r21011: Another patch from Danilo Almeida @ Centeris (via me):

Details: Reset the "new password prompt required" state whenever
we do a new auth.  In more detail, in pam_sm_authenticate, if not
settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially
present PAM_WINBIND_NEW_AUTHTOK_REQD.
(This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)

diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 8984b92df804be30b76f8c4927fc5bb8c94f74b8..91a333b93d6c13f67db76d3a4fc511869b8fa524 100644 (file)
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -1179,6 +1179,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
        int retval = PAM_AUTH_ERR;
        dictionary *d = NULL;
        char *username_ret = NULL;
+       char *new_authtok_required = NULL;
 
        /* parse arguments */
        int ctrl = _pam_parse(pamh, flags, argc, argv, &d);
@@ -1227,14 +1228,12 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
        if (retval == PAM_NEW_AUTHTOK_REQD ||
            retval == PAM_AUTHTOK_EXPIRED) {
 
-               char *buf;
-
-               if (!asprintf(&buf, "%d", retval)) {
+               if (!asprintf(&new_authtok_required, "%d", retval)) {
                        retval = PAM_BUF_ERR;
                        goto out;
                }
 
-               pam_set_data( pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, (void *)buf, _pam_winbind_cleanup_func);
+               pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, new_authtok_required, _pam_winbind_cleanup_func);
 
                retval = PAM_SUCCESS;
                goto out;
@@ -1296,6 +1295,10 @@ int pam_sm_setcred(pam_handle_t *pamh, int flags,
                iniparser_freedict(d);
        }
 
+       if (!new_authtok_required) {
+               pam_set_data(pamh, PAM_WINBIND_NEW_AUTHTOK_REQD, NULL, NULL);
+       }
+
        return ret;
 }