1 files changed, 14 insertions, 7 deletions

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index e42199cd0f..95b3d23dd4 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -2384,15 +2384,17 @@ static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx,
 	/* Make sure that we only do this if a) the chauthtok got initiated
 	 * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any
 	 * later password change via the "passwd" command if done by the user
-	 * itself */
+	 * itself
+	 * NB. If we login from gdm or xdm and the password expires,
+	 * we change the password, but there is no memory cache.
+	 * Thus, even for passthrough login, we should do the
+	 * authentication again to update memory cache.
+	 * --- BoYang
+	 * */
 
 	char *new_authtok_reqd_during_auth = NULL;
 	struct passwd *pwd = NULL;
 
-	if (!(ctx->ctrl & WINBIND_KRB5_AUTH)) {
-		return false;
-	}
-
 	_pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
 		      &new_authtok_reqd_during_auth);
 	pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
@@ -2630,8 +2632,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 			cctype = get_krb5_cc_type_from_config(ctx);
 			warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
 
-			/* clearing offline bit for auth */
-			ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
+			/* Keep WINBIND_CACHED_LOGIN bit for
+			 * authentication after changing the password.
+			 * This will update the cached credentials in case
+			 * that winbindd_dual_pam_chauthtok() fails
+			 * to update them.
+			 * --- BoYang
+			 * */
 
 			ret = winbind_auth_request(ctx, user, pass_new,
 						   member, cctype, 0, &response,