author | Jeremy Allison <jra@samba.org> | 2001-04-23 20:43:24 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2001-04-23 20:43:24 +0000 |
commit | c7013daa92b68f2baabd75c40e9956bf61181ab4 (patch) | |
tree | 5cabe1b740169f4e497da4a741f60bdb9bb66795 | |
parent | af635031de8aa37e3ecaa19a50f79dd44d2efe02 (diff) | |
Added "obey pam restrictions" parameter - default to "off".
Only set this to "on" if you know you have your PAM set up correctly.....
NB. Doesn't apply to plaintext password authentication, which must use
pam when compiled in.
Jeremy.
-rw-r--r-- | source/auth/pampass.c | 17 | ||||
-rw-r--r-- | source/include/proto.h | 1 | ||||
-rw-r--r-- | source/param/loadparm.c | 4 | ||||
-rw-r--r-- | source/passdb/pampass.c | 17 |
4 files changed, 39 insertions, 0 deletions
diff --git a/source/auth/pampass.c b/source/auth/pampass.c
index f91f472603c..9f4a8f57b91 100644
--- a/source/auth/pampass.c
+++ b/source/auth/pampass.c
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
 /*
 * PAM Externally accessible Session handler
 */
+
 BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
 {
 pam_handle_t *pamh = NULL;
 char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
 user = strdup(in_user);
 if ( user == NULL ) {
 DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
 PAM_username = user;
 PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
 if( smb_pam_start(&pamh, user, NULL)) {
 if ( smb_pam_account(pamh, user, NULL, False)) {
 return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
 PAM_username = user;
 PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
 if( smb_pam_start(&pamh, user, NULL)) {
 if ( smb_pam_auth(pamh, user, password)) {
 if ( smb_pam_account(pamh, user, password, True)) {
diff --git a/source/include/proto.h b/source/include/proto.h
index a6dbeefd57c..3f5f173ed72 100644
--- a/source/include/proto.h
+++ b/source/include/proto.h
@@ -1677,6 +1677,7 @@ BOOL lp_readbmpx(void);
 BOOL lp_readraw(void);
 BOOL lp_writeraw(void);
 BOOL lp_null_passwords(void);
+BOOL lp_obey_pam_restrictions(void);
 BOOL lp_strip_dot(void);
 BOOL lp_encrypted_passwords(void);
 BOOL lp_update_encrypted(void);
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index 1b451886d98..d6bb9af950e 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
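Review bot: The early return added to `smb_pam_session` reads `lp_obey_pam_restrictions()` afresh on every call, so the open call and its matching close call can see different values if the setting changes in between (for example across a configuration reload, which is not visible in this hunk). That would leave a PAM session opened and never closed, or a close attempted for a session that was never opened. Consider remembering at open time whether the PAM session was really opened and keying the close on that; at minimum add a comment above the check such as `/* NB: value must be the same at session open and close. */`. The function body continues past the end of the hunk.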
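Review bot: `smb_pam_accountcheck` now returns `True` without logging anything when `obey pam restrictions` is off, so the logs cannot distinguish "account restrictions passed" from "account restrictions were never evaluated". A line such as `DEBUG(4, ("smb_pam_accountcheck: PAM account check skipped for user %s\n", user));` before `return True;` would make the bypass visible; the same silent return is in `smb_pam_session` in the first hunk and in the copy under source/passdb/pampass.c. The check also sits after the `PAM_username`/`PAM_password` assignments, which appear not to be needed when PAM is skipped, so it could move above them. The function starts and ends outside the hunk.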
@@ -244,6 +244,7 @@ typedef struct
 BOOL bUpdateEncrypt;
 BOOL bStripDot;
 BOOL bNullPasswords;
+ BOOL bObeyPamRestrictions;
 BOOL bLoadPrinters;
 BOOL bUseRhosts;
 BOOL bReadRaw;
@@ -672,6 +673,7 @@ static struct parm_struct parm_table[] = {
 {"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, 0},
 {"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, 0},
 {"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
+ {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0},
 {"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
 /* #ifdef WITH_TDBPWD
 {"tdb passwd file", P_STRING, P_GLOBAL, &Globals.szTDBPasswdFile, NULL, NULL, 0},
@@ -1236,6 +1238,7 @@ static void init_globals(void)
 Globals.bReadPrediction = False;
 Globals.bReadbmpx = False;
 Globals.bNullPasswords = False;
+ Globals.bObeyPamRestrictions = False;
 Globals.bStripDot = False;
 Globals.syslog = 1;
 Globals.bSyslogOnly = False;
@@ -1511,6 +1514,7 @@ FN_GLOBAL_BOOL(lp_readbmpx, &Globals.bReadbmpx)
 FN_GLOBAL_BOOL(lp_readraw, &Globals.bReadRaw)
 FN_GLOBAL_BOOL(lp_writeraw, &Globals.bWriteRaw)
 FN_GLOBAL_BOOL(lp_null_passwords, &Globals.bNullPasswords)
+FN_GLOBAL_BOOL(lp_obey_pam_restrictions, &Globals.bObeyPamRestrictions)
 FN_GLOBAL_BOOL(lp_strip_dot, &Globals.bStripDot)
 FN_GLOBAL_BOOL(lp_encrypted_passwords, &Globals.bEncryptPasswords)
 FN_GLOBAL_BOOL(lp_update_encrypted, &Globals.bUpdateEncrypt)
diff --git a/source/passdb/pampass.c b/source/passdb/pampass.c
index f91f472603c..9f4a8f57b91 100644
--- a/source/passdb/pampass.c
+++ b/source/passdb/pampass.c
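Review bot: Setting `Globals.bObeyPamRestrictions = False` in `init_globals` changes behaviour for existing PAM builds. Judging by the pampass.c hunks in this commit, `smb_pam_accountcheck` used to run the PAM account stage unconditionally and now skips it unless the parameter is enabled. Sites that rely on PAM account restrictions for encrypted-password logons therefore lose that enforcement on upgrade with no configuration change. The default deserves a comment at this line, e.g. `/* Off by default: PAM account and session checks are skipped unless enabled. */`, and an entry in the parameter documentation, which is not among the four files this commit touches.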
@@ -350,11 +350,17 @@ static BOOL smb_internal_pam_session(pam_handle_t *pamh, char *user, char *tty,
 /*
 * PAM Externally accessible Session handler
 */
+
 BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
 {
 pam_handle_t *pamh = NULL;
 char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
 user = strdup(in_user);
 if ( user == NULL ) {
 DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
@@ -382,6 +388,11 @@ BOOL smb_pam_accountcheck(char * user)
 PAM_username = user;
 PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
 if( smb_pam_start(&pamh, user, NULL)) {
 if ( smb_pam_account(pamh, user, NULL, False)) {
 return( smb_pam_end(pamh));
@@ -401,6 +412,12 @@ BOOL smb_pam_passcheck(char * user, char * password)
 PAM_username = user;
 PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
 if( smb_pam_start(&pamh, user, NULL)) {
 if ( smb_pam_auth(pamh, user, password)) {
 if ( smb_pam_account(pamh, user, password, True)) { |
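Review bot: source/passdb/pampass.c receives exactly the same three hunks as source/auth/pampass.c, and both index lines read `f91f472603c..9f4a8f57b91`, so the two files are byte-identical before and after this change. Carrying two copies of an authentication module means a later fix can land in one and miss the other; whether both are still compiled is not visible here. If only one is built the other should be removed, and otherwise a header comment in each file naming its twin, e.g. `/* Duplicate of source/auth/pampass.c - keep in sync. */`, would help.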