From 8cc622f9af0b5183ba847636ad4047906b8abb55 Mon Sep 17 00:00:00 2001
From: Richard Boulton
Date: Thu, 6 Dec 2018 16:39:25 -0400
Subject: [PATCH] Merged PR 9630: Account Override V2

Merged PR 9290: Changes for PAM Native Override V2

Native Account Overrides are not returned for NSS queries to avoid conflicts with the native NSS mechanisms. PAM no longer sets the NSS flag to ensure proper handling for AD password change.

Root password change for Native Account Overrides should not be supported. In order to avoid control passing to the next PAM_UNIX module we emit a message and return success.
---
 lsass/interop/auth/pam/pam-passwd.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/lsass/interop/auth/pam/pam-passwd.c b/lsass/interop/auth/pam/pam-passwd.c
index 04a68cf28..d44ffadb9 100644
--- a/lsass/interop/auth/pam/pam-passwd.c
+++ b/lsass/interop/auth/pam/pam-passwd.c
@@ -297,7 +297,7 @@ LsaPamMustCheckCurrentPassword(
     if (((PLSA_USER_INFO_1)pUserInfo)->bIsLocalUser)
     {
         // Local root user does not have to
-        // provider a user's old password.
+        // provide a user's old password.
         bCheckOldPassword = (getuid() != 0);
     }
     else
@@ -364,7 +364,7 @@ LsaPamUpdatePassword(
     }
     if (pPamContext->bPasswordChangeSuceeded)
     {
-        LSA_LOG_PAM_DEBUG("Password change already suceeded");
+        LSA_LOG_PAM_DEBUG("Password change already succeeded");
         goto cleanup;
     }
 
@@ -384,7 +384,7 @@ LsaPamUpdatePassword(
     dwError = LsaFindObjects(
         hLsaConnection,
         NULL,
-        LSA_FIND_FLAGS_NSS,
+        0,
         LSA_OBJECT_TYPE_USER,
         LSA_QUERY_TYPE_BY_NAME,
         1,
@@ -423,7 +423,7 @@ LsaPamUpdatePassword(
     LW_SECURE_FREE_STRING(pszOldPassword);
     LW_SAFE_FREE_STRING(pszLoginId);
     if (ppUser)
-    {
+    {
         LsaFreeSecurityObjectList(
             1,
             ppUser);
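Review bot: The replacement of `LSA_FIND_FLAGS_NSS` with a bare `0` in the `LsaFindObjects` call (hunk at -384) carries none of the reasoning the commit message gives, so a later reader sees an unexplained literal where a named flag used to be; add a comment above the argument such as `// Deliberately not LSA_FIND_FLAGS_NSS: native account overrides are hidden from NSS queries but must be found here so the password-change path can handle them.` Because this lookup now resolves names differently from NSS, the object found for a login id may not be the one NSS reported to PAM; that is the intended effect of the change, but it is worth stating next to the call rather than only in the commit history. LsaPamUpdatePassword's body begins and ends outside this hunk.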
@@ -452,6 +452,19 @@ LsaPamUpdatePassword(
 
 error:
 
+    if ( dwError == LW_ERROR_INVALID_PASSWORD && ppUser && ppUser[0])
+    {
+        if (getuid() == 0 && ppUser[0]->bIsLocal) {
+            LsaPamConverse(
+                pamh,
+                "Ignoring root password change for PBIS AD user. Please use '/opt/pbis/bin/adtool' to manage PBIS AD user account passwords.",
+                PAM_ERROR_MSG,
+                NULL);
+
+            dwError = LW_ERROR_SUCCESS;
+        }
+    }
+
     if ( dwError == LW_ERROR_PASSWORD_RESTRICTION )
     {
         LsaPamConverse(
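Review bot: The new block at `error:` treats `LW_ERROR_INVALID_PASSWORD` for `getuid() == 0` on a `bIsLocal` object as the signal that a native account override was hit, yet nothing in the code says why that error code identifies the case, and the conversed text speaks of a "PBIS AD user" while the condition tests `bIsLocal`; add a comment above the outer `if` such as `// root is not asked for the old password (see LsaPamMustCheckCurrentPassword), so INVALID_PASSWORD here means the backend rejected a root-driven change of a native override; report it and return success so pam_unix is not tried next.` and confirm the message wording matches that intent. Since the function now returns `LW_ERROR_SUCCESS` although no password was changed, the event should also be recorded through the file's `LSA_LOG_PAM_*` macros at a level above debug (the hunk at -364 shows `LSA_LOG_PAM_DEBUG` in use), so the no-op is visible to an administrator reading the log and not only to the user at the prompt. The inner `if (getuid() == 0 && ppUser[0]->bIsLocal) {` puts the brace on the same line while the surrounding code, including the outer `if`, opens braces on their own line. LsaPamUpdatePassword continues past both ends of this hunk, so whether `ppUser` is still live at `error:` (it is freed in the cleanup block shown at -423) cannot be confirmed from the diff alone.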