author | Mathieu Parent <math.parent@gmail.com> | 2018-04-12 11:57:15 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-10-02 14:12:13 +0200 |
commit | ad5debcbe5215e9a45f92ea45f20cc93781e93fa (patch) | |
tree | 49a46dd2f1c7dd8cd05c2773fac93b48bf042ee1 /nsswitch | |
parent | 7dd388a1f9fa30beb2f814bd16463d1643638587 (diff) | |
download | samba-ad5debcbe5215e9a45f92ea45f20cc93781e93fa.tar.gz |
nsswitch: Add try_authtok option to pam_winbind
Same as the use_authtok option, except that if the new password is not
valid, PAM will prompt for a password.
Bug-Debian: https://bugs.debian.org/858923
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/570944
Signed-off-by: Mathieu Parent <math.parent@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Diffstat (limited to 'nsswitch')
-rw-r--r-- | nsswitch/pam_winbind.c | 5 | ||||
-rw-r--r-- | nsswitch/pam_winbind.h | 1 |
2 files changed, 6 insertions, 0 deletions
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 7ac5bb08181..1a58ba49c48 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -492,6 +492,8 @@ config_from_pam:
 ctrl |= WINBIND_SILENT;
 else if (!strcasecmp(*v, "use_authtok"))
 ctrl |= WINBIND_USE_AUTHTOK_ARG;
+ else if (!strcasecmp(*v, "try_authtok"))
+ ctrl |= WINBIND_TRY_AUTHTOK_ARG;
 else if (!strcasecmp(*v, "use_first_pass"))
 ctrl |= WINBIND_USE_FIRST_PASS_ARG;
 else if (!strcasecmp(*v, "try_first_pass"))
@@ -3181,6 +3183,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
 lctrl |= WINBIND_USE_FIRST_PASS_ARG;
 }
+ if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) {
+ lctrl |= WINBIND_TRY_FIRST_PASS_ARG;
+ }
 retry = 0;
 ret = PAM_AUTHTOK_ERR;
 while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index d468efbb56a..c6786d65a4d 100644
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -156,6 +156,7 @@ do { \
 #define WINBIND_DEBUG_STATE 0x00001000
 #define WINBIND_WARN_PWD_EXPIRE 0x00002000
 #define WINBIND_MKHOMEDIR 0x00004000
+#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string) |
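Review bot: The new `try_authtok` branch in pam_sm_chauthtok maps the option to WINBIND_TRY_FIRST_PASS_ARG without a comment on what it relaxes. Going by the commit message, the module falls back to prompting when the new password handed down the stack is not usable, and a password typed at that prompt has presumably not passed through any earlier password-quality module, which is the guarantee `use_authtok` gives. I would add a comment above the branch such as `/* try_authtok: like use_authtok, but fall back to prompting; a prompted password has not been checked by earlier modules in the stack */` and repeat that caveat wherever the option is documented for administrators. When both options are passed, both bits end up set and the result depends on code outside this hunk; writing the second test as `} else if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) {` would make the stricter option win explicitly. The function body starts and ends outside the hunk.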