From fd5ff711b6fa4b1146776ba6f915a20e64786c53 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 6 May 2007 20:33:33 +0000 Subject: r22712: Inform the user when logging in via pam_winbind and the krb5 tkt cache could not be created due to clock skew. (This used to be commit 24616f7d6be40b090dc74851b1ea7d09d6976811) --- source3/nsswitch/pam_winbind.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'source3/nsswitch/pam_winbind.c') diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index ec6361e52b..6734cba0c4 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -927,6 +927,30 @@ static void _pam_warn_logon_type(pam_handle_t *pamh, int ctrl, const char *usern } } +/** + * Send PAM_ERROR_MSG for krb5 errors. + * + * @param pamh PAM handle + * @param ctrl PAM winbind options. + * @param username User in PAM request. + * @param info3_user_flgs Info3 flags containing logon type bits. + * + * @return void. + */ + +static void _pam_warn_krb5_failure(pam_handle_t *pamh, int ctrl, const char *username, uint32 info3_user_flgs) +{ + if (PAM_WB_KRB5_CLOCK_SKEW(info3_user_flgs)) { + _make_remark(pamh, ctrl, PAM_ERROR_MSG, + "Failed to establish your Kerberos Ticket cache " + "due time differences\n" + "with the domain controller. " + "Please verify the system time.\n"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, + "User %s: Clock skew when getting Krb5 TGT\n", username); + } +} + /** * Compose Password Restriction String for a PAM_ERROR_MSG conversation. * @@ -1125,6 +1149,9 @@ static int winbind_auth_request(pam_handle_t * pamh, /* inform about logon type */ _pam_warn_logon_type(pamh, ctrl, user, response.data.auth.info3.user_flgs); + /* inform about krb5 failures */ + _pam_warn_krb5_failure(pamh, ctrl, user, response.data.auth.info3.user_flgs); + /* set some info3 info for other modules in the stack */ _pam_set_data_info3(pamh, ctrl, &response); -- cgit