r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain password

policies when requested.

No panic, the flags is uint32 so we are not running out of WBFLAG bits.

Guenther
(This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)

3 files changed, 9 insertions, 5 deletions

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index df5fc11d3e..b09e974d07 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -321,7 +321,7 @@ static int winbind_auth_request(pam_handle_t * pamh,
 	request.data.auth.krb5_cc_type[0] = '\0';
 	request.data.auth.uid = -1;
 	
-	request.flags = WBFLAG_PAM_INFO3_TEXT;
+	request.flags = WBFLAG_PAM_INFO3_TEXT | WBFLAG_PAM_GET_PWD_POLICY;
 
 	if (ctrl & WINBIND_KRB5_AUTH) {
 
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index b01053d63c..c5ca507bda 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -179,6 +179,7 @@ typedef struct winbindd_gr {
 #define WBFLAG_PAM_KRB5			0x1000
 #define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x2000
 #define WBFLAG_PAM_CACHED_LOGIN		0x4000
+#define WBFLAG_PAM_GET_PWD_POLICY	0x8000
 
 #define WINBINDD_MAX_EXTRA_DATA (128*1024)
 
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 9cd2dd9c0c..12455db8f6 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1210,11 +1210,14 @@ process_result:
 
 		}
 
-		result = fillup_password_policy(domain, state);
+		/* this is required to provide password expiry warning */ 
+		if (state->request.flags & WBFLAG_PAM_GET_PWD_POLICY) {
+			result = fillup_password_policy(domain, state);
 
-		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
-			goto done;
+			if (!NT_STATUS_IS_OK(result)) {
+				DEBUG(10,("Failed to get password policies: %s\n", nt_errstr(result)));
+				goto done;
+			}
 		}
 	
 	}