3 files changed, 48 insertions, 37 deletions
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c
index 21b77223070..72e97abc3b9 100644
--- a/source/smbd/chgpasswd.c
+++ b/source/smbd/chgpasswd.c
@@ -54,6 +54,24 @@ extern struct passdb_ops pdb_ops;
 
 #if ALLOW_CHANGE_PASSWORD
 
+#ifdef WITH_PAM
+BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
+{
+	BOOL ret;
+
+	if (as_root)
+		become_root();
+
+	ret = smb_pam_passchange(name, oldpass, newpass);
+
+	if (as_root)
+		unbecome_root();
+
+	return ret;
+}     
+
+#else /* WITH_PAM */
+
 static int findpty(char **slave)
 {
 	int master;
@@ -527,7 +545,10 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
 		(passwordprogram, name, chatsequence, as_root));
 }
 
+#endif /* WITH_PAM */
+
 #else /* ALLOW_CHANGE_PASSWORD */
+
 BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root)
 {
 	DEBUG(0, ("Password changing not compiled in (user=%s)\n", name));
diff --git a/source/smbd/password.c b/source/smbd/password.c
index ba882f2bf26..03d96bebc05 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
@@ -453,25 +453,21 @@ BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8],
 
 	user_name = pdb_get_username(sampass);
 	
-	DEBUG(4,("Checking SMB password for user %s\n",user_name));
+	DEBUG(4,("smb_password_ok: Checking SMB password for user %s\n",user_name));
 
 	if(pdb_get_acct_ctrl(sampass) & ACB_DISABLED) {
-		DEBUG(1,("account for user %s was disabled.\n", user_name));
+		DEBUG(1,("smb_password_ok: account for user %s was disabled.\n", user_name));
 		return(False);
 	}
 
-	if (chal == NULL)
-	{
-		DEBUG(5,("use last SMBnegprot challenge\n"));
-		if (!last_challenge(challenge))
-		{
-			DEBUG(1,("no challenge done - password failed\n"));
+	if (chal == NULL) {
+		DEBUG(5,("smb_password_ok: use last SMBnegprot challenge\n"));
+		if (!last_challenge(challenge)) {
+			DEBUG(1,("smb_password_ok: no challenge done - password failed\n"));
 			return False;
 		}
-	}
-	else
-	{
-		DEBUG(5,("challenge received\n"));
+	} else {
+		DEBUG(5,("smb_password_ok: challenge received\n"));
 		memcpy(challenge, chal, 8);
 	}
 
@@ -482,35 +478,33 @@ BOOL smb_password_ok(SAM_ACCOUNT *sampass, uchar chal[8],
 		   use it (ie. does it exist in the smbpasswd file).
 		*/
 		DEBUG(4,("smb_password_ok: Checking NT MD4 password\n"));
-		if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge)) 
-		{
-			DEBUG(4,("NT MD4 password check succeeded\n"));
+		if (smb_password_check((char *)nt_pass, (uchar *)nt_pw, challenge)) {
+			DEBUG(4,("smb_password_ok: NT MD4 password check succeeded\n"));
 			return(True);
 		}
-		DEBUG(4,("NT MD4 password check failed\n"));
+		DEBUG(4,("smb_password_ok: NT MD4 password check failed\n"));
 	}
 
 	/* Try against the lanman password. pdb_get_lanman_passwd(sampass) == NULL 
 	   means no password, allow access. */
 
-	DEBUG(4,("Checking LM MD4 password\n"));
-
 	lm_pw = pdb_get_lanman_passwd(sampass);
 	
 	if((lm_pw == NULL) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) 
 	{
-		DEBUG(4,("no password required for user %s\n",user_name));
+		DEBUG(4,("smb_password_ok: no password required for user %s\n",user_name));
 		return True;
 	}
 
-	if((lm_pw != NULL) && smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge)) 
-	{
-		DEBUG(4,("LM MD4 password check succeeded\n"));
-		return(True);
+	if(lp_lanman_auth() && (lm_pw != NULL)) {
+		DEBUG(4,("smb_password_ok: Checking LM password\n"));
+		if(smb_password_check((char *)lm_pass,(uchar *)lm_pw, challenge)) {
+			DEBUG(4,("smb_password_ok: LM password check succeeded\n"));
+			return(True);
+		}
+		DEBUG(4,("smb_password_ok: LM password check failed\n"));
 	}
 
-	DEBUG(4,("LM MD4 password check failed\n"));
-
 	return False;
 }
 
diff --git a/source/smbd/session.c b/source/smbd/session.c
index 3131fb9f542..40654c0f43c 100644
--- a/source/smbd/session.c
+++ b/source/smbd/session.c
@@ -99,6 +99,13 @@ BOOL session_claim(uint16 vuid)
 	sessionid.id_num = i;
 	sessionid.pid = pid;
 
+	if (!smb_pam_claim_session(sessionid.username, sessionid.id_str, sessionid.hostname)) {
+		DEBUG(1,("pam_session rejected the session for %s [%s]\n",
+				sessionid.username, sessionid.id_str));
+		tdb_delete(tdb, key);
+		return False;
+	}
+
 	dlen = tdb_pack(dbuf, sizeof(dbuf), "fffdd",
 			sessionid.username, sessionid.hostname, sessionid.id_str,
 			sessionid.id_num, sessionid.pid);
@@ -110,15 +117,6 @@ BOOL session_claim(uint16 vuid)
 		return False;
 	}
 
-#if WITH_PAM
-	if (!smb_pam_session(True, sessionid.username, sessionid.id_str, sessionid.hostname)) {
-		DEBUG(1,("smb_pam_session rejected the session for %s [%s]\n",
-			 sessionid.username, sessionid.id_str));
-		tdb_delete(tdb, key);
-		return False;
-	}
-#endif
-
 #if WITH_UTMP	
 	if (lp_utmp()) {
 		sys_utmp_claim(sessionid.username, sessionid.hostname, 
@@ -169,9 +167,7 @@ void session_yield(uint16 vuid)
 	}
 #endif
 
-#if WITH_PAM
-	smb_pam_session(False, sessionid.username, sessionid.id_str, sessionid.hostname);
-#endif
+	smb_pam_close_session(sessionid.username, sessionid.id_str, sessionid.hostname);
 
 	tdb_delete(tdb, key);
 }