From 70b55a9abc109df0e15e3aa6f01c03d9acea154a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 23 Apr 2001 20:43:20 +0000
Subject: Added "obey pam restrictions" parameter - default to "off". Only set this to "on" if you know you have your PAM set up correctly..... NB. Doesn't apply to plaintext password authentication, which must use pam when compiled in. Jeremy. (This used to be commit 59aa99f3901d098b7afbe675021bda53b62ee496)
---
source3/passdb/pampass.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
(limited to 'source3/passdb/pampass.c')
diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index f91f472603..9f4a8f57b9 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
 /*
 * PAM Externally accessible Session handler
 */
+
 BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
 {
 pam_handle_t *pamh = NULL;
 char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
 user = strdup(in_user);
 if ( user == NULL ) {
 DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
 PAM_username = user;
 PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
 if( smb_pam_start(&pamh, user, NULL)) {
 if ( smb_pam_account(pamh, user, NULL, False)) {
 return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
 PAM_username = user;
 PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
 if( smb_pam_start(&pamh, user, NULL)) {
 if ( smb_pam_auth(pamh, user, password)) {
 if ( smb_pam_account(pamh, user, password, True)) {
-- cgit
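Review bot: The early return added at the top of smb_pam_session is silent, so when "obey pam restrictions" is off the logs give no sign that the PAM session stack was never opened or closed for this user. A low-priority trace before the return, e.g. `DEBUG(4, ("PAM: session handling skipped, obey pam restrictions is off\n"));`, would make that visible; the `if` then needs braces. The same applies to the identical check added in smb_pam_accountcheck. The function body continues past the end of the hunk.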
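Review bot: In smb_pam_accountcheck the new check sits after `PAM_username = user;` and `PAM_password = NULL;`, whereas in smb_pam_session it is the first statement after the declarations. On the skip path those two variables (which look like file-scope state; their declarations are outside the hunk) are still overwritten with the caller's pointer even though no PAM conversation follows. Moving `if (!lp_obey_pam_restrictions()) return True;` above the two assignments keeps the skip path free of side effects and matches the other function.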
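Review bot: The comment added in smb_pam_passcheck explains why authentication cannot be skipped, but it does not mention that the visible code also still calls `smb_pam_account(pamh, user, password, True)` on this path. With the parameter off, the account check therefore still runs for plaintext logins while smb_pam_accountcheck returns True without it, and a reader cannot tell whether that asymmetry is intended. I would extend the comment with a line such as `* The PAM account check below also still runs, regardless of "obey pam restrictions".` The function body continues outside the hunk.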