Changes from APPLIANCE_HEAD:

[ira/wip.git] / source3 / passdb / pass_check.c
diff --git a/source3/passdb/pass_check.c b/source3/passdb/pass_check.c

index b5aa832f48be7ac966b8d6f645e5c3118926c10c..aea543d85391f0ac4e55e8d50494b1a36b96c8a4 100644 (file)
--- a/source3/passdb/pass_check.c
+++ b/source3/passdb/pass_check.c
@@ -27,43 +27,12 @@
  extern int DEBUGLEVEL;
  
  /* these are kept here to keep the string_combinations function simple */
  extern int DEBUGLEVEL;
  
  /* these are kept here to keep the string_combinations function simple */
-static char this_user[100]="";
-static char this_salt[100]="";
-static char this_crypted[100]="";
+static char this_user[100] = "";
+static char this_salt[100] = "";
+static char this_crypted[100] = "";
  
  
  
  
-/****************************************************************************
-update the enhanced security database. Only relevant for OSF1 at the moment.
-****************************************************************************/
-static void update_protected_database(char *user, BOOL result)
-{
-#ifdef OSF1_ENH_SEC
-       struct pr_passwd *mypasswd;
-       time_t starttime;
-
-       mypasswd = getprpwnam (user);
-       starttime = time (NULL);
-
-       if (result)  {
-               mypasswd->ufld.fd_slogin = starttime;
-               mypasswd->ufld.fd_nlogins = 0;
-      
-               putprpwnam(user,mypasswd);
-       } else {
-               mypasswd->ufld.fd_ulogin = starttime;
-               mypasswd->ufld.fd_nlogins = mypasswd->ufld.fd_nlogins + 1;
-               if (mypasswd->ufld.fd_max_tries != 0 && 
-                   mypasswd->ufld.fd_nlogins > mypasswd->ufld.fd_max_tries) {
-                       mypasswd->uflg.fg_lock = 0;
-                       DEBUG(3,("Account %s is disabled\n", user));
-               }
-               putprpwnam(user ,mypasswd);
-       }
-#endif
-}
-
-
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
  /*******************************************************************
  check on PAM authentication
  ********************************************************************/
  /*******************************************************************
  check on PAM authentication
  ********************************************************************/
@@ -80,122 +49,136 @@ static char *PAM_password;
   * Here we assume (for now, at least) that echo on means login name, and
   * echo off means password.
   */
   * Here we assume (for now, at least) that echo on means login name, and
   * echo off means password.
   */
-static int PAM_conv (int num_msg,
-                     const struct pam_message **msg,
-                     struct pam_response **resp,
-                     void *appdata_ptr) {
-  int replies = 0;
-  struct pam_response *reply = NULL;
-
-  #define COPY_STRING(s) (s) ? strdup(s) : NULL
-
-  reply = malloc(sizeof(struct pam_response) * num_msg);
-  if (!reply) return PAM_CONV_ERR;
-
-  for (replies = 0; replies < num_msg; replies++) {
-    switch (msg[replies]->msg_style) {
-      case PAM_PROMPT_ECHO_ON:
-        reply[replies].resp_retcode = PAM_SUCCESS;
-        reply[replies].resp = COPY_STRING(PAM_username);
-          /* PAM frees resp */
-        break;
-      case PAM_PROMPT_ECHO_OFF:
-        reply[replies].resp_retcode = PAM_SUCCESS;
-        reply[replies].resp = COPY_STRING(PAM_password);
-          /* PAM frees resp */
-        break;
-      case PAM_TEXT_INFO:
-       /* fall through */
-      case PAM_ERROR_MSG:
-        /* ignore it... */
-        reply[replies].resp_retcode = PAM_SUCCESS;
-        reply[replies].resp = NULL;
-        break;
-      default:
-        /* Must be an error of some sort... */
-        free (reply);
-        return PAM_CONV_ERR;
-    }
-  }
-  if (reply) *resp = reply;
-  return PAM_SUCCESS;
+static int PAM_conv(int num_msg,
+                   const struct pam_message **msg,
+                   struct pam_response **resp, void *appdata_ptr)
+{
+       int replies = 0;
+       struct pam_response *reply = NULL;
+
+#define COPY_STRING(s) (s) ? strdup(s) : NULL
+
+       reply = malloc(sizeof(struct pam_response) * num_msg);
+       if (!reply)
+               return PAM_CONV_ERR;
+
+       for (replies = 0; replies < num_msg; replies++)
+       {
+               switch (msg[replies]->msg_style)
+               {
+                       case PAM_PROMPT_ECHO_ON:
+                               reply[replies].resp_retcode = PAM_SUCCESS;
+                               reply[replies].resp =
+                                       COPY_STRING(PAM_username);
+                               /* PAM frees resp */
+                               break;
+                       case PAM_PROMPT_ECHO_OFF:
+                               reply[replies].resp_retcode = PAM_SUCCESS;
+                               reply[replies].resp =
+                                       COPY_STRING(PAM_password);
+                               /* PAM frees resp */
+                               break;
+                       case PAM_TEXT_INFO:
+                               /* fall through */
+                       case PAM_ERROR_MSG:
+                               /* ignore it... */
+                               reply[replies].resp_retcode = PAM_SUCCESS;
+                               reply[replies].resp = NULL;
+                               break;
+                       default:
+                               /* Must be an error of some sort... */
+                               free(reply);
+                               return PAM_CONV_ERR;
+               }
+       }
+       if (reply)
+               *resp = reply;
+       return PAM_SUCCESS;
  }
  static struct pam_conv PAM_conversation = {
  }
  static struct pam_conv PAM_conversation = {
-    &PAM_conv,
-    NULL
+       &PAM_conv,
+       NULL
  };
  
  
  };
  
