5 files changed, 45 insertions, 3 deletions

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 8ad6329da9..6468c18cb0 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -269,6 +269,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			(*server_info)->was_mapped |= user_info->was_mapped;
+
+			if ( ! (*server_info)->guest) {
+				/* if a real user check pam account restrictions */
+				/* only really perfomed if "obey pam restriction" is true */
+				nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+				if (  !NT_STATUS_IS_OK(nt_status)) {
+					DEBUG(1, ("PAM account restriction prevents user login\n"));
+					cli_shutdown(cli);
+					return nt_status;
+				}
+			}
 		}
 
 		netsamlogon_cache_store( user_info->smb_name, &info3 );
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index 7ffea1ca11..8a8ecfa575 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -383,7 +383,15 @@ use this machine as the password server.\n"));
 		if ( (pass = smb_getpwnam( NULL, user_info->internal_username, 
 			real_username, True )) != NULL ) 
 		{
-			nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+			/* if a real user check pam account restrictions */
+			/* only really perfomed if "obey pam restriction" is true */
+			nt_status = smb_pam_accountcheck(pass->pw_name);
+			if (  !NT_STATUS_IS_OK(nt_status)) {
+				DEBUG(1, ("PAM account restriction prevents user login\n"));
+			} else {
+
+				nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+			}
 			TALLOC_FREE(pass);
 		}
 		else
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index efe5203b23..837c932365 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -110,7 +110,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		if (pass) {
-			make_server_info_pw(server_info, pass->pw_name, pass);
+			/* if a real user check pam account restrictions */
+			/* only really perfomed if "obey pam restriction" is true */
+			nt_status = smb_pam_accountcheck(pass->pw_name);
+			if (  !NT_STATUS_IS_OK(nt_status)) {
+				DEBUG(1, ("PAM account restriction prevents user login\n"));
+			} else {
+				make_server_info_pw(server_info, pass->pw_name, pass);
+			}
 		} else {
 			/* we need to do somthing more useful here */
 			nt_status = NT_STATUS_NO_SUCH_USER;
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 82a13fd9e7..357ca5f626 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -496,7 +496,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
 	
 	if ( token )
 		return token;
-		
+
 	if ( !(pw = sys_getpwnam( "root" )) ) {
 		DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
 		return NULL;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index ae6dd49663..11c5e9bbf9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -292,6 +292,22 @@ static int reply_spnego_kerberos(connection_struct *conn,
 	username_was_mapped = map_username( user );
 
 	pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+	if (pw) {
+		/* if a real user check pam account restrictions */
+		/* only really perfomed if "obey pam restriction" is true */
+		/* do this before an eventual mappign to guest occurs */
+		ret = smb_pam_accountcheck(pw->pw_name);
+		if (  !NT_STATUS_IS_OK(ret)) {
+			DEBUG(1, ("PAM account restriction prevents user login\n"));
+			data_blob_free(&ap_rep);
+			data_blob_free(&session_key);
+			talloc_destroy(mem_ctx);
+			TALLOC_FREE(pw);
+			return ERROR_NT(nt_status_squash(ret));
+		}
+	}
+
 	if (!pw) {
 
 		/* this was originally the behavior of Samba 2.2, if a user