On Fri, Oct 09, 2009 at 04:29:42PM -0400, Simo Sorce wrote: > On Fri, 2009-10-09 at 21:02 +0200, Sumit Bose wrote: > > Hi, > > > > this one should fix #223. Because sshd runs as root the old password > > was > > not sent to sssd and changing the user password failed. Please review > > carefully. > > I guess the problem here is to understand what do current pam modules, > when used through the proxy backend, expect. >
The current pam modules do not expect anything here, because they will handle expired passowrd during pam_acct_mgmt and not during pam_authenticate. > Do they skip checks or ignore if the provided password is valid or not ? > Should we think of forking a child in proxy and running it as the user > that is attempting the password change? (Assuming we know it ?) I think forking isn't needed here, because pam_sss should be kept simple. Send everything you know to sssd and wait for a response. bye, Sumit > > Otherwise the patch looks sane to me, so I'd give a tentative ack. > > Simo. > > _______________________________________________ > sssd-devel mailing list > sssd-devel@lists.fedorahosted.org > https://fedorahosted.org/mailman/listinfo/sssd-devel _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel