summaryrefslogtreecommitdiff
path: root/source3/smbd
diff options
context:
space:
mode:
authorSimo Sorce <idra@samba.org>2006-12-01 15:06:34 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:16:17 -0500
commitcb0402c2d3941a813e33b2b5e07c54b9ff644ca4 (patch)
tree799a448568dc233247089b8068bd119d9c3f65b7 /source3/smbd
parentef8d6bf5f700dcfeec7919203da9c357c4f21e3f (diff)
downloadsamba-cb0402c2d3941a813e33b2b5e07c54b9ff644ca4.tar.gz
samba-cb0402c2d3941a813e33b2b5e07c54b9ff644ca4.tar.bz2
samba-cb0402c2d3941a813e33b2b5e07c54b9ff644ca4.zip
r19980: Implement pam account stack checks when obey pam restrictions is true.
It was missing for security=server/domain/ads Simo. (This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/sesssetup.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index ae6dd49663..11c5e9bbf9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -292,6 +292,22 @@ static int reply_spnego_kerberos(connection_struct *conn,
username_was_mapped = map_username( user );
pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+ if (pw) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ /* do this before an eventual mappign to guest occurs */
+ ret = smb_pam_accountcheck(pw->pw_name);
+ if ( !NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ data_blob_free(&ap_rep);
+ data_blob_free(&session_key);
+ talloc_destroy(mem_ctx);
+ TALLOC_FREE(pw);
+ return ERROR_NT(nt_status_squash(ret));
+ }
+ }
+
if (!pw) {
/* this was originally the behavior of Samba 2.2, if a user