Encrypted Passwords & Restricting Logon Attempts

Jim Morris jim at morris-world.com
Tue Dec 3 19:45:01 GMT 2002

On Sat, 2002-11-30 at 20:14, Andrew Bartlett wrote:

> Really quick, and really ugly hack is to make Samba call the pam
> function with some invalid password after failing the encrypted password
> check...  Just watch that some parts of Samba may cause the password
> check to fail, even when the right password is entered (it will try
> again with the other password (NT or LM) in this case).  

I wanted to let you know that I made such a change, in smbd/password.c,
so that after we have a failure validating the encrypted password, we
call the smb_pam_passcheck() function, using the same username and
password - which of course fail.  That causes the pam_tally count to be
incremented as desired when the domain logon via Samba fails.

So this simple 2 line change does the trick...

With a check to see if pam support is enabled via the smb.conf file
(obey pam restrictions = yes), I don't see why this cannot serve other
people with the same need I have run into.

Here's the change:

diff -r samba-2.2.7.orig/source/smbd/password.c samba-2.2.7/source/smbd/password.c
> #if defined(WITH_PAM)
> 		// Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO
> 		if (lp_obey_pam_restrictions() && (ret == FALSE))
> 			smb_pam_passcheck( user, password );
> #endif

| Jim Morris  |  Email: Jim at Morris-World.com
|             |    AIM: JFM2001

More information about the samba-technical mailing list