Only retrieve password policies in pam_auth when WBFLAG_PAM_GET_PWD_POLICY is set.

This essentially re-establishes r14496 (2155bb0535656f294bd054d6a0a7d16a9a71c31b)
which was undone in r17723 (43bd8c00abb38eb23a1497a255d194fb1bbffffb) for
reasons that are unclear to me. Maybe I am being too naive.

Now we do again only retrieve the password policy when called from
the pam_winbind module. This fixes logons delegated to AD trusted
domain controllers: We need to connect to the sam to retrieve the
password policy. But auhtenticated session setup is not possible
when contacting the trusted domain dc and afterwards, SamrConnect
also fails with whatever credentials and method used.

Michael
(This used to be commit 6d765e0de523211a2d0b43a2c4c4117f5f0c662f)

1 files changed, 9 insertions, 6 deletions

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5133239258..7a9014a82f 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1593,13 +1593,16 @@ process_result:
 			}
 		}
 
-		result = fillup_password_policy(domain, state);
 
-		if (!NT_STATUS_IS_OK(result) 
-		    && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) 
-		{
-			DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
-			goto done;
+		if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
+			result = fillup_password_policy(domain, state);
+
+			if (!NT_STATUS_IS_OK(result) 
+			    && !NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED) ) 
+			{
+				DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
+				goto done;
+			}
 		}
 
 		result = NT_STATUS_OK;