Sorry @@......

I didn't notice that you will work on it :-)...

Keeping making careless mistakes.

Thanks!

Best
Regards
BoYang


>>> Guenther Deschner 06/06/08 11:58 PM >>>

Bo Yang wrote:
> Hi, All:
>
> There is a logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok().
> In pam_sm_chauthtok(), WINBIND_CACHED_LOGIN is cleared, which causes WBFLAG_PAM_CACHED_LOGIN
> cleared. But in winbindd_dual_pam_chauthtok(),
>
> if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
> Update cached credentials.
> }
> But WBFLAG_PAM_CACHED_LOGIN is cleared, therefore, cached credential is never updated when password is
> changed.
>
> Patches for v3-0-test, v3-2-test, v3-3-test in attachment.
>
> Please review it.


The idea behind disabling the cached creds flag was to not let the user
type three passwords before getting noticed that the DC is unavailable,
therefor that flag should remain turned off for auth (to make sure we're
really verifiying the creds against a living DC) and then turned on (if
globally enabled) for the chauthtok only (to store modified creds).

I'm going to check in a modified version of your patch.

Thanks,
Guenther


--
G√ľnther Deschner GPG-ID: 8EE11688
Red Hat gdeschner@redhat.com
Samba Team gd@samba.org