author | Günther Deschner <gd@samba.org> | 2021-11-17 09:56:09 +0100 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2021-12-16 03:05:30 +0000 |
commit | 20c85cc1da8d8c7f1932fbdd92128bb6dafad472 (patch) | |
tree | fc5257267a08549a1cebd35bff49fc525d1e9ad9 /nsswitch | |
parent | eae4c54e2b15c0022010b75c3117edce39d6c204 (diff) | |
download | samba-20c85cc1da8d8c7f1932fbdd92128bb6dafad472.tar.gz |
pam_winbind: add new pwd_change_prompt option (defaults to off).
This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184
Diffstat (limited to 'nsswitch')
-rw-r--r-- | nsswitch/pam_winbind.c | 12 | ||||
-rw-r--r-- | nsswitch/pam_winbind.h | 1 |
2 files changed, 11 insertions, 2 deletions
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 5d168e2715e..e7ae605b341 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
 ctrl |= WINBIND_MKHOMEDIR;
 }
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+ }
+
 config_from_pam:
 /* step through arguments */
 for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
 else if (!strncasecmp(*v, "warn_pwd_expire", strlen("warn_pwd_expire")))
 ctrl |= WINBIND_WARN_PWD_EXPIRE;
+ else if (!strcasecmp(*v, "pwd_change_prompt"))
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
 else if (type != PAM_WINBIND_CLEANUP) {
 __pam_log(pamh, ctrl, LOG_ERR, "pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 * successfully sent the warning message.
 * Give the user a chance to change pwd.
 */
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
 if (change_pwd) {
 retval = _pam_winbind_change_pwd(ctx);
 if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 * successfully sent the warning message.
 * Give the user a chance to change pwd.
 */
- if (ret == PAM_SUCCESS) {
+ if (ret == PAM_SUCCESS &&
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
 if (change_pwd) {
 retval = _pam_winbind_change_pwd(ctx);
 if (retval) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index c6786d65a4d..2f4a25729bd 100644
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -157,6 +157,7 @@ do { \
 #define WINBIND_WARN_PWD_EXPIRE 0x00002000
 #define WINBIND_MKHOMEDIR 0x00004000
 #define WINBIND_TRY_AUTHTOK_ARG 0x00008000
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string) |
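Review bot: The new `global:pwd_change_prompt` lookup in `_pam_parse` carries no comment recording that the password-change offer, which the removed `if (ret == PAM_SUCCESS) {` lines did not gate on any option, is now opt-in. The flag is only ever OR-ed into `ctrl`, here and by the `pwd_change_prompt` PAM argument added in the hunk at -522, so a per-service PAM line cannot switch it back off once the config file enables it; that looks consistent with the neighbouring flags in these hunks but is worth stating for administrators. I would add `/* opt-in: without this the expiry warning is shown but no password change is offered */` above the `if`. `_pam_parse` starts and ends outside the hunk.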
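Review bot: The comment directly above the changed condition in `_pam_send_password_expiry_message` still reads "Give the user a chance to change pwd." although the offer is now made only when the option is set; it should say so, e.g. `* Offer a password change only if pwd_change_prompt is set.`. With the option off the whole block is skipped and `*change_pwd` is not written on this path, so it is worth confirming that the caller, which is not visible here, initialises that flag before the call. The two nested tests could also be a single condition, `if (ret == PAM_SUCCESS && change_pwd && (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {`. The identical lines in the hunk at -1006 need the same treatment, and the function body continues outside both hunks.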