From cb0402c2d3941a813e33b2b5e07c54b9ff644ca4 Mon Sep 17 00:00:00 2001
From: Simo Sorce <idra@samba.org>
Date: Fri, 1 Dec 2006 15:06:34 +0000
Subject: r19980: Implement pam account stack checks when obey pam restrictions
 is true. It was missing for security=server/domain/ads

Simo.
(This used to be commit 550f651499c22c3c11594a0a39061a8a9b438d82)
---
 source3/smbd/sesssetup.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'source3/smbd/sesssetup.c')

diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index ae6dd49663..11c5e9bbf9 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -292,6 +292,22 @@ static int reply_spnego_kerberos(connection_struct *conn,
 	username_was_mapped = map_username( user );
 
 	pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+	if (pw) {
+		/* if a real user check pam account restrictions */
+		/* only really perfomed if "obey pam restriction" is true */
+		/* do this before an eventual mappign to guest occurs */
+		ret = smb_pam_accountcheck(pw->pw_name);
+		if (  !NT_STATUS_IS_OK(ret)) {
+			DEBUG(1, ("PAM account restriction prevents user login\n"));
+			data_blob_free(&ap_rep);
+			data_blob_free(&session_key);
+			talloc_destroy(mem_ctx);
+			TALLOC_FREE(pw);
+			return ERROR_NT(nt_status_squash(ret));
+		}
+	}
+
 	if (!pw) {
 
 		/* this was originally the behavior of Samba 2.2, if a user
-- 
cgit