From e2a53a2455ae7f3154d25fa0d02f024069cc1d6d Mon Sep 17 00:00:00 2001
From: Mathieu Parent
Date: Thu, 12 Apr 2018 11:57:15 +0200
Subject: [PATCH] nsswitch: Add try_authok option to pam_winbind

Same as the use_authtok option, except that if the new password is not valid, PAM will prompt for a password.

Bug-Debian: https://bugs.debian.org/858923
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944

Signed-off-by: Mathieu Parent
---
 docs-xml/manpages/pam_winbind.8.xml | 8 ++++++++
 nsswitch/pam_winbind.c | 5 +++++
 nsswitch/pam_winbind.h | 1 +
 3 files changed, 14 insertions(+)

diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml
index f57a9286a6c..b8af5b54c58 100644
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -122,6 +122,14 @@
+
+ try_authtok
+
+ Same as the use_authtok option (previous item), except that if the new password is not
+ valid, PAM will prompt for a password.
+
+
+
 krb5_auth
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 63fede87c78..184f55579fd 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -492,6 +492,8 @@ static int _pam_parse(const pam_handle_t *pamh,
 			ctrl |= WINBIND_SILENT;
 		else if (!strcasecmp(*v, "use_authtok"))
 			ctrl |= WINBIND_USE_AUTHTOK_ARG;
+		else if (!strcasecmp(*v, "try_authtok"))
+			ctrl |= WINBIND_TRY_AUTHTOK_ARG;
 		else if (!strcasecmp(*v, "use_first_pass"))
 			ctrl |= WINBIND_USE_FIRST_PASS_ARG;
 		else if (!strcasecmp(*v, "try_first_pass"))
@@ -3181,6 +3183,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 		if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
 			lctrl |= WINBIND_USE_FIRST_PASS_ARG;
 		}
+		if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) {
+			lctrl |= WINBIND_TRY_FIRST_PASS_ARG;
+		}
 		retry = 0;
 		ret = PAM_AUTHTOK_ERR;
 		while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index d468efbb56a..c6786d65a4d 100644
--- a/nsswitch/pam_winbind.h
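Review bot: The option string the new branch compares against, `try_authtok`, does not match the spelling in the commit subject, `try_authok`; the subject should be corrected so the log matches the manpage entry and the parser. The branch mirrors the neighbouring `use_authtok` case and only sets `WINBIND_TRY_AUTHTOK_ARG`, and nothing in this hunk says where that flag is consumed; a short comment such as `/* try_authtok: like use_authtok, but fall back to prompting (consumed in pam_sm_chauthtok) */` would help the next reader. _pam_parse begins and ends outside the hunk.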
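Review bot: Mapping `try_authtok` onto `WINBIND_TRY_FIRST_PASS_ARG` here only decides how the first attempt obtains the new password; the documented behaviour, prompting when the stacked new password is not valid, depends on the retry loop that starts at the end of this hunk and continues outside it. If that loop does not discard the stacked PAM_AUTHTOK or clear the first-pass bits from `lctrl` after a rejected attempt, each of the MAX_PASSWD_TRIES iterations would presumably re-read the same rejected token instead of prompting, so that path should be checked, ideally with a test that stacks a new password which fails the domain password policy. When both `use_authtok` and `try_authtok` are configured, both first-pass bits are now set in `lctrl` and the precedence between them is decided outside the hunk; a comment above the new block, `/* try_authtok: prefer the stacked PAM_AUTHTOK, prompt if it is missing or rejected */`, would make the intended contract explicit. pam_sm_chauthtok begins and ends outside the hunk.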
+++ b/nsswitch/pam_winbind.h
@@ -156,6 +156,7 @@ do { \
 #define WINBIND_DEBUG_STATE 0x00001000
 #define WINBIND_WARN_PWD_EXPIRE 0x00002000
 #define WINBIND_MKHOMEDIR 0x00004000
+#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string)