pam: map more NT password errors to PAM errors

NT_STATUS_ACCOUNT_DISABLED,
NT_STATUS_PASSWORD_RESTRICTION,
NT_STATUS_PWD_HISTORY_CONFLICT,
NT_STATUS_PWD_TOO_RECENT,
NT_STATUS_PWD_TOO_SHORT

now map to PAM_AUTHTOK_ERR (Authentication token manipulation error), which is
the closest match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=2210

Signed-off-by: Bjoern Jacke <bj@sernet.de>
Reviewed by: Jeremy Allison <jra@samba.org>

(cherry picked from commit 69f10080c3765a9b139fbad7f3dc633066fdded2)

diff --git a/libcli/auth/pam_errors.c b/libcli/auth/pam_errors.c
index 978f8ffdde322982312ec0d6c57f3909d2c37156..5592d39dd8065a26bab7f1d5a0915ac78f565993 100644 (file)
--- a/libcli/auth/pam_errors.c
+++ b/libcli/auth/pam_errors.c
@@ -71,11 +71,15 @@ static const struct {
        {NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
        {NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
        {NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+       {NT_STATUS_ACCOUNT_DISABLED, PAM_ACCT_EXPIRED},
        {NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
        {NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
        {NT_STATUS_ACCOUNT_LOCKED_OUT, PAM_MAXTRIES},
        {NT_STATUS_NO_MEMORY, PAM_BUF_ERR},
-       {NT_STATUS_PASSWORD_RESTRICTION, PAM_PERM_DENIED},
+       {NT_STATUS_PASSWORD_RESTRICTION, PAM_AUTHTOK_ERR},
+       {NT_STATUS_PWD_HISTORY_CONFLICT, PAM_AUTHTOK_ERR},
+       {NT_STATUS_PWD_TOO_RECENT, PAM_AUTHTOK_ERR},
+       {NT_STATUS_PWD_TOO_SHORT, PAM_AUTHTOK_ERR},
        {NT_STATUS_BACKUP_CONTROLLER, PAM_AUTHINFO_UNAVAIL},
        {NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND, PAM_AUTHINFO_UNAVAIL},
        {NT_STATUS_NO_LOGON_SERVERS, PAM_AUTHINFO_UNAVAIL},

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index b83a276209282238c0366eb0553729b3ddd21e31..f5a5b99e809d1060815335c3f57a5443f06c7caf 100644 (file)
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -765,6 +765,11 @@ static int pam_winbind_request_log(struct pwb_context *ctx,
                        return PAM_IGNORE;
                }
                return retval;
+       case PAM_AUTHTOK_ERR:
+               /* Authentication token manipulation error */
+               _pam_log(ctx, LOG_WARNING, "user `%s' authentication token change failed "
+                       "(pwd complexity/history/min_age not met?)", user);
+               return retval;
        case PAM_SUCCESS:
                /* Otherwise, the authentication looked good */
                if (strcmp(fn, "wbcLogonUser") == 0) {