diff options
author | Jeremy Allison <jra@samba.org> | 2001-04-18 04:34:42 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2001-04-18 04:34:42 +0000 |
commit | a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17 (patch) | |
tree | 6441541bd1582a2cd20448619fd0634556374856 /source3 | |
parent | 0766f84a403354c46398690e69c138a27344aece (diff) | |
download | samba-a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17.tar.gz samba-a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17.tar.xz samba-a40fe7b47d269d294b1bbf5c22d9a6d6c9f81e17.zip |
patch from Steve Langasek <vorlon@netexpress.net> to make sure we
don't use pam_setcred() if we haven't called pam_authenticate()
Merge from 2.2
Jeremy.
(This used to be commit 89589895e3adce75ecd6205547392326cf291543)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/auth/pampass.c | 16 | ||||
-rw-r--r-- | source3/passdb/pampass.c | 16 |
2 files changed, 22 insertions, 10 deletions
diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index 08f6027a88..271c46045b 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -61,8 +61,6 @@ static char *PAM_password; static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { - int retval; - if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); @@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) /* * PAM Account Handler */ -static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) { int pam_error; @@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) return False; } + /* Skip the pam_setcred() call if we didn't use pam_authenticate() + for authentication -- it's an error to call pam_setcred without + calling pam_authenticate first */ + if (!pam_auth) { + DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user)); + return True; + } + /* * This will allow samba to aquire a kerberos token. And, when * exporting an AFS cell, be able to /write/ to this cell. @@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user) if( proc_pam_start(&pamh, user)) { - if ( pam_account(pamh, user, NULL)) + if ( pam_account(pamh, user, NULL, False)) { return( proc_pam_end(pamh)); } @@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password) { if ( pam_auth(pamh, user, password)) { - if ( pam_account(pamh, user, password)) + if ( pam_account(pamh, user, password, True)) { return( proc_pam_end(pamh)); } diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c index 08f6027a88..271c46045b 100644 --- a/source3/passdb/pampass.c +++ b/source3/passdb/pampass.c @@ -61,8 +61,6 @@ static char *PAM_password; static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { - int retval; - if( pam_error != PAM_SUCCESS) { DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); @@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) /* * PAM Account Handler */ -static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth) { int pam_error; @@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) return False; } + /* Skip the pam_setcred() call if we didn't use pam_authenticate() + for authentication -- it's an error to call pam_setcred without + calling pam_authenticate first */ + if (!pam_auth) { + DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user)); + return True; + } + /* * This will allow samba to aquire a kerberos token. And, when * exporting an AFS cell, be able to /write/ to this cell. @@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user) if( proc_pam_start(&pamh, user)) { - if ( pam_account(pamh, user, NULL)) + if ( pam_account(pamh, user, NULL, False)) { return( proc_pam_end(pamh)); } @@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password) { if ( pam_auth(pamh, user, password)) { - if ( pam_account(pamh, user, password)) + if ( pam_account(pamh, user, password, True)) { return( proc_pam_end(pamh)); } |