user-accounts: When enterprise account disabled, join as admin

When an enterprise login user account is disabled, or needs to have
its password change, just prompt for the administrator to do the join
to the domain. This is exactly the same fall through as if the user
does not have permission to join a machine to a domain.

https://bugzilla.gnome.org/show_bug.cgi?id=699293

panels/user-accounts/um-account-dialog.c

@@ -648,9 +648,19 @@ on_realm_login (GObject *source,
 {
         UmAccountDialog *self = UM_ACCOUNT_DIALOG (user_data);
         GError *error = NULL;
-        GBytes *creds;
+        GBytes *creds = NULL;
 
         um_realm_login_finish (result, &creds, &error);
+
+        /*
+         * User login is valid, but cannot authenticate right now (eg: user needs
+         * to change password at next login etc.)
+         */
+        if (g_error_matches (error, UM_REALM_ERROR, UM_REALM_ERROR_CANNOT_AUTH)) {
+                g_clear_error (&error);
+                creds = NULL;
+        }
+
         if (error == NULL) {
 
                 /* Already joined to the domain, just register this user */
@@ -659,7 +669,8 @@ on_realm_login (GObject *source,
                         enterprise_permit_user_login (self);
 
                 /* Join the domain, try using the user's creds */
-                } else if (!um_realm_join_as_user (self->selected_realm,
+                } else if (creds == NULL ||
+                           !um_realm_join_as_user (self->selected_realm,
                                                    gtk_entry_get_text (self->enterprise_login),
                                                    gtk_entry_get_text (self->enterprise_password),
                                                    creds, self->cancellable,

panels/user-accounts/um-realm-manager.c

@@ -809,10 +809,7 @@ kinit_thread_func (GSimpleAsyncResult *async,
                 break;
 
         case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
-        case KRB5KDC_ERR_CLIENT_REVOKED:
-        case KRB5KDC_ERR_KEY_EXP:
         case KRB5KDC_ERR_POLICY:
-        case KRB5KDC_ERR_ETYPE_NOSUPP:
                 g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_BAD_LOGIN,
                                                  _("Cannot log in as %s at the %s domain"),
                                                  login->user, login->domain);
@@ -822,6 +819,15 @@ kinit_thread_func (GSimpleAsyncResult *async,
                 g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_BAD_PASSWORD,
                                                  _("Invalid password, please try again"));
                 break;
+        case KRB5_PREAUTH_FAILED:
+        case KRB5KDC_ERR_KEY_EXP:
+        case KRB5KDC_ERR_CLIENT_REVOKED:
+        case KRB5KDC_ERR_ETYPE_NOSUPP:
+        case KRB5_PROG_ETYPE_NOSUPP:
+                g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_CANNOT_AUTH,
+                                                 _("Cannot log in as %s at the %s domain"),
+                                                 login->user, login->domain);
+                break;
         default:
                 g_simple_async_result_set_error (async, UM_REALM_ERROR, UM_REALM_ERROR_GENERIC,
                                                  _("Couldn't connect to the %s domain: %s"),

panels/user-accounts/um-realm-manager.h

@@ -29,6 +29,7 @@ G_BEGIN_DECLS
 typedef enum {
 	UM_REALM_ERROR_BAD_LOGIN,
 	UM_REALM_ERROR_BAD_PASSWORD,
+	UM_REALM_ERROR_CANNOT_AUTH,
 	UM_REALM_ERROR_GENERIC,
 } UmRealmErrors;