From 22a21e910fd216ec1468fe769dcc29f1621a52a4 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <okos@redhat.com>
Date: Thu, 13 Jun 2013 15:28:23 +0200
Subject: [PATCH 08/12] KRB: Handle preauthentication error correctly
https://fedorahosted.org/sssd/ticket/1873
A Kerberos preauthentication error was later mishandled as an authentication error.
---
src/providers/krb5/krb5_auth.c | 6 ++++++
src/providers/krb5/krb5_child.c | 4 +++-
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
4 files changed, 11 insertions(+), 1 deletion(-)
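diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f65e5993d54a5a265e4217e7f23d9549915c6b32..f6acfb4891cf5e99878ccfa7994ffeddf5447e2c 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1026,6 +1026,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
 ret = EOK;
 goto done;
 
+ case ERR_CREDS_INVALID:
+ state->pam_status = PAM_CRED_ERR;
+ state->dp_err = DP_ERR_OK;
+ ret = EOK;
+ goto done;
+
 case ERR_NO_CREDS:
 state->pam_status = PAM_CRED_UNAVAIL;
 state->dp_err = DP_ERR_OK;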
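Review bot: The new `case ERR_CREDS_INVALID:` branch reports `PAM_CRED_ERR`, and per the krb5_child.c section of this patch that code is now what `KRB5_PREAUTH_FAILED` and `KRB5KDC_ERR_PREAUTH_FAILED` map to, so a rejected preauthentication (which a mistyped password can produce) no longer surfaces under whatever status `ERR_AUTH_FAILED` yields. If anything downstream keys on the authentication-failure status (failed-attempt counting, lockout modules in the PAM stack, log-based alerting), those attempts may stop being counted, which is worth confirming before merge. At minimum the branch deserves a comment such as `/* preauth failure: report as credential error, not auth failure (ticket 1873) */`. The switch and the rest of krb5_auth_done lie outside the hunk, so the handling after `done:` cannot be checked from here.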
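diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 8f746a8db561928349ffed8b7434db2a113a1f86..74d730aaa2e84af111982a450dafd524d411f472 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -1172,9 +1172,11 @@ static errno_t map_krb5_error(krb5_error_code kerr)
 return ERR_CREDS_EXPIRED;
 
 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ return ERR_AUTH_FAILED;
+
 case KRB5_PREAUTH_FAILED:
 case KRB5KDC_ERR_PREAUTH_FAILED:
- return ERR_AUTH_FAILED;
+ return ERR_CREDS_INVALID;
 
 default:
 return ERR_INTERNAL;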
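Review bot: The split between `KRB5KRB_AP_ERR_BAD_INTEGRITY` (still `ERR_AUTH_FAILED`) and the two preauth codes (now `ERR_CREDS_INVALID`) carries no comment, so a later reader cannot tell why errors that can all follow from a wrong password end up as different results. Because the caller turns these into different PAM statuses, the distinction is visible to whatever consumes the result, and it should be a documented decision rather than an implicit one. A comment above the preauth cases such as `/* KDC rejected preauth: reported separately so the caller can return a credential error */` would record the intent. map_krb5_error starts outside the hunk, so the other mappings cannot be checked for consistency from here.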
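diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index b617f540691a245d1132469a1f019bcb0eb6e775..22a3045a6f9656d9ab8fe66673301a508e444771 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -31,6 +31,7 @@ struct err_string error_to_str[] = {
 { "Invalid credential type" }, /* ERR_INVALID_CRED_TYPE */
 { "No credentials available" }, /* ERR_NO_CREDS */
 { "Credentials are expired" }, /* ERR_CREDS_EXPIRED */
+ { "Failure setting user credentials"}, /* ERR_CREDS_INVALID */
 { "No cached credentials available" }, /* ERR_NO_CACHED_CREDS */
 { "Cached credentials are expired" }, /* ERR_CACHED_CREDS_EXPIRED */
 { "Authentication Denied" }, /* ERR_AUTH_DENIED */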
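Review bot: The text added for ERR_CREDS_INVALID, `"Failure setting user credentials"`, describes a different condition from the one the commit message gives (a Kerberos preauthentication failure), so wherever this string is logged it will point someone triaging a login problem at credential storage rather than at a rejected preauth. Something like `{ "Invalid credentials" }, /* ERR_CREDS_INVALID */` matches the enumerator name and also restores the space before `}` that the neighbouring rows have. The array starts and ends outside the hunk.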
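diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index a602a6ea92f72a51f5e21342940b2072bbe9296d..65d37aedb544bb303d7540fc59e1a802aee11898 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -53,6 +53,7 @@ enum sssd_errors {
 ERR_INVALID_CRED_TYPE,
 ERR_NO_CREDS,
 ERR_CREDS_EXPIRED,
+ ERR_CREDS_INVALID,
 ERR_NO_CACHED_CREDS,
 ERR_CACHED_CREDS_EXPIRED,
 ERR_AUTH_DENIED,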
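Review bot: `ERR_CREDS_INVALID` is inserted in the middle of `enum sssd_errors`, which renumbers `ERR_NO_CACHED_CREDS` and every later value, and its position has to match the row added to `error_to_str` in util_errors.c; nothing visible in either hunk enforces that pairing. The two insertions do agree here (both follow ERR_CREDS_EXPIRED), but a comment on the enum such as `/* order must match error_to_str[] in util_errors.c */`, or a compile-time size check, would catch a future mismatch that would otherwise print the wrong message for an error. If numeric values are ever exchanged between separately built components or recorded in logs, the renumbering matters as well; that cannot be judged from the hunk. The enum's start and end lie outside the hunk.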
--
1.8.2.1