  
-static BOOL pam_auth(char *this_user,char *password)
+static BOOL pam_auth(char *user, char *password)
  {
  {
-  pam_handle_t *pamh;
-  int pam_error;
-
-  /* Now use PAM to do authentication.  For now, we won't worry about
-   * session logging, only authentication.  Bail out if there are any
-   * errors.  Since this is a limited protocol, and an even more limited
-   * function within a server speaking this protocol, we can't be as
-   * verbose as would otherwise make sense.
-   * Query: should we be using PAM_SILENT to shut PAM up?
-   */
-  #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
+       pam_handle_t *pamh;
+       int pam_error;
+
+       /* Now use PAM to do authentication.  For now, we won't worry about
+        * session logging, only authentication.  Bail out if there are any
+        * errors.  Since this is a limited protocol, and an even more limited
+        * function within a server speaking this protocol, we can't be as
+        * verbose as would otherwise make sense.
+        * Query: should we be using PAM_SILENT to shut PAM up?
+        */
+#define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
       pam_end(pamh, 0); return False; \
     }
       pam_end(pamh, 0); return False; \
     }
-  PAM_password = password;
-  PAM_username = this_user;
-  pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh);
-  PAM_BAIL;
+       PAM_password = password;
+       PAM_username = user;
+       pam_error = pam_start("samba", user, &PAM_conversation, &pamh);
+       PAM_BAIL;
  /* Setting PAM_SILENT stops generation of error messages to syslog
   * to enable debugging on Red Hat Linux set:
   * /etc/pam.d/samba:
   *     auth required /lib/security/pam_pwdb.so nullok shadow audit
   * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
   */
  /* Setting PAM_SILENT stops generation of error messages to syslog
   * to enable debugging on Red Hat Linux set:
   * /etc/pam.d/samba:
   *     auth required /lib/security/pam_pwdb.so nullok shadow audit
   * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
   */
-  pam_error = pam_authenticate(pamh, PAM_SILENT);
-  PAM_BAIL;
-  /* It is not clear to me that account management is the right thing
-   * to do, but it is not clear that it isn't, either.  This can be
-   * removed if no account management should be done.  Alternately,
-   * put a pam_allow.so entry in /etc/pam.conf for account handling. */
-  pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
-  PAM_BAIL;
-  pam_end(pamh, PAM_SUCCESS);
-  /* If this point is reached, the user has been authenticated. */
-  return(True);
+       pam_error = pam_authenticate(pamh, PAM_SILENT);
+       PAM_BAIL;
+       /* It is not clear to me that account management is the right thing
+        * to do, but it is not clear that it isn't, either.  This can be
+        * removed if no account management should be done.  Alternately,
+        * put a pam_allow.so entry in /etc/pam.conf for account handling. */
+       pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
+       PAM_BAIL;
+       pam_end(pamh, PAM_SUCCESS);
+       /* If this point is reached, the user has been authenticated. */
+       return (True);
  }
  #endif
  
  
  #ifdef WITH_AFS
  }
  #endif
  
  
  #ifdef WITH_AFS
+
+#include <afs/stds.h>
+#include <afs/kautils.h>
+
  /*******************************************************************
  check on AFS authentication
  ********************************************************************/
  /*******************************************************************
  check on AFS authentication
  ********************************************************************/
-static BOOL afs_auth(char *this_user,char *password)
+static BOOL afs_auth(char *user, char *password)
  {
         long password_expires = 0;
         char *reason;
  {
         long password_expires = 0;
         char *reason;
-    
+
         /* For versions of AFS prior to 3.3, this routine has few arguments, */
         /* but since I can't find the old documentation... :-)               */
         setpag();
         /* For versions of AFS prior to 3.3, this routine has few arguments, */
         /* but since I can't find the old documentation... :-)               */
         setpag();
-       if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG,
-                                      this_user,
-                                      (char *) 0, /* instance */
-                                      (char *) 0, /* cell */
-                                      password,
-                                      0,          /* lifetime, default */
-                                      &password_expires, /*days 'til it expires */
-                                      0,          /* spare 2 */
-                                      &reason) == 0) {
-               return(True);
-       }
-       return(False);
+       if (ka_UserAuthenticateGeneral
+           (KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, user, (char *)0,       /* instance */
+            (char *)0,         /* cell */
+            password, 0,       /* lifetime, default */
+            &password_expires, /*days 'til it expires */
+            0,                 /* spare 2 */
+            &reason) == 0)
+       {
+               return (True);
+       }
+       DEBUG(1,
+             ("AFS authentication for \"%s\" failed (%s)\n", user, reason));
+       return (False);
  }
  #endif
  
  
  #ifdef WITH_DFS
  
  }
  #endif
  
  
  #ifdef WITH_DFS
  
+#include <dce/dce_error.h>
+#include <dce/sec_login.h>
+
  /*****************************************************************
   This new version of the DFS_AUTH code was donated by Karsten Muuss
   <muuss@or.uni-bonn.de>. It fixes the following problems with the
  /*****************************************************************
   This new version of the DFS_AUTH code was donated by Karsten Muuss
   <muuss@or.uni-bonn.de>. It fixes the following problems with the
@@ -215,7 +198,7 @@ int dcelogin_atmost_once = 0;
  /*******************************************************************
  check on a DCE/DFS authentication
  ********************************************************************/
  /*******************************************************************
  check on a DCE/DFS authentication
  ********************************************************************/
-static BOOL dfs_auth(char *this_user,char *password)
+static BOOL dfs_auth(char *user, char *password)
  {
         error_status_t err;
         int err2;
  {
         error_status_t err;
         int err2;
@@ -226,8 +209,10 @@ static BOOL dfs_auth(char *this_user,char *password)
         sec_passwd_rec_t passwd_rec;
         sec_login_auth_src_t auth_src = sec_login_auth_src_network;
         unsigned char dce_errstr[dce_c_error_string_len];
         sec_passwd_rec_t passwd_rec;
         sec_login_auth_src_t auth_src = sec_login_auth_src_network;
         unsigned char dce_errstr[dce_c_error_string_len];
+       gid_t egid;
  
  
-       if (dcelogin_atmost_once) return(False);
+       if (dcelogin_atmost_once)
+               return (False);
  
  #ifdef HAVE_CRYPT
         /*
  
  #ifdef HAVE_CRYPT
         /*
@@ -236,112 +221,125 @@ static BOOL dfs_auth(char *this_user,char *password)
          * Assumes local passwd file is kept in sync w/ DCE RGY!
          */
  
          * Assumes local passwd file is kept in sync w/ DCE RGY!
          */
  
-       if (strcmp((char *)crypt(password,this_salt),this_crypted)) {
-               return(False);
+       if (strcmp((char *)crypt(password, this_salt), this_crypted))
+       {
+               return (False);
         }
  #endif
  
         sec_login_get_current_context(&my_dce_sec_context, &err);
         }
  #endif
  
         sec_login_get_current_context(&my_dce_sec_context, &err);
-       if (err != error_status_ok ) {  
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE can't get current context. %s\n", dce_errstr));
+               DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
  
