if (NT_STATUS_IS_OK(nt_status)) {
(*server_info)->was_mapped |= user_info->was_mapped;
+
+ if ( ! (*server_info)->guest) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ cli_shutdown(cli);
+ return nt_status;
+ }
+ }
}
netsamlogon_cache_store( user_info->smb_name, &info3 );
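Review bot: The failure branch at `return nt_status;` returns a non-OK status while `*server_info` is still populated, so a caller that only tests the pointer could go on using the session data of an account PAM has just refused. Assuming the structure is talloc-allocated like the other objects in this patch, add `TALLOC_FREE(*server_info);` before the return. The early return also skips the `netsamlogon_cache_store()` call on the trailing context line and any cleanup after it. It is not visible here whether `cli_shutdown(cli)` is otherwise left to the caller, so keeping the failed status and falling through to the normal exit may be safer than returning from inside the block. The enclosing function starts and ends outside the hunk.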
if ( (pass = smb_getpwnam( NULL, user_info->internal_username,
real_username, True )) != NULL )
{
- nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+
+ nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ }
TALLOC_FREE(pass);
}
else
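Review bot: The added `DEBUG(1, ...)` line records neither the account nor the status PAM returned, so a refused login is hard to attribute or triage from the log. Something like `DEBUG(1, ("PAM account restriction prevents login for %s: %s\n", pass->pw_name, nt_errstr(nt_status)));` would carry both. The same fixed message is added at the other three places where this patch calls `smb_pam_accountcheck()`, using `(*server_info)->unix_name` and `pw->pw_name` respectively. The two comments above the call also say "if a real user", although no guest test is made at this site.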
if (NT_STATUS_IS_OK(nt_status)) {
if (pass) {
- make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+ make_server_info_pw(server_info, pass->pw_name, pass);
+ }
} else {
/* we need to do somthing more useful here */
nt_status = NT_STATUS_NO_SUCH_USER;
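Review bot: Inside the new `else` branch the result of `make_server_info_pw()` is still discarded, so if it fails `nt_status` keeps the OK value from the PAM check and the function can report success without a usable `*server_info`. The sibling call site in this patch assigns the result, and this one should too: `nt_status = make_server_info_pw(server_info, pass->pw_name, pass);`. The enclosing function starts and ends outside the hunk.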
if ( token )
return token;
-
+
if ( !(pw = sys_getpwnam( "root" )) ) {
DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
return NULL;
username_was_mapped = map_username( user );
pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+ if (pw) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ /* do this before an eventual mappign to guest occurs */
+ ret = smb_pam_accountcheck(pw->pw_name);
+ if ( !NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ data_blob_free(&ap_rep);
+ data_blob_free(&session_key);
+ talloc_destroy(mem_ctx);
+ TALLOC_FREE(pw);
+ return ERROR_NT(nt_status_squash(ret));
+ }
+ }
+
if (!pw) {
/* this was originally the behavior of Samba 2.2, if a user
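Review bot: On the PAM-failure path `TALLOC_FREE(pw);` runs after `talloc_destroy(mem_ctx);`, but `pw` comes from `smb_getpwnam( mem_ctx, ... )` on the context line above and so appears to be allocated under `mem_ctx`. If it is, destroying the context has already released it and the following free touches freed memory. Either drop the `TALLOC_FREE(pw);` line or move it ahead of `talloc_destroy(mem_ctx);`, after confirming how `smb_getpwnam()` parents its result. The rest of the function, including how the other exits release `pw`, is outside the visible lines.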