Changeset 140 for branches/samba-3.0/source/nsswitch/pam_winbind.c

Timestamp:

Jul 11, 2008, 1:13:42 AM (17 years ago)

Author:

Paul Smedley

Message:

Update branch to 3.0.31 release

File:

• branches/samba-3.0/source/nsswitch/pam_winbind.c (modified) (6 diffs)

branches/samba-3.0/source/nsswitch/pam_winbind.c

@@ -1182 +1182 @@
         }
 
+        if (ctrl & WINBIND_CACHED_LOGIN) {
+                request.flags |= WBFLAG_PAM_CACHED_LOGIN;
+        }
+
         ret = pam_winbind_request_log(pamh, ctrl, WINBINDD_PAM_CHAUTHTOK, &request, &response, user);
 
@@ -1908 +1912 @@
 {
 
-        /* Make sure that we only do this if 
+        /* Make sure that we only do this if
          * a) the chauthtok got initiated during a logon attempt (authenticate->acct_mgmt->chauthtok)
          * b) any later password change via the "passwd" command if done by the user itself 
-         */
-                
+         *
+         * NB. If we login from gdm or xdm and the password expires,
+         * we change the password, but there is no memory cache.
+         * Thus, even for passthrough login, we should do the
+         * authentication again to update memory cache.
+         * --- BoYang
+         * */
+
         char *new_authtok_reqd_during_auth = NULL;
         struct passwd *pwd = NULL;
-
-        if (!(ctrl & WINBIND_KRB5_AUTH)) {
-                return False;
-        }
 
         _pam_get_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD_DURING_AUTH, &new_authtok_reqd_during_auth);
@@ -1947 +1953 @@
         int ret;
         unsigned int ctrl;
+        bool cached_login = False;
 
         /* <DO NOT free() THESE> */
@@ -1970 +1977 @@
         _PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", pamh, ctrl, flags);
 
-        /* clearing offline bit for the auth in the password change */
+        cached_login = (ctrl & WINBIND_CACHED_LOGIN);
+
+        /* clearing offline bit for auth */
         ctrl &= ~WINBIND_CACHED_LOGIN;
 
@@ -2118 +2127 @@
                                &pwdlastset_update);
 
+                /*
+                 * if cached creds were enabled, make sure to set the
+                 * WINBIND_CACHED_LOGIN bit here in order to have winbindd
+                 * update the cached creds storage - gd
+                 */
+                if (cached_login) {
+                        ctrl |= WINBIND_CACHED_LOGIN;
+                }
+
                 ret = winbind_chauthtok_request(pamh, ctrl, user, pass_old, pass_new, pwdlastset_update);
                 if (ret) {
@@ -2130 +2148 @@
                         const char *member = get_member_from_config(pamh, argc, argv, ctrl, d);
                         const char *cctype = get_krb5_cc_type_from_config(pamh, argc, argv, ctrl, d);
+
+                        /* Keep the WINBIND_CACHED_LOGIN bit for
+                         * authentication after changing the password.
+                         * This will update the cached credentials in case
+                         * that winbindd_dual_pam_chauthtok() fails
+                         * to update them.
+                         * --- BoYang
+                         * */
 
                         ret = winbind_auth_request(pamh, ctrl, user, pass_new,