* Add support for credential reinitialization in pam_group, closes: #108697
  * By default do complete matches not substring matches for pam_time.
    You can include explicit wildcard for substring, closes: #66152 

Index: Linux-PAM/modules/pam_time/pam_time.c
===================================================================
--- Linux-PAM/modules/pam_time/pam_time.c.orig
+++ Linux-PAM/modules/pam_time/pam_time.c
@@ -324,7 +324,11 @@
 		    return FALSE;
 	  }
      }
-     return ( !len );
+     /* By this point we know that we didn't treat a * in b as a wildcard.
+	the only way we got done with the loop is if we consumed every
+	character in b.  Thus the strings are equal if their
+	lengths are the same otherwise not equal. */
+     return (strlen (a) == strlen (b));
 }
 
 typedef struct {
Index: Linux-PAM/modules/pam_group/pam_group.c
===================================================================
--- Linux-PAM/modules/pam_group/pam_group.c.orig
+++ Linux-PAM/modules/pam_group/pam_group.c
@@ -758,9 +758,12 @@
     unsigned setting;
 
     /* only interested in establishing credentials */
+    /* PAM docs say that an empty flag is to be treated as PAM_ESTABLISH_CRED.
+       Some people just pass PAM_SILENT, so cope with it, too. */
 
     setting = flags;
-    if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))) {
+    if (!(setting & (PAM_ESTABLISH_CRED | PAM_REINITIALIZE_CRED))
+        && (setting != 0) && (setting != PAM_SILENT)) {
 	D(("ignoring call - not for establishing credentials"));
 	return PAM_SUCCESS;            /* don't fail because of this */
     }