Update memory and cached creds when changing password from gdm or xdm

boyang boyang at novell.com
Wed Jul 2 01:55:29 GMT 2008

Jeremy Allison wrote:
> On Tue, Jul 01, 2008 at 01:29:39PM +0800, boyang wrote:
>> Hi, All:
>>     There is a lot of pain when changing password from 
>>     gdm or xdm. Ie, When users try to login from gdm or
>>     xdm, and password expires.
>>     1. because user didn't login(PAM_AUTH returns 
>>     NT_STATUS_PASSWORD_EXPIRED), thus ther is no memory
>>     creds, which causes winbindd_replace_memory_creds()
>>     fail. It will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
>>     which is not a real failure. Because changing password
>>     succeeded.
>>     2. And there can be no cached creds(If it has been deleted
>>     if cached creds reach the maximum cached number. Thus
>>     Updating cached creds will probably fail with NT_STATUS_NO_SUCH_USER.
>>     It is not a real failure too because changing password succeed.
>>     3. When login from gdm or xdm with passthrough authentication.
>>     there is no memory creds. Therefore, we should authenticate with
>>     new password even for passthrough authentication to update memory
>>     creds.
>>     4. because updating cached creds in winbindd_dual_pam_chauthtok()
>>     can probably fail. Therefore we should set WINBIND_CACHED_LOGIN
>>     bit in the authentication immediately after changing password
>>     to cover the hole of the possible failure of updating creds
>>     in winbindd_dual_pam_chauthtok.
>>     Please correct if there is anything wrong.
>>     Patch for v3-[023]-test in the attachment. Please review them.
> I'll review this tomorrow (2nd July Pacific time). Hopefully
> we'll get this done for 3.0.31.

Thanks for spending time on this. :-)

> Thanks,
> Jeremy.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: boyang.vcf
Type: text/x-vcard
Size: 209 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080702/bf5ba9dc/boyang.vcf

More information about the samba-technical mailing list