On 06/25/2013 02:55 PM, Lukas Slebodnik wrote:
I tried this patch and you did not reach krb5 authentication in krb5_child,
but the reason is:
#>[krb5_auth_send] (0x0020): Wrong authtok type for user [usersssd01].
#>                           Expected [1], got [0]
So it failed in sssd_be

I tried next patch:
+        if (auth_token_length == 0) {
+            ret = sss_authtok_set_password(tok, "", 0);
+        } else {
+            ret = sss_authtok_set_password(tok, (const char *)auth_token_data,
+                                           auth_token_length);
+        }
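
Review bot: the `auth_token_length == 0` branch still goes through `sss_authtok_set_password(tok, "", 0)`, and the log line quoted right after this hunk shows that call being refused for an empty password, so parsing in sssd_pam fails for every zero-length token. If the request is meant to be rejected later on a token type mismatch, this branch should leave the token without a password type instead of storing an empty string; if it is meant to be rejected here, return an explicit error with a debug message that names the empty token. A short comment above the `if` stating which of the two outcomes is intended would settle the question for the next reader.
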
and then it will fail in sssd_pam
#> [pam_parse_in_data_v3] (0x0020): pam_parse_in_data_v2 failed,
because sss_authtok_set_password could not be run with empty password.

So there is a question:
where should we fail? (in sssd_be or sssd_pam)

LS

Previously (before the authtok commit), the failure occurred while trying to get TGT with empty password, which is bad; we shouldn't try to get TGT with empty password. However, we can check for the length of the authtok, but my opinion is we should handle this situation like the patch suggests - sending authtok_type = NONE and then failing because expected was type PASSWORD.

--
Ondrej Kos
Associate Software Engineer
Identity Management - SSSD
Red Hat Czech