From: Björn Jacke <bj@sernet.de>
Date: Wed, 27 Jan 2021 20:14:43 +0000 (+0100)
Subject: pam_winbind: improve pam message if minimum password age strikes
X-Git-Tag: tevent-0.11.0~1785
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=20f0a3b10981873dde5c1bc76d7f3a26acc605da;p=thirdparty%2Fsamba.git

pam_winbind: improve pam message if minimum password age strikes

if minimum password age strikes we should output the next possible password
change time and not other password restriction policies.

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
index aee45bfe9bc..ffbad91861f 100644
--- a/nsswitch/pam_winbind.c
+++ b/nsswitch/pam_winbind.c
@@ -637,7 +637,7 @@ static const struct ntstatus_errors {
 	{"NT_STATUS_PWD_TOO_SHORT",
 		N_("Password too short")},
 	{"NT_STATUS_PWD_TOO_RECENT",
-		N_("The password of this user is too recent to change")},
+		N_("The password was recently changed and cannot be changed again before %s")},
 	{"NT_STATUS_PWD_HISTORY_CONFLICT",
 		N_("Password is already in password history")},
 	{"NT_STATUS_PASSWORD_EXPIRED",
@@ -2049,8 +2049,11 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
 			case WBC_PWD_CHANGE_NO_ERROR:
 				if ((min_pwd_age > 0) &&
 				    (pwd_last_set + min_pwd_age > time(NULL))) {
-					PAM_WB_REMARK_DIRECT(ctx,
-					     "NT_STATUS_PWD_TOO_RECENT");
+					time_t next_change = pwd_last_set + min_pwd_age;
+					_make_remark_format(ctx, PAM_ERROR_MSG,
+						_get_ntstatus_error_string("NT_STATUS_PWD_TOO_RECENT"),
+						ctime(&next_change));
+					goto done;
 				}
 				break;
 			case WBC_PWD_CHANGE_PASSWORD_TOO_SHORT: