You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
100 lines
3.4 KiB
100 lines
3.4 KiB
From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001 |
|
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> |
|
Date: Wed, 17 Nov 2021 09:56:09 +0100 |
|
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to |
|
off). |
|
|
|
This change disables the prompt for the change of an expired password by |
|
default (using the PAM_RADIO_TYPE mechanism if present). |
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691 |
|
|
|
Guenther |
|
|
|
Signed-off-by: Guenther Deschner <gd@samba.org> |
|
Reviewed-by: Alexander Bokovoy <ab@samba.org> |
|
Reviewed-by: Andreas Schneider <asn@samba.org> |
|
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472) |
|
--- |
|
docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++ |
|
nsswitch/pam_winbind.c | 12 ++++++++++-- |
|
nsswitch/pam_winbind.h | 1 + |
|
3 files changed, 18 insertions(+), 2 deletions(-) |
|
|
|
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml |
|
index 0bc288f91a1..bae9298fc32 100644 |
|
--- a/docs-xml/manpages/pam_winbind.conf.5.xml |
|
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml |
|
@@ -194,6 +194,13 @@ |
|
</para></listitem> |
|
</varlistentry> |
|
|
|
+ <varlistentry> |
|
+ <term>pwd_change_prompt = yes|no</term> |
|
+ <listitem><para> |
|
+ Generate prompt for changing an expired password. Defaults to "no". |
|
+ </para></listitem> |
|
+ </varlistentry> |
|
+ |
|
</variablelist> |
|
|
|
</para> |
|
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c |
|
index 720a4b90d85..06098dd07d8 100644 |
|
--- a/nsswitch/pam_winbind.c |
|
+++ b/nsswitch/pam_winbind.c |
|
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh, |
|
ctrl |= WINBIND_MKHOMEDIR; |
|
} |
|
|
|
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) { |
|
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; |
|
+ } |
|
+ |
|
config_from_pam: |
|
/* step through arguments */ |
|
for (i=argc,v=argv; i-- > 0; ++v) { |
|
@@ -522,6 +526,8 @@ config_from_pam: |
|
else if (!strncasecmp(*v, "warn_pwd_expire", |
|
strlen("warn_pwd_expire"))) |
|
ctrl |= WINBIND_WARN_PWD_EXPIRE; |
|
+ else if (!strcasecmp(*v, "pwd_change_prompt")) |
|
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT; |
|
else if (type != PAM_WINBIND_CLEANUP) { |
|
__pam_log(pamh, ctrl, LOG_ERR, |
|
"pam_parse: unknown option: %s", *v); |
|
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, |
|
* successfully sent the warning message. |
|
* Give the user a chance to change pwd. |
|
*/ |
|
- if (ret == PAM_SUCCESS) { |
|
+ if (ret == PAM_SUCCESS && |
|
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { |
|
if (change_pwd) { |
|
retval = _pam_winbind_change_pwd(ctx); |
|
if (retval) { |
|
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx, |
|
* successfully sent the warning message. |
|
* Give the user a chance to change pwd. |
|
*/ |
|
- if (ret == PAM_SUCCESS) { |
|
+ if (ret == PAM_SUCCESS && |
|
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) { |
|
if (change_pwd) { |
|
retval = _pam_winbind_change_pwd(ctx); |
|
if (retval) { |
|
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h |
|
index c6786d65a4d..2f4a25729bd 100644 |
|
--- a/nsswitch/pam_winbind.h |
|
+++ b/nsswitch/pam_winbind.h |
|
@@ -157,6 +157,7 @@ do { \ |
|
#define WINBIND_WARN_PWD_EXPIRE 0x00002000 |
|
#define WINBIND_MKHOMEDIR 0x00004000 |
|
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000 |
|
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000 |
|
|
|
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__) |
|
#define _(string) dgettext(MODULE_NAME, string) |
|
-- |
|
2.35.1 |
|
|
|
|