On Thu, Sep 4, 2014 at 3:08 AM, Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
I did see those messages, thanks! I had been monitoring the mailing
list archive just in case.
> Expanding on some of what Stephen wrote in his reply to me:
> John and I debugged this some today on #sssd. It turns out that the
> Samba 4 DC (and we suspect the Active Directory DC) returns the KRB5KDC_ERR_PREAUTH_FAILED
> on an incorrect password, and not KRB5KRB_AP_ERR_BAD_INTEGRITY like the MIT KDC does.
I verified this morning that real Active Directory DCs are also
returning KDC_ERR_PREAUTH_FAILED. Tested with the Cygwin build of
kinit. Does the MIT KDC also return KDC_ERR_PREAUTH_FAILED if
preauthentication is enabled? I believe it does.
> PAM_CRED_ERR should indicate that
> the password failed to validate for some other reason.
I think during our discussion on IRC yesterday we reached a consensus
that PAM_CRED_ERR is not the appropriate return code for
authentication failing, per my original message. It may be worthwhile
to review what errors are being returned by pam_sss and ensure they
are compliant with the documentation.
> Are you using FAST on your setup? (The option krb5_use_fast = True)
FAST is not enabled.
It sounds like most of the issue with my patch is that it has
implications for migrating to FreeIPA. If I get an opportunity I'll
see if I can revise the patch, but I am outside my wheelhouse so no
promises there. However, if anybody needs a patch tested, let me know.
I would be happy to help.