KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD userHEADmaster

If an expired AD user logs in, the SSSD receives
KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled
by the SSSD which resulted in System Error being returned to the PAM
stack.

2 files changed, 9 insertions, 0 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index a4183dca..b4c20578 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1006,6 +1006,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
         ret = EOK;
         goto done;
 
+    case ERR_ACCOUNT_EXPIRED:
+        state->pam_status = PAM_ACCT_EXPIRED;
+        state->dp_err = DP_ERR_OK;
+        ret = EOK;
+        goto done;
+
     case ERR_NO_CREDS:
         state->pam_status = PAM_CRED_UNAVAIL;
         state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 24a1fe1b..42cfbbfe 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -991,6 +991,9 @@ static errno_t map_krb5_error(krb5_error_code kerr)
     case KRB5_REALM_CANT_RESOLVE:
         return ERR_NETWORK_IO;
 
+    case KRB5KDC_ERR_CLIENT_REVOKED:
+        return ERR_ACCOUNT_EXPIRED;
+
     case KRB5KDC_ERR_KEY_EXP:
         return ERR_CREDS_EXPIRED;