From 91f92358f790ddd2cf60b0b950d1d7fb586528f7 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Fri, 9 Oct 2009 20:52:25 +0200
Subject: use old password if available during password change - if the password is reset by root we do not ask for a password during PAM_PRELIM_CHECK. But if there is one available during PAM_UPDATE_AUTHTOK we will use it, because now we are in an expired password dialog.
---
 sss_client/pam_sss.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/sss_client/pam_sss.c b/sss_client/pam_sss.c
index 4755cd32e..411afd185 100644
--- a/sss_client/pam_sss.c
+++ b/sss_client/pam_sss.c
@@ -735,18 +735,19 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
 return PAM_SUCCESS;
 }
- if (getuid() != 0) {
- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
- pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
- if (pi->pam_authtok == NULL) {
+ if (pi->pamstack_oldauthtok == NULL) {
+ if (getuid() != 0) {
 D(("no password found for chauthtok"));
 return PAM_BUF_ERR;
+ } else {
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
+ pi->pam_authtok = NULL;
+ pi->pam_authtok_size = 0;
 }
- pi->pam_authtok_size = strlen(pi->pam_authtok);
 } else {
- pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
- pi->pam_authtok = NULL;
- pi->pam_authtok_size = 0;
+ pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
+ pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
+ pi->pam_authtok_size = strlen(pi->pam_authtok);
 }
 if (flags & FLAGS_USE_AUTHTOK) {
-- cgit
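Review bot: In the new final `else` branch the result of `strdup(pi->pamstack_oldauthtok)` goes straight into `strlen(pi->pam_authtok)` with no NULL check, so an allocation failure becomes a NULL dereference inside whichever process loaded the PAM module. The removed code did test `pi->pam_authtok == NULL` after the copy; the new code keeps the `PAM_BUF_ERR` return only for the missing-old-password case. I would restore the check right after the `strdup` line: `if (pi->pam_authtok == NULL) { D(("strdup failed")); return PAM_BUF_ERR; }`, and set `pam_authtok_type` only once the copy has succeeded. A short comment on the outer `if` explaining that a non-NULL old authtok for uid 0 means an expired-password dialog would save the next reader from going to the commit message. The body of `get_authtok_for_password_change` starts and ends outside this hunk, so how `pi->pam_authtok` is later released cannot be checked from here.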