r19980: Implement pam account stack checks when obey pam restrictions is true.
authorSimo Sorce <idra@samba.org>
Fri, 1 Dec 2006 15:06:34 +0000 (15:06 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:16:17 +0000 (12:16 -0500)
It was missing for security=server/domain/ads

Simo.

source/auth/auth_domain.c
source/auth/auth_server.c
source/auth/auth_unix.c
source/auth/auth_util.c
source/smbd/sesssetup.c

index 8ad6329da9818cb6eddec2437ed17605b5d9b054..6468c18cb0ea592c7c2a06aaec288cc6f343c6c1 100644 (file)
@@ -269,6 +269,17 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 
                if (NT_STATUS_IS_OK(nt_status)) {
                        (*server_info)->was_mapped |= user_info->was_mapped;
+
+                       if ( ! (*server_info)->guest) {
+                               /* if a real user check pam account restrictions */
+                               /* only really perfomed if "obey pam restriction" is true */
+                               nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+                               if (  !NT_STATUS_IS_OK(nt_status)) {
+                                       DEBUG(1, ("PAM account restriction prevents user login\n"));
+                                       cli_shutdown(cli);
+                                       return nt_status;
+                               }
+                       }
                }
 
                netsamlogon_cache_store( user_info->smb_name, &info3 );
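Review bot: The early `return nt_status;` added inside the NT_STATUS_IS_OK branch hands the caller a failure status while `*server_info`, already built by the successful netlogon path, stays allocated; the auth_server.c and auth_unix.c hunks of this same commit run smb_pam_accountcheck() before make_server_info_pw() and so never reach this state. Unless the caller is known to release `*server_info` on a non-OK status, free it here, e.g. `TALLOC_FREE(*server_info);` ahead of `cli_shutdown(cli);` (assuming it is talloc-allocated, which the page does not show). The DEBUG message also records neither the account nor the status, so a refused login cannot be traced in the log; `DEBUG(1, ("PAM account restriction prevents user login for %s: %s\n", (*server_info)->unix_name, nt_errstr(nt_status)));` would fix that. domain_client_validate begins and ends outside the hunk.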
index 7ffea1ca11b04a5724db262fd25dd0fbddfe04f6..8a8ecfa575e587b6178f5103b25969224959fb25 100644 (file)
@@ -383,7 +383,15 @@ use this machine as the password server.\n"));
                if ( (pass = smb_getpwnam( NULL, user_info->internal_username, 
                        real_username, True )) != NULL ) 
                {
-                       nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+                       /* if a real user check pam account restrictions */
+                       /* only really perfomed if "obey pam restriction" is true */
+                       nt_status = smb_pam_accountcheck(pass->pw_name);
+                       if (  !NT_STATUS_IS_OK(nt_status)) {
+                               DEBUG(1, ("PAM account restriction prevents user login\n"));
+                       } else {
+
+                               nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+                       }
                        TALLOC_FREE(pass);
                }
                else
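Review bot: The new `DEBUG(1, ("PAM account restriction prevents user login\n"));` logs neither which account PAM refused nor the status it returned, so an operator reviewing the log cannot tell which user was rejected or why; the identical message is repeated in the auth_domain.c, auth_unix.c and sesssetup.c hunks. Suggest `DEBUG(1, ("PAM account restriction prevents user login for %s: %s\n", pass->pw_name, nt_errstr(nt_status)));` here and the equivalent in the other hunks. The empty line directly after `} else {` is stray. The enclosing function begins and ends outside the hunk.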
index efe5203b2336e79e62db0743d15531ce8db53796..837c9323654cc2158531eed4f13d9ff3bf3920ea 100644 (file)
@@ -110,7 +110,14 @@ static NTSTATUS check_unix_security(const struct auth_context *auth_context,
 
        if (NT_STATUS_IS_OK(nt_status)) {
                if (pass) {
-                       make_server_info_pw(server_info, pass->pw_name, pass);
+                       /* if a real user check pam account restrictions */
+                       /* only really perfomed if "obey pam restriction" is true */
+                       nt_status = smb_pam_accountcheck(pass->pw_name);
+                       if (  !NT_STATUS_IS_OK(nt_status)) {
+                               DEBUG(1, ("PAM account restriction prevents user login\n"));
+                       } else {
+                               make_server_info_pw(server_info, pass->pw_name, pass);
+                       }
                } else {
                        /* we need to do somthing more useful here */
                        nt_status = NT_STATUS_NO_SUCH_USER;
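Review bot: The NTSTATUS returned by `make_server_info_pw(server_info, pass->pw_name, pass);` in the new else branch is still discarded, so a failure inside it would presumably leave `*server_info` unset while `nt_status` still carries the OK value from smb_pam_accountcheck(); the auth_server.c hunk of this same commit assigns the result. Change the line to `nt_status = make_server_info_pw(server_info, pass->pw_name, pass);`. check_unix_security continues outside the hunk.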
index 82a13fd9e78be472c41c09a090f96f8b360bf3bd..357ca5f6266f4bcccbf77620853378a6935fa5dc 100644 (file)
@@ -496,7 +496,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
        
        if ( token )
                return token;
-               
+
        if ( !(pw = sys_getpwnam( "root" )) ) {
                DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
                return NULL;
index ae6dd496639417542346cbc092d3094e1c4990a0..11c5e9bbf9b92f6b527e0e468e62ca0ee2ce6ddf 100644 (file)
@@ -292,6 +292,22 @@ static int reply_spnego_kerberos(connection_struct *conn,
        username_was_mapped = map_username( user );
 
        pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+       if (pw) {
+               /* if a real user check pam account restrictions */
+               /* only really perfomed if "obey pam restriction" is true */
+               /* do this before an eventual mappign to guest occurs */
+               ret = smb_pam_accountcheck(pw->pw_name);
+               if (  !NT_STATUS_IS_OK(ret)) {
+                       DEBUG(1, ("PAM account restriction prevents user login\n"));
+                       data_blob_free(&ap_rep);
+                       data_blob_free(&session_key);
+                       talloc_destroy(mem_ctx);
+                       TALLOC_FREE(pw);
+                       return ERROR_NT(nt_status_squash(ret));
+               }
+       }
+
        if (!pw) {
 
                /* this was originally the behavior of Samba 2.2, if a user
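Review bot: The new error path calls `TALLOC_FREE(pw);` after `talloc_destroy(mem_ctx);`; if smb_getpwnam() allocates pw on mem_ctx, as passing mem_ctx at `pw = smb_getpwnam( mem_ctx, user, real_username, True );` suggests, the second call acts on memory that was already released with its parent. Either drop the `TALLOC_FREE(pw);` or move it ahead of `talloc_destroy(mem_ctx);`, matching whichever order the function's existing error returns use. The comment `/* do this before an eventual mappign to guest occurs */` should read `mapping`, and `perfomed` should be `performed` in this and the other four hunks. reply_spnego_kerberos starts before and continues after the hunk.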