From 8602f82a78de4f8315c150da2166a5e3fa87b191 Mon Sep 17 00:00:00 2001
From: Gleb Popov <6yearold@gmail.com>
Date: Thu, 12 Dec 2024 10:18:42 +0300
Subject: [PATCH] pam: Do not prevent root from changing auth token

---
 src/sss_client/pam_sss.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 600c3616a6..5b8823ba52 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2756,9 +2756,6 @@ static int get_authtok_for_password_change(pam_handle_t *pamh,
     }
 
     if (pam_flags & PAM_PRELIM_CHECK) {
-        if (getuid() == 0 && !exp_data )
-            return PAM_SUCCESS;
-
         if (flags & PAM_CLI_FLAGS_USE_2FA
                 || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
                         && pi->otp_challenge != NULL)) {