From bd290f62727b8903d889705a9d129ee6c9d62bc9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 21 Apr 2010 14:42:34 +0200
Subject: Display a message if a password reset by root fails

---
 src/providers/krb5/krb5_auth.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/providers/krb5/krb5_auth.c')

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6a57fe5f..e1aaebf4 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -635,7 +635,14 @@ void krb5_pam_handler(struct be_req *be_req)
     switch (pd->cmd) {
         case SSS_PAM_AUTHENTICATE:
         case SSS_PAM_CHAUTHTOK:
+            break;
         case SSS_PAM_CHAUTHTOK_PRELIM:
+            if (pd->priv == 1 && pd->authtok_size == 0) {
+                DEBUG(4, ("Password reset by root is not supported.\n"));
+                pam_status = PAM_PERM_DENIED;
+                dp_err = DP_ERR_OK;
+                goto done;
+            }
             break;
         case SSS_PAM_ACCT_MGMT:
         case SSS_PAM_SETCRED:
-- 
cgit