mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

pam: map more NT password errors to PAM errors

NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT

now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>
Björn Jacke 2015-11-25 14:04:24 +01:00 committed by Bjoern Jacke
parent dcd4fed82d
commit 69f10080c3
2 changed files with 10 additions and 1 deletions


@ -71,11 +71,15 @@ static const struct {
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR}, {NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR}, {NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED}, {NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED}, {NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD}, {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES}, {NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
{NT_STATUS_NO_MEMORY, PAM_BUF_ERR}, {NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
{NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED}, {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
{NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
{NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
{NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL}, {NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
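Review bot: The added `{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED}` entry disagrees with the commit message, which lists NT_STATUS_ACCOUNT_DISABLED among the statuses that now map to PAM_AUTHTOK_ERR. PAM_ACCT_EXPIRED looks like the intended value for a disabled account, so the message should be corrected and the entry given a short comment such as `/* a disabled account is reported to PAM as expired */`. Separately, NT_STATUS_PASSWORD_RESTRICTION changes from PAM_PERM_DENIED to PAM_AUTHTOK_ERR, so any caller or PAM stack control that branches on the old return value for a rejected password change will behave differently; that deserves a line in the release notes. The table starts and ends outside the hunk.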


@ -775,6 +775,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
return PAM_IGNORE; return PAM_IGNORE;
} }
return retval; return retval;
case PAM_AUTHTOK_ERR:
/* Authentication token manipulation error */
_pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed "
"(pwd complexity/history/min_age not met?)", user);
return retval;
case PAM_SUCCESS: case PAM_SUCCESS:
/* Otherwise, the authentication looked good */ /* Otherwise, the authentication looked good */
if (strcmp(fn, "wbcLogonUser") == 0) { if (strcmp(fn, "wbcLogonUser") == 0) {
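Review bot: The log line in the new `case PAM_AUTHTOK_ERR:` has to guess at the cause ("complexity/history/min_age not met?") because three distinct password-policy failures now collapse into one PAM code, and it does not record which winbind call failed. `fn` is in scope (the PAM_SUCCESS case just below compares it with "wbcLogonUser"), so the message could name it by ending the format with `(fn=%s)` and passing `user, fn`. That lets an operator triaging repeated password-change failures tell a change request from any other path that might return this code. If the original NT status is still reachable at this point, logging it would remove the guess entirely, but that is not visible here. The body of pam_winbind_request_log starts and ends outside the hunk.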