Re: Update memory and cached creds when changing password from gdm or xdm - Samba



  1. Re: Update memory and cached creds when changing password from gdm or xdm

    On Tue, Jul 01, 2008 at 01:29:39PM +0800, boyang wrote:
    > Hi, All:
    > There is a lot of pain when changing password from
    > gdm or xdm, i.e., when users try to log in from gdm or
    > xdm and the password has expired.
    >
    > 1. Because the user didn't log in (PAM_AUTH returns
    > NT_STATUS_PASSWORD_EXPIRED), there are no memory
    > creds, which causes winbindd_replace_memory_creds()
    > to fail. It will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
    > which is not a real failure, because changing the password
    > succeeded.
    >
    > 2. And there can be no cached creds (if it has been deleted
    > when cached creds reach the maximum cached number). Thus
    > updating cached creds will probably fail with NT_STATUS_NO_SUCH_USER.
    > It is not a real failure either, because changing the password succeeded.
    >
    > 3. When logging in from gdm or xdm with passthrough authentication,
    > there are no memory creds. Therefore, we should authenticate with
    > the new password even for passthrough authentication to update memory
    > creds.
    >
    > 4. Because updating cached creds in winbindd_dual_pam_chauthtok()
    > can probably fail, we should set the WINBIND_CACHED_LOGIN
    > bit in the authentication immediately after changing password
    > to cover the hole of the possible failure of updating creds
    > in winbindd_dual_pam_chauthtok.
    >
    > Please correct if there is anything wrong.
    >
    > Patch for v3-[023]-test in the attachment. Please review them.


    I'll review this tomorrow (2nd July Pacific time). Hopefully
    we'll get this done for 3.0.31.

    Thanks,

    Jeremy.


  2. Re: Update memory and cached creds when changing password from gdm or xdm

    Jeremy Allison wrote:
    > On Tue, Jul 01, 2008 at 01:29:39PM +0800, boyang wrote:
    >
    >> Hi, All:
    >> There is a lot of pain when changing password from
    >> gdm or xdm, i.e., when users try to log in from gdm or
    >> xdm and the password has expired.
    >>
    >> 1. Because the user didn't log in (PAM_AUTH returns
    >> NT_STATUS_PASSWORD_EXPIRED), there are no memory
    >> creds, which causes winbindd_replace_memory_creds()
    >> to fail. It will return NT_STATUS_OBJECT_NAME_NOT_FOUND,
    >> which is not a real failure, because changing the password
    >> succeeded.
    >>
    >> 2. And there can be no cached creds (if it has been deleted
    >> when cached creds reach the maximum cached number). Thus
    >> updating cached creds will probably fail with NT_STATUS_NO_SUCH_USER.
    >> It is not a real failure either, because changing the password succeeded.
    >>
    >> 3. When logging in from gdm or xdm with passthrough authentication,
    >> there are no memory creds. Therefore, we should authenticate with
    >> the new password even for passthrough authentication to update memory
    >> creds.
    >>
    >> 4. Because updating cached creds in winbindd_dual_pam_chauthtok()
    >> can probably fail, we should set the WINBIND_CACHED_LOGIN
    >> bit in the authentication immediately after changing password
    >> to cover the hole of the possible failure of updating creds
    >> in winbindd_dual_pam_chauthtok.
    >>
    >> Please correct if there is anything wrong.
    >>
    >> Patch for v3-[023]-test in the attachment. Please review them.
    >>

    >
    > I'll review this tomorrow (2nd July Pacific time). Hopefully
    > we'll get this done for 3.0.31.
    >


    Thanks for spending time on this. :-)

    > Thanks,
    >
    > Jeremy.
    >
    >
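The status handling proposed in points 1 to 4 of the quoted message, as an added illustration that is not the attached patch and not Samba code: the function, struct and field names are hypothetical, and the mapping of each status to a follow-up action is one reading of the proposal. Only the two statuses named in the thread are treated as benign; any other error from a credential update is still reported.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS codes used below (numeric values from MS-ERREF). */
#define NT_STATUS_OK                    0x00000000u
#define NT_STATUS_ACCESS_DENIED         0xC0000022u
#define NT_STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034u
#define NT_STATUS_NO_SUCH_USER          0xC0000064u

/* Hypothetical result type for this sketch; not a Samba structure. */
struct chauthtok_outcome {
    uint32_t status;     /* status to hand back to the PAM caller */
    bool reauth_for_mem; /* point 3: authenticate with the new password */
    bool cached_login;   /* point 4: ask for a cached login on that auth */
};

/* Inputs: result of the password change, of the memory-creds update,
 * and of the cached-creds update, in that order. */
struct chauthtok_outcome classify_chauthtok(uint32_t change, uint32_t mem,
                                            uint32_t cache)
{
    struct chauthtok_outcome out = { change, false, false };

    if (change != NT_STATUS_OK)
        return out;                  /* the change itself failed */

    if (mem == NT_STATUS_OBJECT_NAME_NOT_FOUND) {
        out.reauth_for_mem = true;   /* point 1: user never logged in */
    } else if (mem != NT_STATUS_OK) {
        out.status = mem;            /* unexpected error: do not hide it */
        return out;
    }

    if (cache == NT_STATUS_NO_SUCH_USER)
        out.cached_login = true;     /* point 2: no cache entry to update */
    else if (cache != NT_STATUS_OK)
        out.status = cache;          /* unexpected error: do not hide it */
    return out;
}

int main(void)
{
    struct chauthtok_outcome o = classify_chauthtok(
        NT_STATUS_OK, NT_STATUS_OBJECT_NAME_NOT_FOUND, NT_STATUS_NO_SUCH_USER);
    printf("status=0x%08x reauth=%d cached_login=%d\n",
           (unsigned)o.status, o.reauth_for_mem, o.cached_login);
    return 0;
}
```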



