memory and cached credentials problem after password is
changed, rethinking the way to update memory and cached creds.
Bo Yang
boyang at novell.com
Fri Jun 13 09:39:56 GMT 2008
Hi, All:
The memory and cached credentials updating code causes pain: there are cases where the password change succeeded,
but updating the creds failed.
In winbindd/winbindd_pam.c, function winbindd_dual_pam_chauthtok(), the creds updating code has the following problems:
1. Creds for the user do not exist in memory if the user
logs in and the password has expired. winbindd_dual_pam_auth() returned
NT_STATUS_PASSWORD_EXPIRED, and creds for the user were not stored
in memory. Thus, winbindd_replace_memory_creds() failed.
2. Creds for the user don't exist in the cache. This happens
when the user first logs in and the password has expired. Thus,
winbindd_update_creds_by_name() failed.
There is no problem if the user has logged in and uses tools like passwd to change the password.
Therefore, I suggest authenticating with the new password after a password change (even for pass-through (samlogon)
authentication).
The logic here is:
change password ---> set the WINBIND_CACHED_LOGIN flag and perform authentication immediately after the password
change to update memory and cached credentials. This can be finished in pam_sm_chauthtok().
I have done some tests, and it worked as expected.
Patches for v3-[023]-test are in the attachment. Please review them.
Thanks!
Best Regards
BoYang
6.13
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_memory_and_cached_creds-v3-0-test.diff
Type: application/octet-stream
Size: 4604 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080613/82eead46/update_memory_and_cached_creds-v3-0-test.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_memory_and_cached_creds-v3-2-test.diff
Type: application/octet-stream
Size: 4535 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080613/82eead46/update_memory_and_cached_creds-v3-2-test.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_memory_and_cached_creds-v3-3-test.diff
Type: application/octet-stream
Size: 4535 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080613/82eead46/update_memory_and_cached_creds-v3-3-test.obj
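
Added example, not part of the original mail and not Samba code: a toy C model of the two flows the mail compares, showing why an update-only step fails when no entry exists and why authenticating with the new password fills both stores. All names (replace_creds, store_creds, mem_creds, disk_cache) and the user "alice" are hypothetical, and the stores start empty to model a first login that hit an expired password.

```c
/* Toy model of the mail's flow; names are hypothetical, `secret` is a stand-in. */
#include <stdio.h>
#include <string.h>
enum status { ST_OK, ST_NOT_FOUND };
struct store { int used; char user[32]; char secret[32]; };
static struct store mem_creds, disk_cache;

/* Update-only: fails when the user has no entry yet. */
static enum status replace_creds(struct store *s, const char *u, const char *pw)
{
    if (!s->used || strcmp(s->user, u) != 0)
        return ST_NOT_FOUND;
    snprintf(s->secret, sizeof s->secret, "%s", pw);
    return ST_OK;
}

/* Create-or-update: what a successful cached login is assumed to do. */
static void store_creds(struct store *s, const char *u, const char *pw)
{
    s->used = 1;
    snprintf(s->user, sizeof s->user, "%s", u);
    snprintf(s->secret, sizeof s->secret, "%s", pw);
}

/* Flow the mail describes as failing: change succeeded, then update-only. */
static enum status update_only_after_change(const char *u, const char *pw)
{
    enum status m = replace_creds(&mem_creds, u, pw);
    return replace_creds(&disk_cache, u, pw) == ST_OK ? m : ST_NOT_FOUND;
}

/* Proposed flow: log in with the new password; success stores the creds. */
static enum status reauth_after_change(const char *u, const char *pw)
{
    store_creds(&mem_creds, u, pw);  /* assumes the login itself succeeds */
    store_creds(&disk_cache, u, pw);
    return ST_OK;
}
static int holds(const struct store *s, const char *u, const char *pw)
{
    return s->used && !strcmp(s->user, u) && !strcmp(s->secret, pw);
}

int main(void)
{
    printf("update-only=%d\n", update_only_after_change("alice", "new-pw"));
    printf("re-auth=%d\n", reauth_after_change("alice", "new-pw"));
    printf("stored=%d\n", holds(&mem_creds, "alice", "new-pw"));
    return 0;
}
```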