From 80959e30ce7c57b5865f5358c42a7bcffe450d4d Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 20 May 2024 17:22:36 +0200
Subject: Merging upstream version 2.9.5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 src/providers/ipa/ipa_auth.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/providers/ipa')

diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1d61a10..e5e1bf3 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -258,6 +258,19 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
     if (dp_err != DP_ERR_OK) {
         goto done;
     }
+    if (state->pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM
+        && state->pd->pam_status == PAM_TRY_AGAIN) {
+        /* Reset this to fork a new krb5_child in handle_child_send() */
+        state->pd->child_pid = 0;
+        subreq = krb5_auth_queue_send(state, state->ev, state->be_ctx, state->pd,
+                                      state->auth_ctx->krb5_auth_ctx);
+        if (subreq == NULL) {
+            goto done;
+        }
+
+        tevent_req_set_callback(subreq, ipa_pam_auth_handler_retry_done, req);
+        return;
+    }
 
     if (state->pd->cmd == SSS_PAM_AUTHENTICATE
             && state->pd->pam_status == PAM_CRED_ERR
-- 
cgit v1.2.3