>From 79a19271200823506963f5300517d0ecf4202c8b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Sun, 9 Sep 2012 08:56:13 -0400
Subject: [PATCH] KRB5: Return PAM_AUTH_ERR on incorrect password

https://fedorahosted.org/sssd/ticket/1515
---
 src/providers/krb5/krb5_child.c | 51 ++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 08e525ce258e1b4bd9f529c97242b5859e65ea31..9f5c4b89449fe85a10d6956e00b1bb76b69a189d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -728,6 +728,36 @@ done:
 }
+static int kerr_to_status(krb5_error_code kerr)
+{
+ int pam_status = PAM_SYSTEM_ERR;
+
+ if (kerr == 0) {
+ return PAM_SUCCESS;
+ }
+
+ KRB5_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ switch (kerr) {
+ case KRB5_KDC_UNREACH:
+ pam_status = PAM_AUTHINFO_UNAVAIL;
+ break;
+ case KRB5KDC_ERR_KEY_EXP:
+ pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ pam_status = PAM_AUTH_ERR;
+ break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ pam_status = PAM_CRED_ERR;
+ break;
+ default:
+ pam_status = PAM_SYSTEM_ERR;
+ break;
+ }
+
+ return pam_status;
+}
+
 static errno_t changepw_child(int fd, struct krb5_req *kr)
 {
 int ret;
@@ -777,9 +807,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
 kr->options);
 if (kerr != 0) {
 KRB5_DEBUG(1, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- pam_status = PAM_AUTHINFO_UNAVAIL;
- }
+ pam_status = kerr_to_status(kerr);
 goto sendresponse;
 }
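Review bot: The `KRB5KDC_ERR_PREAUTH_FAILED` case in kerr_to_status still maps to `PAM_CRED_ERR`, so only `KRB5KRB_AP_ERR_BAD_INTEGRITY` yields `PAM_AUTH_ERR`. Against a KDC that requires pre-authentication, a wrong password is normally reported as a pre-auth failure rather than an integrity error, so the behaviour named in the subject line may not be reached there. Please confirm against such a KDC and, if it holds, let both codes share one branch by placing `case KRB5KDC_ERR_PREAUTH_FAILED:` directly under `case KRB5KRB_AP_ERR_BAD_INTEGRITY:` ahead of `pam_status = PAM_AUTH_ERR;`. The helper also has no comment; a short one stating that unlisted codes deliberately fall back to `PAM_SYSTEM_ERR` would help, since PAM consumers act on the difference between a rejected credential and a system fault.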
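Review bot: The failure is now logged twice in changepw_child, because the context line `KRB5_DEBUG(1, kerr);` stays directly above the added `pam_status = kerr_to_status(kerr);` and kerr_to_status itself calls `KRB5_DEBUG(SSSDBG_CRIT_FAILURE, kerr);`. Drop one of the two, preferably the caller's, so each error appears once. Logging inside the helper also records every mistyped password at critical level, which makes genuine faults harder to pick out of the log; consider a lower level for expected authentication failures. changepw_child starts and ends outside the hunk.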
@@ -940,22 +968,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
 talloc_zfree(pass_str);
 memset(kr->pd->authtok, 0, kr->pd->authtok_size);
- if (kerr != 0) {
- KRB5_DEBUG(1, kerr);
- switch (kerr) {
- case KRB5_KDC_UNREACH:
- pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case KRB5KDC_ERR_KEY_EXP:
- pam_status = PAM_NEW_AUTHTOK_REQD;
- break;
- case KRB5KDC_ERR_PREAUTH_FAILED:
- pam_status = PAM_CRED_ERR;
- break;
- default:
- pam_status = PAM_SYSTEM_ERR;
- }
- }
+ pam_status = kerr_to_status(kerr);
 sendresponse:
 ret = sendresponse(fd, kerr, pam_status, kr);
--
1.7.11.4
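Review bot: The added `pam_status = kerr_to_status(kerr);` runs on the success path too, whereas the removed block was guarded by `if (kerr != 0)` and left pam_status untouched when kerr was 0. The value pam_status holds at that point is set outside the hunk, so it is worth confirming that forcing `PAM_SUCCESS` here is intended and saying so in a comment such as `/* kerr == 0 maps to PAM_SUCCESS */`. Any earlier `goto sendresponse` in tgt_req_child (not visible here) would bypass this line and keep whatever status was set before the jump, so those paths need their own mapping.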