  
-               return(False);
+               return (False);
         }
  
         sec_login_certify_identity(my_dce_sec_context, &err);
         }
  
         sec_login_certify_identity(my_dce_sec_context, &err);
-       if (err != error_status_ok) {  
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE can't get current context. %s\n", dce_errstr));
-               
-               return(False);
+               DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
+
+               return (False);
         }
  
         sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
         }
  
         sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
-       if (err != error_status_ok) {
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr));
-               
-               return(False);
+               DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
+
+               return (False);
         }
         }
-  
+
         time(&current_time);
  
         time(&current_time);
  
-       if (expire_time < (current_time + 60)) {
-               struct passwd    *pw;
+       if (expire_time < (current_time + 60))
+       {
+               struct passwd *pw;
                 sec_passwd_rec_t *key;
                 sec_passwd_rec_t *key;
-  
-               sec_login_get_pwent(my_dce_sec_context, 
-                                   (sec_login_passwd_t*)&pw, &err);
-               if (err != error_status_ok ) {
+
+               sec_login_get_pwent(my_dce_sec_context,
+                                   (sec_login_passwd_t *) & pw, &err);
+               if (err != error_status_ok)
+               {
                         dce_error_inq_text(err, dce_errstr, &err2);
                         dce_error_inq_text(err, dce_errstr, &err2);
-                       DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-                       
-                       return(False);
+                       DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
+
+                       return (False);
                 }
                 }
-               
+
                 sec_login_refresh_identity(my_dce_sec_context, &err);
                 sec_login_refresh_identity(my_dce_sec_context, &err);
-               if (err != error_status_ok) { 
+               if (err != error_status_ok)
+               {
                         dce_error_inq_text(err, dce_errstr, &err2);
                         dce_error_inq_text(err, dce_errstr, &err2);
-                       DEBUG(0,("DCE can't refresh identity. %s\n", 
-                                dce_errstr));
-                       
-                       return(False);
+                       DEBUG(0, ("DCE can't refresh identity. %s\n",
+                                 dce_errstr));
+
+                       return (False);
                 }
                 }
-  
+
                 sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
                                      (unsigned char *)pw->pw_name,
                                      sec_c_key_version_none,
                 sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
                                      (unsigned char *)pw->pw_name,
                                      sec_c_key_version_none,
-                                    (void**)&key, &err);
-               if (err != error_status_ok) {
+                                    (void **)&key, &err);
+               if (err != error_status_ok)
+               {
                         dce_error_inq_text(err, dce_errstr, &err2);
                         dce_error_inq_text(err, dce_errstr, &err2);
-                       DEBUG(0,("DCE can't get key for %s. %s\n", 
-                                pw->pw_name, dce_errstr));
+                       DEBUG(0, ("DCE can't get key for %s. %s\n",
+                                 pw->pw_name, dce_errstr));
  
  
-                       return(False);
+                       return (False);
                 }
                 }
-  
+
                 sec_login_valid_and_cert_ident(my_dce_sec_context, key,
                 sec_login_valid_and_cert_ident(my_dce_sec_context, key,
-                                              &password_reset, &auth_src, 
+                                              &password_reset, &auth_src,
                                                &err);
                                                &err);
-               if (err != error_status_ok ) {
+               if (err != error_status_ok)
+               {
                         dce_error_inq_text(err, dce_errstr, &err2);
                         dce_error_inq_text(err, dce_errstr, &err2);
-                       DEBUG(0,("DCE can't validate and certify identity for %s. %s\n", 
-                                pw->pw_name, dce_errstr));
+                       DEBUG(0,
+                             ("DCE can't validate and certify identity for %s. %s\n",
+                              pw->pw_name, dce_errstr));
                 }
                 }
-  
+
                 sec_key_mgmt_free_key(key, &err);
                 sec_key_mgmt_free_key(key, &err);
-               if (err != error_status_ok ) {
+               if (err != error_status_ok)
+               {
                         dce_error_inq_text(err, dce_errstr, &err2);
                         dce_error_inq_text(err, dce_errstr, &err2);
-                       DEBUG(0,("DCE can't free key.\n", dce_errstr));
+                       DEBUG(0, ("DCE can't free key.\n", dce_errstr));
                 }
         }
  
                 }
         }
  
-       if (sec_login_setup_identity((unsigned char *)this_user,
+       if (sec_login_setup_identity((unsigned char *)user,
                                      sec_login_no_flags,
                                      sec_login_no_flags,
-                                    &my_dce_sec_context,
-                                    &err) == 0) {
+                                    &my_dce_sec_context, &err) == 0)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
-                        this_user,dce_errstr));
-               return(False);
+               DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
+                         user, dce_errstr));
+               return (False);
         }
  
         }
  
-       sec_login_get_pwent(my_dce_sec_context, 
-                           (sec_login_passwd_t*)&pw, &err);
-       if (err != error_status_ok) {
+       sec_login_get_pwent(my_dce_sec_context,
+                           (sec_login_passwd_t *) & pw, &err);
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-               
-               return(False);
+               DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
+
+               return (False);
         }
  
         sec_login_purge_context(&my_dce_sec_context, &err);
         }
  
         sec_login_purge_context(&my_dce_sec_context, &err);
-       if (err != error_status_ok) {
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE can't purge context. %s\n", dce_errstr));
+               DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr));
  
  
-               return(False);
+               return (False);
         }
  
         /*
         }
  
         /*
@@ -352,134 +350,117 @@ static BOOL dfs_auth(char *this_user,char *password)
          * this should be ok. I have added code to go
          * back to being root on error though. JRA.
          */
          * this should be ok. I have added code to go
          * back to being root on error though. JRA.
          */
-       
-       if (setregid(-1, pw->pw_gid) != 0) {
-               DEBUG(0,("Can't set egid to %d (%s)\n", 
-                        pw->pw_gid, strerror(errno)));
-               return False;
-       }
  
  
-       if (setreuid(-1, pw->pw_uid) != 0) {
-               setgid(0);
-               DEBUG(0,("Can't set euid to %d (%s)\n", 
-                        pw->pw_uid, strerror(errno)));
-               return False;
-       }
- 
-       if (sec_login_setup_identity((unsigned char *)this_user,
+       egid = getegid();
+
+       set_effective_gid(pw->pw_gid);
+       set_effective_uid(pw->pw_uid);
+
+       if (sec_login_setup_identity((unsigned char *)user,
                                      sec_login_no_flags,
                                      sec_login_no_flags,
-                                    &my_dce_sec_context,
-                                    &err) == 0) {
+                                    &my_dce_sec_context, &err) == 0)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
-                        this_user,dce_errstr));
-               return(False);
+               DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
+                         user, dce_errstr));
+               goto err;
         }
  
