[PATCH] Re: W2K Domain Login Problem with 2.2.0
Steve Langasek
vorlon at netexpress.net
Tue Apr 24 23:15:52 GMT 2001
On Wed, 25 Apr 2001, Andrew Bartlett wrote:
> > What problem does the code below fix? If you are concerned that some modules
> > will change passwords without checking the old password when called as root,
> > you should call pam_authenticate() first rather than trying to fake up a
> > set-uid /bin/passwd. It is /not/ reasonable to expect pam_chauthtok() to
> > authenticate the user for you. Some modules will authenticate the user
> > because they have to, some will do so as a convenience for the application
> > writer. It's possible that some modules will /not/ take this as a cue to
> > authenticate the user before updating the authentication token, so the safest
> > way to handle this is simply to always ensure the user has been authenticated
> > (with pam_authenticate() or otherwise) before pam_chauthtok() is called.
> We already authenticate the user well before we get to the unix password
> sync code (against our encrypted db). In my latest patch I've dropped
> the other (not as_root) stuff - as I can't tell you it's perfectly
> correct, or even tested. See http://samba.org/samba-patches?findid=355
Ok -- sorry about that, I missed that it had been superseded by a later patch.
Steve Langasek
postmodern programmer