From 06b3a79d1fb2b66c39e0d8667c5904bfaff26b03 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 7 Jul 2008 11:26:16 -0700 Subject: Allow authentication and memory credential refresh after password change from gdm/xdm. Patch from boyang . Jeremy. (This used to be commit 8cfc6afc7b4a6af9aea5f5a7cb5af7e3218c2d75) --- source3/nsswitch/pam_winbind.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'source3/nsswitch/pam_winbind.c') diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index e42199cd0f..95b3d23dd4 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -2384,15 +2384,17 @@ static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx, /* Make sure that we only do this if a) the chauthtok got initiated * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any * later password change via the "passwd" command if done by the user - * itself */ + * itself + * NB. If we login from gdm or xdm and the password expires, + * we change the password, but there is no memory cache. + * Thus, even for passthrough login, we should do the + * authentication again to update memory cache. + * --- BoYang + * */ char *new_authtok_reqd_during_auth = NULL; struct passwd *pwd = NULL; - if (!(ctx->ctrl & WINBIND_KRB5_AUTH)) { - return false; - } - _pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, &new_authtok_reqd_during_auth); pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, @@ -2630,8 +2632,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, cctype = get_krb5_cc_type_from_config(ctx); warn_pwd_expire = get_warn_pwd_expire_from_config(ctx); - /* clearing offline bit for auth */ - ctx->ctrl &= ~WINBIND_CACHED_LOGIN; + /* Keep WINBIND_CACHED_LOGIN bit for + * authentication after changing the password. + * This will update the cached credentials in case + * that winbindd_dual_pam_chauthtok() fails + * to update them. + * --- BoYang + * */ ret = winbind_auth_request(ctx, user, pass_new, member, cctype, 0, &response, -- cgit