Merged PR 9630: Account Override V2

Merged PR 9290: Changes for PAM Native Override V2 Native Account Overrides are not returned for NSS queries to avoid conflicts with the native NSS mechanisms. PAM no longer sets the NSS flag to ensure proper handling for AD password change. Root password change for Native Account Overrides should not be supported. In order to avoid control passing to the next PAM_UNIX module we emit a message and return success.
BeyondTrust · Dec 6, 2018 · 8cc622f · 8cc622f
1 parent 20b1f33
commit 8cc622f
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/lsass/interop/auth/pam/pam-passwd.c b/lsass/interop/auth/pam/pam-passwd.c
@@ -297,7 +297,7 @@ LsaPamMustCheckCurrentPassword(
     if (((PLSA_USER_INFO_1)pUserInfo)->bIsLocalUser)
     {
         // Local root user does not have to
-        // provider a user's old password.
+        // provide a user's old password.
         bCheckOldPassword = (getuid() != 0);
     }
     else
@@ -364,7 +364,7 @@ LsaPamUpdatePassword(
     }
     if (pPamContext->bPasswordChangeSuceeded)
     {
-        LSA_LOG_PAM_DEBUG("Password change already suceeded");
+        LSA_LOG_PAM_DEBUG("Password change already succeeded");
         goto cleanup;
     }
 
@@ -384,7 +384,7 @@ LsaPamUpdatePassword(
     dwError = LsaFindObjects(
                     hLsaConnection,
                     NULL,
-                    LSA_FIND_FLAGS_NSS,
+                    0,
                     LSA_OBJECT_TYPE_USER,
                     LSA_QUERY_TYPE_BY_NAME,
                     1,
@@ -423,7 +423,7 @@ LsaPamUpdatePassword(
     LW_SECURE_FREE_STRING(pszOldPassword);
     LW_SAFE_FREE_STRING(pszLoginId);
     if (ppUser)
-    {
+    {        
         LsaFreeSecurityObjectList(
             1,
             ppUser);
@@ -452,6 +452,19 @@ LsaPamUpdatePassword(
 
 error:
 
+    if ( dwError == LW_ERROR_INVALID_PASSWORD && ppUser && ppUser[0])
+    {
+        if (getuid() == 0 && ppUser[0]->bIsLocal) {
+            LsaPamConverse(
+                pamh,
+                "Ignoring root password change for PBIS AD user. Please use '/opt/pbis/bin/adtool' to manage PBIS AD user account passwords.",
+                PAM_ERROR_MSG,
+                NULL);
+
+            dwError = LW_ERROR_SUCCESS;
+        }
+    }
+
     if ( dwError == LW_ERROR_PASSWORD_RESTRICTION )
     {
         LsaPamConverse(