mirror of https://github.com/samba-team/samba.git synced 2025-03-03 12:58:35 +03:00

pam_winbind: add new pwd_change_prompt option (defaults to off).

This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184
Günther Deschner 2021-11-17 09:56:09 +01:00 committed by Jeremy Allison
parent eae4c54e2b
commit 20c85cc1da
3 changed files with 18 additions and 2 deletions


@ -194,6 +194,13 @@
</para></listitem>
</varlistentry>
<varlistentry>
<term>pwd_change_prompt = yes|no</term>
<listitem><para>
Generate prompt for changing an expired password. Defaults to "no".
</para></listitem>
</varlistentry>
</variablelist>
</para>


@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
ctrl |= WINBIND_MKHOMEDIR;
}
if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
ctrl |= WINBIND_PWD_CHANGE_PROMPT;
}
config_from_pam:
/* step through arguments */
for (i=argc,v=argv; i-- > 0; ++v) {
@ -522,6 +526,8 @@ config_from_pam:
else if (!strncasecmp(*v, "warn_pwd_expire",
strlen("warn_pwd_expire")))
ctrl |= WINBIND_WARN_PWD_EXPIRE;
else if (!strcasecmp(*v, "pwd_change_prompt"))
ctrl |= WINBIND_PWD_CHANGE_PROMPT;
else if (type != PAM_WINBIND_CLEANUP) {
__pam_log(pamh, ctrl, LOG_ERR,
"pam_parse: unknown option: %s", *v);
@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
if (ret == PAM_SUCCESS) {
if (ret == PAM_SUCCESS &&
(ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
* successfully sent the warning message.
* Give the user a chance to change pwd.
*/
if (ret == PAM_SUCCESS) {
if (ret == PAM_SUCCESS &&
(ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
if (change_pwd) {
retval = _pam_winbind_change_pwd(ctx);
if (retval) {
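Review bot: The PAM-argument branch `else if (!strcasecmp(*v, "pwd_change_prompt"))` in `_pam_parse` can only set `WINBIND_PWD_CHANGE_PROMPT`, so a PAM stack line cannot switch the prompt off once `global:pwd_change_prompt` is enabled in the config file, and a value form such as `pwd_change_prompt=no` does not match and lands in the `pam_parse: unknown option` branch that follows. The manual entry in this commit documents only the `yes|no` form, so I would state the flag-only behaviour next to the branch, e.g. `/* flag only: enables the prompt; cannot override pwd_change_prompt = yes from the config file */`. Separately, the two guarded blocks in `_pam_send_password_expiry_message` now skip `_pam_winbind_change_pwd()` silently when the flag is clear; since the default becomes off, a debug-level log line at those two places would let administrators see after an upgrade why users are no longer offered the change. Both functions start and end outside the hunks shown.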


@ -157,6 +157,7 @@ do { \
#define WINBIND_WARN_PWD_EXPIRE 0x00002000
#define WINBIND_MKHOMEDIR 0x00004000
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
#define _(string) dgettext(MODULE_NAME, string)