pam_winbind: add new pwd_change_prompt option (defaults to off).
authorGünther Deschner <gd@samba.org>
Wed, 17 Nov 2021 08:56:09 +0000 (09:56 +0100)
committerJeremy Allison <jra@samba.org>
Thu, 16 Dec 2021 03:05:30 +0000 (03:05 +0000)
This change disables, by default, the prompt for changing an expired password (the prompt that uses the PAM_RADIO_TYPE mechanism when it is available).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Dec 16 03:05:30 UTC 2021 on sn-devel-184

docs-xml/manpages/pam_winbind.conf.5.xml
nsswitch/pam_winbind.c
nsswitch/pam_winbind.h

index 0bc288f91a1b2ded882e4e81c213640f01a86f81..bae9298fc329c4f2c175abda31c7b7184ceb8ee9 100644 (file)
                </para></listitem>
                </varlistentry>
 
+               <varlistentry>
+               <term>pwd_change_prompt = yes|no</term>
+               <listitem><para>
+                       Generate prompt for changing an expired password. Defaults to "no".
+               </para></listitem>
+               </varlistentry>
+
                </variablelist>
 
        </para>
index 5d168e2715e095636040005a164b12c2790ebfb1..e7ae605b3416ff7e949ee2c180f21e096af529f0 100644 (file)
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
                ctrl |= WINBIND_MKHOMEDIR;
        }
 
+       if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
+               ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+       }
+
 config_from_pam:
        /* step through arguments */
        for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
                else if (!strncasecmp(*v, "warn_pwd_expire",
                        strlen("warn_pwd_expire")))
                        ctrl |= WINBIND_WARN_PWD_EXPIRE;
+               else if (!strcasecmp(*v, "pwd_change_prompt"))
+                       ctrl |= WINBIND_PWD_CHANGE_PROMPT;
                else if (type != PAM_WINBIND_CLEANUP) {
                        __pam_log(pamh, ctrl, LOG_ERR,
                                 "pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
                 * successfully sent the warning message.
                 * Give the user a chance to change pwd.
                 */
-               if (ret == PAM_SUCCESS) {
+               if (ret == PAM_SUCCESS &&
+                   (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
                        if (change_pwd) {
                                retval = _pam_winbind_change_pwd(ctx);
                                if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
                 * successfully sent the warning message.
                 * Give the user a chance to change pwd.
                 */
-               if (ret == PAM_SUCCESS) {
+               if (ret == PAM_SUCCESS &&
+                   (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
                        if (change_pwd) {
                                retval = _pam_winbind_change_pwd(ctx);
                                if (retval) {
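Review bot: The comment directly above the changed condition in the first `_pam_send_password_expiry_message` hunk ("Give the user a chance to change pwd.") still describes the old unconditional behaviour, now that the prompt only runs when WINBIND_PWD_CHANGE_PROMPT is set; the same stale comment precedes the identical condition in the second hunk of that function. I would extend it in both places to `* Give the user a chance to change pwd, but only when the` / `* pwd_change_prompt option is enabled (off by default).` so a reader of this function does not have to find the option parsing in _pam_parse to understand why an expired-password warning no longer leads to a prompt. The body of _pam_send_password_expiry_message starts and ends outside both hunks, so whether the `change_pwd` out-parameter is also left untouched on the new non-prompting path cannot be confirmed from here; if callers treat an unset `*change_pwd` as "no change attempted", that is worth stating in the same comment.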
index c6786d65a4dd070c2cba70a0293dfe5401092753..2f4a25729bddc789749d6348d0f86ee5ca078d76 100644 (file)
@@ -157,6 +157,7 @@ do {                             \
 #define WINBIND_WARN_PWD_EXPIRE                0x00002000
 #define WINBIND_MKHOMEDIR              0x00004000
 #define WINBIND_TRY_AUTHTOK_ARG                0x00008000
+#define WINBIND_PWD_CHANGE_PROMPT      0x00010000
 
 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string)