diff options
Diffstat (limited to 'src/providers/krb5/krb5_child.c')
-rw-r--r-- | src/providers/krb5/krb5_child.c | 17 |
1 files changed, 15 insertions, 2 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c index b973c134..335da423 100644 --- a/src/providers/krb5/krb5_child.c +++ b/src/providers/krb5/krb5_child.c @@ -1046,12 +1046,14 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr) if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_CCFILE) { DEBUG(1, ("Unsupported authtok type for TGT renewal [%d].\n", kr->pd->authtok_type)); + kerr = EINVAL; goto done; } ccname = talloc_strndup(kr, (char *) kr->pd->authtok, kr->pd->authtok_size); if (ccname == NULL) { DEBUG(1, ("talloc_strndup failed.\n")); + kerr = ENOMEM; goto done; } @@ -1064,6 +1066,9 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr) kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL); if (kerr != 0) { KRB5_DEBUG(1, kerr); + if (kerr == KRB5_KDC_UNREACH) { + status = PAM_AUTHINFO_UNAVAIL; + } goto done; } @@ -1085,6 +1090,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr) ret = become_user(kr->uid, kr->gid); if (ret != EOK) { DEBUG(1, ("become_user failed.\n")); + kerr = ret; goto done; } } @@ -1107,6 +1113,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr) } status = PAM_SUCCESS; + kerr = 0; done: krb5_free_cred_contents(kr->ctx, kr->creds); @@ -1115,7 +1122,7 @@ done: krb5_cc_close(kr->ctx, ccache); } - ret = sendresponse(fd, 0, status, kr); + ret = sendresponse(fd, kerr, status, kr); if (ret != EOK) { DEBUG(1, ("sendresponse failed.\n")); } @@ -1424,7 +1431,13 @@ static int krb5_child_setup(struct krb5_req *kr, uint32_t offline) kr->child_req = kuserok_child; break; case SSS_CMD_RENEW: - kr->child_req = renew_tgt_child; + if (!offline) { + kr->child_req = renew_tgt_child; + } else { + DEBUG(1, ("Cannot renew TGT while offline.\n")); + kerr = KRB5_KDC_UNREACH; + goto failed; + } break; default: DEBUG(1, ("PAM command [%d] not supported.\n", kr->pd->cmd)); |