author | Sumit Bose <sbose@redhat.com> | 2013-06-24 14:44:00 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-06-24 16:59:53 +0200 |
commit | 6bfbfefd65a7875a1fb28631d581eec11a758975 (patch) | |
tree | 2e5b38af3ba6845eaed321a957fde3c4a132c904 /src/providers | |
parent | 1190b58239b305d88f0937b5aadd8b7db47bc581 (diff) | |
KRB5: use the right authtok type for renewals
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f6acfb48..dfd22f7a 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -493,10 +493,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,

 switch (pd->cmd) {
 case SSS_PAM_AUTHENTICATE:
- case SSS_CMD_RENEW:
 case SSS_PAM_CHAUTHTOK:
 if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
- DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Wrong authtok type for user [%s]. " \
+ "Expected [%d], got [%d]\n", pd->user,
+ SSS_AUTHTOK_TYPE_PASSWORD,
+ sss_authtok_get_type(pd->authtok)));
 state->pam_status = PAM_SYSTEM_ERR;
 state->dp_err = DP_ERR_FATAL;
 ret = EINVAL;
@@ -506,13 +509,27 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 case SSS_PAM_CHAUTHTOK_PRELIM:
 if (pd->priv == 1 &&
 sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
- DEBUG(4, ("Password reset by root is not supported.\n"));
+ DEBUG(SSSDBG_MINOR_FAILURE,
+ ("Password reset by root is not supported.\n"));
 state->pam_status = PAM_PERM_DENIED;
 state->dp_err = DP_ERR_OK;
 ret = EOK;
 goto done;
 }
 break;
+ case SSS_CMD_RENEW:
+ if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_CCFILE) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ ("Wrong authtok type for user [%s]. " \
+ "Expected [%d], got [%d]\n", pd->user,
+ SSS_AUTHTOK_TYPE_CCFILE,
+ sss_authtok_get_type(pd->authtok)));
+ state->pam_status = PAM_SYSTEM_ERR;
+ state->dp_err = DP_ERR_FATAL;
+ ret = EINVAL;
+ goto done;
+ }
+ break;
 default:
 DEBUG(4, ("Unexpected pam task %d.\n", pd->cmd));
 state->pam_status = PAM_SYSTEM_ERR; |
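Review bot: The `\` after the first string literal in the new `DEBUG` call of the `SSS_PAM_AUTHENTICATE`/`SSS_PAM_CHAUTHTOK` branch is unnecessary, since adjacent literals are concatenated without it; the same line appears in the `SSS_CMD_RENEW` branch of the next hunk. Both branches also call `sss_authtok_get_type(pd->authtok)` a second time only to log the result, and they print the expected and received types as bare integers, which a reader of the log has to map back to the enum by hand. Reading the type into a local once before the `switch`, then comparing and logging that local, would remove the repeated call and leave the two branches differing only in the expected constant. `krb5_auth_send` starts and ends outside this hunk.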
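Review bot: The new `SSS_CMD_RENEW` case verifies only that the token is of type `SSS_AUTHTOK_TYPE_CCFILE`; nothing in this hunk looks at what the token contains. If the value is a credential-cache name that can arrive with the request rather than being built inside the backend, it needs to be checked against `pd->user` before the renewal uses it, and since `krb5_auth_send` continues outside the hunk that check may well exist further down. A comment on the case saying where it happens, such as `/* ccache name is validated in <function> before use */`, would make that explicit. Separately, the `default:` branch still logs with the numeric level `DEBUG(4, ...)` while the lines touched here move to `SSSDBG_*` constants, so the `switch` now mixes both conventions.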