If pam_acct_mgmt() returns PAM_AUTH_ERR print a (hopefully) more useful

message and return AUTH_FATAL so sudo does not keep trying to validate
the user.

diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c
index 53cf6349c9647c8cf0f4437686b08ac2789b0074..d828e03f5172b9f1e3c111992623359c91317ee7 100644 (file)
--- a/plugins/sudoers/auth/pam.c
+++ b/plugins/sudoers/auth/pam.c
@@ -140,9 +140,9 @@ pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth)
                case PAM_SUCCESS:
                    return(AUTH_SUCCESS);
                case PAM_AUTH_ERR:
-                   log_error(NO_EXIT|NO_MAIL, "pam_acct_mgmt: %d",
-                       *pam_status);
-                   return(AUTH_FAILURE);
+                   log_error(NO_EXIT|NO_MAIL,
+                       "account validation failure, is your account locked?");
+                   return(AUTH_FATAL);
                case PAM_NEW_AUTHTOK_REQD:
                    log_error(NO_EXIT|NO_MAIL, "%s, %s",
                        "Account or password is expired",