r21161: Another fix for pam_winbind: Move the entire pwd expiry handling into

the PAM_SUCCESS block.

Guenther
(This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)

1 files changed, 14 insertions, 14 deletions

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 1a1d7ffcdd..1ee5dba457 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -1091,22 +1091,22 @@ static int winbind_auth_request(pam_handle_t * pamh,
 		PAM_WB_REMARK_CHECK_RESPONSE_RET(pamh, ctrl, response, "NT_STATUS_ACCESS_DENIED");
 	}
 
-	/* warn a user if the password is about to expire soon */
-	_pam_warn_password_expiry(pamh, ctrl, &response, &already_expired);
-	
-	if (already_expired == True) {
-		_pam_log_debug(pamh, ctrl, LOG_DEBUG, "Password has expired "
-			       "(Password was last set: %d, the policy says "
-			       "it should expire here %d (now it's: %d)\n",
-			       response.data.auth.info3.pass_last_set_time, 
-			       response.data.auth.info3.pass_last_set_time +
-			       response.data.auth.policy.expire,
-			       time(NULL));
+	if (ret == PAM_SUCCESS) {
 
-		return PAM_AUTHTOK_EXPIRED;
-	}
+		/* warn a user if the password is about to expire soon */
+		_pam_warn_password_expiry(pamh, ctrl, &response, &already_expired);
 
-	if (ret == PAM_SUCCESS) {
+		if (already_expired == True) {
+			_pam_log_debug(pamh, ctrl, LOG_DEBUG, "Password has expired "
+				       "(Password was last set: %d, the policy says "
+				       "it should expire here %d (now it's: %d))\n",
+				       response.data.auth.info3.pass_last_set_time, 
+				       response.data.auth.info3.pass_last_set_time +
+				       response.data.auth.policy.expire,
+				       time(NULL));
+
+			return PAM_AUTHTOK_EXPIRED;
+		}
 
 		/* inform about logon type */
 		_pam_warn_logon_type(pamh, ctrl, user, response.data.auth.info3.user_flgs);