From 19e44537c28f6d5f011cd7ac885c74c1e892605f Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 13 Jan 2016 14:34:33 -0500
Subject: Krb5/PAM: Fix account lockout error handling
The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is returned by the KDC when an account lockout is in effect. When an account is expired the kdc returns KRB5KDC_ERR_NAME_EXP. Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.
Resolves: https://fedorahosted.org/sssd/ticket/2924
Reviewed-by: Jakub Hrozek
---
 src/util/util_errors.c | 1 +
 1 file changed, 1 insertion(+)
(limited to 'src/util/util_errors.c')
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index ed19346d..e7f30ab3 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -82,6 +82,7 @@ struct err_string error_to_str[] = {
 { "Address family not supported" }, /* ERR_ADDR_FAMILY_NOT_SUPPORTED */
 { "Message sender is the bus" }, /* ERR_SBUS_SENDER_BUS */
 { "Subdomain is inactive" }, /* ERR_SUBDOM_INACTIVE */
+ { "Account is locked" }, /* ERR_ACCOUNT_LOCKED */
 { "ERR_LAST" } /* ERR_LAST */
 };
-- cgit
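Review bot: The new `{ "Account is locked" }` row maps to the right code only if the matching enum constant was added at the same position, directly before `ERR_LAST`, and this view is limited to `src/util/util_errors.c`, so the header side cannot be checked here. Because `error_to_str[]` appears to be looked up by position, a mismatch would make codes report the wrong text and a lockout could read as a different failure in logs. If the build's C dialect allows it, a `_Static_assert` that the element count of `error_to_str` equals the number of codes up to `ERR_LAST` would catch that at compile time; the table starts outside the hunk. The commit message names the code `ERR_ACCOUNT_LOCKOUT` while the comment on the added line says `ERR_ACCOUNT_LOCKED`, so one of the two should be corrected to keep the ticket and the source greppable under one name. If this string is ever passed to the PAM conversation rather than only logged, it confirms to an unauthenticated caller that the account exists and is locked, so the user-facing message should stay generic.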