On 11/06/2014 07:13 PM, Jakub Hrozek wrote:
> On Thu, Nov 06, 2014 at 05:08:35PM +0100, Joschi Brauchle wrote:
>> On 11/06/2014 09:02 AM, Lukas Slebodnik wrote:
>>> On (06/11/14 08:35), Joschi Brauchle wrote:
>>>> Hello,
>>>>
>>>> trying to log into Xdm on a box with SSSD 1.12.1 with sssd-ad configured and a *wrong* password results in a "A critical error occured" dialog box, see attached screenshot.
>>>>
>>>> This looks very much like SSSD is returning the wrong exit code to PAM (i.e. PAM_SYSTEM_ERR instead of PAM_AUTH_ERR like here: https://bugzilla.novell.com/show_bug.cgi?id=779246 for the case of empty passwords)
>>>
>>> PAM_SYSTEM_ERR could be returned from sssd in case of problems with GPO. By default GPO is in permissive mode, but if rules cannot be downloaded (or any other problem with GPO) sssd will return PAM_SYSTEM_ERR. (which was wrong)
>>>
>>> The problem is fixed in 1.12.2, but I would need to see sssd log files to be sure you have the same issue.
>>>
>>> LS
>>
>> I updated the machine to 1.12.2 and tested with
>> 1) ad_gpo_access_control = permissive (i.e. default)
>> 2) ad_gpo_access_control = false
>> but the problem persists when entering a wrong password.
>>
>> I will send log files with debug_level=9 off-list as I don't want them in the list archive...
>>
>> J Brauchle
>
> Thank you for the logs!
>
> This thread sounds a bit similar and also you reminded me to take a look into it again as we're changing the krb5_child code anyway: https://patchwork.acksyn.org/patch/7382/

Hello Jakub,

yes that is exactly the same as my problem! I'm not a PAM expert at all, but according to the PAM_*_ERR explanations I found

---------------
#define PAM_AUTH_ERR 7 /* Authentication failure */
#define PAM_CRED_ERR 17 /* Failure setting user credentials */
---------------

it sounds like a wrong password should result in PAM_AUTH_ERR rather than PAM_CRED_ERR.

J Brauchle
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
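
The following is an added example, not part of the original thread and not SSSD code: a log check that separates ordinary wrong-password results (PAM_AUTH_ERR, 7) from the codes this thread reports being returned instead (PAM_SYSTEM_ERR, 4, and PAM_CRED_ERR, 17). The line shape is an assumption modeled on pam_sss syslog output, the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Linux-PAM return codes named in the thread (values as in the PAM headers).
PAM_SYSTEM_ERR, PAM_AUTH_ERR, PAM_CRED_ERR = 4, 7, 17
SUSPECT = {PAM_SYSTEM_ERR: "PAM_SYSTEM_ERR", PAM_CRED_ERR: "PAM_CRED_ERR"}

# Assumed shape: "pam_sss(<service>:<phase>): received for user <name>: <code> (<text>)"
RESULT_RE = re.compile(
    r"pam_sss\((?P<service>[^:)]+):(?P<phase>\w+)\): "
    r"received for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def parse_results(lines):
    """Yield (service, phase, user, code) for every pam_sss result line."""
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            yield m["service"], m["phase"], m["user"], int(m["code"])

def audit_auth_results(lines):
    """Split auth-phase results into ordinary failures and suspect codes."""
    ordinary, suspect = Counter(), []
    for service, phase, user, code in parse_results(lines):
        if phase != "auth":
            continue  # account/session results are a different question
        if code == PAM_AUTH_ERR:
            ordinary[(service, user)] += 1
        elif code in SUSPECT:
            # A backend or credential-handling failure surfaced during auth:
            # display managers may show this as a critical error.
            suspect.append((service, user, SUSPECT[code]))
    return ordinary, suspect

# Constructed sample input (not taken from the logs mentioned in the thread).
SAMPLE_LOG = """\
Nov  6 08:31:02 box xdm: pam_sss(xdm:auth): authentication failure; user=alice
Nov  6 08:31:02 box xdm: pam_sss(xdm:auth): received for user alice: 17 (Failure setting user credentials)
Nov  6 08:40:10 box sshd[911]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Nov  6 08:40:19 box sshd[911]: pam_sss(sshd:auth): received for user bob: 7 (Authentication failure)
Nov  6 08:52:44 box xdm: pam_sss(xdm:auth): received for user carol: 4 (System error)
Nov  6 08:53:01 box sshd[950]: pam_sss(sshd:account): received for user bob: 6 (Permission denied)
Nov  6 08:53:05 box cron[77]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    ordinary, suspect = audit_auth_results(SAMPLE_LOG)
    print("ordinary failures:", dict(ordinary))
    print("suspect results:", suspect)
```
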
