On Sat, 2002-11-30 at 20:14, Andrew Bartlett wrote:
> Really quick, and really ugly hack is to make Samba call the pam
> function with some invalid password after failing the encrypted password
> check... Just watch that some parts of Samba may cause the password
> check to fail, even when the right password is entered (it will try
> again with the other password (NT or LM) in this case).

I wanted to let you know that I made such a change, in smbd/password.c, so that after we have a failure validating the encrypted password, we call the smb_pam_passcheck() function, using the same username and password - which of course fails. That causes the pam_tally count to be incremented as desired when the domain logon via Samba fails.

So this simple 2 line change does the trick... With a check to see if pam support is enabled via the smb.conf file (obey pam restrictions = yes), I don't see why this cannot serve other people with the same need I have run into.

Here's the change:

diff -r samba-2.2.7.orig/source/smbd/password.c samba-2.2.7/source/smbd/password.c 617a618,624 > #if defined(WITH_PAM) > // Jim Morris, 12/03/2002. UGLY HACK TO FORCE PAM_TALLY COUNTER TO > // BE UPDATED WHEN LOGON FAILS USING SMBPASSWD FILE. > if (lp_obey_pam_restrictions() && (ret == FALSE)) > smb_pam_passcheck( user, password ); > #endif >

-- 
/-----------------------------------------------
| Jim Morris | Email: [EMAIL PROTECTED]
|            | AIM: JFM2001
\-----------------------------------------------
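
Review bot: the added `if (lp_obey_pam_restrictions() && (ret == FALSE))` fires on every failed encrypted check, and per the caveat quoted at the top of this message that includes the first try of an NT/LM retry where the right password was entered, so a legitimate logon can still increment pam_tally and move the account toward lockout. Consider making the call only after all attempts for the request have failed. The return value of `smb_pam_passcheck( user, password )` is discarded, so the hunk silently assumes PAM always rejects this input; checking the result and logging an unexpected success would make that assumption visible. As a style point, the `//` comments in password.c should be `/* ... */`, since pre-C99 C compilers do not accept them.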
