-rw-r--r-- | source3/auth/pampass.c | 17 | ||||
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/param/loadparm.c | 4 | ||||
-rw-r--r-- | source3/passdb/pampass.c | 17 |
4 files changed, 39 insertions, 0 deletions
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, /* * PAM Externally accessible Session handler */ + BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + user = strdup(in_user); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user) PAM_username = user; PAM_password = NULL; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_account(pamh, user, NULL, False)) { return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password) PAM_username = user; PAM_password = password; + /* + * Note we can't ignore PAM here as this is the only + * way of doing auths on plaintext passwords when + * compiled --with-pam. + */ + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_auth(pamh, user, password)) { if ( smb_pam_account(pamh, user, password, True)) {
diff --git a/source3/include/proto.h b/source3/include/proto.h
index ae9e8e914f..e4732f1f9f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1721,6 +1721,7 @@ BOOL lp_readbmpx(void); BOOL lp_readraw(void); BOOL lp_writeraw(void); BOOL lp_null_passwords(void); +BOOL lp_obey_pam_restrictions(void); BOOL lp_strip_dot(void); BOOL lp_encrypted_passwords(void); BOOL lp_update_encrypted(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c29418ee87..042963d9e5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
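Review bot: The early `return True` in smb_pam_session reports success to the caller without leaving any trace that PAM session handling was skipped, and the same silent return is added to smb_pam_accountcheck in the next hunk and to both functions in source3/passdb/pampass.c. A debug line before each return, for example `DEBUG(4, ("smb_pam_session: PAM skipped, 'obey pam restrictions' is off\n"));`, would let an administrator tell from the log whether PAM modules were consulted for a connection. The option is also read on every call, so if `flag` selects open versus close (not visible in this hunk) a configuration reload between the two calls could leave a PAM session opened but never closed. The body of smb_pam_session continues outside the hunk, so this needs checking against the rest of the function.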
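Review bot: In smb_pam_accountcheck the new guard sits after `PAM_username = user; PAM_password = NULL;`, so those variables, which appear to be shared outside this function, are still overwritten with the caller's pointer on a path that never starts PAM. Moving `if (!lp_obey_pam_restrictions()) return True;` above the two assignments keeps the skipped path free of side effects. The function's start and end are outside the hunk, so the declarations there may constrain where the guard can go.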
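Review bot: The new comment in smb_pam_passcheck explains why authentication cannot be skipped, but it does not say that `smb_pam_account(pamh, user, password, True)` below it still runs when `obey pam restrictions` is off. As written, plaintext logins always pass through PAM account management while smb_pam_accountcheck returns True without it, so the two login paths enforce different account restrictions under the same setting. I would extend the comment with a line such as `* Account restrictions are therefore still applied on this path.`, or gate the smb_pam_account call on the option if that difference is not intended.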
@@ -249,6 +249,7 @@ typedef struct BOOL bUpdateEncrypt; BOOL bStripDot; BOOL bNullPasswords; + BOOL bObeyPamRestrictions; BOOL bLoadPrinters; BOOL bUseRhosts; BOOL bReadRaw;
@@ -678,6 +679,7 @@ static struct parm_struct parm_table[] = { {"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, 0}, {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, 0}, {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0}, + {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0}, {"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0}, {"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, 0}, {"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0},
@@ -1246,6 +1248,7 @@ static void init_globals(void) Globals.bReadPrediction = False; Globals.bReadbmpx = False; Globals.bNullPasswords = False; + Globals.bObeyPamRestrictions = False; Globals.bStripDot = False; Globals.syslog = 1; Globals.bSyslogOnly = False;
@@ -1528,6 +1531,7 @@ FN_GLOBAL_BOOL(lp_readbmpx, &Globals.bReadbmpx) FN_GLOBAL_BOOL(lp_readraw, &Globals.bReadRaw) FN_GLOBAL_BOOL(lp_writeraw, &Globals.bWriteRaw) FN_GLOBAL_BOOL(lp_null_passwords, &Globals.bNullPasswords) +FN_GLOBAL_BOOL(lp_obey_pam_restrictions, &Globals.bObeyPamRestrictions) FN_GLOBAL_BOOL(lp_strip_dot, &Globals.bStripDot) FN_GLOBAL_BOOL(lp_encrypted_passwords, &Globals.bEncryptPasswords) FN_GLOBAL_BOOL(lp_update_encrypted, &Globals.bUpdateEncrypt)
diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
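Review bot: `Globals.bObeyPamRestrictions = False;` in init_globals makes skipping PAM the default. Judging by the pampass.c hunks, smb_pam_accountcheck and smb_pam_session called into PAM unconditionally before this commit, so an existing --with-pam installation stops applying PAM account and session rules after upgrading unless the administrator sets `obey pam restrictions = yes`. That is a fail-open default for an access-control setting, and none of the four files in this commit documents it. A comment on the assignment such as `/* PAM account/session checks stay off unless explicitly enabled */`, together with an smb.conf manual entry, would make the change in behaviour visible; defaulting to True would keep the earlier enforcement if that is preferred.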
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, /* * PAM Externally accessible Session handler */ + BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost) { pam_handle_t *pamh = NULL; char * user; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + user = strdup(in_user); if ( user == NULL ) { DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user) PAM_username = user; PAM_password = NULL; + /* Ignore PAM if told to. */ + + if (!lp_obey_pam_restrictions()) + return True; + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_account(pamh, user, NULL, False)) { return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password) PAM_username = user; PAM_password = password; + /* + * Note we can't ignore PAM here as this is the only + * way of doing auths on plaintext passwords when + * compiled --with-pam. + */ + if( smb_pam_start(&pamh, user, NULL)) { if ( smb_pam_auth(pamh, user, password)) { if ( smb_pam_account(pamh, user, password, True)) { |
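Review bot: source3/passdb/pampass.c receives exactly the hunks applied to source3/auth/pampass.c, and both file headers show the same blob ids (f91f472603..9f4a8f57b9), so the tree carries two identical copies of the PAM gating code. If both are still compiled, any later fix to the `lp_obey_pam_restrictions()` checks has to be made twice, and a missed copy would leave one path enforcing a different policy. It would be worth confirming which copy the build uses and removing the other, or adding a comment at the top of the unused file saying it is superseded.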