[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-29-82-ga56de3c

Jeremy Allison jra at samba.org
Mon Jul 7 18:19:44 GMT 2008


The branch, v3-0-test has been updated
       via  a56de3ce7051deed5f36b03186bccac6ea0d2ce4 (commit)
      from  fbb1e2e358af892e121bb3e5e8587d4d5ace4132 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit a56de3ce7051deed5f36b03186bccac6ea0d2ce4
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jul 7 11:18:30 2008 -0700

    Allow authentication and memory credential refresh after password change from gdm/xdm. Patch from boyang <boyang at novell.com>.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/nsswitch/pam_winbind.c  |   25 ++++++++++++++++---------
 source/nsswitch/winbindd_pam.c |   24 ++++++++++++++++++++++--
 2 files changed, 38 insertions(+), 11 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index eff9101..85621f0 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -1911,18 +1911,20 @@ out:
 static BOOL _pam_require_krb5_auth_after_chauthtok(pam_handle_t *pamh, int ctrl, const char *user)
 {
 
-	/* Make sure that we only do this if 
+	/* Make sure that we only do this if
 	 * a) the chauthtok got initiated during a logon attempt (authenticate->acct_mgmt->chauthtok)
 	 * b) any later password change via the "passwd" command if done by the user itself 
-	 */
-		
+	 *
+	 * NB. If we login from gdm or xdm and the password expires,
+	 * we change the password, but there is no memory cache.
+	 * Thus, even for passthrough login, we should do the
+	 * authentication again to update memory cache.
+	 * --- BoYang
+	 * */
+
 	char *new_authtok_reqd_during_auth = NULL;
 	struct passwd *pwd = NULL;
 
-	if (!(ctrl & WINBIND_KRB5_AUTH)) {
-		return False;
-	}
-
 	_pam_get_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, &new_authtok_reqd_during_auth);
 	pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, NULL, NULL);
 
@@ -2146,8 +2148,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 			const char *member = get_member_from_config(pamh, argc, argv, ctrl, d);
 			const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
 
-			/* clearing offline bit for auth */
-			ctrl &= ~WINBIND_CACHED_LOGIN;
+                        /* Keep the WINBIND_CACHED_LOGIN bit for
+                         * authentication after changing the password.
+                         * This will update the cached credentials in case
+                         * that winbindd_dual_pam_chauthtok() fails
+                         * to update them.
+                         * --- BoYang
+                         * */
 
 			ret = winbind_auth_request(pamh, ctrl, user, pass_new,
 							member, cctype, &response, NULL, &username_ret);
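Review bot: The new comment block is indented with spaces while the surrounding lines (`const char *member = ...`, `ret = winbind_auth_request(...)`) use tabs, so the hunk mixes indentation inside one function; re-indent the comment with tabs to match the file. The comment also ends with `* */`, which is not the `*/` form used elsewhere in this function. Since the `ctrl &= ~WINBIND_CACHED_LOGIN` line is gone, `winbind_auth_request()` is now asked to cache the new credentials on every password change; the comment states this is a fallback for `winbindd_dual_pam_chauthtok()` failing to update them, and it would help to note that this is intentional rather than an oversight, e.g. `* NB: WINBIND_CACHED_LOGIN is deliberately left set here.` `pam_sm_chauthtok` starts before and ends after this hunk.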
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 42540a6..8751c18 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -2048,11 +2048,21 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
 done: 
 
 	if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
-		
+
 		/* Update the single sign-on memory creds. */
 		result = winbindd_replace_memory_creds(state->request.data.chauthtok.user,
 							newpass);
 
+		/* When we login from gdm or xdm and password expires,
+		 * we change the password, but there are no memory crendentials.
+		 * So, winbindd_replace_memory_creds() returns
+		 * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
+		 * --- BoYang
+		 * */
+		if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+			result = NT_STATUS_OK;
+		}
+
 		if (!NT_STATUS_IS_OK(result)) {
 			DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
 			goto process_result;
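Review bot: The new `NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)` branch turns "no memory credentials existed" into success silently, so afterwards the logs cannot distinguish a refreshed single-sign-on credential from one that was never there; a trace inside the branch before `result = NT_STATUS_OK;` keeps that visible, e.g. `DEBUG(10,("No memory creds to replace for %s, treating as success\n", state->request.data.chauthtok.user));`. The same applies to the `NT_STATUS_NO_SUCH_USER` mapping after `winbindd_update_creds_by_name()` in the next hunk, which should get a matching `DEBUG(10, ...)` line. Both new comments spell "crendentials" where "credentials" is meant, and both close with `* */` rather than `*/`. `winbindd_dual_pam_chauthtok` begins before this hunk and continues after it.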
@@ -2062,12 +2072,22 @@ done:
 			result = winbindd_update_creds_by_name(contact_domain,
 							 state->mem_ctx, user,
 							 newpass);
+			/* Again, this happens when we login from gdm or xdm
+			 * and the password expires, *BUT* cached crendentials
+			 * don't exist. winbindd_update_creds_by_name()
+			 * returns NT_STATUS_NO_SUCH_USER.
+			 * This is not a failure.
+			 * --- BoYang
+			 * */
+			if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
+				result = NT_STATUS_OK;
+			}
 			if (!NT_STATUS_IS_OK(result)) {
 				DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
 				goto process_result;
 			}
 		}
-	}		
+	}
 
 	if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
 

