* Add support for credential reinitialization in pam_group, closes: #108697 * Only log unknown user at warning, not alert, closes: #95220 * By default do complete matches not substring matches for pam_time. You can include explicit wildcard for substring, closes: #66152 Index: Linux-PAM/modules/pam_unix/support.c =================================================================== --- Linux-PAM/modules/pam_unix/support.c.orig +++ Linux-PAM/modules/pam_unix/support.c @@ -676,7 +676,7 @@ if (on(UNIX_AUDIT, ctrl)) { /* this might be a typo and the user has given a password instead of a username. Careful with this. */ - pam_syslog(pamh, LOG_ALERT, + pam_syslog(pamh, LOG_WARNING, "check pass; user (%s) unknown", name); } else { name = NULL; Index: Linux-PAM/modules/pam_unix/unix_chkpwd.c =================================================================== --- Linux-PAM/modules/pam_unix/unix_chkpwd.c.orig +++ Linux-PAM/modules/pam_unix/unix_chkpwd.c @@ -179,7 +179,7 @@ } } if (pwd == NULL || salt == NULL) { - _log_err(LOG_ALERT, "check pass; user unknown"); + _log_err(LOG_WARNING, "check pass; user unknown"); p = NULL; return PAM_USER_UNKNOWN; } Index: Linux-PAM/modules/pam_time/pam_time.c =================================================================== --- Linux-PAM/modules/pam_time/pam_time.c.orig +++ Linux-PAM/modules/pam_time/pam_time.c @@ -324,7 +324,11 @@ return FALSE; } } - return ( !len ); + /* By this point we know that we didn't treat a * in b as a wildcard. + the only way we got done with the loop is if we consumed every + character in b. Thus the strings are equal if their + lengths are the same otherwise not equal. */ + return (strlen (a) == strlen (b)); } typedef struct { Index: Linux-PAM/modules/pam_group/pam_group.c =================================================================== --- Linux-PAM/modules/pam_group/pam_group.c.orig +++ Linux-PAM/modules/pam_group/pam_group.c 
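Review bot: The `pam_syslog` call in the support.c hunk still writes `name` into the log, and the comment directly above it warns that this value may be a password typed at the username prompt; lowering the priority from `LOG_ALERT` to `LOG_WARNING` can change which syslog destination receives it. The facility `pam_syslog` uses is not visible in this hunk, so it is worth confirming that warning-level messages from this module land in a file with the same restricted permissions as the alert-level ones did. I would record that next to the call, e.g. `/* name may be a mistyped password: the log target for this priority must not be world-readable */`. The same priority change in unix_chkpwd.c logs no name, but any monitoring rule keyed on alert priority for "check pass; user unknown" will stop matching after both hunks. The enclosing function starts and ends outside the hunk.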
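Review bot: `strlen (b)` in the new return of the pam_time.c hunk assumes `b` is NUL-terminated exactly at the end of the token being compared, but the removed `return ( !len );` shows the function works from an explicit length, which suggests `b` may point into a longer rule string. If that is the case (the caller and the loop are outside the hunk), `strlen (b)` counts past the token and an exact match inside a list of alternatives would be reported as unequal, which changes which pam_time access rules apply. Comparing against the characters already consumed avoids this, for example `return (a[n] == '\0');`, where `n` is a placeholder for the count the loop compared. The added comment should also say whether `b` is length-delimited or NUL-terminated, so the next reader does not have to check the caller.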
@@ -758,9 +758,12 @@ unsigned setting; /* only interested in establishing credentials */ + /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED. + Some people just pass PAM_SILENT, so cope with it, too. */ setting = flags; - if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) { + if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED)) + && (setting != 0) && (setting != PAM_SILENT)) { D(("ignoring call - not for establishing credentials")); return PAM_SUCCESS; /* don't fail because of this */ }
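Review bot: The added `(setting != 0) && (setting != PAM_SILENT)` tests spell out "no credential action requested" as two special cases; masking the silent bit says it directly: `if ((setting & ~PAM_SILENT) && !(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {`. With either form, calls that pass no action flag now continue past this guard instead of returning early, so the older comment `/* only interested in establishing credentials */` and the debug string no longer describe the whole condition. The code after the guard is outside the hunk; since it presumably assigns group memberships, I would extend the comment to state that an empty or silent-only flag is deliberately treated as an establish request and which callers are expected to rely on that.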