[PATCH] Re: W2K Domain Login Problem with 2.2.0

Steve Langasek vorlon at netexpress.net
Tue Apr 24 23:15:52 GMT 2001

On Wed, 25 Apr 2001, Andrew Bartlett wrote:

> > What problem does the code below fix?  If you are concerned that some modules
> > will change passwords without checking the old password when called as root,
> > you should call pam_authenticate() first rather than trying to fake up a
> > set-uid /bin/passwd.  It is /not/ reasonable to expect pam_chauthtok() to
> > authenticate the user for you.  Some modules will authenticate the user
> > because they have to, some will do so as a convenience for the application
> > writer.  It's possible that some modules will /not/ take this as a cue to
> > authenticate the user before updating the authentication token, so the safest
> > way to handle this is simply to always ensure the user has been authenticated
> > (with pam_authenticate() or otherwise) before pam_chauthtok() is called.

> We already authenticate the user well before we get to the unix password
> sync code (against our encrypted db).  In my latest patch I've dropped
> the other (not as_root) stuff - as I can't tell you its perfecty
> correct, or even tested.  See http://samba.org/samba-patches?findid=355

Ok -- sorry about that, I missed that it had been superseded by a later patch.

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list