On Fri, Sep 07, 2012 at 05:44:59PM +0200, Joschi Brauchle wrote:
> Hello,
>
> I noticed a problem when using pam_sss (1.8.3) under OpenSUSE 12.2 +
> KDE and filed a bugreport there:
> https://bugzilla.novell.com/show_bug.cgi?id=779246
>
> When a Kerberos user enters a wrong password, a KDM "Critical error"
> message pops up (see link above for a screenshot).
>
> In /var/log/messages, there is
> ------
> Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check
> failed
> Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check
> failed
> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info:
> [Decrypt integrity check failed]
> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication
> failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
> Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth):
> received for user
> testuser: 4 (System error)
> ------
>
> As far as I know, "decrypt integrity fails" is the default Kerberos
> error message for a wrong password. Hence, this is not a "System
> error", but rather an authentication error.
>
> When looking at the code of "krb5_child.c", it seems like the
> default return code when checking the Kerberos TGT is
> "PAM_SYSTEM_ERR", which also gets returned in the event of a simply
> wrong password.
>
> I guess, pam_sss should instead return "PAM_AUTH_ERR", is that correct?
> Has this been fixed in versions > 1.8.3?
>

You are absolutely correct, nice catch Joschi. It has not been fixed so far. I have filed https://fedorahosted.org/sssd/ticket/1515 to track this.
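
Until the return code is corrected, failed-login monitoring that keys on the PAM result will see these wrong passwords as system errors. The following is an added example, not part of the thread and not SSSD code: a log triage that pairs each pam_sss result with the preceding "system info" cause and flags the mismatch. The sample log is constructed from the lines quoted above with the mail wrapping rejoined; the second event, the `triage` function and its field names are assumptions.

```python
import re

# Kerberos message that the thread identifies as meaning "wrong password".
WRONG_PASSWORD_MSGS = {"Decrypt integrity check failed"}

PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s.*?\[(?P<pid>\d+)\]:\s"
    r"pam_sss\((?P<svc>[^)]+)\):\s(?P<msg>.*)$")
SYSINFO = re.compile(r"^system info: \[(?P<info>.*)\]$")
RESULT = re.compile(r"^received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>.*)\)$")

# Constructed sample: first event from the thread, second one invented for contrast.
SAMPLE = """\
Sep 7 11:34:03 test-os122 [sssd[krb5_child[1102]]]: Decrypt integrity check failed
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Decrypt integrity check failed]
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=testuser
Sep 7 11:34:03 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user testuser: 4 (System error)
Sep 7 11:40:10 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): system info: [Constructed unrelated failure]
Sep 7 11:40:10 test-os122 kdm: :0[1085]: pam_sss(xdm:auth): received for user otheruser: 4 (System error)
"""

def triage(log_text):
    """Return one dict per pam_sss result, flagging wrong passwords logged as system errors."""
    last_info = {}  # (host, pid, service) -> most recent "system info" text
    events = []
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m:
            continue  # krb5_child and other non-pam_sss lines are ignored
        key = (m["host"], m["pid"], m["svc"])
        info = SYSINFO.match(m["msg"])
        if info:
            last_info[key] = info["info"]
            continue
        res = RESULT.match(m["msg"])
        if res:
            cause = last_info.pop(key, None)
            code = int(res["code"])
            events.append({
                "time": m["ts"], "host": m["host"], "user": res["user"],
                "pam_code": code, "pam_text": res["text"], "cause": cause,
                # Code 4 is what the quoted log prints as "System error".
                "misreported_auth_failure": code == 4 and cause in WRONG_PASSWORD_MSGS,
            })
    return events
```

Events with `misreported_auth_failure` set can then be counted alongside ordinary authentication failures for the same user.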
