From 513946aec6ddf4cb61d5d460e0478fd7ffd7be21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 17 Nov 2021 09:56:09 +0100
Subject: [PATCH] pam_winbind: add new pwd_change_prompt option (defaults to
 off).

This change disables the prompt for the change of an expired password by
default (using the PAM_RADIO_TYPE mechanism if present).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=8691

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 20c85cc1da8d8c7f1932fbdd92128bb6dafad472)
---
 docs-xml/manpages/pam_winbind.conf.5.xml |  7 +++++++
 nsswitch/pam_winbind.c                   | 12 ++++++++++--
 nsswitch/pam_winbind.h                   |  1 +
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml
index 0bc288f91a1..bae9298fc32 100644
--- a/docs-xml/manpages/pam_winbind.conf.5.xml
+++ b/docs-xml/manpages/pam_winbind.conf.5.xml
@@ -194,6 +194,13 @@
 		</para></listitem>
 		</varlistentry>
 
+		<varlistentry>
+		<term>pwd_change_prompt = yes|no</term>
+		<listitem><para>
+			Generate prompt for changing an expired password. Defaults to "no".
+		</para></listitem>
+		</varlistentry>
+
 		</variablelist>
 
 	</para>
diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index 720a4b90d85..06098dd07d8 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -479,6 +479,10 @@ static int _pam_parse(const pam_handle_t *pamh,
 		ctrl |= WINBIND_MKHOMEDIR;
 	}
 
+	if (tiniparser_getboolean(d, "global:pwd_change_prompt", false)) {
+		ctrl |= WINBIND_PWD_CHANGE_PROMPT;
+	}
+
 config_from_pam:
 	/* step through arguments */
 	for (i=argc,v=argv; i-- > 0; ++v) {
@@ -522,6 +526,8 @@ config_from_pam:
 		else if (!strncasecmp(*v, "warn_pwd_expire",
 			strlen("warn_pwd_expire")))
 			ctrl |= WINBIND_WARN_PWD_EXPIRE;
+		else if (!strcasecmp(*v, "pwd_change_prompt"))
+			ctrl |= WINBIND_PWD_CHANGE_PROMPT;
 		else if (type != PAM_WINBIND_CLEANUP) {
 			__pam_log(pamh, ctrl, LOG_ERR,
 				 "pam_parse: unknown option: %s", *v);
@@ -976,7 +982,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 		 * successfully sent the warning message.
 		 * Give the user a chance to change pwd.
 		 */
-		if (ret == PAM_SUCCESS) {
+		if (ret == PAM_SUCCESS &&
+		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
 			if (change_pwd) {
 				retval = _pam_winbind_change_pwd(ctx);
 				if (retval) {
@@ -1006,7 +1013,8 @@ static bool _pam_send_password_expiry_message(struct pwb_context *ctx,
 		 * successfully sent the warning message.
 		 * Give the user a chance to change pwd.
 		 */
-		if (ret == PAM_SUCCESS) {
+		if (ret == PAM_SUCCESS &&
+		    (ctx->ctrl & WINBIND_PWD_CHANGE_PROMPT)) {
 			if (change_pwd) {
 				retval = _pam_winbind_change_pwd(ctx);
 				if (retval) {
diff --git a/nsswitch/pam_winbind.h b/nsswitch/pam_winbind.h
index c6786d65a4d..2f4a25729bd 100644
--- a/nsswitch/pam_winbind.h
+++ b/nsswitch/pam_winbind.h
@@ -157,6 +157,7 @@ do {                             \
 #define WINBIND_WARN_PWD_EXPIRE		0x00002000
 #define WINBIND_MKHOMEDIR		0x00004000
 #define WINBIND_TRY_AUTHTOK_ARG		0x00008000
+#define WINBIND_PWD_CHANGE_PROMPT	0x00010000
 
 #if defined(HAVE_GETTEXT) && !defined(__LCLINT__)
 #define _(string) dgettext(MODULE_NAME, string)
-- 
2.35.1