diff options
| author | Günther Deschner <gd@samba.org> | 2007-01-11 15:41:02 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:17:02 -0500 |
| commit | 0d538f7370f13b175f127f061d5bff18e631cd5e (patch) | |
| tree | 6ed7999cab70207a63907d17c2184e033acd335c /source3/nsswitch/winbindd_pam.c | |
| parent | b79629fcc431764f1ec34876e7a28e242d205ac8 (diff) | |
| download | samba-0d538f7370f13b175f127f061d5bff18e631cd5e.tar.gz samba-0d538f7370f13b175f127f061d5bff18e631cd5e.tar.bz2 samba-0d538f7370f13b175f127f061d5bff18e631cd5e.zip | |
r20687: Implement grace logons for offline authentications in pam_winbind.
In case a user authenticated sucessfully and his password just expired
while beeing disconnected, we should allow a user to logon (given a
clear warning). We currently forced the user into a password change
dialogue in that scenario; this did not make much sense while offline.
Guenther
(This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 40 |
1 files changed, 22 insertions, 18 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 47721b1bb0..70007d481c 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -826,26 +826,12 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, must_change_time = nt_time_to_unix(my_info3->pass_must_change_time); if (must_change_time != 0 && must_change_time < time(NULL)) { - return NT_STATUS_PASSWORD_EXPIRED; + /* we allow grace logons when the password has expired */ + my_info3->user_flgs |= LOGON_GRACE_LOGON; + /* return NT_STATUS_PASSWORD_EXPIRED; */ + goto success; } - /* FIXME: we possibly should handle logon hours as well (does xp when - * offline?) see auth/auth_sam.c:sam_account_ok for details */ - - unix_to_nt_time(&my_info3->logon_time, time(NULL)); - my_info3->bad_pw_count = 0; - - result = winbindd_update_creds_by_info3(domain, - state->mem_ctx, - state->request.data.auth.user, - state->request.data.auth.pass, - my_info3); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n", - nt_errstr(result))); - return result; - } - #ifdef HAVE_KRB5 /* FIXME: what else points out that the remote domain is AD ? */ if (!strequal(domain->name, domain->alt_name) && @@ -909,6 +895,24 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, } } #endif /* HAVE_KRB5 */ + success: + /* FIXME: we possibly should handle logon hours as well (does xp when + * offline?) see auth/auth_sam.c:sam_account_ok for details */ + + unix_to_nt_time(&my_info3->logon_time, time(NULL)); + my_info3->bad_pw_count = 0; + + result = winbindd_update_creds_by_info3(domain, + state->mem_ctx, + state->request.data.auth.user, + state->request.data.auth.pass, + my_info3); + if (!NT_STATUS_IS_OK(result)) { + DEBUG(1,("winbindd_dual_pam_auth_cached: failed to update creds: %s\n", + nt_errstr(result))); + return result; + } + return NT_STATUS_OK; } |