[PATCH] s3: Remove smb_pam_accountcheck from the auth modules

Volker Lendecke vl at samba.org
Wed Aug 18 10:16:24 MDT 2010


We go through the same check in auth/auth.c line 287 after the module has done
its job. So we don't have to do that check twice.
---
 source3/auth/auth_domain.c |   17 ++---------------
 source3/auth/auth_server.c |   10 +---------
 source3/auth/auth_unix.c   |    9 +--------
 3 files changed, 4 insertions(+), 32 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 445aff5..cac482c 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -342,22 +342,9 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			(*server_info)->nss_token |= user_info->was_mapped;
-
-			if ( ! (*server_info)->guest) {
-				/* if a real user check pam account restrictions */
-				/* only really perfomed if "obey pam restriction" is true */
-				nt_status = smb_pam_accountcheck((*server_info)->unix_name);
-				if (  !NT_STATUS_IS_OK(nt_status)) {
-					DEBUG(1, ("PAM account restriction prevents user login\n"));
-					cli_shutdown(cli);
-					TALLOC_FREE(info3);
-					return nt_status;
-				}
-			}
+			netsamlogon_cache_store(user_info->client.account_name, info3);
+			TALLOC_FREE(info3);
 		}
-
-		netsamlogon_cache_store(user_info->client.account_name, info3);
-		TALLOC_FREE(info3);
 	}
 
 	/* Note - once the cli stream is shutdown the mem_ctx used
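Review bot: Moving `TALLOC_FREE(info3);` inside the `NT_STATUS_IS_OK(nt_status)` branch means the failure path no longer releases `info3` in this block, whereas the old code freed it on every path through it. Unless `info3` is parented to a context that is freed soon afterwards (not visible in this hunk), keep the free unconditional by placing `TALLOC_FREE(info3);` after the closing brace of the `if`. Also, `netsamlogon_cache_store()` now runs before the PAM account check that the commit message places in auth/auth.c, so an account PAM later refuses still gets its info3 cached; previously the early return skipped the store. It is worth confirming that nothing treats a cache entry as evidence of a permitted login. domain_client_validate starts and ends outside the hunk.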
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index b5954e6..4ce0336 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -435,15 +435,7 @@ use this machine as the password server.\n"));
 		if ( (pass = smb_getpwnam( NULL, user_info->mapped.account_name,
 			real_username, True )) != NULL ) 
 		{
-			/* if a real user check pam account restrictions */
-			/* only really perfomed if "obey pam restriction" is true */
-			nt_status = smb_pam_accountcheck(pass->pw_name);
-			if (  !NT_STATUS_IS_OK(nt_status)) {
-				DEBUG(1, ("PAM account restriction prevents user login\n"));
-			} else {
-
-				nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
-			}
+			nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
 			TALLOC_FREE(pass);
 		}
 		else
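Review bot: With the in-module call gone, nothing at this site tells a reader that PAM account restrictions are still enforced, and the commit message's pointer to "auth/auth.c line 287" will drift as that file changes. A short comment above the `make_server_info_pw` call would record the dependency, for example `/* PAM account restrictions are enforced by the caller in auth/auth.c after this module returns success */`; the same comment fits the matching lines in auth_unix.c and auth_domain.c. Since the caller is now the only enforcement point, it is also worth confirming that it checks the same Unix name that was passed here as `pass->pw_name`. The enclosing function starts and ends outside the hunk.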
diff --git a/source3/auth/auth_unix.c b/source3/auth/auth_unix.c
index 8668a2f..c50ac78 100644
--- a/source3/auth/auth_unix.c
+++ b/source3/auth/auth_unix.c
@@ -54,14 +54,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 
 	if (NT_STATUS_IS_OK(nt_status)) {
 		if (pass) {
-			/* if a real user check pam account restrictions */
-			/* only really perfomed if "obey pam restriction" is true */
-			nt_status = smb_pam_accountcheck(pass->pw_name);
-			if (  !NT_STATUS_IS_OK(nt_status)) {
-				DEBUG(1, ("PAM account restriction prevents user login\n"));
-			} else {
-				make_server_info_pw(server_info, pass->pw_name, pass);
-			}
+			make_server_info_pw(server_info, pass->pw_name, pass);
 		} else {
 			/* we need to do somthing more useful here */
 			nt_status = NT_STATUS_NO_SUCH_USER;
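Review bot: The new line discards the result of `make_server_info_pw()`, so `nt_status` stays OK even if building `*server_info` fails, and the caller, which per the commit message now also runs the PAM account check, would presumably continue on a success status. Assign it as auth_server.c does in this same patch: `nt_status = make_server_info_pw(server_info, pass->pw_name, pass);`. The old else branch had the same omission, but the line is being rewritten here anyway. check_unix_security continues outside the hunk.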
-- 
1.7.0.4