         }
  
-       sec_login_get_pwent(my_dce_sec_context, 
-                           (sec_login_passwd_t*)&pw, &err);
-       if (err != error_status_ok ) {
+       sec_login_get_pwent(my_dce_sec_context,
+                           (sec_login_passwd_t *) & pw, &err);
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-               
-               return(False);
+               DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
+               goto err;
         }
  
         passwd_rec.version_number = sec_passwd_c_version_none;
         passwd_rec.pepper = NULL;
         passwd_rec.key.key_type = sec_passwd_plain;
         }
  
         passwd_rec.version_number = sec_passwd_c_version_none;
         passwd_rec.pepper = NULL;
         passwd_rec.key.key_type = sec_passwd_plain;
-       passwd_rec.key.tagged_union.plain  = (idl_char *)password;
-       
+       passwd_rec.key.tagged_union.plain = (idl_char *) password;
+
         sec_login_validate_identity(my_dce_sec_context,
                                     &passwd_rec, &password_reset,
                                     &auth_src, &err);
         sec_login_validate_identity(my_dce_sec_context,
                                     &passwd_rec, &password_reset,
                                     &auth_src, &err);
-       if (err != error_status_ok ) { 
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
-                        this_user,dce_errstr));
-               
-               return(False);
+               DEBUG(0,
+                     ("DCE Identity Validation failed for principal %s: %s\n",
+                      user, dce_errstr));
+               goto err;
         }
  
         sec_login_certify_identity(my_dce_sec_context, &err);
         }
  
         sec_login_certify_identity(my_dce_sec_context, &err);
-       if (err != error_status_ok) { 
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr));
-               
-               return(False);
+               DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr));
+               goto err;
         }
  
         }
  
-       if (auth_src != sec_login_auth_src_network) { 
-               DEBUG(0,("DCE context has no network credentials.\n"));
+       if (auth_src != sec_login_auth_src_network)
+       {
+               DEBUG(0, ("DCE context has no network credentials.\n"));
         }
  
         sec_login_set_context(my_dce_sec_context, &err);
         }
  
         sec_login_set_context(my_dce_sec_context, &err);
-       if (err != error_status_ok) {  
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n",
-                        this_user,dce_errstr));
-               
+               DEBUG(0,
+                     ("DCE login failed for principal %s, cant set context: %s\n",
+                      user, dce_errstr));
+
                 sec_login_purge_context(&my_dce_sec_context, &err);
                 sec_login_purge_context(&my_dce_sec_context, &err);
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               return(False);
-       }
-       
-       sec_login_get_pwent(my_dce_sec_context, 
-                           (sec_login_passwd_t*)&pw, &err);
-       if (err != error_status_ok) {
+               goto err;
+       }
+
+       sec_login_get_pwent(my_dce_sec_context,
+                           (sec_login_passwd_t *) & pw, &err);
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               return(False);
-       }
-       
-       DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
-                this_user, getpid()));
-       
-       DEBUG(3,("DCE principal: %s\n"
-                "          uid: %d\n"
-                "          gid: %d\n",
-                pw->pw_name, pw->pw_uid, pw->pw_gid));
-       DEBUG(3,("         info: %s\n"
-                "          dir: %s\n"
-                "        shell: %s\n",
-                pw->pw_gecos, pw->pw_dir, pw->pw_shell));
-       
+               DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
+               goto err;
+       }
+
+       DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n",
+                 user, sys_getpid()));
+
+       DEBUG(3, ("DCE principal: %s\n"
+                 "          uid: %d\n"
+                 "          gid: %d\n",
+                 pw->pw_name, pw->pw_uid, pw->pw_gid));
+       DEBUG(3, ("         info: %s\n"
+                 "          dir: %s\n"
+                 "        shell: %s\n",
+                 pw->pw_gecos, pw->pw_dir, pw->pw_shell));
+
         sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
         sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
-       if (err != error_status_ok) {
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               /* Go back to root, JRA. */
-               setuid(0);
-               setgid(0);
-               DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr));
-               
-               return(False);
-       }
-       
-       setuid(0);
-       setgid(0);
-       
-       DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time))));
-       
+               DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
+               goto err;
+       }
+
+       set_effective_uid(0);
+       set_effective_gid(0);
+
+       DEBUG(0,
+             ("DCE context expires: %s", asctime(localtime(&expire_time))));
+
         dcelogin_atmost_once = 1;
         return (True);
         dcelogin_atmost_once = 1;
         return (True);
+
+      err:
+
+       /* Go back to root, JRA. */
+       set_effective_uid(0);
+       set_effective_gid(egid);
+       return (False);
  }
  
  void dfs_unlogin(void)
  }
  
  void dfs_unlogin(void)
@@ -487,33 +468,38 @@ void dfs_unlogin(void)
         error_status_t err;
         int err2;
         unsigned char dce_errstr[dce_c_error_string_len];
         error_status_t err;
         int err2;
         unsigned char dce_errstr[dce_c_error_string_len];
-       
+
         sec_login_purge_context(&my_dce_sec_context, &err);
         sec_login_purge_context(&my_dce_sec_context, &err);
-       if (err != error_status_ok) {  
+       if (err != error_status_ok)
+       {
                 dce_error_inq_text(err, dce_errstr, &err2);
                 dce_error_inq_text(err, dce_errstr, &err2);
-               DEBUG(0,("DCE purge login context failed for server instance %d: %s\n",
-                        getpid(), dce_errstr));
+               DEBUG(0,
+                     ("DCE purge login context failed for server instance %d: %s\n",
+                      sys_getpid(), dce_errstr));
         }
  }
  #endif
  
