Only set this to "on" if you know your PAM is set up correctly.
NB: this doesn't apply to plaintext password authentication, which must use
PAM when compiled in.
Jeremy.
/*
* PAM Externally accessible Session handler
*/
+
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
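Review bot: The comment `/* Ignore PAM if told to. */` says neither which setting does the telling nor what the True result means to the caller; the same comment is reused in the account-check hunk that follows. I would name the parameter and the consequence, e.g. `/* "obey pam restrictions" is off: skip PAM session open/close and report success. */`, and add a low-level `DEBUG(4, ("smb_pam_session: PAM session handling skipped\n"));` so the skip can be seen in the logs. Placing the check before strdup() is right, since the early return then has nothing to free. The body of smb_pam_session continues past the end of this hunk.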
PAM_username = user;
PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
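Review bot: The guard here sits after `PAM_username = user; PAM_password = NULL;`, so when the parameter is off the function returns True with those variables already rewritten for a PAM conversation that never happens. Moving `if (!lp_obey_pam_restrictions()) return True;` above the two assignments keeps the skip path free of side effects and matches the session handler, where the check comes first. The start of this function and the declarations of PAM_username and PAM_password are outside the hunk, so whether anything reads them afterwards cannot be confirmed from here.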
PAM_username = user;
PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {
BOOL lp_readraw(void);
BOOL lp_writeraw(void);
BOOL lp_null_passwords(void);
+BOOL lp_obey_pam_restrictions(void);
BOOL lp_strip_dot(void);
BOOL lp_encrypted_passwords(void);
BOOL lp_update_encrypted(void);
BOOL bUpdateEncrypt;
BOOL bStripDot;
BOOL bNullPasswords;
+ BOOL bObeyPamRestrictions;
BOOL bLoadPrinters;
BOOL bUseRhosts;
BOOL bReadRaw;
{"min password length", P_INTEGER, P_GLOBAL, &Globals.min_passwd_length, NULL, NULL, 0},
{"map to guest", P_ENUM, P_GLOBAL, &Globals.map_to_guest, NULL, enum_map_to_guest, 0},
{"null passwords", P_BOOL, P_GLOBAL, &Globals.bNullPasswords, NULL, NULL, 0},
+ {"obey pam restrictions", P_BOOL, P_GLOBAL, &Globals.bObeyPamRestrictions, NULL, NULL, 0},
{"password server", P_STRING, P_GLOBAL, &Globals.szPasswordServer, NULL, NULL, 0},
{"smb passwd file", P_STRING, P_GLOBAL, &Globals.szSMBPasswdFile, NULL, NULL, 0},
{"private dir", P_STRING, P_GLOBAL, &Globals.szPrivateDir, NULL, NULL, 0},
Globals.bReadPrediction = False;
Globals.bReadbmpx = False;
Globals.bNullPasswords = False;
+ Globals.bObeyPamRestrictions = False;
Globals.bStripDot = False;
Globals.syslog = 1;
Globals.bSyslogOnly = False;
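Review bot: The initialiser `Globals.bObeyPamRestrictions = False;` makes the two new guards in the PAM code return True without consulting PAM unless the administrator opts in, so on a --with-pam build the account and session checks are off by default for the non-plaintext paths. If earlier builds always ran those checks (not visible on this page), that is a silent loosening on upgrade and deserves a release-note entry. At minimum I would document the choice at the initialiser, e.g. `/* Off by default: PAM account/session checks are skipped unless "obey pam restrictions" is enabled. */`. The surrounding initialisation function starts and ends outside the hunk.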
FN_GLOBAL_BOOL(lp_readraw, &Globals.bReadRaw)
FN_GLOBAL_BOOL(lp_writeraw, &Globals.bWriteRaw)
FN_GLOBAL_BOOL(lp_null_passwords, &Globals.bNullPasswords)
+FN_GLOBAL_BOOL(lp_obey_pam_restrictions, &Globals.bObeyPamRestrictions)
FN_GLOBAL_BOOL(lp_strip_dot, &Globals.bStripDot)
FN_GLOBAL_BOOL(lp_encrypted_passwords, &Globals.bEncryptPasswords)
FN_GLOBAL_BOOL(lp_update_encrypted, &Globals.bUpdateEncrypt)
/*
* PAM Externally accessible Session handler
*/
+
BOOL smb_pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
user = strdup(in_user);
if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
PAM_username = user;
PAM_password = NULL;
+ /* Ignore PAM if told to. */
+
+ if (!lp_obey_pam_restrictions())
+ return True;
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_account(pamh, user, NULL, False)) {
return( smb_pam_end(pamh));
PAM_username = user;
PAM_password = password;
+ /*
+ * Note we can't ignore PAM here as this is the only
+ * way of doing auths on plaintext passwords when
+ * compiled --with-pam.
+ */
+
if( smb_pam_start(&pamh, user, NULL)) {
if ( smb_pam_auth(pamh, user, password)) {
if ( smb_pam_account(pamh, user, password, True)) {