author | Jakub Hrozek <jhrozek@redhat.com> | 2012-11-07 18:28:29 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-11-12 11:09:26 +0100 |
commit | 6c7584a32899bf573f62cf8c3fb37410a8ec05bb (patch) | |
tree | 04a08d87f1113a292a326fc3a4ce73929c4bc609 /src/responder/pam | |
parent | 891370856f6c797f959dab06b194e34102185d53 (diff) | |
Do not always return PAM_SYSTEM_ERR when offline krb5 authentication fails
Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 29 |
1 files changed, 12 insertions, 17 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index bb0d8db3..1702a0e9 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -23,6 +23,7 @@
 #include <time.h>
 #include "util/util.h"
 #include "util/sss_selinux.h"
+#include "util/auth_utils.h"
 #include "db/sysdb.h"
 #include "confdb/confdb.h"
 #include "responder/common/responder_packet.h"
@@ -716,8 +717,8 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
 }
 static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until);
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until);
 static void pam_reply(struct pam_auth_req *preq)
 {
@@ -768,7 +769,7 @@ static void pam_reply(struct pam_auth_req *preq)
 pctx->rctx->cdb, false,
 &exp_date, &delay_until);
- pam_cache_auth_done(preq, ret, exp_date, delay_until);
+ pam_handle_cached_login(preq, ret, exp_date, delay_until);
 return;
 }
 break;
@@ -913,18 +914,18 @@ done:
 sss_cmd_done(cctx, preq);
 }
-static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
- time_t expire_date, time_t delayed_until)
+static void pam_handle_cached_login(struct pam_auth_req *preq, int ret,
+ time_t expire_date, time_t delayed_until)
 {
 uint32_t resp_type;
 size_t resp_len;
 uint8_t *resp;
 int64_t dummy;
- switch (ret) {
- case EOK:
- preq->pd->pam_status = PAM_SUCCESS;
+ preq->pd->pam_status = cached_login_pam_status(ret);
+ switch (preq->pd->pam_status) {
+ case PAM_SUCCESS:
 resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH;
 resp_len = sizeof(uint32_t) + sizeof(int64_t);
 resp = talloc_size(preq->pd, resp_len);
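Review bot: The switch on `preq->pd->pam_status` now trusts cached_login_pam_status() to fail closed, and nothing in pam_handle_cached_login documents or enforces that. The PAM_SUCCESS branch, which builds the SSS_PAM_USER_INFO_OFFLINE_AUTH response, used to be reachable only through `case EOK:`; it is now selected by a helper declared in util/auth_utils.h, which this diff does not show. I would add a comment above the call stating the contract, e.g. `/* cached_login_pam_status() maps only EOK to PAM_SUCCESS; every other errno must yield a failure status */`. The function body continues past the end of this hunk.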
@@ -941,14 +942,7 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
 }
 }
 break;
- case ENOENT:
- preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case EINVAL:
- preq->pd->pam_status = PAM_AUTH_ERR;
- break;
- case EACCES:
- preq->pd->pam_status = PAM_PERM_DENIED;
+ case PAM_PERM_DENIED:
 if (delayed_until >= 0) {
 resp_type = SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED;
 resp_len = sizeof(uint32_t) + sizeof(int64_t);
@@ -968,7 +962,8 @@ static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
 }
 break;
 default:
- preq->pd->pam_status = PAM_SYSTEM_ERR;
+ DEBUG(SSSDBG_TRACE_LIBS,
+ ("cached login returned: %d\n", preq->pd->pam_status));
 }
 pam_reply(preq); |
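Review bot: `case PAM_PERM_DENIED:` is now entered for every errno the helper maps to that status, whereas the old code reached this branch for EACCES only. The `delayed_until >= 0` test then decides whether SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED is sent, so it depends on sysdb_cache_auth() leaving delayed_until negative on every non-lockout denial; that is not visible in this diff and should be confirmed. If it cannot be guaranteed, keep the original condition explicit with `if (ret == EACCES && delayed_until >= 0) {`. The case body extends beyond this hunk.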
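Review bot: The `default:` branch logs only the already-mapped PAM status and drops the original `ret`, so the errno behind a failed offline login can no longer be recovered from the log. It also ends without a `break;`. I would log both values, `("cached login returned: %d (pam status %d)\n", ret, preq->pd->pam_status));`, and add `break;` after the DEBUG call. Because PAM_SYSTEM_ERR is no longer assigned here, the status for unrecognised errors comes solely from cached_login_pam_status().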