  #ifdef KRB5_AUTH
         }
  }
  #endif
  
  #ifdef KRB5_AUTH
+
+#include <krb5.h>
+
  /*******************************************************************
  check on Kerberos authentication
  ********************************************************************/
  /*******************************************************************
  check on Kerberos authentication
  ********************************************************************/
-static BOOL krb5_auth(char *this_user,char *password)
+static BOOL krb5_auth(char *user, char *password)
  {
         krb5_data tgtname = {
                 0,
                 KRB5_TGS_NAME_SIZE,
  {
         krb5_data tgtname = {
                 0,
                 KRB5_TGS_NAME_SIZE,
-               KRB5_TGS_NAME
-       };
+               KRB5_TGS_NAME
+       };
         krb5_context kcontext;
         krb5_principal kprinc;
         krb5_principal server;
         krb5_creds kcreds;
         int options = 0;
         krb5_context kcontext;
         krb5_principal kprinc;
         krb5_principal server;
         krb5_creds kcreds;
         int options = 0;
-       krb5_address **addrs = (krb5_address **)0;
+       krb5_address **addrs = (krb5_address **) 0;
         krb5_preauthtype *preauth = NULL;
         krb5_keytab keytab = NULL;
         krb5_timestamp now;
         krb5_preauthtype *preauth = NULL;
         krb5_keytab keytab = NULL;
         krb5_timestamp now;
@@ -521,35 +507,45 @@ static BOOL krb5_auth(char *this_user,char *password)
         int retval;
         char *name;
  
         int retval;
         char *name;
  
-       if (retval=krb5_init_context(&kcontext)) {
-               return(False);
+       if (retval = krb5_init_context(&kcontext))
+       {
+               return (False);
         }
  
         }
  
-       if (retval = krb5_timeofday(kcontext, &now)) {
-               return(False);
+       if (retval = krb5_timeofday(kcontext, &now))
+       {
+               return (False);
         }
  
         }
  
-       if (retval = krb5_cc_default(kcontext, &ccache)) {
-               return(False);
+       if (retval = krb5_cc_default(kcontext, &ccache))
+       {
+               return (False);
         }
         }
-       
-       if (retval = krb5_parse_name(kcontext, this_user, &kprinc)) {
-               return(False);
+
+       if (retval = krb5_parse_name(kcontext, user, &kprinc))
+       {
+               return (False);
         }
  
         }
  
-       memset((char *)&kcreds, 0, sizeof(kcreds));
+       ZERO_STRUCT(kcreds);
  
         kcreds.client = kprinc;
  
         kcreds.client = kprinc;
-       
+
         if ((retval = krb5_build_principal_ext(kcontext, &server,
         if ((retval = krb5_build_principal_ext(kcontext, &server,
-               krb5_princ_realm(kcontext, kprinc)->length,
-               krb5_princ_realm(kcontext, kprinc)->data,
-               tgtname.length,
-               tgtname.data,
-               krb5_princ_realm(kcontext, kprinc)->length,
-               krb5_princ_realm(kcontext, kprinc)->data,
-               0))) {
-               return(False);
+                                              krb5_princ_realm(kcontext,
+                                                               kprinc)->
+                                              length,
+                                              krb5_princ_realm(kcontext,
+                                                               kprinc)->data,
+                                              tgtname.length, tgtname.data,
+                                              krb5_princ_realm(kcontext,
+                                                               kprinc)->
+                                              length,
+                                              krb5_princ_realm(kcontext,
+                                                               kprinc)->data,
+                                              0)))
+       {
+               return (False);
         }
  
         kcreds.server = server;
         }
  
         kcreds.server = server;
@@ -559,39 +555,39 @@ static BOOL krb5_auth(char *this_user,char *password)
                                                addrs,
                                                NULL,
                                                preauth,
                                                addrs,
                                                NULL,
                                                preauth,
-                                              password,
-                                              0,
-                                              &kcreds,
-                                              0);
+                                              password, 0, &kcreds, 0);
  
  
-       if (retval) {
-               return(False);
+       if (retval)
+       {
+               return (False);
         }
  
         }
  
-       return(True);
+       return (True);
  }
  #endif /* KRB5_AUTH */
  
  #ifdef KRB4_AUTH
  }
  #endif /* KRB5_AUTH */
  
  #ifdef KRB4_AUTH
+#include <krb.h>
+
  /*******************************************************************
  check on Kerberos authentication
  ********************************************************************/
  /*******************************************************************
  check on Kerberos authentication
  ********************************************************************/
-static BOOL krb4_auth(char *this_user,char *password)
+static BOOL krb4_auth(char *user, char *password)
  {
         char realm[REALM_SZ];
         char tkfile[MAXPATHLEN];
  {
         char realm[REALM_SZ];
         char tkfile[MAXPATHLEN];
-  
-       if (krb_get_lrealm(realm, 1) != KSUCCESS) {
-               (void) safe_strcpy(realm, KRB_REALM, sizeof (realm) - 1);
+
+       if (krb_get_lrealm(realm, 1) != KSUCCESS)
+       {
+               (void)safe_strcpy(realm, KRB_REALM, sizeof(realm) - 1);
         }
  
         }
  
-       (void) slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d", 
-                       getpid());
-  
+       (void)slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d",
+                      (int)sys_getpid());
+
         krb_set_tkt_string(tkfile);
         krb_set_tkt_string(tkfile);
-       if (krb_verify_user(this_user, "", realm,
-                           password, 0,
-                           "rmcd") == KSUCCESS) {
+       if (krb_verify_user(user, "", realm, password, 0, "rmcd") == KSUCCESS)
+       {
                 unlink(tkfile);
                 return 1;
         }
                 unlink(tkfile);
                 return 1;
         }
@@ -604,24 +600,25 @@ static BOOL krb4_auth(char *this_user,char *password)
  /****************************************************************************
  an enhanced crypt for Linux to handle password longer than 8 characters
  ****************************************************************************/
  /****************************************************************************
  an enhanced crypt for Linux to handle password longer than 8 characters
  ****************************************************************************/
-static int linux_bigcrypt(char *password,char *salt1, char *crypted)
+static int linux_bigcrypt(char *password, char *salt1, char *crypted)
  {
  #define LINUX_PASSWORD_SEG_CHARS 8
         char salt[3];
         int i;
  {
  #define LINUX_PASSWORD_SEG_CHARS 8
         char salt[3];
         int i;
-  
-       StrnCpy(salt,salt1,2);
-       crypted +=2;
-  
-       for ( i=strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) {
-               char * p = crypt(password,salt) + 2;
+
+       StrnCpy(salt, salt1, 2);
+       crypted += 2;
+
+       for (i = strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS)
+       {
+               char *p = crypt(password, salt) + 2;
                 if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0)
                 if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0)
-                       return(0);
+                       return (0);
                 password += LINUX_PASSWORD_SEG_CHARS;
                 password += LINUX_PASSWORD_SEG_CHARS;
-               crypted  += strlen(p);
+               crypted += strlen(p);
         }
         }
-  
-       return(1);
+
+       return (1);
  }
  #endif
  
