sssd/0028-PAM-use-better-PAM-error-code-for-failed-Smartcard-a.patch

From 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:16:50 +0200
Subject: [PATCH 33/83] PAM: use better PAM error code for failed Smartcard
 authentication

If the user enters a wrong PIN the PAM responder currently returns
PAM_USER_UNKNOWN better is PAM_AUTH_ERR.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
 src/responder/pam/pamsrv_cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ed9ad57..817f3c5 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
             if (pd->cmd == SSS_PAM_AUTHENTICATE) {
                 DEBUG(SSSDBG_CRIT_FAILURE,
                       "No certificate returned, authentication failed.\n");
-                ret = ENOENT;
+                preq->pd->pam_status = PAM_AUTH_ERR;
+                pam_reply(preq);
+                return;
             } else {
                 ret = pam_check_user_search(preq);
             }
-- 
2.9.5