authorAndrew Bartlett <abartlet@samba.org>2002-05-28 14:35:11 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-05-28 14:35:11 +0000
commite066e5e614f4072384b704c628b35b91fb52ffe3 (patch)
tree7342a6cb0f0db9cc82c4789635ebe0b72a35325d
parent742ed34e470cf1e9c406b5a06a3274146d26b2d5 (diff)
Updates to better report some NTSTATUS errors into PAM, and update to PAM
to correctly allow password changes on expired passwords. (No security implications, as it's just a 'will I let you talk to the server' check). pam_winbind checks the password prior to changing it, so that users don't have to make up and type their new password when they haven't even got the old one right. This also helps with stacking etc. Andrew Bartlett (This used to be commit 2b78d493002a3ba13533429c6a14f5c0a92f43d1)
-rw-r--r--source3/lib/pam_errors.c1
-rw-r--r--source3/nsswitch/pam_winbind.c9
2 files changed, 10 insertions, 0 deletions
diff --git a/source3/lib/pam_errors.c b/source3/lib/pam_errors.c
index f74e4bf176..e1d02151a6 100644
--- a/source3/lib/pam_errors.c
+++ b/source3/lib/pam_errors.c
@@ -67,6 +67,7 @@ const static struct {
{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+ {NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
{NT_STATUS_OK, PAM_SUCCESS}
};
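Review bot: The new `NT_STATUS_PASSWORD_EXPIRED` row carries an undocumented assumption: the `pam_sm_chauthtok` change in this commit treats `PAM_AUTHTOK_EXPIRED` as "old password accepted". That holds only if the server reports this status after it has verified the supplied password, which the table does not say. A comment on the row would record it, for example `/* expired but otherwise valid password; pam_sm_chauthtok lets this through its old-password pre-check */`. The commit message says the server still enforces the real check on the change itself, so this is a documentation point and not a bypass.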
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index b192a347f4..4739cfbf7a 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -155,6 +155,14 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
/* incorrect password */
_pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", user);
return retval;
+ case PAM_ACCT_EXPIRED:
+ /* account expired */
+ _pam_log(LOG_WARNING, "user `%s' account expired", user);
+ return retval;
+ case PAM_AUTHTOK_EXPIRED:
+ /* password expired */
+ _pam_log(LOG_WARNING, "user `%s' password expired", user);
+ return retval;
case PAM_USER_UNKNOWN:
/* the user does not exist */
if (ctrl & WINBIND_DEBUG_ARG)
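Review bot: The two new cases log at `LOG_WARNING` unconditionally, but `winbind_auth_request` is also called from `pam_sm_chauthtok`, where an expired password is an expected and permitted state. Every change of an expired password will therefore emit a warning that reads like a denial, which adds noise to failed-login monitoring. Consider a lower priority for the password case, e.g. `_pam_log(LOG_NOTICE, "user `%s' password expired", user);`, or letting the caller decide whether to log. The neighbouring `PAM_USER_UNKNOWN` case is gated on `WINBIND_DEBUG_ARG`, so the verbosity policy is already not uniform across the switch. The switch itself starts and ends outside this hunk.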
@@ -577,6 +585,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
retval = winbind_auth_request(user, pass_old, ctrl);
if (retval != PAM_ACCT_EXPIRED
+ && retval != PAM_AUTHTOK_EXPIRED
&& retval != PAM_NEW_AUTHTOK_REQD
&& retval != PAM_SUCCESS) {
pass_old = NULL;