Hello,

I noticed a problem when using pam_sss (1.8.3) under OpenSUSE 12.2 + KDE and filed a bug report there: https://bugzilla.novell.com/show_bug.cgi?id=779246

When a Kerberos user enters a wrong password, a KDM "Critical error" message pops up (see link above for a screenshot).

In /var/log/messages, there is

------
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
------

As far as I know, "decrypt integrity fails" is the default Kerberos error message for a wrong password. Hence, this is not a "System error", but rather an authentication error.

When looking at the code of "krb5_child.c", it seems like the default return code when checking the Kerberos TGT is "PAM_SYSTEM_ERR", which also gets returned in the event of a simply wrong password.

I guess pam_sss should instead return "PAM_AUTH_ERR", is that correct? Has this been fixed in versions > 1.8.3?

Best regards,
Joschi Brauchle
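
Added example (not part of the original message and not SSSD code): a log classifier that treats a pam_sss result of "4 (System error)" as a failed password when the preceding "system info" line from the same process carries the Kerberos message quoted above, so failed-login counting still works while the return code is misreported. The function names, the second Kerberos message and the last sample line are assumptions made for illustration.

```python
import re
from collections import Counter

PAM_SYSTEM_ERR = 4  # Linux-PAM value, shown as "4 (System error)" in the log above
# First message is from the log above; the second (MIT krb5 wording) is an assumption.
BAD_CREDENTIAL_MESSAGES = {"Decrypt integrity check failed", "Preauthentication failed"}

PAM_SSS = re.compile(r"\[(?P<pid>\d+)\]: pam_sss\((?P<svc>[^)]+)\): (?P<rest>.*)$")
SYSTEM_INFO = re.compile(r"system info: \[(?P<msg>.*)\]$")
RESULT = re.compile(r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$")

def classify(lines):
    """Return (user, service, pam_code, verdict) for every pam_sss result line."""
    last_info = {}  # (pid, service) -> most recent "system info" message
    events = []
    for line in lines:
        m = PAM_SSS.search(line.rstrip())
        if not m:
            continue  # krb5_child and unrelated syslog lines
        key = (m["pid"], m["svc"])
        info = SYSTEM_INFO.match(m["rest"])
        if info:
            last_info[key] = info["msg"]
            continue
        res = RESULT.match(m["rest"])
        if not res:
            continue  # e.g. the "authentication failure; ..." line
        code = int(res["code"])
        cause = last_info.pop(key, None)
        if code == PAM_SYSTEM_ERR and cause in BAD_CREDENTIAL_MESSAGES:
            verdict = "bad_password"  # logged as a system error, really a failed login
        elif code == PAM_SYSTEM_ERR:
            verdict = "system_error"
        else:
            verdict = "other"
        events.append((res["user"], m["svc"], code, verdict))
    return events

def failed_logins_per_user(lines):
    return Counter(u for u, _, _, verdict in classify(lines) if verdict == "bad_password")

# Lines quoted in the message, plus one constructed line (last) with no Kerberos cause.
SAMPLE = [
    "Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed",
    "Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]",
    "Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser",
    "Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)",
    "Sep 7 11:40:10 test-os122 kdm: :0[1200]: pam_sss(xdm:auth): received for user otheruser: 4 (System error)",
]
```

Feeding `failed_logins_per_user` the lines from /var/log/messages gives per-user counts that a lockout or brute-force alert can use even though PAM reported a system error.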
