diff options
| author | Günther Deschner <gd@samba.org> | 2007-02-22 13:35:01 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:18:08 -0500 |
| commit | 9684e353a16cd18424f5b35a5d84ae3c2a03ae70 (patch) | |
| tree | f254fcf8660eb7988d1b1f58168f1fbd7df7f81a /source3/nsswitch/pam_winbind.h | |
| parent | ca229b0980b5c78f140180db764b3229d5ccb078 (diff) | |
| download | samba-9684e353a16cd18424f5b35a5d84ae3c2a03ae70.tar.gz samba-9684e353a16cd18424f5b35a5d84ae3c2a03ae70.tar.bz2 samba-9684e353a16cd18424f5b35a5d84ae3c2a03ae70.zip | |
r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user
changed a password via pam_chauthtok. Only do this if
a) a user logs on using an expired password (or a password that needs to
be changed immediately) or
b) the user itself changes his password.
Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).
Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).
Guenther
(This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
Diffstat (limited to 'source3/nsswitch/pam_winbind.h')
| -rw-r--r-- | source3/nsswitch/pam_winbind.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/source3/nsswitch/pam_winbind.h b/source3/nsswitch/pam_winbind.h index 05fc2e128e..73da2826ca 100644 --- a/source3/nsswitch/pam_winbind.h +++ b/source3/nsswitch/pam_winbind.h @@ -99,6 +99,7 @@ do { \ #define off(x, y) (!(x & y)) #define PAM_WINBIND_NEW_AUTHTOK_REQD "PAM_WINBIND_NEW_AUTHTOK_REQD" +#define PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH "PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH" #define PAM_WINBIND_HOMEDIR "PAM_WINBIND_HOMEDIR" #define PAM_WINBIND_LOGONSCRIPT "PAM_WINBIND_LOGONSCRIPT" #define PAM_WINBIND_LOGONSERVER "PAM_WINBIND_LOGONSERVER" |