diff options
Diffstat (limited to 'source3/nsswitch/pam_winbind.c')
-rw-r--r-- | source3/nsswitch/pam_winbind.c | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index e42199cd0f..95b3d23dd4 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -2384,15 +2384,17 @@ static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx, /* Make sure that we only do this if a) the chauthtok got initiated * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any * later password change via the "passwd" command if done by the user - * itself */ + * itself + * NB. If we login from gdm or xdm and the password expires, + * we change the password, but there is no memory cache. + * Thus, even for passthrough login, we should do the + * authentication again to update memory cache. + * --- BoYang + * */ char *new_authtok_reqd_during_auth = NULL; struct passwd *pwd = NULL; - if (!(ctx->ctrl & WINBIND_KRB5_AUTH)) { - return false; - } - _pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, &new_authtok_reqd_during_auth); pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, @@ -2630,8 +2632,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, cctype = get_krb5_cc_type_from_config(ctx); warn_pwd_expire = get_warn_pwd_expire_from_config(ctx); - /* clearing offline bit for auth */ - ctx->ctrl &= ~WINBIND_CACHED_LOGIN; + /* Keep WINBIND_CACHED_LOGIN bit for + * authentication after changing the password. + * This will update the cached credentials in case + * that winbindd_dual_pam_chauthtok() fails + * to update them. + * --- BoYang + * */ ret = winbind_auth_request(ctx, user, pass_new, member, cctype, 0, &response, |