[PATCH] PAM changes to use a single NT_STATUS switch

Andrew Bartlett abartlet at pcug.org.au
Sat May 12 12:03:01 GMT 2001


The attached patch is a rework of my previous patch on this subject,
modified to make the diff readable, and removing some of the unneeded
changes.  It has been tested with smbclient, but my NT installation is a
tad jiggered at the moment - as I tried to figure out why it wouldn't
work.  (I eventually found that NT doesn't like plain-text passwords for
domain logons :-(, something I had set for some earlier debugging).  The
error messages on both sides could use some work.  (And I'll have to
remember:  Negative password/packet lengths == NT not liking plaintext).

However, the concepts in this patch are quite tested, as noted in the
previous patch on this subject.

The patch includes my previous patch (the one-liner NT_STATUS
fix).

I would still like to see the functions re-ordered, but the patch for
that looks too scary, so I won't frighten you with it now.

Tested in combination with the pass_check NT_STATUS patch, in a separate
e-mail.  It should however be independent of that patch.

-- 
Andrew Bartlett
abartlet at pcug.org.au
-------------- next part --------------
Index: source/passdb/pampass.c
===================================================================
RCS file: /cvsroot/samba/source/passdb/pampass.c,v
retrieving revision 1.1.2.25
diff -u -r1.1.2.25 pampass.c
--- source/passdb/pampass.c	9 May 2001 21:14:42 -0000	1.1.2.25
+++ source/passdb/pampass.c	12 May 2001 11:17:24 -0000
@@ -41,6 +41,14 @@
  *   which determines what actions/limitations/allowances become affected.
  *********************************************************************/
 
+/********************************************************************
+ WARNING:  NT_STATUS codes ahead!
+ All externally accessable functions in this file return NT_STATUS
+ constants.  This means that if (smb_pam_whatever()) will give exactly
+ the oppisite result, use if (smb_pam_whatever() == NT_STATUS_NOPROBLEMO)
+ instead.
+**********************************************************************/
+
 #include <security/pam_appl.h>
 
 /*
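Review bot: The new header comment misspells two words that readers will grep for: "accessable" should be "accessible" and "oppisite" should be "opposite". The point it makes is worth keeping, since the rest of the patch changes several BOOL-returning functions to uint32 NT_STATUS where a bare truth test inverts the meaning; I would also state the convention explicitly, e.g. `NT_STATUS_NOPROBLEMO (0) means success; any non-zero value is a failure code.`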
@@ -71,6 +79,7 @@
 	if( pam_error != PAM_SUCCESS) {
 		DEBUG(dbglvl, ("smb_pam_error_handler: PAM: %s : %s\n",
 				msg, pam_strerror(pamh, pam_error)));
+		
 		return False;
 	}
 	return True;
@@ -82,16 +91,127 @@
 *********************************************************************/
 
 static BOOL smb_pam_nt_status_error_handler(pam_handle_t *pamh, int pam_error,
-							char *msg, int dbglvl, uint32 *nt_status)
+					    char *msg, int dbglvl, uint32 *nt_status,
+					    char *user)
 {
+	switch( pam_error ){
+	case PAM_SUCCESS:
+		DEBUG(5, ("smb_pam_nt_status_error_handler: PAM successful, would be '%s' for failure.\n", msg));
+		*nt_status = NT_STATUS_NOPROBLEMO;
+		break;
+	case PAM_OPEN_ERR:
+	case PAM_SYMBOL_ERR:
+	case PAM_SERVICE_ERR:
+	case PAM_SYSTEM_ERR:
+	case PAM_BUF_ERR:
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	case PAM_PERM_DENIED:
+		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: Permission denied.\n"));
+		*nt_status = NT_STATUS_ACCESS_DENIED;
+		break;
+	case PAM_AUTH_ERR:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: Authentication Error for user %s\n", user));
+		*nt_status = NT_STATUS_WRONG_PASSWORD;
+		break;
+	case PAM_CRED_INSUFFICIENT:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: Insufficient Credentials for user %s\n", user));
+		*nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO; /* FIXME:  Is this correct? */
+		break;
+	case PAM_AUTHINFO_UNAVAIL:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: Authentication Information Unavailable for user %s\n", user));
+		*nt_status = NT_STATUS_LOGON_FAILURE;
+		break;
+	case PAM_USER_UNKNOWN:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: Username %s NOT known to PAM\n", user));
+		*nt_status = NT_STATUS_NO_SUCH_USER;
+		break;
+	case PAM_MAXTRIES:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
+		*nt_status = NT_STATUS_REMOTE_SESSION_LIMIT; /* FIXME:  Is this correct? */
+		break;
+	case PAM_NEW_AUTHTOK_REQD:
+		DEBUG(3, ("smb_pam_nt_status_error_handler: PAM: Immidiate password change required for user %s\n", user));
+		*nt_status = NT_STATUS_PASSWORD_MUST_CHANGE;
+		break;
+	case PAM_ACCT_EXPIRED:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: User %s no longer permitted to access system\n", user));
+		*nt_status = NT_STATUS_ACCOUNT_EXPIRED;
+		break;
+	case PAM_SESSION_ERR:
+		DEBUG(1, ("smb_pam_nt_status_error_handler: PAM: Session denied for user %s\n", user));		
+		*nt_status = NT_STATUS_INSUFFICIENT_RESOURCES;
+		break;
+	case PAM_CRED_UNAVAIL:
+		DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
+		*nt_status = NT_STATUS_NO_TOKEN;  /* FIXME:  Is this correct? */
+		break;
+	case PAM_CRED_EXPIRED:
+		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
+		*nt_status = NT_STATUS_PASSWORD_EXPIRED;  /* FIXME:  Is this correct? */
+		break;
+	case PAM_CRED_ERR:
+		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+		
+/* 18-19 */
+
+	case PAM_AUTHTOK_ERR:
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+	break;
+#if defined(PAM_AUTHTOK_RECOVERY_ERR) && !defined(PAM_AUTHTOK_RECOVER_ERR)
+#define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
+#endif	
+	case PAM_AUTHTOK_RECOVER_ERR:
+		DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	case PAM_AUTHTOK_LOCK_BUSY:
+		DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
+		break;
+	case PAM_AUTHTOK_DISABLE_AGING:
+		DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	case PAM_TRY_AGAIN:
+		DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	case PAM_IGNORE:
+		*nt_status = NT_STATUS_UNSUCCESSFUL;  /* FIXME:  What should we do here? */
+		break;
+	case PAM_ABORT:
+		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: One or more PAM modules failed to load for user %s\n", user));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	case PAM_AUTHTOK_EXPIRED:
+		DEBUG(2, ("smb_pam_nt_status_error_handler: PAM: User %s is valid but password is expired\n", user));
+		*nt_status = NT_STATUS_PASSWORD_EXPIRED;
+		break;
+	case PAM_MODULE_UNKNOWN:
+		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: One or more PAM modules is unknown for user %s\n", user));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	
+/* 29-30-31 */
+	
+	default:
+		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: UNKNOWN ERROR (%d) while running PAM for user %s\n", pam_error, user));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
+		break;
+	}
+
 	if (smb_pam_error_handler(pamh, pam_error, msg, dbglvl))
 		return True;
 
+	DEBUG(5,("smb_pam_nt_status_error_handler: PAM: pam_error was %d\n",pam_error));
+
 	if (*nt_status == NT_STATUS_NOPROBLEMO) {
 		/* Complain LOUDLY */
 		DEBUG(0, ("smb_pam_nt_status_error_handler: PAM: BUG: PAM and NT_STATUS \
-error MISMATCH, forcing to NT_STATUS_LOGON_FAILURE"));
-		*nt_status = NT_STATUS_LOGON_FAILURE;
+error MISMATCH, forcing to NT_STATUS_UNSUCCESSFUL"));
+		*nt_status = NT_STATUS_UNSUCCESSFUL;
 	}
 	return False;
 }
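Review bot: The `case PAM_AUTHTOK_RECOVER_ERR:` label is now compiled unconditionally; the `#if` directly above only aliases it when PAM_AUTHTOK_RECOVERY_ERR exists, so on a libpam that defines neither name (the removed code in smb_pam_chauthtok carried a Solaris note about exactly this) the switch no longer compiles. Wrapping that case in `#if defined(PAM_AUTHTOK_RECOVER_ERR)` … `#endif` restores the old guard. Separately, the PAM_AUTHTOK_LOCK_BUSY branch logs but never assigns `*nt_status`, so its result depends on whatever the caller preloaded and is only rescued by the mismatch fallback after the switch; add `*nt_status = NT_STATUS_UNSUCCESSFUL;` there like the neighbouring cases so every non-success PAM code maps to a failure status explicitly. The `smb_pam_setcred:` prefix in the PAM_CRED_UNAVAIL message looks like a leftover from the removed per-function switch and should read `smb_pam_nt_status_error_handler:` like the others.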
@@ -179,7 +299,7 @@
 	struct pam_response *reply = NULL;
 	fstring oldpw_prompt;
 	fstring newpw_prompt;
-	fstring repeatpw_prompt;
+    fstring repeatpw_prompt;
 	fstring prompt_ret;
 	char *p = lp_passwd_chat();
 	struct smb_pam_userdata *udp = (struct smb_pam_userdata *)appdata_ptr;
@@ -395,42 +515,8 @@
 	
 	DEBUG(4,("smb_pam_auth: PAM: Authenticate User: %s\n", user));
 	pam_error = pam_authenticate(pamh, PAM_SILENT | lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK);
-	switch( pam_error ){
-		case PAM_AUTH_ERR:
-			DEBUG(2, ("smb_pam_auth: PAM: Athentication Error for user %s\n", user));
-			nt_status = NT_STATUS_WRONG_PASSWORD;
-			break;
-		case PAM_CRED_INSUFFICIENT:
-			DEBUG(2, ("smb_pam_auth: PAM: Insufficient Credentials for user %s\n", user));
-			nt_status = NT_STATUS_INSUFFICIENT_LOGON_INFO;
-			break;
-		case PAM_AUTHINFO_UNAVAIL:
-			DEBUG(2, ("smb_pam_auth: PAM: Authentication Information Unavailable for user %s\n", user));
-			nt_status = NT_STATUS_LOGON_FAILURE;
-			break;
-		case PAM_USER_UNKNOWN:
-			DEBUG(2, ("smb_pam_auth: PAM: Username %s NOT known to Authentication system\n", user));
-			nt_status = NT_STATUS_NO_SUCH_USER;
-			break;
-		case PAM_MAXTRIES:
-			DEBUG(2, ("smb_pam_auth: PAM: One or more authentication modules reports user limit for user %s exceeeded\n", user));
-			nt_status = NT_STATUS_REMOTE_SESSION_LIMIT;
-			break;
-		case PAM_ABORT:
-			DEBUG(0, ("smb_pam_auth: PAM: One or more PAM modules failed to load for user %s\n", user));
-			nt_status = NT_STATUS_LOGON_FAILURE;
-			break;
-		case PAM_SUCCESS:
-			DEBUG(4, ("smb_pam_auth: PAM: User %s Authenticated OK\n", user));
-			nt_status = NT_STATUS_NOPROBLEMO;
-			break;
-		default:
-			DEBUG(0, ("smb_pam_auth: PAM: UNKNOWN ERROR while authenticating user %s\n", user));
-			nt_status = NT_STATUS_LOGON_FAILURE;
-			break;
-	}
 
-	smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status);
+	smb_pam_nt_status_error_handler(pamh, pam_error, "Authentication Failure", 2, &nt_status, user);	
 	return nt_status;
 }
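Review bot: The flags expression in the retained `pam_authenticate` call parses as `(PAM_SILENT | lp_null_passwords()) ? 0 : PAM_DISALLOW_NULL_AUTHTOK`, because `|` binds tighter than `?:`; PAM_SILENT is non-zero, so the flags are always 0 and PAM_DISALLOW_NULL_AUTHTOK is never passed even when null passwords are disabled in the configuration. It should read `pam_error = pam_authenticate(pamh, PAM_SILENT | (lp_null_passwords() ? 0 : PAM_DISALLOW_NULL_AUTHTOK));`. The line predates this patch, but since the hunk now rests the whole authentication verdict on this single PAM result it is worth fixing here. The head of smb_pam_auth lies outside the hunk.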
 
@@ -440,42 +526,12 @@
 static uint32 smb_pam_account(pam_handle_t *pamh, char * user)
 {
 	int pam_error;
-	uint32 nt_status = NT_STATUS_ACCOUNT_DISABLED;
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
 
 	DEBUG(4,("smb_pam_account: PAM: Account Management for User: %s\n", user));
 	pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
-	switch( pam_error ) {
-		case PAM_AUTHTOK_EXPIRED:
-			DEBUG(2, ("smb_pam_account: PAM: User %s is valid but password is expired\n", user));
-			nt_status = NT_STATUS_PASSWORD_EXPIRED;
-			break;
-		case PAM_ACCT_EXPIRED:
-			DEBUG(2, ("smb_pam_account: PAM: User %s no longer permitted to access system\n", user));
-			nt_status = NT_STATUS_ACCOUNT_EXPIRED;
-			break;
-		case PAM_AUTH_ERR:
-			DEBUG(2, ("smb_pam_account: PAM: There was an authentication error for user %s\n", user));
-			nt_status = NT_STATUS_LOGON_FAILURE;
-			break;
-		case PAM_PERM_DENIED:
-			DEBUG(0, ("smb_pam_account: PAM: User %s is NOT permitted to access system at this time\n", user));
-			nt_status = NT_STATUS_ACCOUNT_RESTRICTION;
-			break;
-		case PAM_USER_UNKNOWN:
-			DEBUG(0, ("smb_pam_account: PAM: User \"%s\" is NOT known to account management\n", user));
-			nt_status = NT_STATUS_NO_SUCH_USER;
-			break;
-		case PAM_SUCCESS:
-			DEBUG(4, ("smb_pam_account: PAM: Account OK for User: %s\n", user));
-			nt_status = NT_STATUS_NOPROBLEMO;
-			break;
-		default:
-			nt_status = NT_STATUS_ACCOUNT_DISABLED;
-			DEBUG(0, ("smb_pam_account: PAM: UNKNOWN PAM ERROR (%d) during Account Management for User: %s\n", pam_error, user));
-			break;
-	}
 
-	smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status);
+	smb_pam_nt_status_error_handler(pamh, pam_error, "Account Check Failed", 2, &nt_status, user);
 	return nt_status;
 }
 
@@ -486,7 +542,7 @@
 static uint32 smb_pam_setcred(pam_handle_t *pamh, char * user)
 {
 	int pam_error;
-	uint32 nt_status = NT_STATUS_NO_TOKEN;
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
 
 	/*
 	 * This will allow samba to aquire a kerberos token. And, when
@@ -495,172 +551,110 @@
 
 	DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
 	pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT)); 
-	switch( pam_error ) {
-		case PAM_CRED_UNAVAIL:
-			DEBUG(0, ("smb_pam_setcred: PAM: Credentials not found for user:%s\n", user ));
-			 nt_status = NT_STATUS_NO_TOKEN;
-			break;
-		case PAM_CRED_EXPIRED:
-			DEBUG(0, ("smb_pam_setcred: PAM: Credentials for user: \"%s\" EXPIRED!\n", user ));
-			nt_status = NT_STATUS_PASSWORD_EXPIRED;
-			break;
-		case PAM_USER_UNKNOWN:
-			DEBUG(0, ("smb_pam_setcred: PAM: User: \"%s\" is NOT known so can not set credentials!\n", user ));
-			nt_status = NT_STATUS_NO_SUCH_USER;
-			break;
-		case PAM_CRED_ERR:
-			DEBUG(0, ("smb_pam_setcred: PAM: Unknown setcredentials error - unable to set credentials for %s\n", user ));
-			nt_status = NT_STATUS_LOGON_FAILURE;
-			break;
-		case PAM_SUCCESS:
-			DEBUG(4, ("smb_pam_setcred: PAM: SetCredentials OK for User: %s\n", user));
-			nt_status = NT_STATUS_NOPROBLEMO;
-			break;
-		default:
-			DEBUG(0, ("smb_pam_setcred: PAM: UNKNOWN PAM ERROR (%d) during SetCredentials for User: %s\n", pam_error, user));
-			nt_status = NT_STATUS_NO_TOKEN;
-			break;
-	}
-
-	smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status);
+	
+	smb_pam_nt_status_error_handler(pamh, pam_error, "Set Credential Failure", 2, &nt_status, user);
 	return nt_status;
 }
 
 /*
  * PAM Internal Session Handler
  */
-static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag)
+static uint32 smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag)
 {
 	int pam_error;
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
 
 #ifdef PAM_TTY
 	DEBUG(4,("smb_internal_pam_session: PAM: tty set to: %s\n", tty));
 	pam_error = pam_set_item(pamh, PAM_TTY, tty);
-	if (!smb_pam_error_handler(pamh, pam_error, "set tty failed", 0))
-		return False;
+	if (!smb_pam_nt_status_error_handler(pamh, pam_error, "set tty failed", 0, &nt_status, user))
+		return nt_status;
 #endif
 
 	if (flag) {
 		pam_error = pam_open_session(pamh, PAM_SILENT);
-		if (!smb_pam_error_handler(pamh, pam_error, "session setup failed", 0))
-			return False;
+		smb_pam_nt_status_error_handler(pamh, pam_error, "session setup failed", 0, &nt_status, user); 
+
 	} else {
 		pam_setcred(pamh, (PAM_DELETE_CRED|PAM_SILENT)); /* We don't care if this fails */
 		pam_error = pam_close_session(pamh, PAM_SILENT); /* This will probably pick up the error anyway */
-		if (!smb_pam_error_handler(pamh, pam_error, "session close failed", 0))
-			return False;
+		smb_pam_nt_status_error_handler(pamh, pam_error, "session close failed", 0, &nt_status, user);
 	}
-	return (True);
+	return nt_status;
 }
 
 /*
  * Internal PAM Password Changer.
  */
 
-static BOOL smb_pam_chauthtok(pam_handle_t *pamh, char * user)
+static uint32 smb_pam_chauthtok(pam_handle_t *pamh, char * user)
 {
 	int pam_error;
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
 
 	DEBUG(4,("smb_pam_chauthtok: PAM: Password Change for User: %s\n", user));
 
 	pam_error = pam_chauthtok(pamh, PAM_SILENT); /* Change Password */
 
-	switch( pam_error ) {
-	case PAM_AUTHTOK_ERR:
-		DEBUG(2, ("PAM: unable to obtain the new authentication token - is password to weak?\n"));
-		break;
-
-	/* This doesn't seem to be defined on Solaris. JRA */
-#ifdef PAM_AUTHTOK_RECOVER_ERR
-	case PAM_AUTHTOK_RECOVER_ERR:
-		DEBUG(2, ("PAM: unable to obtain the old authentication token - was the old password wrong?.\n"));
-		break;
-#endif
+	smb_pam_nt_status_error_handler(pamh, pam_error, "Password Change Failed", 2, &nt_status, user);
 
-	case PAM_AUTHTOK_LOCK_BUSY:
-		DEBUG(2, ("PAM: unable to change the authentication token since it is currently locked.\n"));
-		break;
-	case PAM_AUTHTOK_DISABLE_AGING:
-		DEBUG(2, ("PAM: Authentication token aging has been disabled.\n"));
-		break;
-	case PAM_PERM_DENIED:
-		DEBUG(0, ("PAM: Permission denied.\n"));
-		break;
-	case PAM_TRY_AGAIN:
-		DEBUG(0, ("PAM: Could not update all authentication token(s). No authentication tokens were updated.\n"));
-		break;
-	case PAM_USER_UNKNOWN:
-		DEBUG(0, ("PAM: User not known to PAM\n"));
-		break;
-	case PAM_SUCCESS:
-		DEBUG(4, ("PAM: Account OK for User: %s\n", user));
-		break;
-	default:
-		DEBUG(0, ("PAM: UNKNOWN PAM ERROR (%d) for User: %s\n", pam_error, user));
-	}
- 
-	if(!smb_pam_error_handler(pamh, pam_error, "Password Change Failed", 2)) {
-		return False;
-	}
-
-	/* If this point is reached, the password has changed. */
-	return True;
+	return nt_status;
 }
 
 /*
  * PAM Externally accessible Session handler
  */
 
-BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
+uint32 smb_pam_claim_session(char *user, char *tty, char *rhost)
 {
 	pam_handle_t *pamh = NULL;
 	struct pam_conv *pconv = NULL;
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
 
 	/* Ignore PAM if told to. */
 
 	if (!lp_obey_pam_restrictions())
-		return True;
+		return NT_STATUS_NOPROBLEMO;
 
 	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
-		return False;
+		return nt_status;
 
 	if (!smb_pam_start(&pamh, user, rhost, pconv))
-		return False;
+		return nt_status;
 
-	if (!smb_internal_pam_session(pamh, user, tty, True)) {
-		smb_pam_end(pamh, pconv);
-		return False;
-	}
+	if ((nt_status = smb_internal_pam_session(pamh, user, tty, True)) != NT_STATUS_NOPROBLEMO)
+		DEBUG(0, ("smb_pam_close_session: PAM: Session Claim Failed for user %s!\n", user));
 
-	return smb_pam_end(pamh, pconv);
+	smb_pam_end(pamh, pconv);
+	return nt_status;
 }
 
 /*
  * PAM Externally accessible Session handler
  */
 
-BOOL smb_pam_close_session(char *user, char *tty, char *rhost)
+uint32 smb_pam_close_session(char *user, char *tty, char *rhost)
 {
 	pam_handle_t *pamh = NULL;
 	struct pam_conv *pconv = NULL;
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
 
 	/* Ignore PAM if told to. */
 
 	if (!lp_obey_pam_restrictions())
-		return True;
+		return NT_STATUS_NOPROBLEMO;
 
 	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
-		return False;
+		return nt_status;
 
 	if (!smb_pam_start(&pamh, user, rhost, pconv))
-		return False;
+		return nt_status;
 
-	if (!smb_internal_pam_session(pamh, user, tty, False)) {
-		smb_pam_end(pamh, pconv);
-		return False;
-	}
+	if ((nt_status = smb_internal_pam_session(pamh, user, tty, True)) != NT_STATUS_NOPROBLEMO)
+		DEBUG(0, ("smb_pam_close_session: PAM: Session Close Failed for user %s!\n", user));
 
-	return smb_pam_end(pamh, pconv);
+	smb_pam_end(pamh, pconv);
+	return nt_status;
 }
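Review bot: `smb_pam_close_session` now calls `smb_internal_pam_session(pamh, user, tty, True)`; the removed line passed `False`, so the close path opens a PAM session again and the `pam_setcred(PAM_DELETE_CRED)`/`pam_close_session` branch is never reached, leaving credentials and session accounting in place after the client disconnects. Restore `if ((nt_status = smb_internal_pam_session(pamh, user, tty, False)) != NT_STATUS_NOPROBLEMO)`. The failure message in `smb_pam_claim_session` is prefixed `smb_pam_close_session:`, a copy-paste slip that will mislead anyone reading the logs. The return value of `smb_pam_end` is now discarded in both session functions and again in the smb_pam_passchange hunk below, so a failing `pam_end` can no longer be reported; something like `if (!smb_pam_end(pamh, pconv) && nt_status == NT_STATUS_NOPROBLEMO) nt_status = NT_STATUS_UNSUCCESSFUL;` keeps that signal without changing the happy path.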
 
 /*
@@ -679,7 +673,7 @@
 		return NT_STATUS_NOPROBLEMO;
 
 	if ((pconv = smb_setup_pam_conv(smb_pam_conv, user, NULL, NULL)) == NULL)
-		return False;
+		return NT_STATUS_UNSUCCESSFUL;
 
 	if (!smb_pam_start(&pamh, user, NULL, pconv))
 		return NT_STATUS_ACCOUNT_DISABLED;
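Review bot: The retained `return NT_STATUS_ACCOUNT_DISABLED;` on `smb_pam_start` failure is inconsistent with the rest of this patch, which returns NT_STATUS_UNSUCCESSFUL for the same initialisation failure in the session and password-change functions and for the `smb_setup_pam_conv` failure one line above. A PAM start failure is a local configuration or resource problem, not a property of the account, so reporting it as "account disabled" misleads both the client and whoever reads the logs; `return NT_STATUS_UNSUCCESSFUL;` would match the other paths. The enclosing function starts and ends outside this hunk.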
@@ -739,25 +733,25 @@
  * PAM Password Change Suite
  */
 
-BOOL smb_pam_passchange(char * user, char * oldpassword, char * newpassword)
+uint32 smb_pam_passchange(char * user, char * oldpassword, char * newpassword)
 {
 	/* Appropriate quantities of root should be obtained BEFORE calling this function */
 	struct pam_conv *pconv = NULL;
 	pam_handle_t *pamh = NULL;
-
+	uint32 nt_status = NT_STATUS_UNSUCCESSFUL;
+	
 	if ((pconv = smb_setup_pam_conv(smb_pam_passchange_conv, user, oldpassword, newpassword)) == NULL)
-		return False;
-
-	if(!smb_pam_start(&pamh, user, NULL, pconv))
-		return False;
+		return nt_status;
+	
+	if (!smb_pam_start(&pamh, user, NULL, pconv))
+		return nt_status;
 
-	if (!smb_pam_chauthtok(pamh, user)) {
+	if ((nt_status = smb_pam_chauthtok(pamh, user)) != NT_STATUS_NOPROBLEMO) {
 		DEBUG(0, ("smb_pam_passchange: PAM: Password Change Failed for user %s!\n", user));
-		smb_pam_end(pamh, pconv);
-		return False;
 	}
 
-	return smb_pam_end(pamh, pconv);
+	smb_pam_end(pamh, pconv);
+	return nt_status;
 }
 
 #else
@@ -769,14 +763,19 @@
 }
 
 /* If PAM not used, also no PAM restrictions on sessions. */
- BOOL smb_pam_claim_session(char *user, char *tty, char *rhost)
+ uint32 smb_pam_claim_session(char *user, char *tty, char *rhost)
 {
-	return True;
+	return NT_STATUS_NOPROBLEMO;
 }
 
 /* If PAM not used, also no PAM restrictions on sessions. */
- BOOL smb_pam_close_session(char *in_user, char *tty, char *rhost)
+ uint32 smb_pam_close_session(char *in_user, char *tty, char *rhost)
 {
-	return True;
+	return NT_STATUS_NOPROBLEMO;
 }
 #endif /* WITH_PAM */
+
+
+
+
+
Index: source/smbd/chgpasswd.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/chgpasswd.c,v
retrieving revision 1.64.4.3
diff -u -r1.64.4.3 chgpasswd.c
--- source/smbd/chgpasswd.c	2 May 2001 23:32:19 -0000	1.64.4.3
+++ source/smbd/chgpasswd.c	12 May 2001 11:18:21 -0000
@@ -495,7 +495,7 @@
 
 #ifdef WITH_PAM
 	if (lp_pam_password_change()) {
-		BOOL ret;
+		uint32 ret;
 
 		if (as_root)
 			become_root();
@@ -505,7 +505,7 @@
 		if (as_root)
 			unbecome_root();
 
-		return ret;
+		return (ret == NT_STATUS_NOPROBLEMO);
 	}
 #endif
 
Index: source/smbd/session.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/session.c,v
retrieving revision 1.1.2.6
diff -u -r1.1.2.6 session.c
--- source/smbd/session.c	30 Apr 2001 20:37:44 -0000	1.1.2.6
+++ source/smbd/session.c	12 May 2001 11:18:24 -0000
@@ -99,7 +99,7 @@
 	sessionid.id_num = i;
 	sessionid.pid = pid;
 
-	if (!smb_pam_claim_session(sessionid.username, sessionid.id_str, sessionid.hostname)) {
+	if (smb_pam_claim_session(sessionid.username, sessionid.id_str, sessionid.hostname) != NT_STATUS_NOPROBLEMO) {
 		DEBUG(1,("pam_session rejected the session for %s [%s]\n",
 				sessionid.username, sessionid.id_str));
 		tdb_delete(tdb, key);

