s3: Pass the rhost through smb_pam_accountcheck

5 files changed, 11 insertions, 8 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index d92d327721..cabff53180 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -18,6 +18,7 @@
 */
 
 #include "includes.h"
+#include "smbd/globals.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -284,7 +285,9 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 		if (!(*server_info)->guest) {
 			/* We might not be root if we are an RPC call */
 			become_root();
-			nt_status = smb_pam_accountcheck(unix_username);
+			nt_status = smb_pam_accountcheck(
+				unix_username,
+				smbd_server_conn->client_id.name);
 			unbecome_root();
 
 			if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index 50bfec1a0c..69a746747a 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -773,7 +773,7 @@ bool smb_pam_close_session(char *user, char *tty, char *rhost)
  * PAM Externally accessible Account handler
  */
 
-NTSTATUS smb_pam_accountcheck(const char * user)
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
 {
 	NTSTATUS nt_status = NT_STATUS_ACCOUNT_DISABLED;
 	pam_handle_t *pamh = NULL;
@@ -787,7 +787,7 @@ NTSTATUS smb_pam_accountcheck(const char * user)
 	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
 		return NT_STATUS_NO_MEMORY;
 
-	if (!smb_pam_start(&pamh, user, NULL, pconv))
+	if (!smb_pam_start(&pamh, user, rhost, pconv))
 		return NT_STATUS_ACCOUNT_DISABLED;
 
 	if (!NT_STATUS_IS_OK(nt_status = smb_pam_account(pamh, user)))
@@ -869,7 +869,7 @@ bool smb_pam_passchange(const char * user, const char * oldpassword, const char
 #else
 
 /* If PAM not used, no PAM restrictions on accounts. */
-NTSTATUS smb_pam_accountcheck(const char * user)
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost)
 {
 	return NT_STATUS_OK;
 }
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 50309a931c..43a510b4b2 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -221,10 +221,9 @@ NTSTATUS auth_wbc_init(void);
 
 bool smb_pam_claim_session(char *user, char *tty, char *rhost);
 bool smb_pam_close_session(char *user, char *tty, char *rhost);
-NTSTATUS smb_pam_accountcheck(const char * user);
+NTSTATUS smb_pam_accountcheck(const char *user, const char *rhost);
 NTSTATUS smb_pam_passcheck(const char * user, const char * password);
 bool smb_pam_passchange(const char * user, const char * oldpassword, const char * newpassword);
-NTSTATUS smb_pam_accountcheck(const char * user);
 bool smb_pam_claim_session(char *user, char *tty, char *rhost);
 bool smb_pam_close_session(char *in_user, char *tty, char *rhost);
 
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a476ed42ae..9ff5d55133 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -427,7 +427,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 		/* if a real user check pam account restrictions */
 		/* only really perfomed if "obey pam restriction" is true */
 		/* do this before an eventual mapping to guest occurs */
-		ret = smb_pam_accountcheck(pw->pw_name);
+		ret = smb_pam_accountcheck(pw->pw_name, sconn->client_id.name);
 		if (  !NT_STATUS_IS_OK(ret)) {
 			DEBUG(1,("PAM account restriction "
 				"prevents user login\n"));
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index df00b4f654..4a91e845fc 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -294,7 +294,8 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 		/* if a real user check pam account restrictions */
 		/* only really perfomed if "obey pam restriction" is true */
 		/* do this before an eventual mapping to guest occurs */
-		status = smb_pam_accountcheck(pw->pw_name);
+		status = smb_pam_accountcheck(
+			pw->pw_name, smb2req->sconn->client_id.name);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1,("smb2: PAM account restriction "
 				"prevents user login\n"));