[PATCH] pam: map more NT password errors to PAM errors
Björn Jacke
bj at sernet.de
Thu Dec 8 17:33:09 UTC 2016
NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION, NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_TOO_SHORT now map to
PAM_AUTHTOK_ERR (Authentication token manipulation error), which is the closest
match.
Signed-off-by: Bjoern Jacke <bj at sernet.de>
---
libcli/auth/pam_errors.c | 6 +++++-
nsswitch/pam_winbind.c | 4 ++++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+ {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
- {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+ {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 42c4f8e..88a3088 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -775,6 +775,10 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
return PAM_IGNORE;
}
return retval;
+ case PAM_AUTHTOK_ERR:
+ /* Authentication token manipulation error */
+ _pam_log(LOG_WARNING, "user `%s' authentication token change failed (pwd complexity/history/min_age not met?)", user);
+ return retval;
case PAM_SUCCESS:
/* Otherwise, the authentication looked good */
if (strcmp(fn, "wbcLogonUser") == 0) {
--
2.7.4
More information about the samba-technical
mailing list