From 06b3a79d1fb2b66c39e0d8667c5904bfaff26b03 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 7 Jul 2008 11:26:16 -0700 Subject: Allow authentication and memory credential refresh after password change from gdm/xdm. Patch from boyang . Jeremy. (This used to be commit 8cfc6afc7b4a6af9aea5f5a7cb5af7e3218c2d75) --- source3/nsswitch/pam_winbind.c | 21 ++++++++++++++------- source3/winbindd/winbindd_pam.c | 25 +++++++++++++++++++++++-- 2 files changed, 37 insertions(+), 9 deletions(-) (limited to 'source3') diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index e42199cd0f..95b3d23dd4 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -2384,15 +2384,17 @@ static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx, /* Make sure that we only do this if a) the chauthtok got initiated * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any * later password change via the "passwd" command if done by the user - * itself */ + * itself + * NB. If we login from gdm or xdm and the password expires, + * we change the password, but there is no memory cache. + * Thus, even for passthrough login, we should do the + * authentication again to update memory cache. + * --- BoYang + * */ char *new_authtok_reqd_during_auth = NULL; struct passwd *pwd = NULL; - if (!(ctx->ctrl & WINBIND_KRB5_AUTH)) { - return false; - } - _pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, &new_authtok_reqd_during_auth); pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, @@ -2630,8 +2632,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags, cctype = get_krb5_cc_type_from_config(ctx); warn_pwd_expire = get_warn_pwd_expire_from_config(ctx); - /* clearing offline bit for auth */ - ctx->ctrl &= ~WINBIND_CACHED_LOGIN; + /* Keep WINBIND_CACHED_LOGIN bit for + * authentication after changing the password. + * This will update the cached credentials in case + * that winbindd_dual_pam_chauthtok() fails + * to update them. + * --- BoYang + * */ ret = winbind_auth_request(ctx, user, pass_new, member, cctype, 0, &response, diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index f7001f7716..c26f552d31 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2114,11 +2114,21 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact done: if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) { - + /* Update the single sign-on memory creds. */ result = winbindd_replace_memory_creds(state->request.data.chauthtok.user, newpass); + /* When we login from gdm or xdm and password expires, + * we change password, but there are no memory crendentials + * So, winbindd_replace_memory_creds() returns + * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure. + * --- BoYang + * */ + if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { + result = NT_STATUS_OK; + } + if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result))); goto process_result; @@ -2128,12 +2138,23 @@ done: result = winbindd_update_creds_by_name(contact_domain, state->mem_ctx, user, newpass); + /* Again, this happens when we login from gdm or xdm + * and the password expires, *BUT* cached crendentials + * doesn't exist. winbindd_update_creds_by_name() + * returns NT_STATUS_NO_SUCH_USER. + * This is not a failure. + * --- BoYang + * */ + if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) { + result = NT_STATUS_OK; + } + if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result))); goto process_result; } } - } + } if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) { -- cgit