2 files changed, 12 insertions, 6 deletions

diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index c6fcd5f8..1daf0c9f 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -184,8 +184,12 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 
 	    if ( impression == _PAM_UNDEF
 		 || (impression == _PAM_POSITIVE && status == PAM_SUCCESS) ) {
-		impression = _PAM_POSITIVE;
-		status = retval;
+                /* in case of using cached chain
+                   we could get here with PAM_IGNORE - don't return it */
+                if ( retval != PAM_IGNORE || cached_retval == retval ) {
+		    impression = _PAM_POSITIVE;
+                    status = retval;
+                }
 	    }
 	    if ( impression == _PAM_POSITIVE && action == _PAM_ACTION_DONE ) {
 		goto decision_made;
@@ -227,8 +231,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
 		    if (impression == _PAM_UNDEF
 			|| (impression == _PAM_POSITIVE
 			    && status == PAM_SUCCESS) ) {
-			impression = _PAM_POSITIVE;
-			status = retval;
+                	if ( retval != PAM_IGNORE || cached_retval == retval ) {
+			    impression = _PAM_POSITIVE;
+                    	    status = retval;
+                	}
 		    }
 		}
 		
diff --git a/libpam/pam_strerror.c b/libpam/pam_strerror.c
index de857fd8..b2c6775a 100644
--- a/libpam/pam_strerror.c
+++ b/libpam/pam_strerror.c
@@ -48,7 +48,7 @@ const char *pam_strerror(pam_handle_t *pamh, int errnum)
     case PAM_USER_UNKNOWN:
 	return "User not known to the underlying authentication module";
     case PAM_MAXTRIES:
-	return "Have exhasted maximum number of retries for service.";
+	return "Have exhausted maximum number of retries for service.";
     case PAM_NEW_AUTHTOK_REQD:
 	return "Authentication token is no longer valid; new one required.";
     case PAM_ACCT_EXPIRED:
@@ -78,7 +78,7 @@ const char *pam_strerror(pam_handle_t *pamh, int errnum)
     case PAM_TRY_AGAIN:
 	return "Failed preliminary check by password service";
     case PAM_IGNORE:
-	return "Please ignore underlying account module";
+	return "The return value should be ignored by PAM dispatch";
     case PAM_MODULE_UNKNOWN:
 	return "Module is unknown";
     case PAM_AUTHTOK_EXPIRED: