Update memory and cached creds when changing password from gdm or xdm

Jeremy Allison jra at samba.org
Wed Jul 2 01:21:53 GMT 2008

On Tue, Jul 01, 2008 at 01:29:39PM +0800, boyang wrote:
> Hi, All:
>     There is a lot of pain when changing password from 
>     gdm or xdm. Ie, When users try to login from gdm or
>     xdm, and password expires.
>     1. because user didn't login(PAM_AUTH returns 
>     NT_STATUS_PASSWORD_EXPIRED), thus ther is no memory
>     creds, which causes winbindd_replace_memory_creds()
>     fail. It will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
>     which is not a real failure. Because changing password
>     succeeded.
>     2. And there can be no cached creds(If it has been deleted
>     if cached creds reach the maximum cached number. Thus
>     Updating cached creds will probably fail with NT_STATUS_NO_SUCH_USER.
>     It is not a real failure too because changing password succeed.
>     3. When login from gdm or xdm with passthrough authentication.
>     there is no memory creds. Therefore, we should authenticate with
>     new password even for passthrough authentication to update memory
>     creds.
>     4. because updating cached creds in winbindd_dual_pam_chauthtok()
>     can probably fail. Therefore we should set WINBIND_CACHED_LOGIN
>     bit in the authentication immediately after changing password
>     to cover the hole of the possible failure of updating creds
>     in winbindd_dual_pam_chauthtok.
>     Please correct if there is anything wrong.
>     Patch for v3-[023]-test in the attachment. Please review them.

I'll review this tomorrow (2nd July Pacific time). Hopefully
we'll get this done for 3.0.31.



More information about the samba-technical mailing list