nsswitch: Add try_authtok option to pam_winbind

author Mathieu Parent <math.parent@gmail.com>

Thu, 12 Apr 2018 09:57:15 +0000 (11:57 +0200)

committer Andreas Schneider <asn@cryptomilk.org>

Tue, 2 Oct 2018 12:12:13 +0000 (14:12 +0200)
author Mathieu Parent <math.parent@gmail.com>
Thu, 12 Apr 2018 09:57:15 +0000 (11:57 +0200)
committer Andreas Schneider <asn@cryptomilk.org>
Tue, 2 Oct 2018 12:12:13 +0000 (14:12 +0200)
diff --git a/docs-xml/manpages/pam_winbind.8.xml b/docs-xml/manpages/pam_winbind.8.xml

index f57a9286a6cfa00af5303f4c4ad0c8c1e25711fe..b8af5b54c58ecc148eaeb93ce8a5d610d2a63349 100644 (file)
--- a/docs-xml/manpages/pam_winbind.8.xml
+++ b/docs-xml/manpages/pam_winbind.8.xml
@@ -122,6 +122,14 @@
                 </para></listitem>
                 </varlistentry>
  
+               <varlistentry>
+               <term>try_authtok</term>
+               <listitem><para>
+               Same as the use_authtok option (previous item), except that if the new password is not
+               valid, PAM will prompt for a password.
+               </para></listitem>
+               </varlistentry>
+
                 <varlistentry>
                 <term>krb5_auth</term>
                 <listitem><para>
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c

index 7ac5bb081818c4de9d7033855353b2b859ebbbb0..1a58ba49c48d60bd61025ca443514c1b07956a43 100644 (file)
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -492,6 +492,8 @@ config_from_pam:
                         ctrl |= WINBIND_SILENT;
                 else if (!strcasecmp(*v, "use_authtok"))
                         ctrl |= WINBIND_USE_AUTHTOK_ARG;
+               else if (!strcasecmp(*v, "try_authtok"))
+                       ctrl |= WINBIND_TRY_AUTHTOK_ARG;
                 else if (!strcasecmp(*v, "use_first_pass"))
                         ctrl |= WINBIND_USE_FIRST_PASS_ARG;
                 else if (!strcasecmp(*v, "try_first_pass"))
@@ -3181,6 +3183,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
                 if (on(WINBIND_USE_AUTHTOK_ARG, lctrl)) {
                         lctrl |= WINBIND_USE_FIRST_PASS_ARG;
                 }
+               if (on(WINBIND_TRY_AUTHTOK_ARG, lctrl)) {
+                       lctrl |= WINBIND_TRY_FIRST_PASS_ARG;
+               }
                 retry = 0;
                 ret = PAM_AUTHTOK_ERR;
                 while ((ret != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h

index d468efbb56a264835da4794128fad416bee29508..c6786d65a4dd070c2cba70a0293dfe5401092753 100644 (file)
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -156,6 +156,7 @@ do {                             \
  #define WINBIND_DEBUG_STATE            0x00001000
  #define WINBIND_WARN_PWD_EXPIRE                0x00002000
  #define WINBIND_MKHOMEDIR              0x00004000
+#define WINBIND_TRY_AUTHTOK_ARG                0x00008000
  
  #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
  #define _(string) dgettext(MODULE_NAME, string)
author	Mathieu Parent <math.parent@gmail.com>
	Thu, 12 Apr 2018 09:57:15 +0000 (11:57 +0200)
committer	Andreas Schneider <asn@cryptomilk.org>
	Tue, 2 Oct 2018 12:12:13 +0000 (14:12 +0200)
docs-xml/manpages/pam_winbind.8.xml		patch \| blob \| history
nsswitch/pam_winbind.c		patch \| blob \| history
nsswitch/pam_winbind.h		patch \| blob \| history