Update memory and cached creds when changing password from gdm
boyang at novell.com
Wed Jul 2 01:55:29 GMT 2008
Jeremy Allison wrote:
> On Tue, Jul 01, 2008 at 01:29:39PM +0800, boyang wrote:
>> Hi, All:
>> There is a lot of pain when changing password from
>> gdm or xdm. Ie, When users try to login from gdm or
>> xdm, and password expires.
>> 1. because user didn't login(PAM_AUTH returns
>> NT_STATUS_PASSWORD_EXPIRED), thus ther is no memory
>> creds, which causes winbindd_replace_memory_creds()
>> fail. It will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
>> which is not a real failure. Because changing password
>> 2. And there can be no cached creds(If it has been deleted
>> if cached creds reach the maximum cached number. Thus
>> Updating cached creds will probably fail with NT_STATUS_NO_SUCH_USER.
>> It is not a real failure too because changing password succeed.
>> 3. When login from gdm or xdm with passthrough authentication.
>> there is no memory creds. Therefore, we should authenticate with
>> new password even for passthrough authentication to update memory
>> 4. because updating cached creds in winbindd_dual_pam_chauthtok()
>> can probably fail. Therefore we should set WINBIND_CACHED_LOGIN
>> bit in the authentication immediately after changing password
>> to cover the hole of the possible failure of updating creds
>> in winbindd_dual_pam_chauthtok.
>> Please correct if there is anything wrong.
>> Patch for v3--test in the attachment. Please review them.
> I'll review this tomorrow (2nd July Pacific time). Hopefully
> we'll get this done for 3.0.31.
Thanks for spending time on this. :-)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 209 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080702/bf5ba9dc/boyang.vcf
More information about the samba-technical