authorJakub Hrozek <jhrozek@redhat.com>2012-11-07 18:28:29 +0100
committerJakub Hrozek <jhrozek@redhat.com>2012-11-12 11:09:26 +0100
commit6c7584a32899bf573f62cf8c3fb37410a8ec05bb (patch)
tree04a08d87f1113a292a326fc3a4ce73929c4bc609 /src/responder/pam
parent891370856f6c797f959dab06b194e34102185d53 (diff)
Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
Diffstat (limited to 'src/responder/pam')
-rw-r--r--src/responder/pam/pamsrv_cmd.c29
1 files changed, 12 insertions, 17 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb0d8db3..1702a0e9 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -23,6 +23,7 @@
#include <time.h>
#include "util/util.h"
#include "util/sss_selinux.h"
+#include "util/auth_utils.h"
#include "db/sysdb.h"
#include "confdb/confdb.h"
#include "responder/common/responder_packet.h"
@@ -716,8 +717,8 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
}
static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until);
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until);
static void pam_reply(struct pam_auth_req *preq)
{
@@ -768,7 +769,7 @@ static void pam_reply(struct pam_auth_req *preq)
pctx->rctx->cdb, false,
&exp_date, &delay_until);
- pam_cache_auth_done(preq, ret, exp_date, delay_until);
+ pam_handle_cached_login(preq, ret, exp_date, delay_until);
return;
}
break;
@@ -913,18 +914,18 @@ done:
sss_cmd_done(cctx, preq);
}
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until)
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until)
{
uint32_t resp_type;
size_t resp_len;
uint8_t *resp;
int64_t dummy;
- switch (ret) {
- case EOK:
- preq->pd->pam_status = PAM_SUCCESS;
+ preq->pd->pam_status = cached_login_pam_status(ret);
+ switch (preq->pd->pam_status) {
+ case PAM_SUCCESS:
resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
resp_len = sizeof(uint32_t) + sizeof(int64_t);
resp = talloc_size(preq->pd, resp_len);
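Review bot: The fail-closed fallback for unexpected error codes is no longer visible in this function: `preq->pd->pam_status = cached_login_pam_status(ret);` delegates the whole error-to-PAM mapping to a helper that is outside this path-limited diff, while a later hunk removes the `default:` assignment of PAM_SYSTEM_ERR. It is worth confirming that the helper returns a failure status for every unrecognised value and PAM_SUCCESS only for EOK, and stating that at the call site, e.g. `/* cached_login_pam_status() must never return PAM_SUCCESS for ret != EOK */`. The `case PAM_PERM_DENIED:` branch in the next hunk has the same dependency, because it now sends the delayed-auth message for whatever the helper maps to that status, where the old code did so for EACCES only. The function body continues past the end of this hunk.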
@@ -941,14 +942,7 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
}
}
break;
- case ENOENT:
- preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case EINVAL:
- preq->pd->pam_status = PAM_AUTH_ERR;
- break;
- case EACCES:
- preq->pd->pam_status = PAM_PERM_DENIED;
+ case PAM_PERM_DENIED:
if (delayed_until >= 0) {
resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED;
resp_len = sizeof(uint32_t) + sizeof(int64_t);
@@ -968,7 +962,8 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
}
break;
default:
- preq->pd->pam_status = PAM_SYSTEM_ERR;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("cached login returned: %d\n", preq->pd->pam_status));
}
pam_reply(preq);
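Review bot: The new `default:` branch logs only the mapped PAM status, so the original error code in `ret` is dropped at the point where it is most useful for diagnosing a failed offline login. Consider `("cached login returned: %d (error %d)\n", preq->pd->pam_status, ret)`. SSSDBG_TRACE_LIBS is a high-verbosity level, so these failures will presumably not appear at the usual debug settings; if that is intended, a short comment noting that non-success statuses are passed to the client unchanged would make the branch easier to read.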