patch from Steve Langasek <vorlon@netexpress.net> to make sure we
authorJeremy Allison <jra@samba.org>
Wed, 18 Apr 2001 04:34:42 +0000 (04:34 +0000)
committerJeremy Allison <jra@samba.org>
Wed, 18 Apr 2001 04:34:42 +0000 (04:34 +0000)
don't use pam_setcred() if we haven't called pam_authenticate()
Merge from 2.2
Jeremy.
(This used to be commit 89589895e3adce75ecd6205547392326cf291543)

source3/auth/pampass.c
source3/passdb/pampass.c

index 08f6027a880f1900b493f486caff6d06acba9c6e..271c46045bce5c0875b96ddf1bff4c6d352c5631 100644 (file)
@@ -61,8 +61,6 @@ static char *PAM_password;
 static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
 {
 
-       int retval;
-
                if( pam_error != PAM_SUCCESS)
        {
                DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error)));
@@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password)
 /* 
  * PAM Account Handler
  */
-static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
+static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth)
 {
        int pam_error;
 
@@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
                return False;
        }
 
+       /* Skip the pam_setcred() call if we didn't use pam_authenticate()
+          for authentication -- it's an error to call pam_setcred without
+          calling pam_authenticate first */
+       if (!pam_auth) {
+               DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user));
+               return True;
+       }
+
        /*
         * This will allow samba to aquire a kerberos token. And, when
         * exporting an AFS cell, be able to /write/ to this cell.
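Review bot: In `if (!pam_auth)` the identifier is the new BOOL parameter, which shadows the file's static function pam_auth() (named in the preceding hunk's header), so the test reads as though it checked the function itself, and pam_auth() can no longer be called from inside pam_account(). Renaming the parameter in the signature and here, e.g. `BOOL did_authenticate` and `if (!did_authenticate) {`, keeps this authentication path unambiguous for later readers. The same applies to the identical second copy of this diff further down the page. pam_account()'s body starts and ends outside this hunk.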
@@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user)
 
        if( proc_pam_start(&pamh, user))
        {
-                       if ( pam_account(pamh, user, NULL))
+                       if ( pam_account(pamh, user, NULL, False))
                        {
                                return( proc_pam_end(pamh));
                        }
@@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password)
        {
                if ( pam_auth(pamh, user, password))
                {
-                       if ( pam_account(pamh, user, password))
+                       if ( pam_account(pamh, user, password, True))
                        {
                                return( proc_pam_end(pamh));
                        }
index 08f6027a880f1900b493f486caff6d06acba9c6e..271c46045bce5c0875b96ddf1bff4c6d352c5631 100644 (file)
@@ -61,8 +61,6 @@ static char *PAM_password;
 static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
 {
 
-       int retval;
-
                if( pam_error != PAM_SUCCESS)
        {
                DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error)));
@@ -241,7 +239,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password)
 /* 
  * PAM Account Handler
  */
-static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
+static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL pam_auth)
 {
        int pam_error;
 
@@ -274,6 +272,14 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password)
                return False;
        }
 
+       /* Skip the pam_setcred() call if we didn't use pam_authenticate()
+          for authentication -- it's an error to call pam_setcred without
+          calling pam_authenticate first */
+       if (!pam_auth) {
+               DEBUG(4, ("PAM: Skipping setcred for user: %s (using encrypted passwords)\n", user));
+               return True;
+       }
+
        /*
         * This will allow samba to aquire a kerberos token. And, when
         * exporting an AFS cell, be able to /write/ to this cell.
@@ -375,7 +381,7 @@ BOOL pam_accountcheck(char * user)
 
        if( proc_pam_start(&pamh, user))
        {
-                       if ( pam_account(pamh, user, NULL))
+                       if ( pam_account(pamh, user, NULL, False))
                        {
                                return( proc_pam_end(pamh));
                        }
@@ -398,7 +404,7 @@ BOOL pam_passcheck(char * user, char * password)
        {
                if ( pam_auth(pamh, user, password))
                {
-                       if ( pam_account(pamh, user, password))
+                       if ( pam_account(pamh, user, password, True))
                        {
                                return( proc_pam_end(pamh));
                        }