On Fri, Nov 07, 2014 at 12:10:26PM +0100, Joschi Brauchle wrote:
>On 11/06/2014 07:13 PM, Jakub Hrozek wrote:
>>On Thu, Nov 06, 2014 at 05:08:35PM +0100, Joschi Brauchle wrote:
>>>On 11/06/2014 09:02 AM, Lukas Slebodnik wrote:
>>>>On (06/11/14 08:35), Joschi Brauchle wrote:
>>>>>Hello,
>>>>>
>>>>>trying to log into Xdm on a box with SSSD 1.12.1 with sssd-ad configured and
>>>>>a *wrong* password results in a "A critical error occurred" dialog box, see
>>>>>attached screenshot.
>>>>>
>>>>>This looks very much like SSSD is returning the wrong exit code to PAM (i.e.
>>>>>PAM_SYSTEM_ERR instead of PAM_AUTH_ERR like here:
>>>>>https://bugzilla.novell.com/show_bug.cgi?id=779246 for the case of empty
>>>>>passwords)
>>>>>
>>>>PAM_SYSTEM_ERR could be returned from sssd in case of problems with GPO.
>>>>By default GPO is in permissive mode, but if rules cannot be downloaded (or any
>>>>other problem with GPO) sssd will return PAM_SYSTEM_ERR. (which was wrong)
>>>>
>>>>The problem is fixed in 1.12.2, but I would need to see sssd log files to be
>>>>sure you have the same issue.
>>>>
>>>>LS
>>>
>>>I updated the machine to 1.12.2 and tested with
>>>
>>>1) ad_gpo_access_control = permissive (i.e. default)
>>>2) ad_gpo_access_control = false
>>>
>>>but the problem persists when entering a wrong password.
>>>
>>>I will send log files with debug_level=9 off-list as I don't want them in the
>>>list archive...
>>>
>>>J Brauchle
>>>
>>
>>Thank you for the logs!
>>
>>This thread sounds a bit similar and also you reminded me to take a look
>>into it again as we're changing the krb5_child code anyway:
>>https://patchwork.acksyn.org/patch/7382/
>
>Hello Jakub,
>
>yes that is exactly the same as my problem!
>
>I'm not a PAM expert at all, but according to the PAM_*_ERR explanations I found
>
>---------------
>#define PAM_AUTH_ERR 7 /* Authentication failure */
>#define PAM_CRED_ERR 17 /* Failure setting user credentials */
>---------------
>
>it sounds like a wrong password should result in PAM_AUTH_ERR rather than
>PAM_CRED_ERR.
>
>J Brauchle
The problem is that different Kerberos servers send the same error codes
to differentiate between different conditions. For instance, an error
code that indicates a genuine failure with AD might indicate a password
migration with IPA.
We need to add better logic around the error code in krb5_auth.c ...
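The server-dependent mapping described above, as an added C example (not SSSD's krb5_auth.c or krb5_child code): the same KDC result becomes a different PAM status depending on whether the backend is AD or IPA in migration mode, and the GPO step is kept separate so a permissive-mode download failure cannot turn into PAM_SYSTEM_ERR. The enum names, the struct and the PAM_PERM_DENIED choice for enforcing mode are this example's assumptions.

```c
#include <stdbool.h>

/* PAM return values mirroring <security/pam_appl.h>; PAM_AUTH_ERR and
 * PAM_CRED_ERR are the two quoted in the thread. */
enum { PAM_SUCCESS = 0, PAM_SYSTEM_ERR = 4, PAM_PERM_DENIED = 6,
       PAM_AUTH_ERR = 7, PAM_AUTHINFO_UNAVAIL = 9, PAM_CRED_ERR = 17 };

/* Constructed stand-ins for what the KDC reported; not libkrb5's codes. */
enum kdc_result { KDC_OK, KDC_PREAUTH_FAILED, KDC_UNREACHABLE };
enum server_kind { SERVER_AD, SERVER_IPA };
enum gpo_mode { GPO_DISABLED, GPO_PERMISSIVE, GPO_ENFORCING };

struct auth_ctx {                   /* hypothetical per-request context */
    enum server_kind server;
    bool ipa_migration;    /* IPA: user may not have Kerberos keys yet */
    enum gpo_mode gpo;     /* AD: ad_gpo_access_control setting */
    bool gpo_fetch_failed; /* AD: policy could not be downloaded */
};

/* Step 1: same KDC result, different meaning per server. A preauth failure
 * against AD is a wrong password (PAM_AUTH_ERR); only IPA in migration mode
 * reads it as "no Kerberos credentials yet" (PAM_CRED_ERR) so the caller
 * can fall back to an LDAP bind. Anything unexpected stays PAM_SYSTEM_ERR. */
int pam_status_from_kdc(const struct auth_ctx *ctx, enum kdc_result r) {
    switch (r) {
    case KDC_OK:          return PAM_SUCCESS;
    case KDC_UNREACHABLE: return PAM_AUTHINFO_UNAVAIL;
    case KDC_PREAUTH_FAILED:
        if (ctx->server == SERVER_IPA && ctx->ipa_migration) return PAM_CRED_ERR;
        return PAM_AUTH_ERR;
    }
    return PAM_SYSTEM_ERR;
}

/* Step 2: GPO access control runs only after a successful authentication,
 * so a wrong password is never masked by a GPO problem. Permissive mode
 * tolerates a failed download; enforcing mode denies (PAM_PERM_DENIED here). */
int apply_gpo(const struct auth_ctx *ctx, int pam_status) {
    if (pam_status != PAM_SUCCESS || ctx->server != SERVER_AD) return pam_status;
    if (ctx->gpo == GPO_DISABLED || !ctx->gpo_fetch_failed) return pam_status;
    return ctx->gpo == GPO_ENFORCING ? PAM_PERM_DENIED : PAM_SUCCESS;
}

/* Whole pipeline for one login attempt. */
int login_outcome(enum server_kind s, bool migration, enum gpo_mode g,
                  bool gpo_failed, enum kdc_result r) {
    struct auth_ctx ctx = { s, migration, g, gpo_failed };
    return apply_gpo(&ctx, pam_status_from_kdc(&ctx, r));
}
```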