sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-08 04:58:40 +03:00
Code

Added "obey pam restrictions" parameter - default to "off".

Browse Source 
Only set this to "on" if you know you have your PAM set up correctly.....
NB. Doesn't apply to plaintext password authentication, which must use
pam when compiled in.
Jeremy.
This commit is contained in:
Jeremy Allison -
parent 4db22afeed
commit 59aa99f390
4 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
source/auth/pampass.c
View File

@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
/*
* PAM Externally accessible Session handler
*/
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
/* Ignore PAM if told to. */
if (!lp_obey_pam_restrictions())
return True;
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
/* Ignore PAM if told to. */
if (!lp_obey_pam_restrictions())
return True;
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
/*
* Note we can't ignore PAM here as this is the only
* way of doing auths on plaintext passwords when
* compiled --with-pam.
*/
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {

1
source/include/proto.h
View File

@ -1721,6 +1721,7 @@ BOOL lp_readbmpx(void);
BOOL lp_readraw(void);
BOOL lp_writeraw(void);
BOOL lp_null_passwords(void);
BOOL lp_obey_pam_restrictions(void);
BOOL lp_strip_dot(void);
BOOL lp_encrypted_passwords(void);
BOOL lp_update_encrypted(void);

4
source/param/loadparm.c
View File

@ -249,6 +249,7 @@ typedef struct
BOOL bUpdateEncrypt;
BOOL bStripDot;
BOOL bNullPasswords;
BOOL bObeyPamRestrictions;
BOOL bLoadPrinters;
BOOL bUseRhosts;
BOOL bReadRaw;
@ -678,6 +679,7 @@ static struct parm_struct parm_table[] = {
{"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, 0},
{"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, 0},
{"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
{"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0},
{"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
{"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, 0},
{"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0},
@ -1246,6 +1248,7 @@ static void init_globals(void)
Globals.bReadPrediction = False;
Globals.bReadbmpx = False;
Globals.bNullPasswords = False;
Globals.bObeyPamRestrictions = False;
Globals.bStripDot = False;
Globals.syslog = 1;
Globals.bSyslogOnly = False;
@ -1528,6 +1531,7 @@ FN_GLOBAL_BOOL(lp_readbmpx, &Globals.bReadbmpx)
FN_GLOBAL_BOOL(lp_readraw, &Globals.bReadRaw)
FN_GLOBAL_BOOL(lp_writeraw, &Globals.bWriteRaw)
FN_GLOBAL_BOOL(lp_null_passwords, &Globals.bNullPasswords)
FN_GLOBAL_BOOL(lp_obey_pam_restrictions, &Globals.bObeyPamRestrictions)
FN_GLOBAL_BOOL(lp_strip_dot, &Globals.bStripDot)
FN_GLOBAL_BOOL(lp_encrypted_passwords, &Globals.bEncryptPasswords)
FN_GLOBAL_BOOL(lp_update_encrypted, &Globals.bUpdateEncrypt)

17
source/passdb/pampass.c
View File

@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
/*
* PAM Externally accessible Session handler
*/
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
/* Ignore PAM if told to. */
if (!lp_obey_pam_restrictions())
return True;
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
/* Ignore PAM if told to. */
if (!lp_obey_pam_restrictions())
return True;
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
/*
* Note we can't ignore PAM here as this is the only
* way of doing auths on plaintext passwords when
* compiled --with-pam.
*/
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {