--- samba/source/nsswitch/pam_winbind.c Sun Apr 4 00:37:18 2004
+++ samba.mtech/source/nsswitch/pam_winbind.c Tue Jul 13 10:30:41 2004
@@ -420,6 +420,7 @@
 const char *username;
 const char *password;
 int retval = PAM_AUTH_ERR;
+ static char buf[256] = {0};
 /* parse arguments */
 int ctrl = _pam_parse(argc, argv);
@@ -454,7 +455,23 @@
 }
 /* Now use the username to look up password */
- return winbind_auth_request(username, password, ctrl);
+ retval = winbind_auth_request(username, password, ctrl);
+
+ sprintf(buf, "%d", retval);
+ if(pam_set_data(pamh, "winbind_auth_retval", buf, NULL) != PAM_SUCCESS) {
+ _pam_log(LOG_WARNING, "pam_sm_authenticate return code %d cannot be saved for pam_sm_acct_mgmt", retval);
+ return PAM_BAD_ITEM;
+ }
+ switch (retval) {
+ case PAM_AUTHTOK_EXPIRED:
+ _pam_log(LOG_WARNING, "pam_sm_authenticate would return PAM_AUTHTOK_EXPIRED, returning PAM_SUCCESS instead");
+ return PAM_SUCCESS;
+ case PAM_NEW_AUTHTOK_REQD:
+ _pam_log(LOG_WARNING, "pam_sm_authenticate would return PAM_NEW_AUTHTOK_REQD, returning PAM_SUCCESS instead");
+ return PAM_SUCCESS;
+ default:
+ return retval;
+ }
 }
 PAM_EXTERN
@@ -474,6 +491,7 @@
 {
 const char *username;
 int retval = PAM_USER_UNKNOWN;
+ char *ptr = NULL;
 /* parse arguments */
 int ctrl = _pam_parse(argc, argv);
@@ -503,7 +521,7 @@
 case 0:
 /* Otherwise, the authentication looked good */
 _pam_log(LOG_NOTICE, "user '%s' granted acces", username);
- return PAM_SUCCESS;
+ break;
 default:
 /* we don't know anything about this return value */
 _pam_log(LOG_ERR, "internal module error (retval = %d, user = `%s'",
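Review bot: The `static char buf[256]` added at the top of `pam_sm_authenticate` is the object the next hunk hands to `pam_set_data()`, so every PAM handle in the process shares one result buffer and a later authentication overwrites the value an earlier handle will read back in `pam_sm_acct_mgmt`. In a process that handles more than one login at a time, the password-expiry decision for one user can then be dropped or taken from another user's result. Store per-handle data instead, for example `int *saved = malloc(sizeof *saved);` filled with `retval` and passed to `pam_set_data()` together with a cleanup callback that frees it in place of `NULL`; that also removes the `sprintf`/`atoi` round trip. The function body starts and ends outside this hunk.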
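Review bot: Mapping `PAM_AUTHTOK_EXPIRED` and `PAM_NEW_AUTHTOK_REQD` to `PAM_SUCCESS` in the new switch makes expiry enforcement depend entirely on `pam_sm_acct_mgmt` running later on the same handle. A service whose configuration omits pam_winbind from the `account` stack, or an application that never calls `pam_acct_mgmt()`, would accept an expired password as a clean login. State that dependency in a comment above the switch, such as `/* expiry is only enforced in pam_sm_acct_mgmt; pam_winbind must also be configured for account */`, and consider making the deferral opt-in through a module argument (whether the existing `ctrl` flags have room for one is not visible from this hunk). Separately, `%d` cannot overflow `buf`, but `snprintf(buf, sizeof buf, "%d", retval);` keeps the bound explicit.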
@@ -511,6 +529,23 @@
 return PAM_SERVICE_ERR;
 }
+ if( pam_get_data(pamh, "winbind_auth_retval", (const void **)&ptr) != PAM_SUCCESS ) {
+ _pam_log(LOG_WARNING, "pam_sm_acct_mgmt cannot retrieve pam_sm_authenticate return value");
+ return retval;
+ }
+
+ retval = atoi( ptr );
+ switch (retval) {
+ case PAM_AUTHTOK_EXPIRED:
+ _pam_log(LOG_WARNING, "pam_sm_acct_mgmt would return PAM_AUTHTOK_EXPIRED");
+ /* fall through, since new token is required in this case */
+ case PAM_NEW_AUTHTOK_REQD:
+ _pam_log(LOG_WARNING, "pam_sm_acct_mgmt returning PAM_NEW_AUTHTOK_REQD");
+ return retval;
+ default:
+ return PAM_SUCCESS;
+ }
+
 /* should not be reached */
 return PAM_IGNORE;
 }
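Review bot: In the `PAM_AUTHTOK_EXPIRED` case the code logs "returning PAM_NEW_AUTHTOK_REQD" and falls through, but the shared `return retval;` still returns `PAM_AUTHTOK_EXPIRED`, contradicting both the log text and the fall-through comment; it should be `return PAM_NEW_AUTHTOK_REQD;`. The `pam_get_data` failure path returns the earlier `retval`, which appears to be 0 on this path now that `case 0` breaks instead of returning, so an account check with no preceding pam_winbind authentication on the same handle skips the expiry check; that deserves a comment such as `/* no saved auth result: expiry state unknown, keep the previous behaviour */`. `atoi( ptr )` cannot report a malformed value, so parse with `strtol` and an end-pointer check, or store an `int` directly. The function starts outside this hunk.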