4 files changed, 11 insertions, 0 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 7657b4de..f69245ef 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1006,6 +1006,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
         ret = EOK;
         goto done;
 
+    case ERR_ACCOUNT_LOCKED:
+        state->pam_status = PAM_PERM_DENIED;
+        state->dp_err = DP_ERR_OK;
+        ret = EOK;
+        goto done;
+
     case ERR_NO_CREDS:
         state->pam_status = PAM_CRED_UNAVAIL;
         state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index c8b8a005..12eb9e20 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1316,6 +1316,9 @@ static errno_t map_krb5_error(krb5_error_code kerr)
         return ERR_NETWORK_IO;
 
     case KRB5KDC_ERR_CLIENT_REVOKED:
+        return ERR_ACCOUNT_LOCKED;
+
+    case KRB5KDC_ERR_NAME_EXP:
         return ERR_ACCOUNT_EXPIRED;
 
     case KRB5KDC_ERR_KEY_EXP:
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index ed19346d..e7f30ab3 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -82,6 +82,7 @@ struct err_string error_to_str[] = {
     { "Address family not supported" }, /* ERR_ADDR_FAMILY_NOT_SUPPORTED */
     { "Message sender is the bus" }, /* ERR_SBUS_SENDER_BUS */
     { "Subdomain is inactive" }, /* ERR_SUBDOM_INACTIVE */
+    { "Account is locked" }, /* ERR_ACCOUNT_LOCKED */
     { "ERR_LAST" } /* ERR_LAST */
 };
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index c1d08191..a1c822c4 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -104,6 +104,7 @@ enum sssd_errors {
     ERR_ADDR_FAMILY_NOT_SUPPORTED,
     ERR_SBUS_SENDER_BUS,
     ERR_SUBDOM_INACTIVE,
+    ERR_ACCOUNT_LOCKED,
     ERR_LAST            /* ALWAYS LAST */
 };