From 8948c89c132d31c8cffd55d60e46a506eb00bbd2 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 7 Sep 2018 22:16:50 +0200
Subject: [PATCH 15/19] PAM: use better PAM error code for failed Smartcard
 authentication

If the user enters a wrong PIN the PAM responder currently returns
PAM_USER_UNKNOWN better is PAM_AUTH_ERR.

Related to https://pagure.io/SSSD/sssd/issue/3500

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 442ae7b1d0704cdd667d4f1ba4c165ce3f3ffed4)
---
 src/responder/pam/pamsrv_cmd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index ed9ad57bd6d8c4eda30d8e18f83aeea96474551f..817f3c5134ba4c7358ffb4fbf3c6008fa23ffe0e 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1436,7 +1436,9 @@ static void pam_forwarder_cert_cb(struct tevent_req *req)
             if (pd->cmd == SSS_PAM_AUTHENTICATE) {
                 DEBUG(SSSDBG_CRIT_FAILURE,
                       "No certificate returned, authentication failed.\n");
-                ret = ENOENT;
+                preq->pd->pam_status = PAM_AUTH_ERR;
+                pam_reply(preq);
+                return;
             } else {
                 ret = pam_check_user_search(preq);
             }
-- 
2.14.4