Passkey: Warning display for fallback

Warn the user before and after login that Kerberos ticket may not have been granted.

src/responder/pam/pamsrv_cmd.c

@@ -1623,6 +1623,18 @@ void pam_reply(struct pam_auth_req *preq)
         goto done;
     }
 
+    /* Passkey auth user notification if no TGT is granted */
+    if (pd->cmd == SSS_PAM_AUTHENTICATE &&
+        pd->pam_status == PAM_SUCCESS &&
+        preq->pd->passkey_local_done) {
+            user_info_type = SSS_PAM_USER_INFO_NO_KRB_TGT;
+            pam_add_response(pd, SSS_PAM_USER_INFO,
+            sizeof(uint32_t), (const uint8_t *) &user_info_type);
+            DEBUG(SSSDBG_IMPORTANT_INFO,
+                  "User [%s] logged in with local passkey authentication, single "
+                  "sign on ticket is not obtained.\n", pd->user);
+    }
+
     /* Account expiration warning is printed for sshd. If pam_verbosity
      * is equal or above PAM_VERBOSITY_INFO then all services are informed
      * about account expiration.

src/responder/pam/pamsrv_passkey.c

@@ -438,6 +438,8 @@ void pam_forwarder_passkey_cb(struct tevent_req *req)
         goto done;
     }
 
+    preq->pd->passkey_local_done = true;
+
     DEBUG(SSSDBG_TRACE_FUNC, "passkey child finished with status [%d]\n", child_status);
     preq->pd->pam_status = PAM_SUCCESS;
     pam_reply(preq);

src/sss_client/pam_sss.c

@@ -68,6 +68,7 @@
 
 #define EXP_ACC_MSG _("Permission denied. ")
 #define SRV_MSG     _("Server message: ")
+#define PASSKEY_LOCAL_AUTH_MSG      _("Kerberos TGT will not be granted upon login, user experience will be affected.")
 #define PASSKEY_DEFAULT_PIN_MSG     _("Enter PIN:")
 
 #define DEBUG_MGS_LEN 1024
@@ -736,6 +737,24 @@ static int user_info_pin_locked(pam_handle_t *pamh)
     return PAM_SUCCESS;
 }
 
+static int user_info_no_krb_tgt(pam_handle_t *pamh)
+{
+    int ret;
+
+    ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
+                              _("No Kerberos TGT granted as "
+                                "the server does not support this method. "
+                                "Your single-sign on(SSO) experience will "
+                                "be affected."),
+                              NULL, NULL);
+    if (ret != PAM_SUCCESS) {
+        D(("do_pam_conversation failed."));
+        return PAM_SYSTEM_ERR;
+    }
+
+    return PAM_SUCCESS;
+}
+
 static int user_info_account_expired(pam_handle_t *pamh, size_t buflen,
                                      uint8_t *buf)
 {
@@ -889,6 +908,9 @@ static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
         case SSS_PAM_USER_INFO_ACCOUNT_EXPIRED:
             ret = user_info_account_expired(pamh, buflen, buf);
             break;
+        case SSS_PAM_USER_INFO_NO_KRB_TGT:
+            ret = user_info_no_krb_tgt(pamh);
+            break;
         default:
             D(("Unknown user info type [%d]", type));
             ret = PAM_SYSTEM_ERR;
@@ -1846,6 +1868,12 @@ static int prompt_passkey(pam_handle_t *pamh, struct pam_items *pi,
     }
 
     kerberos_preauth = pi->passkey_key != NULL ? true : false;
+    if (!kerberos_preauth) {
+        m[msg_idx].msg_style = PAM_TEXT_INFO;
+        m[msg_idx].msg = PASSKEY_LOCAL_AUTH_MSG;
+        msg_idx++;
+    }
+
     if ((strcasecmp(pi->passkey_prompt_pin, "false")) == 0) {
         prompt_pin = false;
     } else {

src/sss_client/sss_cli.h

@@ -637,6 +637,9 @@ enum user_info_type {
                                         * specified length. */
 
     SSS_PAM_USER_INFO_PIN_LOCKED, /**< Tell the user that the PIN is locked */
+    SSS_PAM_USER_INFO_NO_KRB_TGT, /**< Tell the user that Kerberos local/offline
+                                       auth was performed, therefore no TGT
+                                       is granted */
 };
 /**
  * @}

src/util/sss_pam_data.h

@@ -74,6 +74,7 @@ struct pam_data {
 #ifdef USE_KEYRING
     key_serial_t key_serial;
 #endif
+    bool passkey_local_done;
 };
 
 /**