summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/pampass.c17
-rw-r--r--source3/include/proto.h1
-rw-r--r--source3/param/loadparm.c4
-rw-r--r--source3/passdb/pampass.c17
4 files changed, 39 insertions, 0 deletions
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/auth/pampass.c
+++ b/source3/auth/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
/*
* PAM Externally accessible Session handler
*/
+
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {
diff --git a/source3/include/proto.h b/source3/include/proto.h
index ae9e8e914f..e4732f1f9f 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1721,6 +1721,7 @@ BOOL lp_readbmpx(void);
BOOL lp_readraw(void);
BOOL lp_writeraw(void);
BOOL lp_null_passwords(void);
+BOOL lp_obey_pam_restrictions(void);
BOOL lp_strip_dot(void);
BOOL lp_encrypted_passwords(void);
BOOL lp_update_encrypted(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c29418ee87..042963d9e5 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -249,6 +249,7 @@ typedef struct
BOOL bUpdateEncrypt;
BOOL bStripDot;
BOOL bNullPasswords;
+ BOOL bObeyPamRestrictions;
BOOL bLoadPrinters;
BOOL bUseRhosts;
BOOL bReadRaw;
@@ -678,6 +679,7 @@ static struct parm_struct parm_table[] = {
{"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, 0},
{"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, 0},
{"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
+ {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0},
{"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
{"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, 0},
{"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0},
@@ -1246,6 +1248,7 @@ static void init_globals(void)
Globals.bReadPrediction = False;
Globals.bReadbmpx = False;
Globals.bNullPasswords = False;
+ Globals.bObeyPamRestrictions = False;
Globals.bStripDot = False;
Globals.syslog = 1;
Globals.bSyslogOnly = False;
@@ -1528,6 +1531,7 @@ FN_GLOBAL_BOOL(lp_readbmpx, &Globals.bReadbmpx)
FN_GLOBAL_BOOL(lp_readraw, &Globals.bReadRaw)
FN_GLOBAL_BOOL(lp_writeraw, &Globals.bWriteRaw)
FN_GLOBAL_BOOL(lp_null_passwords, &Globals.bNullPasswords)
+FN_GLOBAL_BOOL(lp_obey_pam_restrictions, &Globals.bObeyPamRestrictions)
FN_GLOBAL_BOOL(lp_strip_dot, &Globals.bStripDot)
FN_GLOBAL_BOOL(lp_encrypted_passwords, &Globals.bEncryptPasswords)
FN_GLOBAL_BOOL(lp_update_encrypted, &Globals.bUpdateEncrypt)
diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
/*
* PAM Externally accessible Session handler
*/
+
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {