On Fri, Nov 07, 2014 at 12:10:26PM +0100, Joschi Brauchle wrote:
>
>
> On 11/06/2014 07:13 PM, Jakub Hrozek wrote:
> >On Thu, Nov 06, 2014 at 05:08:35PM +0100, Joschi Brauchle wrote:
> >>On 11/06/2014 09:02 AM, Lukas Slebodnik wrote:
> >>>On (06/11/14 08:35), Joschi Brauchle wrote:
> >>>>Hello,
> >>>>
> >>>>trying to log into Xdm on a box with SSSD 1.12.1 with sssd-ad configured and
> >>>>a *wrong* password results in a "A critical error occurred" dialog box, see
> >>>>attached screenshot.
> >>>>
> >>>>This looks very much like SSSD is returning the wrong exit code to PAM (i.e.
> >>>>PAM_SYSTEM_ERR instead of PAM_AUTH_ERR like here:
> >>>>https://bugzilla.novell.com/show_bug.cgi?id=779246 for the case of empty
> >>>>passwords)
> >>>>
> >>>PAM_SYSTEM_ERR could be returned from sssd in case of problems with GPO.
> >>>By default GPO is in permissive mode, but if rules cannot be downloaded (or any
> >>>other problem with GPO) sssd will return PAM_SYSTEM_ERR. (which was wrong)
> >>>
> >>>The problem is fixed in 1.12.2, but I would need to see sssd log files to be
> >>>sure you have the same issue.
> >>>
> >>>LS
> >>
> >>I updated the machine to 1.12.2 and tested with
> >>
> >>1) ad_gpo_access_control = permissive (i.e. default)
> >>2) ad_gpo_access_control = false
> >>
> >>but the problem persists when entering a wrong password.
> >>
> >>I will send log files with debug_level=9 off-list as I don't want them in the
> >>list archive...
> >>
> >>J Brauchle
> >>
> >
> >Thank you for the logs!
> >
> >This thread sounds a bit similar and also you reminded me to take a look
> >into it again as we're changing the krb5_child code anyway:
> >https://patchwork.acksyn.org/patch/7382/
>
> Hello Jakub,
> yes that is exactly the same as my problem!
>
> I'm not a PAM expert at all,
> but according to the PAM_*_ERR explanations I found
> ---------------
> #define PAM_AUTH_ERR 7 /* Authentication failure */
> #define PAM_CRED_ERR 17 /* Failure setting user credentials */
> ---------------
> it sounds like a wrong password should result in PAM_AUTH_ERR rather than
> PAM_CRED_ERR.
>
> J Brauchle
The problem is that different Kerberos servers send the same error codes to
differentiate between different conditions. For instance, an error code that
indicates a genuine failure with AD might indicate a password migration with
IPA. We need to add better logic around the error code in krb5_auth.c ...
