Memory and cached credentials problem after password is changed, rethinking the way to update memory and cached creds.

Bo Yang boyang at novell.com
Fri Jun 13 09:39:56 GMT 2008


Hi, All:

The memory and cached credentials updating code causes pain: there are cases where the password change succeeded but updating the creds failed.

In winbindd/winbindd_pam.c, function winbindd_dual_pam_chauthtok(), the creds updating code has the following problems:

   
1. creds for the user does not exist in memory if the user
    login and password expired. winbindd_dual_pam_auth() returned
    NT_STATUS_PASSWORD_EXPIRED, creds for the user was not stored
    in memory. Thus, winbindd_replace_memory_creds() failed.

2. creds for the user doesn't exist in the cache. This happens
    when user first login and password expires. Thus,
    winbindd_update_creds_by_name() failed.

There is no problem if the user has logged in and uses tools like passwd to change the password.

Therefore, I suggest authenticating with the new password after a password change (even for pass-through (samlogon) authentication).

The logic here is:
change password ---> set the WINBIND_CACHED_LOGIN flag and perform authentication immediately after the password change to update memory and cached credentials. This can be done in pam_sm_chauthtok().

I have done some testing, and it worked as expected.

Patches for v3-[023]-test are in the attachments. Please review them.

Thanks!
Best Regards
BoYang
6.13

-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_memory_and_cached_creds-v3-0-test.diff
Type: application/octet-stream
Size: 4604 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080613/82eead46/update_memory_and_cached_creds-v3-0-test.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_memory_and_cached_creds-v3-2-test.diff
Type: application/octet-stream
Size: 4535 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080613/82eead46/update_memory_and_cached_creds-v3-2-test.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update_memory_and_cached_creds-v3-3-test.diff
Type: application/octet-stream
Size: 4535 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080613/82eead46/update_memory_and_cached_creds-v3-3-test.obj
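
The failure case and the proposed re-authentication flow from the message above, as an added toy model in C that is not part of the original post, its attached patches, or Samba's code. All function names, the single credential store and the sample passwords are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, constructed for illustration; none of this is Samba code. */
enum { OK, PASSWORD_EXPIRED, NOT_FOUND, WRONG_PASSWORD };
struct account { char pass[32]; int expired; };    /* state on the DC */
struct cred_store { int present; char pass[32]; }; /* memory/cached creds */
/* Login: creds are stored only when authentication fully succeeds. */
static int model_auth(struct account *dc, struct cred_store *cs, const char *pw) {
    if (strcmp(dc->pass, pw) != 0) return WRONG_PASSWORD;
    if (dc->expired) return PASSWORD_EXPIRED;      /* nothing gets stored */
    cs->present = 1;
    snprintf(cs->pass, sizeof cs->pass, "%s", pw);
    return OK;
}
/* Replace-only update: fails when there is no existing entry. */
static int model_replace_creds(struct cred_store *cs, const char *newpw) {
    if (!cs->present) return NOT_FOUND;
    snprintf(cs->pass, sizeof cs->pass, "%s", newpw);
    return OK;
}
static int model_change_password(struct account *dc, const char *old, const char *newpw) {
    if (strcmp(dc->pass, old) != 0) return WRONG_PASSWORD;
    snprintf(dc->pass, sizeof dc->pass, "%s", newpw);
    dc->expired = 0;
    return OK;
}
/* Flow described as failing: change the password, then replace stored creds. */
int chauthtok_replace(struct account *dc, struct cred_store *cs, const char *old, const char *newpw) {
    int rc = model_change_password(dc, old, newpw);
    return rc != OK ? rc : model_replace_creds(cs, newpw);
}
/* Proposed flow: change the password, then authenticate with the new one. */
int chauthtok_reauth(struct account *dc, struct cred_store *cs, const char *old, const char *newpw) {
    int rc = model_change_password(dc, old, newpw);
    return rc != OK ? rc : model_auth(dc, cs, newpw);
}
/* First login with an expired password, followed by one of the two flows. */
int first_login_expired(int use_reauth, struct cred_store *cs) {
    struct account dc = { "old-pw", 1 };           /* constructed sample values */
    memset(cs, 0, sizeof *cs);
    if (model_auth(&dc, cs, "old-pw") != PASSWORD_EXPIRED) return -1;
    return use_reauth ? chauthtok_reauth(&dc, cs, "old-pw", "new-pw")
                      : chauthtok_replace(&dc, cs, "old-pw", "new-pw");
}
int main(void) {
    struct cred_store cs;
    int a = first_login_expired(0, &cs), b = first_login_expired(1, &cs);
    printf("replace=%d reauth=%d stored=%d\n", a, b, cs.present);
    return 0;
}
```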