Commit of a modified version of Andrew Bartlett's patch that removes the

horrid utmp hostname parameter - now uses the client name instead.
Also tidies up some of the unencrypted password checking when PAM
is compiled in.
FIXME ! An pam_accountcheck() is being called even when smb encrypted
passwords are negotiated. Is this the correct thing to do when winbindd
is running ! This needs *SEVERE* testing....
Jeremy.
(This used to be commit 071c799f479dd25efdb9c41745fc8f2beea7b568)

1 files changed, 14 insertions, 5 deletions

diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 6c0fe79845..698c6a1356 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -606,24 +606,33 @@ return True if the password is correct, False otherwise
 ****************************************************************************/
 BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd)
 {
+	BOOL ret;
+
 	if ((pwlen == 0) && !lp_null_passwords()) {
 		DEBUG(4,("Null passwords not allowed.\n"));
 		return False;
 	}
 
-	if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords()))
-	{
+	if (pwlen == 24 || (lp_encrypted_passwords() && (pwlen == 0) && lp_null_passwords())) {
 		/* if 24 bytes long assume it is an encrypted password */
 		uchar challenge[8];
 
-		if (!last_challenge(challenge))
-		{
+		if (!last_challenge(challenge)) {
 			DEBUG(0,("Error: challenge not done for user=%s\n", user));
 			return False;
 		}
 
-		return pass_check_smb(user, global_myworkgroup,
+		ret = pass_check_smb(user, global_myworkgroup,
 		                      challenge, (uchar *)password, (uchar *)password, pwd);
+
+		/*
+		 * Try with PAM (may not be compiled in - returns True if not. JRA).
+		 * FIXME ! Should this be called if we're using winbindd ? What about
+		 * non-local accounts ? JRA.
+		 */
+
+		if (ret)
+			return pam_accountcheck(user);
 	} 
 
 	return pass_check(user, password, pwlen, pwd,