Diffstat (limited to 'source/smbd')
-rw-r--r-- | source/smbd/chgpasswd.c | 21 | ||||
-rw-r--r-- | source/smbd/password.c | 24 | ||||
-rw-r--r-- | source/smbd/session.c | 20 |
3 files changed, 41 insertions, 24 deletions
diff --git a/source/smbd/chgpasswd.c b/source/smbd/chgpasswd.c index 63f425f4cc3..1b879890813 100644 --- a/source/smbd/chgpasswd.c +++ b/source/smbd/chgpasswd.c @@ -53,6 +53,24 @@ extern int DEBUGLEVEL; #if ALLOW_CHANGE_PASSWORD +#ifdef WITH_PAM +BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) +{ + BOOL ret; + + if (as_root) + become_root(); + + ret = smb_pam_passchange(name, oldpass, newpass); + + if (as_root) + unbecome_root(); + + return ret; +} + +#else /* WITH_PAM */ + static int findpty(char **slave) { int master; @@ -526,7 +544,10 @@ BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) (passwordprogram, name, chatsequence, as_root)); } +#endif /* WITH_PAM */ + #else /* ALLOW_CHANGE_PASSWORD */ + BOOL chgpasswd(char *name, char *oldpass, char *newpass, BOOL as_root) { DEBUG(0, ("Password changing not compiled in (user=%s)\n", name)); diff --git a/source/smbd/password.c b/source/smbd/password.c index ef457739c67..4beedbe2a5f 100644 --- a/source/smbd/password.c +++ b/source/smbd/password.c 
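Review bot: In the new WITH_PAM `chgpasswd`, the result of `smb_pam_passchange` is stored in a `BOOL` and returned unchanged, while the password.c hunk of this same commit has to compare `smb_pam_accountcheck` against `NT_STATUS_NOPROBLEMO`. The prototype of `smb_pam_passchange` is not visible here, so it should be confirmed that it returns True on success and not a status code, where a zero success value would come back as False and an error as True. The function also hands `oldpass` to PAM while root when `as_root` is set, and some PAM password stacks do not demand the old password from a root caller, so a comment should state who is responsible for verifying it, e.g. `/* as_root: old password must already have been verified by the caller */` if that is the contract. No length or character checks on `newpass` are visible in this branch; if the non-PAM `chgpasswd` (its body is outside the hunk) performs any, they should apply here too.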
@@ -491,24 +491,24 @@ BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar chal[8], /* Try against the lanman password. smb_pass->smb_passwd == NULL means no password, allow access. */ - DEBUG(4,("Checking LM MD4 password\n")); - if((smb_pass->smb_passwd == NULL) && (smb_pass->acct_ctrl & ACB_PWNOTREQ)) { - DEBUG(4,("no password required for user %s\n", + DEBUG(4,("smb_password_ok: no password required for user %s\n", smb_pass->smb_name)); return True; } - if((smb_pass->smb_passwd != NULL) && - smb_password_check((char *)lm_pass, + if(lp_lanman_auth() && (smb_pass->smb_passwd != NULL)) { + DEBUG(4,("smb_password_ok: Checking LM password\n")); + + if (smb_password_check((char *)lm_pass, (uchar *)smb_pass->smb_passwd, challenge)) { - DEBUG(4,("LM MD4 password check succeeded\n")); - return(True); + DEBUG(4,("smb_password_ok: LM password check succeeded\n")); + return(True); + } + DEBUG(4,("LM password check failed\n")); } - DEBUG(4,("LM MD4 password check failed\n")); - return False; } @@ -621,14 +621,14 @@ BOOL password_ok(char *user, char *password, int pwlen, struct passwd *pwd) */ if (ret) - return smb_pam_accountcheck(user); + return (smb_pam_accountcheck(user) == NT_STATUS_NOPROBLEMO); return ret; } - return pass_check(user, password, pwlen, pwd, + return (pass_check(user, password, pwlen, pwd, lp_update_encrypted() ? - update_smbpassword_file : NULL); + update_smbpassword_file : NULL)); } /**************************************************************************** diff --git a/source/smbd/session.c b/source/smbd/session.c index 3131fb9f542..40654c0f43c 100644 --- a/source/smbd/session.c +++ b/source/smbd/session.c 
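Review bot: When `lp_lanman_auth()` is false the new code falls through to `return False` without logging anything, so a login refused because LM authentication is disabled looks the same in the log as one with no stored hash. A line such as `if (!lp_lanman_auth()) DEBUG(4,("smb_password_ok: LM authentication disabled\n"));` before the final return would make the policy decision visible. The last message, `DEBUG(4,("LM password check failed\n"));`, also lacks the `smb_password_ok:` prefix the other messages in this hunk gained. `smb_password_ok` starts before the hunk, so any earlier check is not visible here.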
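Review bot: The new `smb_pam_accountcheck(user) == NT_STATUS_NOPROBLEMO` comparison collapses every non-success status into a plain False, so a user whose password was correct but whose account PAM refuses cannot be told apart from a wrong password at this level. Unless `smb_pam_accountcheck` logs the reason itself (not visible here), keep the status in a local and log it before returning, e.g. `DEBUG(2,("password_ok: PAM account check failed for user %s\n", user));`. The second change in this hunk only adds parentheses around the `pass_check` call. `password_ok` begins above the hunk.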
@@ -99,6 +99,13 @@ BOOL session_claim(uint16 vuid) sessionid.id_num = i; sessionid.pid = pid; + if (!smb_pam_claim_session(sessionid.username, sessionid.id_str, sessionid.hostname)) { + DEBUG(1,("pam_session rejected the session for %s [%s]\n", + sessionid.username, sessionid.id_str)); + tdb_delete(tdb, key); + return False; + } + dlen = tdb_pack(dbuf, sizeof(dbuf), "fffdd", sessionid.username, sessionid.hostname, sessionid.id_str, sessionid.id_num, sessionid.pid); @@ -110,15 +117,6 @@ BOOL session_claim(uint16 vuid) return False; } -#if WITH_PAM - if (!smb_pam_session(True, sessionid.username, sessionid.id_str, sessionid.hostname)) { - DEBUG(1,("smb_pam_session rejected the session for %s [%s]\n", - sessionid.username, sessionid.id_str)); - tdb_delete(tdb, key); - return False; - } -#endif - #if WITH_UTMP if (lp_utmp()) { sys_utmp_claim(sessionid.username, sessionid.hostname, @@ -169,9 +167,7 @@ void session_yield(uint16 vuid) } #endif -#if WITH_PAM - smb_pam_session(False, sessionid.username, sessionid.id_str, sessionid.hostname); -#endif + smb_pam_close_session(sessionid.username, sessionid.id_str, sessionid.hostname); tdb_delete(tdb, key); } |
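Review bot: `smb_pam_claim_session` now runs before the record is packed and stored, but the failure path after the store (the `return False;` visible as context at the top of the next hunk) does not close the PAM session that was just opened. If that path is the store failing, as it appears to be, add `smb_pam_close_session(sessionid.username, sessionid.id_str, sessionid.hostname);` before that `return False;` so every opened session is paired with a close. `session_claim` starts and ends outside this hunk.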
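Review bot: The `#if WITH_PAM` guard is dropped here and around the claim call in the first session.c hunk, so both PAM helpers are now called in every build. Builds without PAM therefore depend on stub versions defined elsewhere (not shown in this diff), and the `smb_pam_claim_session` stub must return True or `session_claim` will refuse every session. The result of `smb_pam_close_session` is also discarded in `session_yield`; if it can fail, a `DEBUG` line on failure would help spot sessions that PAM still considers open.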