summaryrefslogtreecommitdiff
path: root/src/providers
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-06-24 14:44:00 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-06-24 16:59:53 +0200
commit6bfbfefd65a7875a1fb28631d581eec11a758975 (patch)
tree2e5b38af3ba6845eaed321a957fde3c4a132c904 /src/providers
parent1190b58239b305d88f0937b5aadd8b7db47bc581 (diff)
downloadsssd-6bfbfefd65a7875a1fb28631d581eec11a758975.tar.gz
sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.tar.bz2
sssd-6bfbfefd65a7875a1fb28631d581eec11a758975.zip
KRB5: use the right authtok type for renewals
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_auth.c23
1 files changed, 20 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f6acfb48..dfd22f7a 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -493,10 +493,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
- case SSS_CMD_RENEW:
case SSS_PAM_CHAUTHTOK:
if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
- DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Wrong authtok type for user [%s]. " \
+ "Expected [%d], got [%d]\n", pd->user,
+ SSS_AUTHTOK_TYPE_PASSWORD,
+ sss_authtok_get_type(pd->authtok)));
state->pam_status = PAM_SYSTEM_ERR;
state->dp_err = DP_ERR_FATAL;
ret = EINVAL;
@@ -506,13 +509,27 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pd->priv == 1 &&
sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
- DEBUG(4, ("Password reset by root is not supported.\n"));
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Password reset by root is not supported.\n"));
state->pam_status = PAM_PERM_DENIED;
state->dp_err = DP_ERR_OK;
ret = EOK;
goto done;
}
break;
+ case SSS_CMD_RENEW:
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_CCFILE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Wrong authtok type for user [%s]. " \
+ "Expected [%d], got [%d]\n", pd->user,
+ SSS_AUTHTOK_TYPE_CCFILE,
+ sss_authtok_get_type(pd->authtok)));
+ state->pam_status = PAM_SYSTEM_ERR;
+ state->dp_err = DP_ERR_FATAL;
+ ret = EINVAL;
+ goto done;
+ }
+ break;
default:
DEBUG(4, ("Unexpected pam task %d.\n", pd->cmd));
state->pam_status = PAM_SYSTEM_ERR;