r20116: Start merging in the work done to create the new idmap subsystem.

[tprouty/samba.git] / source / auth / auth_unix.c

diff --git a/source/auth/auth_unix.c b/source/auth/auth_unix.c
index 392178f77c147e8ae2f8d7ba8392d435e3ff935e..837c9323654cc2158531eed4f13d9ff3bf3920ea 100644 (file)
--- a/source/auth/auth_unix.c
+++ b/source/auth/auth_unix.c
@@ -30,10 +30,12 @@
  **/
 static BOOL update_smbpassword_file(const char *user, const char *password)
 {
-       SAM_ACCOUNT     *sampass = NULL;
+       struct samu     *sampass;
        BOOL            ret;
        
-       pdb_init_sam(&sampass);
+       if ( !(sampass = samu_new( NULL )) ) {
+               return False;
+       }
        
        become_root();
        ret = pdb_getsampwnam(sampass, user);
@@ -41,7 +43,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password)
 
        if(ret == False) {
                DEBUG(0,("pdb_getsampwnam returned NULL\n"));
-               pdb_free_sam(&sampass);
+               TALLOC_FREE(sampass);
                return False;
        }
 
@@ -50,19 +52,19 @@ static BOOL update_smbpassword_file(const char *user, const char *password)
         * users password from a login.
         */
        if (!pdb_set_acct_ctrl(sampass, pdb_get_acct_ctrl(sampass) & ~ACB_DISABLED, PDB_CHANGED)) {
-               pdb_free_sam(&sampass);
+               TALLOC_FREE(sampass);
                return False;
        }
 
        if (!pdb_set_plaintext_passwd (sampass, password)) {
-               pdb_free_sam(&sampass);
+               TALLOC_FREE(sampass);
                return False;
        }
 
        /* Now write it into the file. */
        become_root();
 
-       ret = pdb_update_sam_account (sampass);
+       ret = NT_STATUS_IS_OK(pdb_update_sam_account (sampass));
 
        unbecome_root();
 
@@ -70,7 +72,7 @@ static BOOL update_smbpassword_file(const char *user, const char *password)
                DEBUG(3,("pdb_update_sam_account returned %d\n",ret));
        }
 
-       pdb_free_sam(&sampass);
+       TALLOC_FREE(sampass);
        return ret;
 }
 
@@ -91,13 +93,13 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
        struct passwd *pass = NULL;
 
        become_root();
-       pass = Get_Pwnam(user_info->internal_username.str);
+       pass = Get_Pwnam(user_info->internal_username);
 
        
        /** @todo This call assumes a ASCII password, no charset transformation is 
            done.  We may need to revisit this **/
        nt_status = pass_check(pass,
-                               pass ? pass->pw_name : user_info->internal_username.str, 
+                               pass ? pass->pw_name : user_info->internal_username, 
                                (char *)user_info->plaintext_password.data,
                                user_info->plaintext_password.length-1,
                                lp_update_encrypted() ? 
@@ -108,7 +110,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 
        if (NT_STATUS_IS_OK(nt_status)) {
                if (pass) {
-                       make_server_info_pw(server_info, pass);
+                       /* if a real user check pam account restrictions */
+                       /* only really perfomed if "obey pam restriction" is true */
+                       nt_status = smb_pam_accountcheck(pass->pw_name);
+                       if (  !NT_STATUS_IS_OK(nt_status)) {
+                               DEBUG(1, ("PAM account restriction prevents user login\n"));
+                       } else {
+                               make_server_info_pw(server_info, pass->pw_name, pass);
+                       }
                } else {
                        /* we need to do somthing more useful here */
                        nt_status = NT_STATUS_NO_SUCH_USER;
@@ -119,7 +128,7 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 }
 
 /* module initialisation */
-NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) 
+static NTSTATUS auth_init_unix(struct auth_context *auth_context, const char* param, auth_methods **auth_method) 
 {
        if (!make_auth_methods(auth_context, auth_method)) {
                return NT_STATUS_NO_MEMORY;