Updates to better report some NTSTATUS errors into PAM, and update to PAM

to correctly allow password changes on expired passwords.  (No security
implications, as its just a 'will I let you talk to the server' check).

pam_winbind checks the password prior to changing it, so that users don't
have to make up and type their new password when they havn't even got the
old one right.  This also helps with stacking etc.

Andrew Bartlett

source/lib/pam_errors.c

@@ -67,6 +67,7 @@ const static struct {
 	{NT_STATUS_WRONG_PASSWORD, PAM_AUTH_ERR},
 	{NT_STATUS_LOGON_FAILURE, PAM_AUTH_ERR},
 	{NT_STATUS_ACCOUNT_EXPIRED, PAM_ACCT_EXPIRED},
+	{NT_STATUS_PASSWORD_EXPIRED, PAM_AUTHTOK_EXPIRED},
 	{NT_STATUS_PASSWORD_MUST_CHANGE, PAM_NEW_AUTHTOK_REQD},
 	{NT_STATUS_OK, PAM_SUCCESS}
 };

source/nsswitch/pam_winbind.c

@@ -155,6 +155,14 @@ static int winbind_auth_request(const char *user, const char *pass, int ctrl)
 		/* incorrect password */
 		_pam_log(LOG_WARNING, "user `%s' denied access (incorrect password)", user);
 		return retval;
+	case PAM_ACCT_EXPIRED:
+		/* account expired */
+		_pam_log(LOG_WARNING, "user `%s' account expired", user);
+		return retval;
+	case PAM_AUTHTOK_EXPIRED:
+		/* password expired */
+		_pam_log(LOG_WARNING, "user `%s' password expired", user);
+		return retval;
 	case PAM_USER_UNKNOWN:
 		/* the user does not exist */
 		if (ctrl & WINBIND_DEBUG_ARG)
@@ -577,6 +585,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 		retval = winbind_auth_request(user, pass_old, ctrl);
 		
 		if (retval != PAM_ACCT_EXPIRED 
+		    && retval != PAM_AUTHTOK_EXPIRED
 		    && retval != PAM_NEW_AUTHTOK_REQD 
 		    && retval != PAM_SUCCESS) {
 			pass_old = NULL;