Encrypted Passwords & Restricting Logon Attempts

Jim Morris jim at morris-world.com
Tue Dec 3 19:45:01 GMT 2002


On Sat, 2002-11-30 at 20:14, Andrew Bartlett wrote:

> Really quick, and really ugly hack is to make Samba call the pam
> function with some invalid password after failing the encrypted password
> check...  Just watch that some parts of Samba may cause the password
> check to fail, even when the right password is entered (it will try
> again with the other password (NT or LM) in this case).  

I wanted to let you know that I made such a change, in smbd/password.c,
so that after we have a failure validating the encrypted password, we
call the smb_pam_passcheck() function, using the same username and
password - which of course fails.  That causes the pam_tally count to be
incremented as desired when the domain logon via Samba fails.

So this simple 2 line change does the trick...

With a check to see if pam support is enabled via the smb.conf file
(obey pam restrictions = yes), I don't see why this cannot serve other
people with the same need I have run into.

Here's the change:

diff -r samba-2.2.7.orig/source/smbd/password.c samba-2.2.7/source/smbd/password.c
617a618,624
> #if defined(WITH_PAM)
> 		// Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO
> 		// BE UPDATED WHEN LOGON FAILS USING SMBPASSWD FILE.
> 		if (lp_obey_pam_restrictions() && (ret == FALSE))
> 			smb_pam_passcheck( user, password );
> #endif
> 
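Review bot: the `ret == FALSE` test in the added `if` cannot tell a final failure from the first of the two attempts (NT or LM) that Andrew describes above, so pam_tally may be incremented for a logon that then succeeds with the other password, or twice for a single bad logon. Consider making the smb_pam_passcheck() call once, at the point where all encrypted checks have failed. The return value of smb_pam_passcheck( user, password ) is discarded; a (void) cast or a short comment would show that this is deliberate and that a PAM result here must never change `ret`. The two `//` comments should be a `/* ... */` block so the file still builds with compilers that accept only C89 comments.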

-- 
/-----------------------------------------------
| Jim Morris  |  Email: Jim at Morris-World.com
|             |    AIM: JFM2001
\-----------------------------------------------