  }
  #endif
  
@@ -629,29 +626,33 @@ static int linux_bigcrypt(char *password,char *salt1, char *crypted)
  /****************************************************************************
  an enhanced crypt for OSF1
  ****************************************************************************/
  /****************************************************************************
  an enhanced crypt for OSF1
  ****************************************************************************/
-static char *osf1_bigcrypt(char *password,char *salt1)
+static char *osf1_bigcrypt(char *password, char *salt1)
  {
         static char result[AUTH_MAX_PASSWD_LENGTH] = "";
         char *p1;
  {
         static char result[AUTH_MAX_PASSWD_LENGTH] = "";
         char *p1;
-       char *p2=password;
+       char *p2 = password;
         char salt[3];
         int i;
         int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS;
         char salt[3];
         int i;
         int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS;
-       if (strlen(password)%AUTH_CLEARTEXT_SEG_CHARS) {
+       if (strlen(password) % AUTH_CLEARTEXT_SEG_CHARS)
+       {
                 parts++;
         }
                 parts++;
         }
-       
-       StrnCpy(salt,salt1,2);
-       StrnCpy(result,salt1,2);
  
  
-       for (i=0; i<parts;i++) {
-               p1 = crypt(p2,salt);
-               strncat(result,p1+2,AUTH_MAX_PASSWD_LENGTH-strlen(p1+2)-1);
-               StrnCpy(salt,&result[2+i*AUTH_CIPHERTEXT_SEG_CHARS],2);
+       StrnCpy(salt, salt1, 2);
+       StrnCpy(result, salt1, 2);
+       result[2] = '\0';
+
+       for (i = 0; i < parts; i++)
+       {
+               p1 = crypt(p2, salt);
+               strncat(result, p1 + 2,
+                       AUTH_MAX_PASSWD_LENGTH - strlen(p1 + 2) - 1);
+               StrnCpy(salt, &result[2 + i * AUTH_CIPHERTEXT_SEG_CHARS], 2);
                 p2 += AUTH_CLEARTEXT_SEG_CHARS;
         }
  
                 p2 += AUTH_CLEARTEXT_SEG_CHARS;
         }
  
-       return(result);
+       return (result);
  }
  #endif
  
  }
  #endif
  
@@ -663,28 +664,32 @@ try all combinations with N uppercase letters.
  offset is the first char to try and change (start with 0)
  it assumes the string starts lowercased
  ****************************************************************************/
  offset is the first char to try and change (start with 0)
  it assumes the string starts lowercased
  ****************************************************************************/
-static BOOL string_combinations2(char *s,int offset,BOOL (*fn)(char *),int N)
+static BOOL string_combinations2(char *s, int offset, BOOL (*fn) (char *),
+                                int N)
  {
         int len = strlen(s);
         int i;
  
  #ifdef PASSWORD_LENGTH
  {
         int len = strlen(s);
         int i;
  
  #ifdef PASSWORD_LENGTH
-       len = MIN(len,PASSWORD_LENGTH);
+       len = MIN(len, PASSWORD_LENGTH);
  #endif
  
  #endif
  
-       if (N <= 0 || offset >= len) {
-               return(fn(s));
+       if (N <= 0 || offset >= len)
+       {
+               return (fn(s));
         }
  
         }
  
-       for (i=offset;i<(len-(N-1));i++) {      
+       for (i = offset; i < (len - (N - 1)); i++)
+       {
                 char c = s[i];
                 char c = s[i];
-               if (!islower(c)) continue;
+               if (!islower(c))
+                       continue;
                 s[i] = toupper(c);
                 s[i] = toupper(c);
-               if (string_combinations2(s,i+1,fn,N-1))
-                       return(True);
+               if (string_combinations2(s, i + 1, fn, N - 1))
+                       return (True);
                 s[i] = c;
         }
                 s[i] = c;
         }
-       return(False);
+       return (False);
  }
  
  /****************************************************************************
  }
  
  /****************************************************************************
@@ -694,12 +699,13 @@ try all combinations with up to N uppercase letters.
  offset is the first char to try and change (start with 0)
  it assumes the string starts lowercased
  ****************************************************************************/
  offset is the first char to try and change (start with 0)
  it assumes the string starts lowercased
  ****************************************************************************/
-static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N)
+static BOOL string_combinations(char *s, BOOL (*fn) (char *), int N)
  {
         int n;
  {
         int n;
-       for (n=1;n<=N;n++)
-               if (string_combinations2(s,0,fn,n)) return(True);
-       return(False);
+       for (n = 1; n <= N; n++)
+               if (string_combinations2(s, 0, fn, n))
+                       return (True);
+       return (False);
  }
  
  
  }
  
  
@@ -709,64 +715,96 @@ core of password checking routine
  static BOOL password_check(char *password)
  {
  
  static BOOL password_check(char *password)
  {
  
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
         /* This falls through if the password check fails
            - if HAVE_CRYPT is not defined this causes an error msg
            saying Warning - no crypt available
            - if HAVE_CRYPT is defined this is a potential security hole
            as it may authenticate via the crypt call when PAM
            settings say it should fail.
         /* This falls through if the password check fails
            - if HAVE_CRYPT is not defined this causes an error msg
            saying Warning - no crypt available
            - if HAVE_CRYPT is defined this is a potential security hole
            as it may authenticate via the crypt call when PAM
            settings say it should fail.
-          if (pam_auth(this_user,password)) return(True);
+          if (pam_auth(user,password)) return(True);
            Hence we make a direct return to avoid a second chance!!!
            Hence we make a direct return to avoid a second chance!!!
-       */
-       return (pam_auth(this_user,password));
-#endif
-       
+        */
+       return (pam_auth(this_user, password));
+#endif /* WITH_PAM */
+
  #ifdef WITH_AFS
  #ifdef WITH_AFS
-       if (afs_auth(this_user,password)) return(True);
-#endif
-       
+       if (afs_auth(this_user, password))
+               return (True);
+#endif /* WITH_AFS */
+
  #ifdef WITH_DFS
  #ifdef WITH_DFS
-       if (dfs_auth(this_user,password)) return(True);
-#endif 
+       if (dfs_auth(this_user, password))
+               return (True);
+#endif /* WITH_DFS */
  
