summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2006-12-01 15:06:34 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:17 -0500
commitcb0402c2d3941a813e33b2b5e07c54b9ff644ca4 (patch)
tree799a448568dc233247089b8068bd119d9c3f65b7
parentef8d6bf5f700dcfeec7919203da9c357c4f21e3f (diff)
downloadsamba-cb0402c2d3941a813e33b2b5e07c54b9ff644ca4.tar.gz
samba-cb0402c2d3941a813e33b2b5e07c54b9ff644ca4.tar.bz2
samba-cb0402c2d3941a813e33b2b5e07c54b9ff644ca4.zip
r19980: Implement pam account stack checks when obey pam restrictions is true.
It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
-rw-r--r--source3/auth/auth_domain.c11
-rw-r--r--source3/auth/auth_server.c10
-rw-r--r--source3/auth/auth_unix.c9
-rw-r--r--source3/auth/auth_util.c2
-rw-r--r--source3/smbd/sesssetup.c16
5 files changed, 45 insertions, 3 deletions
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 8ad6329da9..6468c18cb0 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -269,6 +269,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
if (NT_STATUS_IS_OK(nt_status)) {
(*server_info)->was_mapped |= user_info->was_mapped;
+
+ if ( ! (*server_info)->guest) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ cli_shutdown(cli);
+ return nt_status;
+ }
+ }
}
netsamlogon_cache_store( user_info->smb_name, &info3 );
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index 7ffea1ca11..8a8ecfa575 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -383,7 +383,15 @@ use this machine as the password server.\n"));
if ( (pass = smb_getpwnam( NULL, user_info->internal_username,
real_username, True )) != NULL )
{
- nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+
+ nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ }
TALLOC_FREE(pass);
}
else
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index efe5203b23..837c932365 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -110,7 +110,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
if (NT_STATUS_IS_OK(nt_status)) {
if (pass) {
- make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+ make_server_info_pw(server_info, pass->pw_name, pass);
+ }
} else {
/* we need to do somthing more useful here */
nt_status = NT_STATUS_NO_SUCH_USER;
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 82a13fd9e7..357ca5f626 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -496,7 +496,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
if ( token )
return token;
-
+
if ( !(pw = sys_getpwnam( "root" )) ) {
DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
return NULL;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index ae6dd49663..11c5e9bbf9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -292,6 +292,22 @@ static int reply_spnego_kerberos(connection_struct *conn,
username_was_mapped = map_username( user );
pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+ if (pw) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ /* do this before an eventual mappign to guest occurs */
+ ret = smb_pam_accountcheck(pw->pw_name);
+ if ( !NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ data_blob_free(&ap_rep);
+ data_blob_free(&session_key);
+ talloc_destroy(mem_ctx);
+ TALLOC_FREE(pw);
+ return ERROR_NT(nt_status_squash(ret));
+ }
+ }
+
if (!pw) {
/* this was originally the behavior of Samba 2.2, if a user