From 3d44710c2a2539c726141aa8cfd8aa09a6f03953 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Jacke?=
Date: Wed, 25 Nov 2015 14:04:24 +0100
Subject: [PATCH] pam: map more NT password errors to PAM errors NT_STATUS_ACCOUNT_DISABLED, NT_STATUS_PASSWORD_RESTRICTION, NT_STATUS_PWD_HISTORY_CONFLICT, NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_TOO_SHORT now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is the closest match. BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210
Signed-off-by: Bjoern Jacke
---
 libcli/auth/pam_errors.c | 6 +++++-
 nsswitch/pam_winbind.c | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ff..5592d39 100644
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
 {NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
 {NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
 {NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+ {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
 {NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
 {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
 {NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
 {NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
- {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+ {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+ {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
 {NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
 {NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
 {NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 42c4f8e..88a3088 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
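Review bot: The added `{NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED}` entry disagrees with the commit message, which lists NT_STATUS_ACCOUNT_DISABLED among the codes that now map to PAM_AUTHTOK_ERR. If PAM_ACCT_EXPIRED is the intended result, the description should say so and the entry deserves a comment such as `/* PAM has no "disabled" code; report as expired so account management denies the login */`. Separately, NT_STATUS_PASSWORD_RESTRICTION used to yield PAM_PERM_DENIED, so any caller that tests for PAM_PERM_DENIED after a failed password change would stop matching; those callers are not visible here and should be checked. The table begins and ends outside the hunk.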
@@ -775,6 +775,10 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
 return PAM_IGNORE;
 }
 return retval;
+ case PAM_AUTHTOK_ERR:
+ /* Authentication token manipulation error */
+ _pam_log(LOG_WARNING, "user `%s' authentication token change failed (pwd complexity/history/min_age not met?)", user);
+ return retval;
 case PAM_SUCCESS:
 /* Otherwise, the authentication looked good */
 if (strcmp(fn, "wbcLogonUser") == 0) {
--
2.7.4
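Review bot: The new `_pam_log(LOG_WARNING, ...)` call in the `PAM_AUTHTOK_ERR` case passes no context argument, although the enclosing function receives `struct pwb_context *ctx`. If `_pam_log` takes the context as its first parameter, as it appears to elsewhere in pam_winbind.c (not visible in this hunk), the call should start `_pam_log(ctx, LOG_WARNING, ` with the format string and `user` unchanged. The message also has to guess at the cause ("not met?") because four distinct NT status codes now map to this one PAM code. If the original status string is still reachable at this point, logging it would give an administrator the actual reason for the rejected password change. The switch starts and ends outside the hunk.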