From 19e44537c28f6d5f011cd7ac885c74c1e892605f Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Wed, 13 Jan 2016 14:34:33 -0500
Subject: Krb5/PAM: Fix account lockout error handling

The krb5 provider was mapping KRB5KDC_ERR_CLIENT_REVOKED as
ERR_ACCOUNT_EXPIRED. This is incorrect as KRB5KDC_ERR_CLIENT_REVOKED is
returned by the KDC when an account lockout is in effect. When an account is
expired the kdc returns KRB5KDC_ERR_NAME_EXP.

Fix the mapping by adding a new ERR_ACCOUNT_LOCKOUT sssd_error code.

Resolves:
https://fedorahosted.org/sssd/ticket/2924

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/util/util_errors.h | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/util/util_errors.h')

diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index c1d08191..a1c822c4 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -104,6 +104,7 @@ enum sssd_errors {
     ERR_ADDR_FAMILY_NOT_SUPPORTED,
     ERR_SBUS_SENDER_BUS,
     ERR_SUBDOM_INACTIVE,
+    ERR_ACCOUNT_LOCKED,
     ERR_LAST            /* ALWAYS LAST */
 };
 
-- 
cgit