KRB: Handle preauthentication error correctly

https://fedorahosted.org/sssd/ticket/1873

KRB preauthentication error was later mishandled like authentication error.

2 files changed, 9 insertions, 1 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f65e5993..f6acfb48 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1026,6 +1026,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
         ret = EOK;
         goto done;
 
+    case ERR_CREDS_INVALID:
+        state->pam_status = PAM_CRED_ERR;
+        state->dp_err = DP_ERR_OK;
+        ret = EOK;
+        goto done;
+
     case ERR_NO_CREDS:
         state->pam_status = PAM_CRED_UNAVAIL;
         state->dp_err = DP_ERR_OK;
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8f746a8d..74d730aa 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1172,9 +1172,11 @@ static errno_t map_krb5_error(krb5_error_code kerr)
         return ERR_CREDS_EXPIRED;
 
     case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+        return ERR_AUTH_FAILED;
+
     case KRB5_PREAUTH_FAILED:
     case KRB5KDC_ERR_PREAUTH_FAILED:
-        return ERR_AUTH_FAILED;
+        return ERR_CREDS_INVALID;
 
     default:
         return ERR_INTERNAL;