author | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-19 12:51:50 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-20 10:11:47 +0200 |
commit | 6c722d1125ee285d72fb4d7444b8cefc6db33a0b (patch) | |
tree | 567d965088fd58be42f0ffd6b88a99a689a8b45f | |
parent | 383fa7e69136ce27031d7d0b9b9b8e5b0392bfee (diff) | |
KRB5 child: handle more error codes gracefully
This patch changes handling of krb5 child error codes so that it's on
par with the 1.8 branch after Joschi Brauchle reviewed the 1.8 backport.
-rw-r--r-- | src/providers/krb5/krb5_child.c | 57 |
1 files changed, 26 insertions, 31 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 9665f45b..6987d2b9 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -923,40 +923,45 @@ done:
 }
-static int kerr_to_status(krb5_error_code kerr)
+static int kerr_handle_error(krb5_error_code kerr)
 {
- int pam_status = PAM_SYSTEM_ERR;
-
- if (kerr == 0) {
- return PAM_SUCCESS;
- }
+ int pam_status;
 KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
 switch (kerr) {
 case KRB5_LIBOS_CANTREADPWD:
- pam_status = PAM_CRED_UNAVAIL;
- break;
+ pam_status = PAM_CRED_UNAVAIL;
+ break;
 case KRB5_KDC_UNREACH:
- pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
+ pam_status = PAM_AUTHINFO_UNAVAIL;
+ break;
 case KRB5KDC_ERR_KEY_EXP:
- pam_status = PAM_NEW_AUTHTOK_REQD;
- break;
+ pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
- pam_status = PAM_AUTH_ERR;
- break;
+ pam_status = PAM_AUTH_ERR;
+ break;
 case KRB5_PREAUTH_FAILED:
 case KRB5KDC_ERR_PREAUTH_FAILED:
- pam_status = PAM_CRED_ERR;
- break;
+ pam_status = PAM_CRED_ERR;
+ break;
 default:
- pam_status = PAM_SYSTEM_ERR;
- break;
+ pam_status = PAM_SYSTEM_ERR;
+ break;
 }
 return pam_status;
 }
+static int kerr_to_status(krb5_error_code kerr)
+{
+ if (kerr == 0) {
+ return PAM_SUCCESS;
+ }
+
+ return kerr_handle_error(kerr);
+}
+
 static errno_t changepw_child(int fd, struct krb5_req *kr)
 {
 int ret;
@@ -1015,8 +1020,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 changepw_princ, kr->options);
 if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- pam_status = kerr_to_status(kerr);
+ pam_status = kerr_handle_error(kerr);
 goto sendresponse;
 }
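Review bot: `kerr_handle_error()` carries an unstated precondition that `kerr` is non-zero: it logs at `SSSDBG_CRIT_FAILURE` before the `switch`, and a zero code would fall through to the `default:` arm and come back as `PAM_SYSTEM_ERR`. Only the `kerr_to_status()` wrapper guards that case, so a later caller that picks the wrong helper would log and report a failure for a successful call. I would state the contract above the function, for example `/* Map a non-zero krb5 error to a PAM status and log it; use kerr_to_status() when kerr may be 0. */`. Separately, the `default:` arm still reports every unlisted code as `PAM_SYSTEM_ERR`, so the PAM stack presumably cannot tell an unmapped KDC answer from an internal fault; worth confirming that this is intended now that more call sites go through the mapping.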
@@ -1104,12 +1108,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 talloc_zfree(newpass_str);
 memset(kr->pd->newauthtok, 0, kr->pd->newauthtok_size);
- if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- pam_status = PAM_AUTHINFO_UNAVAIL;
- }
- }
+ pam_status = kerr_to_status(kerr);
 sendresponse:
 ret = sendresponse(fd, kerr, pam_status, kr);
@@ -1264,11 +1263,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
 kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL);
 if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- status = PAM_AUTHINFO_UNAVAIL;
- DEBUG(SSSDBG_TRACE_ALL, ("kdc unreachable for renewed creds.\n"));
- }
+ status = kerr_handle_error(kerr);
 goto done;
 } |
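Review bot: In `changepw_child()`, just before the `sendresponse:` label, `pam_status = kerr_to_status(kerr);` now overwrites `pam_status` on every path that reaches it, where the removed code changed it only for `KRB5_KDC_UNREACH`. That is the right direction for error codes, but it assumes `kerr` is the only result still outstanding at this point. The earlier part of the function is outside the hunk, so I cannot see whether any path arrives here with `kerr == 0` and a non-success `pam_status` already set; such a path would now be reported as `PAM_SUCCESS`. A short comment stating the invariant would make that checkable, e.g. `/* kerr is the only outstanding result here; earlier failures jump straight to sendresponse */`.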
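Review bot: In `renew_tgt_child()` the new `status = kerr_handle_error(kerr);` widens what a failed renewal can report: the removed branch only ever set `PAM_AUTHINFO_UNAVAIL`, while the shared mapping can also return `PAM_NEW_AUTHTOK_REQD`, `PAM_CRED_ERR` or `PAM_AUTH_ERR`. How the consumer of the renewal response treats those values is not visible here (it was presumably written against the narrower set), so that handling should be checked and the expected statuses noted in a comment at this call. The change also drops the `kdc unreachable for renewed creds.` trace message; if that line was what distinguished renewal outages from login outages in the logs, a one-line `DEBUG` after the call would keep it.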