On (29/10/13 10:08), Jakub Hrozek wrote:
>The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which
>resulted in the default return code (System Error) to be returned if
>password change failed for pretty much any reason, including password
>too recent etc.
>From a43544b15e75d1c3c10e842df713ea87f139dfd3 Mon Sep 17 00:00:00 2001
>From: Jakub Hrozek <jhrozek(a)redhat.com>
>Date: Tue, 29 Oct 2013 05:05:29 +0100
>Subject: [PATCH] KRB5: Handle ERR_CHPASS_FAILED
>
>The Kerberos provider didn't handle ERR_CHPASS_FAILED at all, which
>resulted in the default return code (System Error) to be returned if
>password change failed for pretty much any reason, including password
>too recent etc.
>---
> src/providers/krb5/krb5_auth.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
>diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
>index
b4c205789dd2bc6afe0dba911f0303a83b826e92..ce461f5adefc6e42fdc69726ff71d23526375c0c 100644
>--- a/src/providers/krb5/krb5_auth.c
>+++ b/src/providers/krb5/krb5_auth.c
>@@ -1024,6 +1024,12 @@ static void krb5_auth_done(struct tevent_req *subreq)
> ret = EOK;
> goto done;
>
>+ case ERR_CHPASS_FAILED:
>+ state->pam_status = PAM_AUTHTOK_ERR;
>+ state->dp_err = DP_ERR_OK;
>+ ret = EOK;
>+ goto done;
>+
> default:
> state->pam_status = PAM_SYSTEM_ERR;
> state->dp_err = DP_ERR_OK;
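Review bot: the new `case ERR_CHPASS_FAILED:` branch maps every password-change failure to `PAM_AUTHTOK_ERR` without a comment or a debug message, so the reason the commit message mentions (password too recent and the like) is no longer distinguishable in the logs once the status is collapsed. Consider adding a one-line comment above `state->pam_status = PAM_AUTHTOK_ERR;` that states why this PAM code was chosen, plus a debug message in the same branch recording that the change was rejected. The branch also repeats the `state->dp_err = DP_ERR_OK;` assignment of the `default:` case below it; that matches what the hunk shows of the surrounding switch, but it is worth confirming that `DP_ERR_OK` is the intended data provider result for a failed password change rather than something carried over from the neighbouring cases.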
>--
>1.8.3.1
>
ACK, works fine.
LS