From e1ad152a8a5b305f5a0267eba7fc9d300d19a4f1 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Mar 2015 12:04:57 +0100
Subject: [PATCH 111/114] krb5: try delayed online authentication only for
 single factor auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
(cherry picked from commit 2d0e7658198d1aa6e3926bf967ff683660249114)
---
 src/providers/krb5/krb5_auth.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index b003a8a000117722078d299127cf60337a016ca5..91989df428b2a574a0e45ec01569cf94f7841725 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -207,6 +207,13 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
     const char *password = NULL;
     errno_t ret;
 
+    if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+        DEBUG(SSSDBG_MINOR_FAILURE,
+              "Delayed authentication is only available for password "
+              "authentication (single factor).\n");
+        return;
+    }
+
     ret = sss_authtok_get_password(pd->authtok, &password, NULL);
     if (ret != EOK) {
         DEBUG(SSSDBG_FATAL_FAILURE,
-- 
2.4.0