAM_CRED_UNAVAIL;
 state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index c8b8a005..12eb9e20 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1316,6 +1316,9 @@ static errno_t map_krb5_error(krb5_error_code kerr)
 return ERR_NETWORK_IO;
 
 case KRB5KDC_ERR_CLIENT_REVOKED:
+ return ERR_ACCOUNT_LOCKED;
+
+ case KRB5KDC_ERR_NAME_EXP:
 return ERR_ACCOUNT_EXPIRED;
 
 case KRB5KDC_ERR_KEY_EXP:
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index ed19346d..e7f30ab3 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -82,6 +82,7 @@ struct err_string error_to_str[] = {
 { "Address family not supported" }, /* ERR_ADDR_FAMILY_NOT_SUPPORTED */
 { "Message sender is the bus" }, /* ERR_SBUS_SENDER_BUS */
 { "Subdomain is inactive" }, /* ERR_SUBDOM_INACTIVE */
+ { "Account is locked" }, /* ERR_ACCOUNT_LOCKED */
 
 { "ERR_LAST" } /* ERR_LAST */
 };
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index c1d08191..a1c822c4 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -104,6 +104,7 @@ enum sssd_errors {
 ERR_ADDR_FAMILY_NOT_SUPPORTED,
 ERR_SBUS_SENDER_BUS,
 ERR_SUBDOM_INACTIVE,
+ ERR_ACCOUNT_LOCKED,
 
 ERR_LAST /* ALWAYS LAST */
 };
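Review bot: The new `case ERR_ACCOUNT_LOCKED:` in krb5_auth_done sets PAM_PERM_DENIED and returns without any diagnostic, yet a lockout is the one outcome in this switch that usually means repeated failed logins against the principal, so the point where it is classified is where an operator would want a log line — unless the neighbouring cases, which lie outside this hunk, already log the mapped error. A short comment would also make the choice of PAM code explicit, e.g. `/* KDC reported the principal as revoked: lockout in effect, not a credential failure */`. Keeping the user-facing result at PAM_PERM_DENIED rather than something more descriptive is reasonable, since it does not confirm the lockout state to whoever is submitting passwords; that intent is worth recording in the same comment. krb5_auth_done begins before the hunk and continues after it.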
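Review bot: `case KRB5KDC_ERR_CLIENT_REVOKED:` in map_krb5_error now yields ERR_ACCOUNT_LOCKED, but as far as I recall the MIT KDC returns CLIENT_REVOKED both for a failed-attempt lockout and for a principal an administrator has disabled, so the "Account is locked" string added in util_errors.c will also be reported for disabled accounts; a comment on the case should record that the KDC does not distinguish the two: `/* CLIENT_REVOKED covers both failed-login lockout and an administratively disabled principal; the KDC does not tell them apart. */`. The commit message calls the new code ERR_ACCOUNT_LOCKOUT, while the identifier actually added in util_errors.h is ERR_ACCOUNT_LOCKED. map_krb5_error starts before the hunk and continues after it.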