Fix [RFE] Change change password change prompt phrasing
resolves: #2050111
This commit is contained in:
Pavel Filipenský
parent
b6cf6d220e
commit
2edc842f20
|
|
@ -0,0 +1,100 @@
|
|||
From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
|
||||
Date: Wed, 17 Nov 2021 09:56:09 +0100
|
||||
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
|
||||
off).
|
||||
|
||||
This change disables the prompt for the change of an expired password by
|
||||
default (using the PAM_RADIO_TYPE mechanism if present).
|
||||
|
||||
BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691
|
||||
|
||||
Guenther
|
||||
|
||||
Signed-off-by: Guenther Deschner <gd@samba.org>
|
||||
Reviewed-by: Alexander Bokovoy <ab@samba.org>
|
||||
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||||
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
|
||||
---
|
||||
docs-xml/manpages/pam_winbind.conf.5.xml | 7 +++++++
|
||||
nsswitch/pam_winbind.c | 12 ++++++++++--
|
||||
nsswitch/pam_winbind.h | 1 +
|
||||
3 files changed, 18 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
index 0bc288f91a1..bae9298fc32 100644
|
||||
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
|
||||
@@ -194,6 +194,13 @@
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
+ <varlistentry>
|
||||
+ <term>pwd_change_prompt = yes|no</term>
|
||||
+ <listitem><para>
|
||||
+ Generate prompt for changing an expired password. Defaults to "no".
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
</variablelist>
|
||||
|
||||
</para>
|
||||
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
|
||||
index 720a4b90d85..06098dd07d8 100644
|
||||
--- a/nsswitch/pam_winbind.c
|
||||
+++ b/nsswitch/pam_winbind.c
|
||||
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
|
||||
ctrl |= WINBIND_MKHOMEDIR;
|
||||
}
|
||||
|
||||
+ if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
|
||||
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
|
||||
+ }
|
||||
+
|
||||
config_from_pam:
|
||||
/* step through arguments */
|
||||
for (i=argc,v=argv; i-- > 0; ++v) {
|
||||
@@ -522,6 +526,8 @@ config_from_pam:
|
||||
else if (!strncasecmp(*v, "warn_pwd_expire",
|
||||
strlen("warn_pwd_expire")))
|
||||
ctrl |= WINBIND_WARN_PWD_EXPIRE;
|
||||
+ else if (!strcasecmp(*v, "pwd_change_prompt"))
|
||||
+ ctrl |= WINBIND_PWD_CHANGE_PROMPT;
|
||||
else if (type != PAM_WINBIND_CLEANUP) {
|
||||
__pam_log(pamh, ctrl, LOG_ERR,
|
||||
"pam_parse: unknown option: %s", *v);
|
||||
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
|
||||
* successfully sent the warning message.
|
||||
* Give the user a chance to change pwd.
|
||||
*/
|
||||
- if (ret == PAM_SUCCESS) {
|
||||
+ if (ret == PAM_SUCCESS &&
|
||||
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
|
||||
if (change_pwd) {
|
||||
retval = _pam_winbind_change_pwd(ctx);
|
||||
if (retval) {
|
||||
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
|
||||
* successfully sent the warning message.
|
||||
* Give the user a chance to change pwd.
|
||||
*/
|
||||
- if (ret == PAM_SUCCESS) {
|
||||
+ if (ret == PAM_SUCCESS &&
|
||||
+ (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
|
||||
if (change_pwd) {
|
||||
retval = _pam_winbind_change_pwd(ctx);
|
||||
if (retval) {
|
||||
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
|
||||
index c6786d65a4d..2f4a25729bd 100644
|
||||
--- a/nsswitch/pam_winbind.h
|
||||
+++ b/nsswitch/pam_winbind.h
|
||||
@@ -157,6 +157,7 @@ do { \
|
||||
#define WINBIND_WARN_PWD_EXPIRE 0x00002000
|
||||
#define WINBIND_MKHOMEDIR 0x00004000
|
||||
#define WINBIND_TRY_AUTHTOK_ARG 0x00008000
|
||||
+#define WINBIND_PWD_CHANGE_PROMPT 0x00010000
|
||||
|
||||
#if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
|
||||
#define _(string) dgettext(MODULE_NAME, string)
|
||||
--
|
||||
2.35.1
|
||||
|
||||
|
|
@ -132,7 +132,7 @@
|
|||
|
||||
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||
|
||||
%global baserelease 100
|
||||
%global baserelease 101
|
||||
|
||||
%global samba_version 4.15.5
|
||||
%global talloc_version 2.3.3
|
||||
|
|
@ -207,6 +207,7 @@ Patch2: samba-glibc-dns.patch
|
|||
Patch3: samba-printing-win7.patch
|
||||
Patch4: samba-disable-systemd-notifications.patch
|
||||
Patch5: samba-disable-ntlmssp.patch
|
||||
Patch6: samba-password-change-prompt.patch
|
||||
|
||||
Requires(pre): /usr/sbin/groupadd
|
||||
Requires(post): systemd
|
||||
|
|
@ -4105,6 +4106,9 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Feb 14 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-101
|
||||
- resolves: #2050111 - [RFE] Change change password change prompt phrasing
|
||||
|
||||
* Wed Feb 02 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-100
|
||||
- related: rhbz#2013578 - Rebase Samba to the the latest 4.15.x release
|
||||
- resolves: #2046129 - Fix CVE-2021-44141
|
||||
|
|
|
|||
Loading…
Reference in New Issue