Update memory and cached creds when changing password from gdm or xdm
Jeremy Allison
jra at samba.org
Wed Jul 2 01:21:53 GMT 2008
On Tue, Jul 01, 2008 at 01:29:39PM +0800, boyang wrote:
> Hi, All:
> There is a lot of pain when changing a password from
> gdm or xdm, i.e. when users try to log in from gdm or
> xdm and the password expires.
>
> 1. Because the user didn't log in (PAM_AUTH returns
> NT_STATUS_PASSWORD_EXPIRED), there are no memory
> creds, which causes winbindd_replace_memory_creds() to
> fail. It will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
> which is not a real failure, because changing the password
> succeeded.
>
> 2. And there can be no cached creds (if they have been deleted
> when the cached creds reach the maximum cached number). Thus
> updating cached creds will probably fail with NT_STATUS_NO_SUCH_USER.
> It is not a real failure either, because changing the password succeeded.
>
> 3. When logging in from gdm or xdm with passthrough authentication,
> there are no memory creds. Therefore, we should authenticate with
> the new password even for passthrough authentication to update memory
> creds.
>
> 4. Because updating cached creds in winbindd_dual_pam_chauthtok()
> can probably fail, we should set the WINBIND_CACHED_LOGIN
> bit in the authentication immediately after changing the password
> to cover the hole of the possible failure of updating creds
> in winbindd_dual_pam_chauthtok().
>
> Please correct me if there is anything wrong.
>
> Patches for v3-[023]-test are in the attachment. Please review them.
I'll review this tomorrow (2nd July Pacific time). Hopefully
we'll get this done for 3.0.31.
Thanks,
Jeremy.