From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Wed, 17 Nov 2021 09:56:09 +0100

Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to

 off).

This change disables the prompt for the change of an expired password by

default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>

Reviewed-by: Alexander Bokovoy <ab@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)

---

 docs-xml/manpages/pam_winbind.conf.5.xml |  7 +++++++

 nsswitch/pam_winbind.c                   | 12 ++++++++++--

 nsswitch/pam_winbind.h                   |  1 +

 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml

index 0bc288f91a1..bae9298fc32 100644

--- a/docs-xml/manpages/pam_winbind.conf.5.xml

+++ b/docs-xml/manpages/pam_winbind.conf.5.xml

@@ -194,6 +194,13 @@

 		</para></listitem>

 		</varlistentry>

+		<varlistentry>

+		<term>pwd_change_prompt = yes|no</term>

+		<listitem><para>

+			Generate prompt for changing an expired password. Defaults to "no".

+		</para></listitem>

+		</varlistentry>

+

 		</variablelist>

 	</para>

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c

index 720a4b90d85..06098dd07d8 100644

--- a/nsswitch/pam_winbind.c

+++ b/nsswitch/pam_winbind.c

@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,

 		ctrl |= WINBIND_MKHOMEDIR;

 	}

+	if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {

+		ctrl |= WINBIND_PWD_CHANGE_PROMPT;

+	}

+

 config_from_pam:

 	/* step through arguments */

 	for (i=argc,v=argv; i-- > 0; ++v) {

@@ -522,6 +526,8 @@ config_from_pam:

 		else if (!strncasecmp(*v, "warn_pwd_expire",

 			strlen("warn_pwd_expire")))

 			ctrl |= WINBIND_WARN_PWD_EXPIRE;

+		else if (!strcasecmp(*v, "pwd_change_prompt"))

+			ctrl |= WINBIND_PWD_CHANGE_PROMPT;

 		else if (type != PAM_WINBIND_CLEANUP) {

 			__pam_log(pamh, ctrl, LOG_ERR,

 				 "pam_parse: unknown option: %s", *v);

@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,

 		 * successfully sent the warning message.

 		 * Give the user a chance to change pwd.

 		 */

-		if (ret == PAM_SUCCESS) {

+		if (ret == PAM_SUCCESS &&

+		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {

 			if (change_pwd) {

 				retval = _pam_winbind_change_pwd(ctx);

 				if (retval) {

@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,

 		 * successfully sent the warning message.

 		 * Give the user a chance to change pwd.

 		 */

-		if (ret == PAM_SUCCESS) {

+		if (ret == PAM_SUCCESS &&

+		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {

 			if (change_pwd) {

 				retval = _pam_winbind_change_pwd(ctx);

 				if (retval) {

diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h

index c6786d65a4d..2f4a25729bd 100644

--- a/nsswitch/pam_winbind.h

+++ b/nsswitch/pam_winbind.h

@@ -157,6 +157,7 @@ do {                             \

 #define WINBIND_WARN_PWD_EXPIRE		0x00002000

 #define WINBIND_MKHOMEDIR		0x00004000

 #define WINBIND_TRY_AUTHTOK_ARG		0x00008000

+#define WINBIND_PWD_CHANGE_PROMPT	0x00010000

 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)

 #define _(string) dgettext(MODULE_NAME, string)

-- 

2.35.1