From 58e75994a4c03057072c0ed54cefe0965a6a4057 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 4 Jan 2012 10:11:37 -0500
Subject: Do not call krb5_child when changing passwords and provider went
 offline

https://fedorahosted.org/sssd/ticket/1131
---
 src/providers/krb5/krb5_auth.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/providers/krb5/krb5_auth.c')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 66cee473..14a7c547 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -542,9 +542,19 @@ static void krb5_resolve_kdc_done(struct tevent_req *subreq)
         /* all servers have been tried and none
          * was found good, setting offline,
          * but we still have to call the child to setup
-         * the ccache file. */
+         * the ccache file if we are performing auth */
         be_mark_offline(state->be_ctx);
         kr->is_offline = true;
+
+        if (kr->pd->cmd == SSS_PAM_CHAUTHTOK ||
+            kr->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM) {
+            DEBUG(SSSDBG_TRACE_FUNC,
+                  ("No KDC suitable for password change is available\n"));
+            state->pam_status = PAM_AUTHTOK_LOCK_BUSY;
+            state->dp_err = DP_ERR_OK;
+            tevent_req_done(req);
+            return;
+        }
     } else {
         if (kr->krb5_ctx->kpasswd_service != NULL) {
             subreq = be_resolve_server_send(state, state->ev, state->be_ctx,
-- 
cgit