diff options
author | Günther Deschner <gd@samba.org> | 2007-01-11 15:41:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:17:02 -0500 |
commit | 0d538f7370f13b175f127f061d5bff18e631cd5e (patch) | |
tree | 6ed7999cab70207a63907d17c2184e033acd335c /source3/nsswitch/pam_winbind.c | |
parent | b79629fcc431764f1ec34876e7a28e242d205ac8 (diff) | |
download | samba-0d538f7370f13b175f127f061d5bff18e631cd5e.tar.gz samba-0d538f7370f13b175f127f061d5bff18e631cd5e.tar.xz samba-0d538f7370f13b175f127f061d5bff18e631cd5e.zip |
r20687: Implement grace logons for offline authentications in pam_winbind.
In case a user authenticated sucessfully and his password just expired
while beeing disconnected, we should allow a user to logon (given a
clear warning). We currently forced the user into a password change
dialogue in that scenario; this did not make much sense while offline.
Guenther
(This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
Diffstat (limited to 'source3/nsswitch/pam_winbind.c')
-rw-r--r-- | source3/nsswitch/pam_winbind.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c index 6b683d682d..f0a60233c5 100644 --- a/source3/nsswitch/pam_winbind.c +++ b/source3/nsswitch/pam_winbind.c @@ -420,6 +420,11 @@ static void _pam_warn_password_expires_in_future(pam_handle_t *pamh, struct winb return; } + /* no point in sending a warning if this is a grace logon */ + if (PAM_WB_GRACE_LOGON(response->data.auth.info3.user_flgs)) { + return; + } + /* check if the info3 must change timestamp has been set */ next_change = response->data.auth.info3.pass_must_change_time; @@ -586,6 +591,7 @@ static int winbind_auth_request(pam_handle_t * pamh, /* handle the case where the auth was ok, but the password must expire right now */ /* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */ if ( ! (response.data.auth.info3.acct_flags & ACB_PWNOEXP) && + ! (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) && (response.data.auth.policy.expire > 0) && (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) { @@ -604,9 +610,20 @@ static int winbind_auth_request(pam_handle_t * pamh, /* warn a user if the password is about to expire soon */ _pam_warn_password_expires_in_future(pamh, &response); - if (response.data.auth.info3.user_flgs & LOGON_CACHED_ACCOUNT) { - _make_remark(pamh, PAM_ERROR_MSG, "Logging on using cached account. Network ressources can be unavailable"); - _pam_log_debug(pamh, ctrl, LOG_DEBUG,"User %s logged on using cached account\n", user); + /* inform about logon type */ + if (PAM_WB_GRACE_LOGON(response.data.auth.info3.user_flgs)) { + + _make_remark(pamh, PAM_ERROR_MSG, + "Grace login. Please change your password as soon you're online again"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, + "User %s logged on using grace logon\n", user); + + } else if (PAM_WB_CACHED_LOGON(response.data.auth.info3.user_flgs)) { + + _make_remark(pamh, PAM_ERROR_MSG, + "Logging on using cached account. Network ressources can be unavailable"); + _pam_log_debug(pamh, ctrl, LOG_DEBUG, + "User %s logged on using cached account\n", user); } /* save the CIFS homedir for pam_cifs / pam_mount */ |