svn commit: samba r19980 - in branches/SAMBA_3_0/source: auth smbd

idra at samba.org idra at samba.org
Fri Dec 1 15:06:35 GMT 2006


Author: idra
Date: 2006-12-01 15:06:34 +0000 (Fri, 01 Dec 2006)
New Revision: 19980

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19980

Log:

Implement pam account stack checks when obey pam restrictions is true.
It was missing for security=server/domain/ads 

Simo.


Modified:
   branches/SAMBA_3_0/source/auth/auth_domain.c
   branches/SAMBA_3_0/source/auth/auth_server.c
   branches/SAMBA_3_0/source/auth/auth_unix.c
   branches/SAMBA_3_0/source/auth/auth_util.c
   branches/SAMBA_3_0/source/smbd/sesssetup.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_domain.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_domain.c	2006-12-01 15:04:53 UTC (rev 19979)
+++ branches/SAMBA_3_0/source/auth/auth_domain.c	2006-12-01 15:06:34 UTC (rev 19980)
@@ -269,6 +269,17 @@
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			(*server_info)->was_mapped |= user_info->was_mapped;
+
+			if ( ! (*server_info)->guest) {
+				/* if a real user check pam account restrictions */
+				/* only really perfomed if "obey pam restriction" is true */
+				nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+				if (  !NT_STATUS_IS_OK(nt_status)) {
+					DEBUG(1, ("PAM account restriction prevents user login\n"));
+					cli_shutdown(cli);
+					return nt_status;
+				}
+			}
 		}
 
 		netsamlogon_cache_store( user_info->smb_name, &info3 );
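Review bot: The rejected path at `cli_shutdown(cli); return nt_status;` runs after `*server_info` has already been built and populated (`was_mapped` is set on the line before), so the caller receives a failure status together with a fully constructed server_info that nothing here releases; if it is talloc-allocated, as the TALLOC_FREE usage elsewhere in this commit suggests, `TALLOC_FREE(*server_info);` before the `cli_shutdown(cli);` would keep the failure path clean, and the early return also skips the `netsamlogon_cache_store` call below, which may or may not be intended. The DEBUG line identifies neither the user nor the reason, which makes a PAM rejection hard to correlate in logs; `DEBUG(1, ("PAM account restriction prevents user login for %s\n", (*server_info)->unix_name));` would do, and the same applies to the equivalent lines in the auth_server.c, auth_unix.c and sesssetup.c hunks. The comment `/* only really perfomed if "obey pam restriction" is true */` is pasted into all four files with the same typo; `/* only really performed if "obey pam restrictions" is true */` matches the option name used in the commit log. The enclosing function starts and ends outside the hunk.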

Modified: branches/SAMBA_3_0/source/auth/auth_server.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_server.c	2006-12-01 15:04:53 UTC (rev 19979)
+++ branches/SAMBA_3_0/source/auth/auth_server.c	2006-12-01 15:06:34 UTC (rev 19980)
@@ -383,7 +383,15 @@
 		if ( (pass = smb_getpwnam( NULL, user_info->internal_username, 
 			real_username, True )) != NULL ) 
 		{
-			nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+			/* if a real user check pam account restrictions */
+			/* only really perfomed if "obey pam restriction" is true */
+			nt_status = smb_pam_accountcheck(pass->pw_name);
+			if (  !NT_STATUS_IS_OK(nt_status)) {
+				DEBUG(1, ("PAM account restriction prevents user login\n"));
+			} else {
+
+				nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+			}
 			TALLOC_FREE(pass);
 		}
 		else
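Review bot: The new else branch opens with a stray blank line after `} else {`, and both new `if (  !NT_STATUS_IS_OK(nt_status))` conditions in this commit carry a doubled space after the parenthesis that the surrounding code does not use; `if (!NT_STATUS_IS_OK(nt_status)) {` and dropping the blank line would match the file's style. The control flow itself is sound here: on a PAM rejection nt_status keeps the PAM error, server_info is never built, and `TALLOC_FREE(pass)` still runs. The enclosing function starts and ends outside the hunk.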

Modified: branches/SAMBA_3_0/source/auth/auth_unix.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_unix.c	2006-12-01 15:04:53 UTC (rev 19979)
+++ branches/SAMBA_3_0/source/auth/auth_unix.c	2006-12-01 15:06:34 UTC (rev 19980)
@@ -110,7 +110,14 @@
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		if (pass) {
-			make_server_info_pw(server_info, pass->pw_name, pass);
+			/* if a real user check pam account restrictions */
+			/* only really perfomed if "obey pam restriction" is true */
+			nt_status = smb_pam_accountcheck(pass->pw_name);
+			if (  !NT_STATUS_IS_OK(nt_status)) {
+				DEBUG(1, ("PAM account restriction prevents user login\n"));
+			} else {
+				make_server_info_pw(server_info, pass->pw_name, pass);
+			}
 		} else {
 			/* we need to do somthing more useful here */
 			nt_status = NT_STATUS_NO_SUCH_USER;

Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-12-01 15:04:53 UTC (rev 19979)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-12-01 15:06:34 UTC (rev 19980)
@@ -496,7 +496,7 @@
 	
 	if ( token )
 		return token;
-		
+
 	if ( !(pw = sys_getpwnam( "root" )) ) {
 		DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
 		return NULL;

Modified: branches/SAMBA_3_0/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0/source/smbd/sesssetup.c	2006-12-01 15:04:53 UTC (rev 19979)
+++ branches/SAMBA_3_0/source/smbd/sesssetup.c	2006-12-01 15:06:34 UTC (rev 19980)
@@ -292,6 +292,22 @@
 	username_was_mapped = map_username( user );
 
 	pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+	if (pw) {
+		/* if a real user check pam account restrictions */
+		/* only really perfomed if "obey pam restriction" is true */
+		/* do this before an eventual mappign to guest occurs */
+		ret = smb_pam_accountcheck(pw->pw_name);
+		if (  !NT_STATUS_IS_OK(ret)) {
+			DEBUG(1, ("PAM account restriction prevents user login\n"));
+			data_blob_free(&ap_rep);
+			data_blob_free(&session_key);
+			talloc_destroy(mem_ctx);
+			TALLOC_FREE(pw);
+			return ERROR_NT(nt_status_squash(ret));
+		}
+	}
+
 	if (!pw) {
 
 		/* this was originally the behavior of Samba 2.2, if a user
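Review bot: In the new failure path `talloc_destroy(mem_ctx);` runs before `TALLOC_FREE(pw);`, and since pw comes from `smb_getpwnam( mem_ctx, ... )` it is presumably allocated as a child of mem_ctx, in which case the second call operates on memory that has already been released; swapping the two lines, `TALLOC_FREE(pw); talloc_destroy(mem_ctx);`, or dropping the TALLOC_FREE if pw really is a child, avoids that. The comment `/* do this before an eventual mappign to guest occurs */` should read `/* do this before an eventual mapping to guest occurs */`. The status variable is named `ret` here while the auth/*.c hunks use `nt_status`; it is declared outside the hunk, so this may be the file's existing convention. The enclosing function starts and ends outside the hunk.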


