[SCM] Samba Shared Repository - branch v3-3-test updated - release-3-2-0pre2-3094-g8cfc6af

Jeremy Allison jra at samba.org
Mon Jul 7 18:26:46 GMT 2008


The branch, v3-3-test has been updated
       via  8cfc6afc7b4a6af9aea5f5a7cb5af7e3218c2d75 (commit)
      from  50a347f5503ebed0fcc7b9de60f8368677585bb1 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-test


- Log -----------------------------------------------------------------
commit 8cfc6afc7b4a6af9aea5f5a7cb5af7e3218c2d75
Author: Jeremy Allison <jra at samba.org>
Date:   Mon Jul 7 11:26:16 2008 -0700

    Allow authentication and memory credential refresh after password change from gdm/xdm. Patch from boyang <boyang at novell.com>.
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/nsswitch/pam_winbind.c  |   21 ++++++++++++++-------
 source/winbindd/winbindd_pam.c |   25 +++++++++++++++++++++++--
 2 files changed, 37 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index e42199c..95b3d23 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -2384,15 +2384,17 @@ static bool _pam_require_krb5_auth_after_chauthtok(struct pwb_context *ctx,
 	/* Make sure that we only do this if a) the chauthtok got initiated
 	 * during a logon attempt (authenticate->acct_mgmt->chauthtok) b) any
 	 * later password change via the "passwd" command if done by the user
-	 * itself */
+	 * itself
+	 * NB. If we login from gdm or xdm and the password expires,
+	 * we change the password, but there is no memory cache.
+	 * Thus, even for passthrough login, we should do the
+	 * authentication again to update memory cache.
+	 * --- BoYang
+	 * */
 
 	char *new_authtok_reqd_during_auth = NULL;
 	struct passwd *pwd = NULL;
 
-	if (!(ctx->ctrl & WINBIND_KRB5_AUTH)) {
-		return false;
-	}
-
 	_pam_get_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
 		      &new_authtok_reqd_during_auth);
 	pam_set_data(ctx->pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH,
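Review bot: Dropping the `WINBIND_KRB5_AUTH` early return means `_pam_require_krb5_auth_after_chauthtok` can now answer true for non-krb5 logins, so its name no longer describes what it decides and the only explanation is an inline note signed with an author name, which belongs in the commit history rather than the source. I would replace the "NB. ... --- BoYang" paragraph with a short header comment stating the contract: the function decides whether `pam_sm_chauthtok` must re-run authentication after a successful password change, both to refresh krb5 tickets and to (re)populate winbindd's memory credential cache when none existed, as happens for a gdm/xdm login whose password expired. Whether any caller still relied on the krb5-only gate cannot be seen from this hunk, so that should be checked at the call sites. The function body continues past the end of the hunk.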
@@ -2630,8 +2632,13 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 			cctype = get_krb5_cc_type_from_config(ctx);
 			warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
 
-			/* clearing offline bit for auth */
-			ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
+			/* Keep WINBIND_CACHED_LOGIN bit for
+			 * authentication after changing the password.
+			 * This will update the cached credentials in case
+			 * that winbindd_dual_pam_chauthtok() fails
+			 * to update them.
+			 * --- BoYang
+			 * */
 
 			ret = winbind_auth_request(ctx, user, pass_new,
 						   member, cctype, 0, &response,
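Review bot: Leaving `WINBIND_CACHED_LOGIN` set for the post-change `winbind_auth_request` also leaves offline fallback enabled for that call, which the cleared bit previously ruled out; presumably the DC is still reachable right after a successful change, but if it is not, this authentication would be evaluated against the cache rather than online, and the comment should say that this is accepted. The replacement comment also carries a personal signature; I would state the intent only, e.g. `/* Keep WINBIND_CACHED_LOGIN so this authentication refreshes the cached credentials with the new password (the chauthtok path may find no entry to update). */`. `pam_sm_chauthtok` starts and ends outside this hunk.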
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index f7001f7..c26f552 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -2114,11 +2114,21 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
 done: 
 
 	if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
-		
+
 		/* Update the single sign-on memory creds. */
 		result = winbindd_replace_memory_creds(state->request.data.chauthtok.user,
 							newpass);
 
+		/* When we login from gdm or xdm and password expires,
+		 * we change password, but there are no memory crendentials
+		 * So, winbindd_replace_memory_creds() returns
+		 * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
+		 * --- BoYang
+		 * */
+		if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+			result = NT_STATUS_OK;
+		}
+
 		if (!NT_STATUS_IS_OK(result)) {
 			DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
 			goto process_result;
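Review bot: Mapping `NT_STATUS_OBJECT_NAME_NOT_FOUND` straight to `NT_STATUS_OK` hides the fact that nothing was refreshed, so a later "why are the memory creds stale" investigation has no trace in the log. Emit a DEBUG line before overwriting the status, e.g. `DEBUG(10, ("No memory creds to replace for %s, continuing\n", state->request.data.chauthtok.user));` placed just before `result = NT_STATUS_OK;`. The comment should also drop the signature and fix "crendentials" to "credentials". The enclosing function continues beyond this hunk.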
@@ -2128,12 +2138,23 @@ done:
 			result = winbindd_update_creds_by_name(contact_domain,
 							 state->mem_ctx, user,
 							 newpass);
+			/* Again, this happens when we login from gdm or xdm
+			 * and the password expires, *BUT* cached crendentials
+			 * doesn't exist. winbindd_update_creds_by_name()
+			 * returns NT_STATUS_NO_SUCH_USER.
+			 * This is not a failure.
+			 * --- BoYang
+			 * */
+			if (NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER)) {
+				result = NT_STATUS_OK;
+			}
+
 			if (!NT_STATUS_IS_OK(result)) {
 				DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
 				goto process_result;
 			}
 		}
-	}		
+	}
 
 	if (!NT_STATUS_IS_OK(result) && !got_info && contact_domain) {
 