  #ifdef KRB5_AUTH
  
  #ifdef KRB5_AUTH
-       if (krb5_auth(this_user,password)) return(True);
-#endif
+       if (krb5_auth(this_user, password))
+               return (True);
+#endif /* KRB5_AUTH */
  
  #ifdef KRB4_AUTH
  
  #ifdef KRB4_AUTH
-       if (krb4_auth(this_user,password)) return(True);
-#endif
+       if (krb4_auth(this_user, password))
+               return (True);
+#endif /* KRB4_AUTH */
  
  #ifdef OSF1_ENH_SEC
         {
  
  #ifdef OSF1_ENH_SEC
         {
-         BOOL ret = (strcmp(osf1_bigcrypt(password,this_salt),this_crypted) == 0);
-         if(!ret) {
-                 DEBUG(2,("OSF1_ENH_SEC failed. Trying normal crypt.\n"));
-                 ret = (strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
-         }
-         return ret;
+               BOOL ret =
+                       (strcmp
+                        (osf1_bigcrypt(password, this_salt),
+                         this_crypted) == 0);
+               if (!ret)
+               {
+                       DEBUG(2,
+                             ("OSF1_ENH_SEC failed. Trying normal crypt.\n"));
+                       ret =
+                               (strcmp
+                              ((char *)crypt(password, this_salt),
+                               this_crypted) == 0);
+               }
+               return ret;
         }
         }
-#endif
+#endif /* OSF1_ENH_SEC */
  
  #ifdef ULTRIX_AUTH
  
  #ifdef ULTRIX_AUTH
-       return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0);
-#endif
+       return (strcmp((char *)crypt16(password, this_salt), this_crypted) ==
+               0);
+#endif /* ULTRIX_AUTH */
  
  #ifdef LINUX_BIGCRYPT
  
  #ifdef LINUX_BIGCRYPT
-       return(linux_bigcrypt(password,this_salt,this_crypted));
-#endif
+       return (linux_bigcrypt(password, this_salt, this_crypted));
+#endif /* LINUX_BIGCRYPT */
+
+#if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS)
+
+       /*
+        * Some systems have bigcrypt in the C library but might not
+        * actually use it for the password hashes (HPUX 10.20) is
+        * a noteable example. So we try bigcrypt first, followed
+        * by crypt.
+        */
+
+       if (strcmp(bigcrypt(password, this_salt), this_crypted) == 0)
+               return True;
+       else
+               return (strcmp
+                       ((char *)crypt(password, this_salt),
+                        this_crypted) == 0);
+#else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
  
  #ifdef HAVE_BIGCRYPT
  
  #ifdef HAVE_BIGCRYPT
-       return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0);
-#endif
+       return (strcmp(bigcrypt(password, this_salt), this_crypted) == 0);
+#endif /* HAVE_BIGCRYPT */
  
  #ifndef HAVE_CRYPT
  
  #ifndef HAVE_CRYPT
-       DEBUG(1,("Warning - no crypt available\n"));
-       return(False);
-#else
-       return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
-#endif
+       DEBUG(1, ("Warning - no crypt available\n"));
+       return (False);
+#else /* HAVE_CRYPT */
+       return (strcmp((char *)crypt(password, this_salt), this_crypted) ==
+               0);
+#endif /* HAVE_CRYPT */
+#endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
  }
  
  
  }
  
  
@@ -777,40 +815,47 @@ the function pointer fn() points to a function to call when a successful
  match is found and is used to update the encrypted password file 
  return True on correct match, False otherwise
  ****************************************************************************/
  match is found and is used to update the encrypted password file 
  return True on correct match, False otherwise
  ****************************************************************************/
-BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
-               BOOL (*fn)(char *, char *))
+BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd,
+               BOOL (*fn) (char *, char *))
  {
         pstring pass2;
         int level = lp_passwordlevel();
         struct passwd *pass;
  
  {
         pstring pass2;
         int level = lp_passwordlevel();
         struct passwd *pass;
  
-       if (password) password[pwlen] = 0;
+       if (password)
+               password[pwlen] = 0;
  
  #if DEBUG_PASSWORD
  
  #if DEBUG_PASSWORD
-       DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password));
+       DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password));
  #endif
  
  #endif
  
-       if (!password) {
-               return(False);
+       if (!password)
+       {
+               return (False);
         }
  
         }
  
-       if (((!*password) || (!pwlen)) && !lp_null_passwords()) {
-               return(False);
+       if (((!*password) || (!pwlen)) && !lp_null_passwords())
+       {
+               return (False);
         }
  
         }
  
-       if (pwd && !user) {
-               pass = (struct passwd *) pwd;
+       if (pwd && !user)
+       {
+               pass = (struct passwd *)pwd;
                 user = pass->pw_name;
                 user = pass->pw_name;
-       } else {
-               pass = Get_Pwnam(user,True);
+       }
+       else
+       {
+               pass = Get_Pwnam(user, True);
         }
  
  
         }
  
  
-       DEBUG(4,("Checking password for user %s (l=%d)\n",user,pwlen));
+       DEBUG(4, ("Checking password for user %s (l=%d)\n", user, pwlen));
  
  
-       if (!pass) {
-               DEBUG(3,("Couldn't find user %s\n",user));
-               return(False);
+       if (!pass)
+       {
+               DEBUG(3, ("Couldn't find user %s\n", user));
+               return (False);
         }
  
