summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2001-04-18 04:34:42 +0000
committerJeremy Allison <jra@samba.org>2001-04-18 04:34:42 +0000
commita40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17 (patch)
tree6441541bd1582a2cd20448619fd0634556374856
parent0766f84a403354c46398690e69c138a27344aece (diff)
downloadsamba-a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17.tar.gz
samba-a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17.tar.bz2
samba-a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17.zip
patch from Steve Langasek <vorlon@netexpress.net> to make sure we
don't use pam_setcred() if we haven't called pam_authenticate() Merge from 2.2 Jeremy. (This used to be commit 89589895e3adce75ecd6205547392326cf291543)
-rw-r--r--source3/auth/pampass.c16
-rw-r--r--source3/passdb/pampass.c16
2 files changed, 22 insertions, 10 deletions
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 08f6027a88..271c46045b 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -61,8 +61,6 @@ static char *PAM_password;
static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
{
- int retval;
-
if( pam_error != PAM_SUCCESS)
{
DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error)));
@@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password)
/*
* PAM Account Handler
*/
-static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
+static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth)
{
int pam_error;
@@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
return False;
}
+ /* Skip the pam_setcred() call if we didn't use pam_authenticate()
+ for authentication -- it's an error to call pam_setcred without
+ calling pam_authenticate first */
+ if (!pam_auth) {
+ DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user));
+ return True;
+ }
+
/*
* This will allow samba to aquire a kerberos token. And, when
* exporting an AFS cell, be able to /write/ to this cell.
@@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user)
if( proc_pam_start(&pamh, user))
{
- if ( pam_account(pamh, user, NULL))
+ if ( pam_account(pamh, user, NULL, False))
{
return( proc_pam_end(pamh));
}
@@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password)
{
if ( pam_auth(pamh, user, password))
{
- if ( pam_account(pamh, user, password))
+ if ( pam_account(pamh, user, password, True))
{
return( proc_pam_end(pamh));
}
diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index 08f6027a88..271c46045b 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
@@ -61,8 +61,6 @@ static char *PAM_password;
static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
{
- int retval;
-
if( pam_error != PAM_SUCCESS)
{
DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error)));
@@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password)
/*
* PAM Account Handler
*/
-static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
+static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth)
{
int pam_error;
@@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
return False;
}
+ /* Skip the pam_setcred() call if we didn't use pam_authenticate()
+ for authentication -- it's an error to call pam_setcred without
+ calling pam_authenticate first */
+ if (!pam_auth) {
+ DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user));
+ return True;
+ }
+
/*
* This will allow samba to aquire a kerberos token. And, when
* exporting an AFS cell, be able to /write/ to this cell.
@@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user)
if( proc_pam_start(&pamh, user))
{
- if ( pam_account(pamh, user, NULL))
+ if ( pam_account(pamh, user, NULL, False))
{
return( proc_pam_end(pamh));
}
@@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password)
{
if ( pam_auth(pamh, user, password))
{
- if ( pam_account(pamh, user, password))
+ if ( pam_account(pamh, user, password, True))
{
return( proc_pam_end(pamh));
}