KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD userHEAD master

If an expired AD user logs in, the SSSD receives KRB5KDC_ERR_CLIENT_REVOKED from the KDC. This error code was not handled by the SSSD which resulted in System Error being returned to the PAM stack.
author: Jakub Hrozek <jhrozek@redhat.com> 2013-10-08 18:25:20 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2013-10-17 13:38:51 +0200
commit: 2105a6a63cb74bf009fb6e723e74f6ec075e1238 (patch)
tree: 377e16606c23fbcfbaea6c3c8535aa95fa0ae3cd /src/providers/krb5/krb5_child.c
parent: 569bbc59e4060160a986d0fea31601a7b7d998fe (diff)
download: sssd-2105a6a63cb74bf009fb6e723e74f6ec075e1238.tar.gz
sssd-2105a6a63cb74bf009fb6e723e74f6ec075e1238.tar.bz2
sssd-2105a6a63cb74bf009fb6e723e74f6ec075e1238.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 24a1fe1b..42cfbbfe 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -991,6 +991,9 @@ static errno_t map_krb5_error(krb5_error_code kerr)
     case KRB5_REALM_CANT_RESOLVE:
         return ERR_NETWORK_IO;
 
+    case KRB5KDC_ERR_CLIENT_REVOKED:
+        return ERR_ACCOUNT_EXPIRED;
+
     case KRB5KDC_ERR_KEY_EXP:
         return ERR_CREDS_EXPIRED;
author	Jakub Hrozek <jhrozek@redhat.com>	2013-10-08 18:25:20 +0200
committer	Jakub Hrozek <jhrozek@redhat.com>	2013-10-17 13:38:51 +0200
commit	2105a6a63cb74bf009fb6e723e74f6ec075e1238 (patch)
tree	377e16606c23fbcfbaea6c3c8535aa95fa0ae3cd /src/providers/krb5/krb5_child.c
parent	569bbc59e4060160a986d0fea31601a7b7d998fe (diff)
download	sssd-2105a6a63cb74bf009fb6e723e74f6ec075e1238.tar.gz sssd-2105a6a63cb74bf009fb6e723e74f6ec075e1238.tar.bz2 sssd-2105a6a63cb74bf009fb6e723e74f6ec075e1238.zip