authorGünther Deschner <gd@samba.org>2007-02-22 13:35:01 +0000
committerGünther Deschner <gd@samba.org>2007-02-22 13:35:01 +0000
commit29f99826c8010a0d05ac25fc53a0ba99b2c76bd4 (patch)
treebc87245b47f0dcb7bb89bb4e93b028c8b590ada0 /source/nsswitch/winbindd_pam.c
parentba19ca7b03850bd2528e39ff1f8e33af8088961b (diff)
r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user
changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user himself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has already been changed (on w2k3 sp1 dcs). Guenther
Diffstat (limited to 'source/nsswitch/winbindd_pam.c')
-rw-r--r--source/nsswitch/winbindd_pam.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 98f76bea923..69e004ec718 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -671,6 +671,17 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
DEBUG(10,("winbindd_raw_kerberos_login: failed to add ccache to list: %s\n",
nt_errstr(result)));
}
+ } else {
+
+ /* need to delete the memory cred cache, it is not used anymore */
+
+ krb5_ret = ads_kdestroy(cc);
+ if (krb5_ret) {
+ DEBUG(3,("winbindd_raw_kerberos_login: "
+ "could not destroy krb5 credential cache: "
+ "%s\n", error_message(krb5_ret)));
+ }
+
}
result = NT_STATUS_OK;
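Review bot: A failed `ads_kdestroy(cc)` in the new else branch is reported only at debug level 3, and the function still falls through to `result = NT_STATUS_OK`, so a credential cache that could not be removed stays behind with no trace at the low log levels most installations run with. That cache presumably holds the ticket just obtained for the user, so I would keep the login result as it is but log the failure where an operator will see it, e.g. `DEBUG(1,("winbindd_raw_kerberos_login: could not destroy krb5 credential cache: %s\n", error_message(krb5_ret)));`. The comment could also say why the cache is unused here; going by the commit message, something like `/* no FILE ccache was requested, the in-memory ccache was only needed for this login: destroy it */`. The `if` that this else belongs to and the function's error paths lie outside the hunk, so whether those paths also destroy the cache cannot be checked from here.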