authorJeremy Allison <jra@samba.org>2001-04-23 20:43:20 +0000
committerJeremy Allison <jra@samba.org>2001-04-23 20:43:20 +0000
commit70b55a9abc109df0e15e3aa6f01c03d9acea154a (patch)
tree6162241535419dcfac785bf8d55b2a97c1bad0b0
parente00451106bc0365405f68195afcb6351bd2a55c0 (diff)
Added "obey pam restrictions" parameter - default to "off".
Only set this to "on" if you know you have your PAM set up correctly. NB: this doesn't apply to plaintext password authentication, which must use PAM when compiled in. Jeremy. (This used to be commit 59aa99f3901d098b7afbe675021bda53b62ee496)
-rw-r--r--source3/auth/pampass.c17
-rw-r--r--source3/include/proto.h1
-rw-r--r--source3/param/loadparm.c4
-rw-r--r--source3/passdb/pampass.c17
4 files changed, 39 insertions, 0 deletions
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
/*
* PAM Externally accessible Session handler
*/
+
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
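Review bot: The early `return True` added to smb_pam_session makes a skipped PAM session indistinguishable from one that PAM handled successfully, and nothing is logged when it happens. Because the parameter defaults to off, any session modules configured for the service are bypassed with no trace in the logs. A line such as `DEBUG(4, ("smb_pam_session: PAM session handling skipped (obey pam restrictions is off)\n"));` before the return would make that visible to an administrator. The same applies to the identical hunk in source3/passdb/pampass.c; the function body continues past the end of this hunk.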
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
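Review bot: The new guard in smb_pam_accountcheck sits after the assignments to `PAM_username` and `PAM_password`, which are not declared in the hunk and appear to be non-local, so they are overwritten even on a call that then skips PAM. Moving `if (!lp_obey_pam_restrictions()) return True;` ahead of those two assignments would avoid leaving state behind from a call that did nothing. With the parameter off, the function also reports success without consulting the PAM account stack, so its header comment should say that True can mean "not checked" rather than "account permitted". The function starts and ends outside the hunk, and the identical hunk in source3/passdb/pampass.c has the same ordering.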
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {
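Review bot: The added comment in smb_pam_passcheck explains why PAM cannot be skipped here but not what follows from it. This path still calls smb_pam_account after smb_pam_auth, so with "obey pam restrictions" off the PAM account checks apply to plaintext logons while smb_pam_accountcheck skips them. That asymmetry is worth stating in the comment, for example by appending `Account restrictions are therefore always enforced on this path, whatever "obey pam restrictions" is set to.` The function continues outside the hunk, and the same comment appears in the source3/passdb/pampass.c copy.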
diff --git a/source3/include/proto.h b/source3/include/proto.h
index ae9e8e914f..e4732f1f9f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1721,6 +1721,7 @@ BOOL lp_readbmpx(void);
BOOL lp_readraw(void);
BOOL lp_writeraw(void);
BOOL lp_null_passwords(void);
+BOOL lp_obey_pam_restrictions(void);
BOOL lp_strip_dot(void);
BOOL lp_encrypted_passwords(void);
BOOL lp_update_encrypted(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c29418ee87..042963d9e5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -249,6 +249,7 @@ typedef struct
BOOL bUpdateEncrypt;
BOOL bStripDot;
BOOL bNullPasswords;
+ BOOL bObeyPamRestrictions;
BOOL bLoadPrinters;
BOOL bUseRhosts;
BOOL bReadRaw;
@@ -678,6 +679,7 @@ static struct parm_struct parm_table[] = {
{"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, 0},
{"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, 0},
{"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
+ {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0},
{"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
{"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, 0},
{"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0},
@@ -1246,6 +1248,7 @@ static void init_globals(void)
Globals.bReadPrediction = False;
Globals.bReadbmpx = False;
Globals.bNullPasswords = False;
+ Globals.bObeyPamRestrictions = False;
Globals.bStripDot = False;
Globals.syslog = 1;
Globals.bSyslogOnly = False;
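Review bot: The `False` default set in init_globals means the PAM account and session checks guarded by lp_obey_pam_restrictions() are skipped unless an administrator turns the parameter on, and nothing next to the assignment records that this is deliberate. A comment on the line would do it, e.g. `/* Off by default: PAM account/session restrictions are skipped unless enabled in smb.conf. */`. The diffstat lists no documentation file, so the smb.conf manual page presumably has no entry for the new parameter yet; an entry describing what is and is not enforced in each setting would help people deploying it. init_globals starts and ends outside the hunk.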
@@ -1528,6 +1531,7 @@ FN_GLOBAL_BOOL(lp_readbmpx, &Globals.bReadbmpx)
FN_GLOBAL_BOOL(lp_readraw, &Globals.bReadRaw)
FN_GLOBAL_BOOL(lp_writeraw, &Globals.bWriteRaw)
FN_GLOBAL_BOOL(lp_null_passwords, &Globals.bNullPasswords)
+FN_GLOBAL_BOOL(lp_obey_pam_restrictions, &Globals.bObeyPamRestrictions)
FN_GLOBAL_BOOL(lp_strip_dot, &Globals.bStripDot)
FN_GLOBAL_BOOL(lp_encrypted_passwords, &Globals.bEncryptPasswords)
FN_GLOBAL_BOOL(lp_update_encrypted, &Globals.bUpdateEncrypt)
diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
/*
* PAM Externally accessible Session handler
*/
+
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {