[Freeipa-devel] [PATCH] fix return code of krb5 child to indicate that the kdc is unavailable

Sumit Bose sbose at redhat.com
Wed Jul 8 18:58:34 UTC 2009


Hi,

this patch lets the Kerberos child process indicate that the KDC is not
available, i.e. the client is offline. This is necessary to tell sssd to
use the cached passwords, if available. I will send a patch which will
actually store the passwords, when the needed sysdb calls are available.

bye,
Sumit
-------------- next part --------------
>From e56ea0f7c694ad496d53ce205b28a1c8d766337a Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Wed, 8 Jul 2009 20:09:56 +0200
Subject: [PATCH] fix return code of krb5 child to indicate that the kdc is unavailable

---
 server/providers/krb5/tgt_req_child.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/server/providers/krb5/tgt_req_child.c b/server/providers/krb5/tgt_req_child.c
index edb3d18..af9f52f 100644
--- a/server/providers/krb5/tgt_req_child.c
+++ b/server/providers/krb5/tgt_req_child.c
@@ -66,6 +66,7 @@ void tgt_req_child(int fd, struct krb5_req *kr)
     const char *cc_name;
     char *env;
     const char *krb5_error_msg;
+    int pam_status = PAM_SYSTEM_ERR;
 
     ret = setgid(kr->pd->gr_gid);
     if (ret == -1) {
@@ -103,6 +104,9 @@ void tgt_req_child(int fd, struct krb5_req *kr)
                                         kr->options);
     if (kerr != 0) {
         KRB5_DEBUG(1, kerr);
+        if (kerr == KRB5_KDC_UNREACH) {
+            pam_status = PAM_AUTHINFO_UNAVAIL;
+        }
         goto childfailed;
     }
 
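Review bot: The KRB5_KDC_UNREACH check is attached to this single call site, so any other path that reaches childfailed with the same kerr value would still report PAM_SYSTEM_ERR. Since childfailed already inspects kerr, consider doing the mapping there, next to the pack_response_packet call, which covers every path and removes the need for the pam_status local. Because the cover letter says this status makes sssd fall back to cached passwords, it is also worth stating in a comment that KRB5_KDC_UNREACH is deliberately the only error treated as offline, so that later additions to the mapping are reviewed as a change to when cached credentials are accepted.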
@@ -155,7 +159,7 @@ void tgt_req_child(int fd, struct krb5_req *kr)
 childfailed:
     if (kerr != 0 ) {
         krb5_error_msg = krb5_get_error_message(krb5_error_ctx, kerr);
-        size = pack_response_packet(buf, PAM_SYSTEM_ERR, PAM_USER_INFO,
+        size = pack_response_packet(buf, pam_status, PAM_USER_INFO,
                                     krb5_error_msg);
         if (size < 0) {
             DEBUG(1, ("failed to create response message.\n"));
-- 
1.6.2.5


