use old password if available during password change

- if the password is reset by root we do not ask for a password during
  PAM_PRELIM_CHECK. But if there is one available during PAM_UPDATE_AUTHTOK
  we will use it, because now we are in an expired password dialog.

1 files changed, 9 insertions, 8 deletions

diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c
index 4755cd32e..411afd185 100644
--- a/sss_client/pam_sss.c
+++ b/sss_client/pam_sss.c
@@ -735,18 +735,19 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
         return PAM_SUCCESS;
     }
 
-    if (getuid() != 0) {
-        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
-        pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
-        if (pi->pam_authtok == NULL) {
+    if (pi->pamstack_oldauthtok == NULL) {
+        if (getuid() != 0) {
             D(("no password found for chauthtok"));
             return PAM_BUF_ERR;
+        } else {
+            pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+            pi->pam_authtok = NULL;
+            pi->pam_authtok_size = 0;
         }
-        pi->pam_authtok_size = strlen(pi->pam_authtok);
     } else {
-        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
-        pi->pam_authtok = NULL;
-        pi->pam_authtok_size = 0;
+        pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
+        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+        pi->pam_authtok_size = strlen(pi->pam_authtok);
     }
 
     if (flags & FLAGS_USE_AUTHTOK) {