[PATCH] pam: map more NT password errors to PAM errors

Andrew Bartlett abartlet at samba.org
Thu Dec 8 17:59:17 UTC 2016


On Thu, 2016-12-08 at 18:33 +0100, Björn Jacke wrote:
> NT_STATUS_ACCOUNT_DISABLED,

Is that really best mapped to ACCT_EXPIRED?

> NT_STATUS_PASSWORD_RESTRICTION, NT_STATUS_PWD_HISTORY_CONFLICT,
> NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_TOO_SHORT now map to
> PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
> the closest
> match.

These look OK.

Thanks,

Andrew Bartlett

> Signed-off-by: Bjoern Jacke <bj at sernet.de>
> ---
>  libcli/auth/pam_errors.c | 6 +++++-
>  nsswitch/pam_winbind.c   | 4 ++++
>  2 files changed, 9 insertions(+), 1 deletion(-)
> 
> diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
> index 978f8ff..5592d39 100644
> --- a/libcli/auth/pam_errors.c
> +++ b/libcli/auth/pam_errors.c
> @@ -71,11 +71,15 @@ static const struct {
>  	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
>  	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
>  	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
> +	{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
>  	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
>  	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
>  	{NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
>  	{NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
> -	{NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
> +	{NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
> +	{NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
> +	{NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
> +	{NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
>  	{NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
>  	{NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND,
> PAM_AUTHINFO_UNAVAIL},
>  	{NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
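Review bot: the new `{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED}` entry conflates an administratively disabled account with one whose validity period has passed; PAM_ACCT_EXPIRED is what the PAM stack and the login prompt report as "account expired", so a disabled account would show up under that wording in both user-facing messages and logs, which misleads the user and anyone triaging authentication failures. Unless a closer PAM code is ruled out, consider PAM_PERM_DENIED (the code the replaced NT_STATUS_PASSWORD_RESTRICTION line used, and which reads as a policy denial rather than an expiry), or at least a comment beside the entry recording why the expiry code was chosen. The four PAM_AUTHTOK_ERR mappings look right: each of those statuses describes a rejected new password rather than a failed authentication.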
> diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
> index 42c4f8e..88a3088 100644
> --- a/nsswitch/pam_winbind.c
> +++ b/nsswitch/pam_winbind.c
> @@ -775,6 +775,10 @@ static int pam_winbind_request_log(struct
> pwb_context *ctx,
>  			return PAM_IGNORE;
>  		}
>  		return retval;
> +	case PAM_AUTHTOK_ERR:
> +		/* Authentication token manipulation error */ 
> +		_pam_log(LOG_WARNING, "user `%s' authentication
> token change failed (pwd complexity/history/min_age not met?)",
> user);
> +		return retval;
>  	case PAM_SUCCESS:
>  		/* Otherwise, the authentication looked good */
>  		if (strcmp(fn, "wbcLogonUser") == 0) {
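Review bot: the comment line `/* Authentication token manipulation error */ ` in the new PAM_AUTHTOK_ERR case carries trailing whitespace that should be stripped before merging. The warning text ends in a guess ("pwd complexity/history/min_age not met?") because the four NT statuses now collapse into one PAM code before they reach this function; if the original NT status or its string is still reachable from ctx at this point, including it in the _pam_log call would let an administrator distinguish a history conflict from a too-short password without repeating the request. Otherwise the placement of the case, returning retval as the preceding cases do, is consistent with the rest of the switch.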
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba