1 files changed, 11 insertions, 5 deletions

diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index 08f6027a88..271c46045b 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
@@ -61,8 +61,6 @@ static char *PAM_password;
 static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
 {
 
-	int retval;
-
        	if( pam_error != PAM_SUCCESS)
 	{
 		DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error)));
@@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password)
 /* 
  * PAM Account Handler
  */
-static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
+static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth)
 {
 	int pam_error;
 
@@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
 		return False;
 	}
 
+	/* Skip the pam_setcred() call if we didn't use pam_authenticate()
+	   for authentication -- it's an error to call pam_setcred without
+	   calling pam_authenticate first */
+	if (!pam_auth) {
+		DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user));
+		return True;
+	}
+
 	/*
 	 * This will allow samba to aquire a kerberos token. And, when
 	 * exporting an AFS cell, be able to /write/ to this cell.
@@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user)
 
 	if( proc_pam_start(&pamh, user))
 	{
-			if ( pam_account(pamh, user, NULL))
+			if ( pam_account(pamh, user, NULL, False))
 			{
 				return( proc_pam_end(pamh));
 			}
@@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password)
 	{
 		if ( pam_auth(pamh, user, password))
 		{
-			if ( pam_account(pamh, user, password))
+			if ( pam_account(pamh, user, password, True))
 			{
 				return( proc_pam_end(pamh));
 			}