From cb0402c2d3941a813e33b2b5e07c54b9ff644ca4 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 1 Dec 2006 15:06:34 +0000
Subject: r19980: Implement pam account stack checks when obey pam restrictions is true.
It was missing for security=server/domain/ads
Simo.
(This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
---
 source3/auth/auth_domain.c | 11 +++++++++++
 source3/auth/auth_server.c | 10 +++++++++-
 source3/auth/auth_unix.c | 9 ++++++++-
 source3/auth/auth_util.c | 2 +-
 4 files changed, 29 insertions(+), 3 deletions(-)
(limited to 'source3/auth')
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 8ad6329da9..6468c18cb0 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -269,6 +269,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 if (NT_STATUS_IS_OK(nt_status)) {
 (*server_info)->was_mapped |= user_info->was_mapped;
+
+ if ( ! (*server_info)->guest) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ cli_shutdown(cli);
+ return nt_status;
+ }
+ }
 }
 netsamlogon_cache_store( user_info->smb_name, &info3 );
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index 7ffea1ca11..8a8ecfa575 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
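Review bot: The early return after a failed smb_pam_accountcheck() only shuts down `cli` and leaves `*server_info` in place, although it is already allocated at that point (it is dereferenced for `was_mapped` two lines earlier); unless the caller is known to release it on a non-OK status, a denied logon leaks the half-built server_info, and if it is talloc-allocated like the `pass` released with TALLOC_FREE in the auth_server.c hunk, `TALLOC_FREE(*server_info);` before `return nt_status;` closes that. The denial message logs no account name, here and in the auth_server.c and auth_unix.c hunks, which makes a PAM account denial hard to attribute when reviewing logs; `DEBUG(1, ("PAM account restriction prevents user %s login\n", (*server_info)->unix_name));` (with `pass->pw_name` in the other two hunks) fixes that. The comment typo `perfomed` → `performed` recurs in all three hunks. domain_client_validate begins and ends outside the hunk.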
@@ -383,7 +383,15 @@ use this machine as the password server.\n"));
 if ( (pass = smb_getpwnam( NULL, user_info->internal_username, real_username, True )) != NULL ) {
- nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+
+ nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ }
 TALLOC_FREE(pass);
 } else
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index efe5203b23..837c932365 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -110,7 +110,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 if (NT_STATUS_IS_OK(nt_status)) {
 if (pass) {
- make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+ make_server_info_pw(server_info, pass->pw_name, pass);
+ }
 } else {
 /* we need to do somthing more useful here */
 nt_status = NT_STATUS_NO_SUCH_USER;
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 82a13fd9e7..357ca5f626 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -496,7 +496,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
 if ( token ) return token;
-
+
 if ( !(pw = sys_getpwnam( "root" )) ) {
 DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
 return NULL;
--
cgit
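Review bot: The else branch that now wraps make_server_info_pw() carries a stray blank line between `} else {` and the call; drop it so the branch reads like the equivalent one in the auth_unix.c hunk. As far as the hunk shows, a PAM denial leaves `nt_status` at whatever smb_pam_accountcheck() returned and `*server_info` unset while the function continues to `TALLOC_FREE(pass)`, which is correct only if every caller treats a non-OK status as "no server_info"; a one-line comment such as `/* on denial nt_status carries the PAM failure and *server_info is left unset */` would make that contract explicit. The enclosing function starts and ends outside the hunk.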
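Review bot: In the new else branch the return value of make_server_info_pw() is still discarded, while the parallel branch in the auth_server.c hunk assigns it to `nt_status`; because `nt_status` is OK at that point (the PAM check that just passed set it), a failure inside make_server_info_pw() would be reported to the caller as success with an unpopulated `*server_info`. If it returns NTSTATUS here as it does in auth_server.c, `nt_status = make_server_info_pw(server_info, pass->pw_name, pass);` closes that gap. check_unix_security begins and ends outside the hunk.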