Author: idra Date: 2006-12-01 15:16:37 +0000 (Fri, 01 Dec 2006) New Revision: 19983
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19983 Log: sync up pam and memleak patches from SAMBA_3_0 Modified: branches/SAMBA_3_0_24/source/auth/auth_domain.c branches/SAMBA_3_0_24/source/auth/auth_server.c branches/SAMBA_3_0_24/source/auth/auth_unix.c branches/SAMBA_3_0_24/source/auth/auth_util.c branches/SAMBA_3_0_24/source/smbd/sesssetup.c Changeset:
Modified: branches/SAMBA_3_0_24/source/auth/auth_domain.c
===================================================================
--- branches/SAMBA_3_0_24/source/auth/auth_domain.c 2006-12-01 15:12:22 UTC (rev 19982)
+++ branches/SAMBA_3_0_24/source/auth/auth_domain.c 2006-12-01 15:16:37 UTC (rev 19983)
@@ -269,6 +269,17 @@
 if (NT_STATUS_IS_OK(nt_status)) {
 (*server_info)->was_mapped |= user_info->was_mapped;
+
+ if ( ! (*server_info)->guest) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck((*server_info)->unix_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ cli_shutdown(cli);
+ return nt_status;
+ }
+ }
 }
 netsamlogon_cache_store( user_info->smb_name, &info3 );
Modified: branches/SAMBA_3_0_24/source/auth/auth_server.c
===================================================================
--- branches/SAMBA_3_0_24/source/auth/auth_server.c 2006-12-01 15:12:22 UTC (rev 19982)
+++ branches/SAMBA_3_0_24/source/auth/auth_server.c 2006-12-01 15:16:37 UTC (rev 19983)
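Review bot: In the auth_domain.c hunk, the new early `return nt_status;` after a failed smb_pam_accountcheck() leaves `*server_info` populated even though the function now reports failure; the preceding `(*server_info)->was_mapped |= ...` line shows it is already allocated at that point. Unless every caller frees it on error (not visible here), the structure for an account that PAM has just rejected stays live, so add `TALLOC_FREE(*server_info);` before `cli_shutdown(cli);`. The early return also skips `netsamlogon_cache_store(...)` and whatever follows it; the enclosing function starts and ends outside the hunk, so confirm that no other cleanup is bypassed.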
@@ -383,7 +383,15 @@
 if ( (pass = smb_getpwnam( NULL, user_info->internal_username, real_username, True )) != NULL ) {
- nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+
+ nt_status = make_server_info_pw(server_info, pass->pw_name, pass);
+ }
 TALLOC_FREE(pass);
 } else
Modified: branches/SAMBA_3_0_24/source/auth/auth_unix.c
===================================================================
--- branches/SAMBA_3_0_24/source/auth/auth_unix.c 2006-12-01 15:12:22 UTC (rev 19982)
+++ branches/SAMBA_3_0_24/source/auth/auth_unix.c 2006-12-01 15:16:37 UTC (rev 19983)
@@ -110,7 +110,14 @@
 if (NT_STATUS_IS_OK(nt_status)) {
 if (pass) {
- make_server_info_pw(server_info, pass->pw_name, pass);
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ nt_status = smb_pam_accountcheck(pass->pw_name);
+ if ( !NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ } else {
+ make_server_info_pw(server_info, pass->pw_name, pass);
+ }
 } else {
 /* we need to do somthing more useful here */
 nt_status = NT_STATUS_NO_SUCH_USER;
Modified: branches/SAMBA_3_0_24/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0_24/source/auth/auth_util.c 2006-12-01 15:12:22 UTC (rev 19982)
+++ branches/SAMBA_3_0_24/source/auth/auth_util.c 2006-12-01 15:16:37 UTC (rev 19983)
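Review bot: The added `DEBUG(1, ("PAM account restriction prevents user login\n"));` in the auth_server.c hunk records neither the account nor the PAM-derived status, so a denied login cannot be attributed from the log alone. Something like `DEBUG(1, ("PAM account restriction prevents login for user %s: %s\n", pass->pw_name, nt_errstr(nt_status)));` would make the denial auditable. The same message is repeated verbatim in the auth_domain.c, auth_unix.c and sesssetup.c hunks and needs the same change with the local variable names. The four copies of this check-and-log block are also a candidate for one shared helper, so the behaviour cannot drift between auth backends.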
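Review bot: In the auth_unix.c hunk the new `else` branch still discards the result of `make_server_info_pw(server_info, pass->pw_name, pass);`, so if that call fails, `nt_status` keeps the successful smb_pam_accountcheck() value and the caller is told authentication succeeded, possibly without a usable `server_info`. The parallel code in the auth_server.c hunk assigns the result; do the same here with `nt_status = make_server_info_pw(server_info, pass->pw_name, pass);`. The enclosing function begins and ends outside the hunk.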
@@ -496,7 +496,7 @@
 if ( token ) return token;
-
+
 if ( !(pw = sys_getpwnam( "root" )) ) {
 DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
 return NULL;
Modified: branches/SAMBA_3_0_24/source/smbd/sesssetup.c
===================================================================
--- branches/SAMBA_3_0_24/source/smbd/sesssetup.c 2006-12-01 15:12:22 UTC (rev 19982)
+++ branches/SAMBA_3_0_24/source/smbd/sesssetup.c 2006-12-01 15:16:37 UTC (rev 19983)
@@ -292,6 +292,22 @@
 username_was_mapped = map_username( user );
 pw = smb_getpwnam( mem_ctx, user, real_username, True );
+
+ if (pw) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ /* do this before an eventual mappign to guest occurs */
+ ret = smb_pam_accountcheck(pw->pw_name);
+ if ( !NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("PAM account restriction prevents user login\n"));
+ data_blob_free(&ap_rep);
+ data_blob_free(&session_key);
+ talloc_destroy(mem_ctx);
+ TALLOC_FREE(pw);
+ return ERROR_NT(nt_status_squash(ret));
+ }
+ }
+
 if (!pw) {
 /* this was originally the behavior of Samba 2.2, if a user
@@ -335,7 +351,8 @@
 SAFE_FREE(client);
 data_blob_free(&ap_rep);
 data_blob_free(&session_key);
- talloc_destroy(mem_ctx);
+ TALLOC_FREE(mem_ctx);
+ TALLOC_FREE(pw);
 return ERROR_NT(nt_status_squash(ret));
 }
@@ -348,7 +365,8 @@
 SAFE_FREE(client);
 data_blob_free(&ap_rep);
 data_blob_free(&session_key);
- talloc_destroy(mem_ctx);
+ TALLOC_FREE(mem_ctx);
+ TALLOC_FREE(pw);
 return ERROR_NT(nt_status_squash(ret));
 }
@@ -372,6 +390,7 @@
 SAFE_FREE(client);
 data_blob_free(&ap_rep);
 data_blob_free(&session_key);
+ TALLOC_FREE(pw);
 TALLOC_FREE( mem_ctx );
 TALLOC_FREE( server_info );
 return ERROR_NT(nt_status_squash(ret));
@@ -415,7 +434,8 @@
 data_blob_free(&ap_rep);
 data_blob_free(&ap_rep_wrapped);
 data_blob_free(&response);
- talloc_destroy(mem_ctx);
+ TALLOC_FREE(mem_ctx);
+ TALLOC_FREE(pw);
 return -1; /* already replied */
 }
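Review bot: In the sesssetup.c hunks at @@ -292, @@ -335, @@ -348 and @@ -415, `pw` is released after `mem_ctx`, although `pw` was obtained with `smb_getpwnam( mem_ctx, ... )`. If that helper allocates its result on the context it is given (its body is not shown), `TALLOC_FREE(pw)` then operates on memory already released together with the context, in the pre-authentication session-setup path. The @@ -372 hunk uses the safe order, so the others should match it: `TALLOC_FREE(pw);` first, then `TALLOC_FREE(mem_ctx);` (the new @@ -292 path still calls `talloc_destroy(mem_ctx)`). The new @@ -292 error path also omits the `SAFE_FREE(client);` that the later error paths in this function perform, which looks like a leak on every PAM denial if `client` is already allocated there.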