summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Adam <obnox@samba.org>2007-12-19 17:53:14 +0100
committerGünther Deschner <gd@samba.org>2007-12-20 02:05:55 +0100
commite3bb148b941e67b5caea3db2c8ef9efc984598fa (patch)
tree96dbc4df9e9d995479c1e4b025a89377349d2ef3
parent233eb0e560acb26f8706fd3ab96d4c6379458414 (diff)
downloadsamba-e3bb148b941e67b5caea3db2c8ef9efc984598fa.tar.gz
samba-e3bb148b941e67b5caea3db2c8ef9efc984598fa.tar.bz2
samba-e3bb148b941e67b5caea3db2c8ef9efc984598fa.zip
Only retrieve password policies in pam_auth when WBFLAG_PAM_GET_PWD_POLICY is set.
This essentially re-establishes r14496 (2155bb0535656f294bd054d6a0a7d16a9a71c31b) which was undone in r17723 (43bd8c00abb38eb23a1497a255d194fb1bbffffb) for reasons that are unclear to me. Maybe I am being too naive. Now we do again only retrieve the password policy when called from the pam_winbind module. This fixes logons delegated to AD trusted domain controllers: We need to connect to the sam to retrieve the password policy. But auhtenticated session setup is not possible when contacting the trusted domain dc and afterwards, SamrConnect also fails with whatever credentials and method used. Michael (This used to be commit 6d765e0de523211a2d0b43a2c4c4117f5f0c662f)
-rw-r--r--source3/nsswitch/pam_winbind.c1
-rw-r--r--source3/nsswitch/winbind_struct_protocol.h2
-rw-r--r--source3/winbindd/winbindd_pam.c15
3 files changed, 11 insertions, 7 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index f00db39b45..4d019072ac 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -1201,6 +1201,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
request.data.auth.uid = -1;
request.flags = WBFLAG_PAM_INFO3_TEXT |
+ WBFLAG_PAM_GET_PWD_POLICY |
WBFLAG_PAM_CONTACT_TRUSTDOM;
if (ctrl & (WINBIND_KRB5_AUTH|WINBIND_CACHED_LOGIN)) {
diff --git a/source3/nsswitch/winbind_struct_protocol.h b/source3/nsswitch/winbind_struct_protocol.h
index 5b663c63f7..12ca1e55c8 100644
--- a/source3/nsswitch/winbind_struct_protocol.h
+++ b/source3/nsswitch/winbind_struct_protocol.h
@@ -194,7 +194,7 @@ typedef struct winbindd_gr {
#define WBFLAG_PAM_KRB5 0x00001000
#define WBFLAG_PAM_FALLBACK_AFTER_KRB5 0x00002000
#define WBFLAG_PAM_CACHED_LOGIN 0x00004000
-#define WBFLAG_PAM_GET_PWD_POLICY 0x00008000 /* not used */
+#define WBFLAG_PAM_GET_PWD_POLICY 0x00008000
/* generic request flags */
#define WBFLAG_QUERY_ONLY 0x00000020 /* not used */
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5133239258..7a9014a82f 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1593,13 +1593,16 @@ process_result:
}
}
- result = fillup_password_policy(domain, state);
- if (!NT_STATUS_IS_OK(result)
- && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
- {
- DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
- goto done;
+ if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
+ result = fillup_password_policy(domain, state);
+
+ if (!NT_STATUS_IS_OK(result)
+ && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) )
+ {
+ DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
+ goto done;
+ }
}
result = NT_STATUS_OK;