[PATCH] pam: map more NT password errors to PAM errors

Björn Jacke bj at sernet.de
Thu Dec 8 17:33:09 UTC 2016


NT_STATUS_ACCOUNT_DISABLED,

NT_STATUS_PASSWORD_RESTRICTION, NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_TOO_SHORT now map to
PAM_AUTHTOK_ERR (Authentication token manipulation error), which is the closest
match.

Signed-off-by: Bjoern Jacke <bj at sernet.de>
---
 libcli/auth/pam_errors.c | 6 +++++-
 nsswitch/pam_winbind.c   | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
 	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
 	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
 	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+	{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
 	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
 	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
 	{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
 	{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
-	{NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+	{NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+	{NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+	{NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+	{NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
 	{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
 	{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
 	{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
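Review bot: The new NT_STATUS_ACCOUNT_DISABLED entry (fourth line of the hunk) maps a deliberately disabled account onto PAM_ACCT_EXPIRED, so every consumer that switches on the PAM code — the pam_winbind logging in the second hunk appears to be one — will report and log a disabled account as an expired one. PAM offers no dedicated "disabled" code, so the choice is defensible, but it should be recorded at the entry so a later reader does not "correct" it: `/* PAM has no "disabled" code; disabled accounts are reported as expired */`. Changing NT_STATUS_PASSWORD_RESTRICTION from PAM_PERM_DENIED to PAM_AUTHTOK_ERR is a behaviour change for existing callers, and PAM_AUTHTOK_ERR is a password-change (chauthtok) stage code; whether this table is also consulted on the authenticate path cannot be seen from the hunk, so the commit message should state that only the chauthtok path is expected to see these statuses. The table definition begins before the hunk.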
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 42c4f8e..88a3088 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -775,6 +775,10 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
 			return PAM_IGNORE;
 		}
 		return retval;
+	case PAM_AUTHTOK_ERR:
+		/* Authentication token manipulation error */ 
+		_pam_log(LOG_WARNING, "user `%s' authentication token change failed (pwd complexity/history/min_age not met?)", user);
+		return retval;
 	case PAM_SUCCESS:
 		/* Otherwise, the authentication looked good */
 		if (strcmp(fn, "wbcLogonUser") == 0) {
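Review bot: The comment added after `case PAM_AUTHTOK_ERR:` carries trailing whitespace after `*/`, and the `_pam_log` call that follows runs far past 80 columns, which the surrounding cases avoid; drop the trailing space and split the string literal after `failed ` so that `"(pwd complexity/history/min_age not met?)", user);` sits on a continuation line. The parenthetical is a guess offered to the administrator because the original NT status is no longer available at this point; a short comment saying exactly that, e.g. `/* the NT status that produced this is not available here, so only hint at the usual causes */`, would keep the message from being mistaken for a determined cause. pam_winbind_request_log begins and ends outside the hunk.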
-- 
2.7.4



