Hey folks,
Some quick background on this small patch I prepared. I run sssd on my
desktop (and servers) to authenticate against a Samba 4 DC. I found
that when I attempted to log in via KDM and misentered my password, I
got an error about the authentication system failing. Similarly, `su`
would return an error message I was not familar with: "Failure setting
user credentials".
After some inspection of the sssd sources, I found that per
http://pubs.opengroup.org/onlinepubs/8329799/pam_sm_authenticate.htm,
sssd's PAM module is returning the wrong error code when a user
entered bad credentials. PAM_CRED_ERR is being returned instead of
PAM_AUTH_ERR.
Applying the attached patch and recompliing sssd brought back the more
familiar "Authentication failure" when su'ing with a bad password. KDM
also doesn't freak out when I enter an incorrect password.
If you have any questions about the patch, please be sure to include
me in the reply as I'm not on the sssd-devel list.
Thanks for sssd, it has been awesome!
From bc34f1890de9e144a1c6999cc95cee52a7cd09f2 Mon Sep 17 00:00:00 2001
From: John Koelndorfer <jkoelndor...@gmail.com>
Date: Thu, 28 Aug 2014 18:25:32 -0500
Subject: [PATCH] On auth failure, return PAM_AUTH_ERR.
PAM_CRED_ERR is not the correct return code when a user fails to
authenticate.
---
src/providers/ipa/ipa_auth.c | 4 ++--
src/providers/krb5/krb5_auth.c | 2 +-
src/sss_client/pam_sss.c | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index f9a0706..f2a6853 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -250,7 +250,7 @@ static void ipa_auth_handler_done(struct tevent_req *req)
ret = krb5_auth_recv(req, &pam_status, &dp_err);
talloc_zfree(req);
state->pd->pam_status = pam_status;
- if (ret != EOK && pam_status != PAM_CRED_ERR) {
+ if (ret != EOK && pam_status != PAM_AUTH_ERR) {
DEBUG(SSSDBG_OP_FAILURE, "krb5_auth_recv request failed.\n");
dp_err = DP_ERR_OK;
goto done;
@@ -261,7 +261,7 @@ static void ipa_auth_handler_done(struct tevent_req *req)
}
if (state->pd->cmd == SSS_PAM_AUTHENTICATE &&
- state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status == PAM_AUTH_ERR) {
req = get_password_migration_flag_send(state, state->ev,
state->ipa_auth_ctx->sdap_id_ctx,
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index f539d50..965a668 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1016,7 +1016,7 @@ static void krb5_auth_done(struct tevent_req *subreq)
goto done;
case ERR_CREDS_INVALID:
- state->pam_status = PAM_CRED_ERR;
+ state->pam_status = PAM_AUTH_ERR;
state->dp_err = DP_ERR_OK;
ret = EOK;
goto done;
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index d2502d1..f457bad 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -388,7 +388,7 @@ static int do_pam_conversation(pam_handle_t *pamh, const int msg_style,
ret = PAM_SYSTEM_ERR;
goto failed;
}
- ret = PAM_CRED_ERR;
+ ret = PAM_AUTH_ERR;
goto failed;
}
_pam_overwrite((void *)resp[0].resp);
--
2.1.0
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
