Updates to better report some NTSTATUS errors into PAM, and update to PAM

to correctly allow password changes on expired passwords.  (No security
implications, as its just a 'will I let you talk to the server' check).

pam_winbind checks the password prior to changing it, so that users don't
have to make up and type their new password when they havn't even got the
old one right.  This also helps with stacking etc.

Andrew Bartlett
(This used to be commit 2b78d493002a3ba13533429c6a14f5c0a92f43d1)

1 files changed, 9 insertions, 0 deletions

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index b192a347f4..4739cfbf7a 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -155,6 +155,14 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
 		/* incorrect password */
 		_pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", user);
 		return retval;
+	case PAM_ACCT_EXPIRED:
+		/* account expired */
+		_pam_log(LOG_WARNING, "user `%s' account expired", user);
+		return retval;
+	case PAM_AUTHTOK_EXPIRED:
+		/* password expired */
+		_pam_log(LOG_WARNING, "user `%s' password expired", user);
+		return retval;
 	case PAM_USER_UNKNOWN:
 		/* the user does not exist */
 		if (ctrl & WINBIND_DEBUG_ARG)
@@ -577,6 +585,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 		retval = winbind_auth_request(user, pass_old, ctrl);
 		
 		if (retval != PAM_ACCT_EXPIRED 
+		    && retval != PAM_AUTHTOK_EXPIRED
 		    && retval != PAM_NEW_AUTHTOK_REQD 
 		    && retval != PAM_SUCCESS) {
 			pass_old = NULL;