diff options
author | Björn Jacke <bj@sernet.de> | 2015-11-25 14:04:24 +0100 |
---|---|---|
committer | Bjoern Jacke <bj@sernet.de> | 2016-12-13 14:12:06 +0100 |
commit | 69f10080c3765a9b139fbad7f3dc633066fdded2 (patch) | |
tree | f410fee5a7579c98cefd47e510d5e2493517be16 | |
parent | dcd4fed82d25c40ac61fe3aa42083b47eca94389 (diff) | |
download | samba-69f10080c3765a9b139fbad7f3dc633066fdded2.tar.gz |
pam: map more NT password errors to PAM errors
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT
now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
-rw-r--r-- | libcli/auth/pam_errors.c | 6 | ||||
-rw-r--r-- | nsswitch/pam_winbind.c | 5 |
2 files changed, 10 insertions, 1 deletions
diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c index 978f8ffdde3..5592d39dd80 100644 --- a/libcli/auth/pam_errors.c +++ b/libcli/auth/pam_errors.c @@ -71,11 +71,15 @@ static const struct { {NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR}, {NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR}, {NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED}, + {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED}, {NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED}, {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD}, {NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES}, {NT_STATUS_NO_MEMORY, PAM_BUF_ERR}, - {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED}, + {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR}, + {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR}, + {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR}, + {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR}, {NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL}, diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c index 42c4f8e5964..4ae78b35f00 100644 --- a/nsswitch/pam_winbind.c +++ b/nsswitch/pam_winbind.c @@ -775,6 +775,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx, return PAM_IGNORE; } return retval; + case PAM_AUTHTOK_ERR: + /* Authentication token manipulation error */ + _pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed " + "(pwd complexity/history/min_age not met?)", user); + return retval; case PAM_SUCCESS: /* Otherwise, the authentication looked good */ if (strcmp(fn, "wbcLogonUser") == 0) { |