From 6bfbfefd65a7875a1fb28631d581eec11a758975 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 24 Jun 2013 14:44:00 +0200
Subject: KRB5: use the right authtok type for renewals

---
 src/providers/krb5/krb5_auth.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

(limited to 'src/providers/krb5/krb5_auth.c')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f6acfb48..dfd22f7a 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -493,10 +493,13 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
 
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
-        case SSS_CMD_RENEW:
         case SSS_PAM_CHAUTHTOK:
             if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-                DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Wrong authtok type for user [%s]. " \
+                       "Expected [%d], got [%d]\n", pd->user,
+                          SSS_AUTHTOK_TYPE_PASSWORD,
+                          sss_authtok_get_type(pd->authtok)));
                 state->pam_status = PAM_SYSTEM_ERR;
                 state->dp_err = DP_ERR_FATAL;
                 ret = EINVAL;
@@ -506,13 +509,27 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
         case SSS_PAM_CHAUTHTOK_PRELIM:
             if (pd->priv == 1 &&
                 sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
-                DEBUG(4, ("Password reset by root is not supported.\n"));
+                DEBUG(SSSDBG_MINOR_FAILURE,
+                      ("Password reset by root is not supported.\n"));
                 state->pam_status = PAM_PERM_DENIED;
                 state->dp_err = DP_ERR_OK;
                 ret = EOK;
                 goto done;
             }
             break;
+        case SSS_CMD_RENEW:
+            if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_CCFILE) {
+                DEBUG(SSSDBG_CRIT_FAILURE,
+                      ("Wrong authtok type for user [%s]. " \
+                       "Expected [%d], got [%d]\n", pd->user,
+                          SSS_AUTHTOK_TYPE_CCFILE,
+                          sss_authtok_get_type(pd->authtok)));
+                state->pam_status = PAM_SYSTEM_ERR;
+                state->dp_err = DP_ERR_FATAL;
+                ret = EINVAL;
+                goto done;
+            }
+            break;
         default:
             DEBUG(4, ("Unexpected pam task %d.\n", pd->cmd));
             state->pam_status = PAM_SYSTEM_ERR;
-- 
cgit