Display a message if a password reset by root fails

2 files changed, 15 insertions, 0 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6a57fe5f..e1aaebf4 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -635,7 +635,14 @@ void krb5_pam_handler(struct be_req *be_req)
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
         case SSS_PAM_CHAUTHTOK:
+            break;
         case SSS_PAM_CHAUTHTOK_PRELIM:
+            if (pd->priv == 1 && pd->authtok_size == 0) {
+                DEBUG(4, ("Password reset by root is not supported.\n"));
+                pam_status = PAM_PERM_DENIED;
+                dp_err = DP_ERR_OK;
+                goto done;
+            }
             break;
         case SSS_PAM_ACCT_MGMT:
         case SSS_PAM_SETCRED:
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e0935da3..95931ac9 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -636,6 +636,14 @@ void sdap_pam_chpass_handler(struct be_req *breq)
         goto done;
     }
 
+    if (pd->priv == 1 && pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM &&
+        pd->authtok_size == 0) {
+        DEBUG(4, ("Password reset by root is not supported.\n"));
+        pd->pam_status = PAM_PERM_DENIED;
+        dp_err = DP_ERR_OK;
+        goto done;
+    }
+
     DEBUG(2, ("starting password change request for user [%s].\n", pd->user));
 
     pd->pam_status = PAM_SYSTEM_ERR;