pam_winbind: fix pam_sm_chauthtok for storing modified cached creds.

Thanks to Bo Yang for pointing this out.

Guenther
(cherry picked from commit 516a067016955938988ab37c777102a14b41e100)

1 files changed, 16 insertions, 1 deletions

diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 47e0e3cd128..7288d7af77b 100644
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -2417,6 +2417,7 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 {
 	unsigned int lctrl;
 	int ret;
+	bool cached_login = false;
 
 	/* <DO NOT free() THESE> */
 	const char *user;
@@ -2439,7 +2440,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 
 	_PAM_LOG_FUNCTION_ENTER("pam_sm_chauthtok", ctx);
 
-	/* clearing offline bit for the auth in the password change */
+	cached_login = (ctx->ctrl & WINBIND_CACHED_LOGIN);
+
+	/* clearing offline bit for auth */
 	ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
 
 	/*
@@ -2595,6 +2598,15 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 		_pam_get_data(pamh, PAM_WINBIND_PWD_LAST_SET,
 			      &pwdlastset_update);
 
+		/*
+		 * if cached creds were enabled, make sure to set the
+		 * WINBIND_CACHED_LOGIN bit here in order to have winbindd
+		 * update the cached creds storage - gd
+		 */
+		if (cached_login) {
+			ctx->ctrl |= WINBIND_CACHED_LOGIN;
+		}
+
 		ret = winbind_chauthtok_request(ctx, user, pass_old,
 						pass_new, pwdlastset_update);
 		if (ret) {
@@ -2614,6 +2626,9 @@ int pam_sm_chauthtok(pam_handle_t * pamh, int flags,
 			cctype = get_krb5_cc_type_from_config(ctx);
 			warn_pwd_expire = get_warn_pwd_expire_from_config(ctx);
 
+			/* clearing offline bit for auth */
+			ctx->ctrl &= ~WINBIND_CACHED_LOGIN;
+
 			ret = winbind_auth_request(ctx, user, pass_new,
 						   member, cctype, 0, &response,
 						   NULL, &username_ret);