  #ifdef HAVE_GETSPNAM
         }
  
  #ifdef HAVE_GETSPNAM
@@ -823,8 +868,9 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
                    perhaps for IPC password changing requests */
  
                 spass = getspnam(pass->pw_name);
                    perhaps for IPC password changing requests */
  
                 spass = getspnam(pass->pw_name);
-               if (spass && spass->sp_pwdp) {
-                       pass->pw_passwd = spass->sp_pwdp;
+               if (spass && spass->sp_pwdp)
+               {
+                       pstrcpy(pass->pw_passwd, spass->sp_pwdp);
                 }
         }
  #elif defined(IA_UINFO)
                 }
         }
  #elif defined(IA_UINFO)
@@ -834,7 +880,8 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
                    UnixWare 2.x, tested on version
                    2.1. (tangent@cyberport.com) */
                 uinfo_t uinfo;
                    UnixWare 2.x, tested on version
                    2.1. (tangent@cyberport.com) */
                 uinfo_t uinfo;
-               if (ia_openinfo(pass->pw_name, &uinfo) != -1) {
+               if (ia_openinfo(pass->pw_name, &uinfo) != -1)
+               {
                         ia_get_logpwd(uinfo, &(pass->pw_passwd));
                 }
         }
                         ia_get_logpwd(uinfo, &(pass->pw_passwd));
                 }
         }
@@ -844,23 +891,26 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
         {
                 struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
                 if (pr_pw && pr_pw->ufld.fd_encrypt)
         {
                 struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
                 if (pr_pw && pr_pw->ufld.fd_encrypt)
-                       pass->pw_passwd = pr_pw->ufld.fd_encrypt;
+                       pstrcpy(pass->pw_passwd, pr_pw->ufld.fd_encrypt);
         }
  #endif
  
  #ifdef OSF1_ENH_SEC
         {
                 struct pr_passwd *mypasswd;
         }
  #endif
  
  #ifdef OSF1_ENH_SEC
         {
                 struct pr_passwd *mypasswd;
-               DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n",
-                        user));
-               mypasswd = getprpwnam (user);
-               if (mypasswd) { 
-                       fstrcpy(pass->pw_name,mypasswd->ufld.fd_name);
-                       fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt);
-               } else {
-                       DEBUG(5,("No entry for user %s in protected database !\n",
-                                user));
-                       return(False);
+               DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n",
+                         user));
+               mypasswd = getprpwnam(user);
+               if (mypasswd)
+               {
+                       fstrcpy(pass->pw_name, mypasswd->ufld.fd_name);
+                       fstrcpy(pass->pw_passwd, mypasswd->ufld.fd_encrypt);
+               }
+               else
+               {
+                       DEBUG(5,
+                             ("OSF1_ENH_SEC: No entry for user %s in protected database !\n",
+                              user));
                 }
         }
  #endif
                 }
         }
  #endif
@@ -868,7 +918,8 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
  #ifdef ULTRIX_AUTH
         {
                 AUTHORIZATION *ap = getauthuid(pass->pw_uid);
  #ifdef ULTRIX_AUTH
         {
                 AUTHORIZATION *ap = getauthuid(pass->pw_uid);
-               if (ap) {
+               if (ap)
+               {
                         fstrcpy(pass->pw_passwd, ap->a_password);
                         endauthent();
                 }
                         fstrcpy(pass->pw_passwd, ap->a_password);
                         endauthent();
                 }
@@ -876,75 +927,84 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
  #endif
  
         /* extract relevant info */
  #endif
  
         /* extract relevant info */
-       fstrcpy(this_user,pass->pw_name);  
-       fstrcpy(this_salt,pass->pw_passwd);
+       fstrcpy(this_user, pass->pw_name);
+       fstrcpy(this_salt, pass->pw_passwd);
+
+#if defined(HAVE_TRUNCATED_SALT)
         /* crypt on some platforms (HPUX in particular)
            won't work with more than 2 salt characters. */
         this_salt[2] = 0;
         /* crypt on some platforms (HPUX in particular)
            won't work with more than 2 salt characters. */
         this_salt[2] = 0;
-       
-       fstrcpy(this_crypted,pass->pw_passwd);
-       
-       if (!*this_crypted) {
-               if (!lp_null_passwords()) {
-                       DEBUG(2,("Disallowing %s with null password\n",
-                                this_user));
-                       return(False);
+#endif
+
+       fstrcpy(this_crypted, pass->pw_passwd);
+
+       if (!*this_crypted)
+       {
+               if (!lp_null_passwords())
+               {
+                       DEBUG(2, ("Disallowing %s with null password\n",
+                                 this_user));
+                       return (False);
                 }
                 }
-               if (!*password) {
-                       DEBUG(3,("Allowing access to %s with null password\n",
-                                this_user));
-                       return(True);
+               if (!*password)
+               {
+                       DEBUG(3,
+                             ("Allowing access to %s with null password\n",
+                              this_user));
+                       return (True);
                 }
         }
  
         /* try it as it came to us */
                 }
         }
  
         /* try it as it came to us */
-       if (password_check(password)) {
-               update_protected_database(user,True);
-               if (fn) fn(user,password);
-               return(True);
+       if (password_check(password))
+       {
+               if (fn)
+                       fn(user, password);
+               return (True);
         }
  
         /* if the password was given to us with mixed case then we don't
            need to proceed as we know it hasn't been case modified by the
            client */
         }
  
         /* if the password was given to us with mixed case then we don't
            need to proceed as we know it hasn't been case modified by the
            client */
-       if (strhasupper(password) && strhaslower(password)) {
-               return(False);
+       if (strhasupper(password) && strhaslower(password))
+       {
+               return (False);
         }
  
         /* make a copy of it */
         }
  
         /* make a copy of it */
-       StrnCpy(pass2,password,sizeof(pstring)-1);
-  
+       StrnCpy(pass2, password, sizeof(pstring) - 1);
+
         /* try all lowercase */
         strlower(password);
         /* try all lowercase */
         strlower(password);
-       if (password_check(password)) {
-               update_protected_database(user,True);
-               if (fn) fn(user,password);
-               return(True);
+       if (password_check(password))
+       {
+               if (fn)
+                       fn(user, password);
+               return (True);
         }
  
         /* give up? */
         }
  
         /* give up? */
-       if (level < 1) {
-               update_protected_database(user,False);
+       if (level < 1)
+       {
  
                 /* restore it */
  
                 /* restore it */
-               fstrcpy(password,pass2);
-               
-               return(False);
+               fstrcpy(password, pass2);
+
+               return (False);
         }
  
         /* last chance - all combinations of up to level chars upper! */
         strlower(password);
  
         }
  
         /* last chance - all combinations of up to level chars upper! */
         strlower(password);
  
-       if (string_combinations(password,password_check,level)) {
-               update_protected_database(user,True);
-               if (fn) fn(user,password);
-               return(True);
+       if (string_combinations(password, password_check, level))
+       {
+               if (fn)
+                       fn(user, password);
+               return (True);
         }
  
         }
  
-       update_protected_database(user,False);
-  
         /* restore it */
         /* restore it */
-       fstrcpy(password,pass2);
-  
-       return(False);
+       fstrcpy(password, pass2);
+
+       return (False);
  }
  }