svn commit: samba r13375 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

gd at samba.org gd at samba.org
Tue Feb 7 17:18:30 GMT 2006 

Author: gd
Date: 2006-02-07 17:18:29 +0000 (Tue, 07 Feb 2006)
New Revision: 13375

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13375

Log:
Match XP behaviour: Don't force 'Administrator' to change an expired
password on logon. (this might be true for all domain admins as well).

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   trunk/source/nsswitch/pam_winbind.c
   trunk/source/nsswitch/winbindd_nss.h
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/pam_winbind.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2006-02-07 00:50:38 UTC (rev 13374)
+++ branches/SAMBA_3_0/source/nsswitch/pam_winbind.c	2006-02-07 17:18:29 UTC (rev 13375)
@@ -419,7 +419,8 @@
 
 	/* handle the case where the auth was ok, but the password must expire right now */
 	/* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
-	if ((response.data.auth.policy.expire > 0) && 
+	if ((response.data.auth.info3.user_rid != DOMAIN_USER_RID_ADMIN ) &&
+	    (response.data.auth.policy.expire > 0) && 
 	    (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) {
 
 		ret = PAM_AUTHTOK_EXPIRED;
@@ -435,7 +436,8 @@
 	}
 
 	/* warn a user if the password is about to expire soon */
-	if ((response.data.auth.policy.expire) && 
+	if ((response.data.auth.info3.user_rid != DOMAIN_USER_RID_ADMIN ) &&
+	    (response.data.auth.policy.expire) && 
 	    (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire > time(NULL) ) ) {
 
 		int days = response.data.auth.policy.expire / SECONDS_PER_DAY;

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h	2006-02-07 00:50:38 UTC (rev 13374)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_nss.h	2006-02-07 17:18:29 UTC (rev 13375)
@@ -338,8 +338,8 @@
 				time_t pass_must_change_time;
 				uint16 logon_count;
 				uint16 bad_pw_count;
-				fstring user_sid;
-				fstring group_sid;
+				uint32 user_rid;
+				uint32 group_rid;
 				fstring dom_sid;
 				uint32 num_groups;
 				uint32 user_flgs;

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-02-07 00:50:38 UTC (rev 13374)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-02-07 17:18:29 UTC (rev 13375)
@@ -32,7 +32,6 @@
 				    struct winbindd_cli_state *state, 
 				    NET_USER_INFO_3 *info3) 
 {
-	DOM_SID user_sid, group_sid;
 	fstring str_sid;
 
 	state->response.data.auth.info3.logon_time = 
@@ -51,18 +50,8 @@
 	state->response.data.auth.info3.logon_count = info3->logon_count;
 	state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
 
-	sid_copy(&user_sid, &(info3->dom_sid.sid));
-	sid_append_rid(&user_sid, info3->user_rid);
-
-	sid_to_string(str_sid, &user_sid);
-	fstrcpy(state->response.data.auth.info3.user_sid, str_sid);
-
-	sid_copy(&group_sid, &(info3->dom_sid.sid));
-	sid_append_rid(&group_sid, info3->group_rid);
-
-	sid_to_string(str_sid, &group_sid);
-	fstrcpy(state->response.data.auth.info3.group_sid, str_sid);
-
+	state->response.data.auth.info3.user_rid = info3->user_rid;
+	state->response.data.auth.info3.group_rid = info3->group_rid;
 	sid_to_string(str_sid, &(info3->dom_sid.sid));
 	fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);
 

Modified: trunk/source/nsswitch/pam_winbind.c
===================================================================
--- trunk/source/nsswitch/pam_winbind.c	2006-02-07 00:50:38 UTC (rev 13374)
+++ trunk/source/nsswitch/pam_winbind.c	2006-02-07 17:18:29 UTC (rev 13375)
@@ -419,7 +419,8 @@
 
 	/* handle the case where the auth was ok, but the password must expire right now */
 	/* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
-	if ((response.data.auth.policy.expire > 0) && 
+	if ((response.data.auth.info3.user_rid != DOMAIN_USER_RID_ADMIN ) &&
+	    (response.data.auth.policy.expire > 0) && 
 	    (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) {
 
 		ret = PAM_AUTHTOK_EXPIRED;
@@ -435,7 +436,8 @@
 	}
 
 	/* warn a user if the password is about to expire soon */
-	if ((response.data.auth.policy.expire) && 
+	if ((response.data.auth.info3.user_rid != DOMAIN_USER_RID_ADMIN ) &&
+	    (response.data.auth.policy.expire) && 
 	    (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire > time(NULL) ) ) {
 
 		int days = response.data.auth.policy.expire / SECONDS_PER_DAY;

Modified: trunk/source/nsswitch/winbindd_nss.h
===================================================================
--- trunk/source/nsswitch/winbindd_nss.h	2006-02-07 00:50:38 UTC (rev 13374)
+++ trunk/source/nsswitch/winbindd_nss.h	2006-02-07 17:18:29 UTC (rev 13375)
@@ -338,8 +338,8 @@
 				time_t pass_must_change_time;
 				uint16 logon_count;
 				uint16 bad_pw_count;
-				fstring user_sid;
-				fstring group_sid;
+				uint32 user_rid;
+				uint32 group_rid;
 				fstring dom_sid;
 				uint32 num_groups;
 				uint32 user_flgs;

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-02-07 00:50:38 UTC (rev 13374)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-02-07 17:18:29 UTC (rev 13375)
@@ -32,7 +32,6 @@
 				    struct winbindd_cli_state *state, 
 				    NET_USER_INFO_3 *info3) 
 {
-	DOM_SID user_sid, group_sid;
 	fstring str_sid;
 
 	state->response.data.auth.info3.logon_time = 
@@ -51,18 +50,8 @@
 	state->response.data.auth.info3.logon_count = info3->logon_count;
 	state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
 
-	sid_copy(&user_sid, &(info3->dom_sid.sid));
-	sid_append_rid(&user_sid, info3->user_rid);
-
-	sid_to_string(str_sid, &user_sid);
-	fstrcpy(state->response.data.auth.info3.user_sid, str_sid);
-
-	sid_copy(&group_sid, &(info3->dom_sid.sid));
-	sid_append_rid(&group_sid, info3->group_rid);
-
-	sid_to_string(str_sid, &group_sid);
-	fstrcpy(state->response.data.auth.info3.group_sid, str_sid);
-
+	state->response.data.auth.info3.user_rid = info3->user_rid;
+	state->response.data.auth.info3.group_rid = info3->group_rid;
 	sid_to_string(str_sid, &(info3->dom_sid.sid));
 	fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);

More information about the samba-cvs mailing list