authorLuke Leighton <lkcl@samba.org>2000-04-09 02:04:31 +0000
committerLuke Leighton <lkcl@samba.org>2000-04-09 02:04:31 +0000
commit39736097c5bcbd4e87eedda8ea08e237376d3df8 (patch)
treec9ac908d121a1b44e5d72efbbf0c602ddd04da0b
parent5a348b596c66fe060a64985915d1e05cf496b414 (diff)
downloadsamba-39736097c5bcbd4e87eedda8ea08e237376d3df8.tar.gz
added pam_ntdom. amazingly, it actually works.
-rw-r--r--source/Makefile.in16
-rw-r--r--source/include/lib_smb_proto.h136
-rw-r--r--source/include/rpc_client_proto.h8
-rw-r--r--source/ltconfig2
-rw-r--r--source/pam_ntdom/README176
-rw-r--r--source/pam_ntdom/pam_ntdom_auth.c359
-rw-r--r--source/pam_ntdom/pam_ntdom_proto.h64
-rw-r--r--source/pam_ntdom/rpc_validate.c128
-rw-r--r--source/pam_ntdom/rpc_validate.h11
-rw-r--r--source/pam_ntdom/support.c177
-rw-r--r--source/rpc_client/msrpc_netlogon.c40
-rw-r--r--source/samrd/srv_samr_passdb.c2
12 files changed, 1029 insertions, 90 deletions
diff --git a/source/Makefile.in b/source/Makefile.in
index 2e4004a7b3f..8f4e2c6d269 100644
--- a/source/Makefile.in
+++ b/source/Makefile.in
@@ -619,6 +619,13 @@ RPCCLIENT_OBJ = lib/cmd_interp.o \
$(STUB_UID_OBJ)
RPCCLIENT_LIBS = $(SAMBA_LIBS)
+PAM_NTDOM_OBJ = pam_ntdom/pam_ntdom_auth.o \
+ pam_ntdom/rpc_validate.o \
+ pam_ntdom/support.o \
+ $(SIDDB_OBJ) \
+ $(STUB_UID_OBJ)
+PAM_NTDOM_LIBS = $(SAMBA_LIBS)
+
SMBWRAPPER_OBJ = smbwrapper/smbw.o smbwrapper/wrapped.o \
smbwrapper/smbw_dir.o smbwrapper/smbw_stat.o \
smbwrapper/realcalls.o smbwrapper/shared.o
@@ -1092,6 +1099,10 @@ nsswitch/ntdom.so: $(NSS_OBJ) $(LIBSAMBA_OBJ)
@echo "Linking $@"
@$(LINK) -shared -o $@ $(NSS_OBJ) $(LIBSAMBA_OBJ)
+bin/pam_ntdom_auth.so: $(PAM_NTDOM_LIBS) $(PAM_NTDOM_OBJ) bin/.dummy
+ @echo Linking $@
+ @$(LINK) -shared -Xlinker -x -o $@ $(PAM_NTDOM_LIBS) $(PAM_NTDOM_OBJ)
+
install: all \
installdirs \
install-libs installbin install-sbin \
@@ -1164,6 +1175,11 @@ all_other_proto_for_now:
include/proto.h \
$(PROTO_OBJ)
+pam_ntdom_proto:
+ @cd $(srcdir) && $(SHELL) script/mkproto.sh $(AWK) \
+ -h _PAM_NTDOM_PROTO_H_ pam_ntdom/pam_ntdom_proto.h \
+ $(PAM_NTDOM_OBJ)
+
winbindd_proto:
@cd $(srcdir) && $(SHELL) script/mkproto.sh $(AWK) \
-h _WINBINDD_PROTO_H_ include/winbindd_proto.h \
diff --git a/source/include/lib_smb_proto.h b/source/include/lib_smb_proto.h
index 4082fe77de4..19f42d6e478 100644
--- a/source/include/lib_smb_proto.h
+++ b/source/include/lib_smb_proto.h
@@ -23,6 +23,74 @@ void MD5Update(struct MD5Context *ctx, uchar const *buf, unsigned len);
void MD5Final(uchar digest[16], struct MD5Context *ctx);
void MD5Transform(uint32 buf[4], const uchar inext[64]);
+/*The following definitions come from lib/util_hnd.c */
+
+struct policy_cache *get_global_hnd_cache(void);
+struct policy_cache *init_policy_cache(int num_pol_hnds);
+void free_policy_cache(struct policy_cache *cache);
+BOOL policy_hnd_set_name(struct policy_cache *cache,
+ POLICY_HND *hnd, const char *name);
+const char *policy_hnd_get_name(struct policy_cache *cache,
+ const POLICY_HND *hnd);
+BOOL dup_policy_hnd(struct policy_cache *cache,
+ POLICY_HND *hnd,
+ const POLICY_HND *from);
+BOOL register_policy_hnd(struct policy_cache *cache,
+ const vuser_key *key,
+ POLICY_HND *hnd,
+ uint32 access_mask);
+BOOL open_policy_hnd(struct policy_cache *cache,
+ const vuser_key *key,
+ POLICY_HND *hnd,
+ uint32 access_mask);
+BOOL open_policy_hnd_link(struct policy_cache *cache,
+ const POLICY_HND *parent_hnd,
+ POLICY_HND *hnd,
+ uint32 access_mask);
+int find_policy_by_hnd(struct policy_cache *cache, const POLICY_HND *hnd);
+BOOL set_policy_state(struct policy_cache *cache, POLICY_HND *hnd,
+ void(*fn)(void*), void *dev);
+void *get_policy_state_info(struct policy_cache *cache, const POLICY_HND *hnd);
+BOOL policy_hnd_set_state_type(struct policy_cache *cache,
+ POLICY_HND *hnd, int type);
+int policy_hnd_get_state_type(struct policy_cache *cache,
+ const POLICY_HND *hnd);
+BOOL policy_hnd_check_state_type(struct policy_cache *cache,
+ const POLICY_HND *hnd, int type);
+BOOL close_policy_hnd(struct policy_cache *cache, POLICY_HND *hnd);
+BOOL policy_link_key(struct policy_cache *cache, const POLICY_HND *hnd,
+ POLICY_HND *to);
+const vuser_key *get_policy_vuser_key(struct policy_cache *cache,
+ const POLICY_HND *hnd);
+BOOL pol_get_usr_sesskey(struct policy_cache *cache, const POLICY_HND *hnd,
+ uchar usr_sess_key[16]);
+
+/*The following definitions come from lib/vuser.c */
+
+BOOL is_valid_user_struct(const vuser_key * key);
+user_struct *get_valid_user_struct(const vuser_key * key);
+void invalidate_vuid(vuser_key * key);
+BOOL validated_username(vuser_key * key, char *name, size_t len);
+uint16 create_vuid(pid_t pid,
+ uid_t uid, gid_t gid,
+ int n_groups, gid_t * groups,
+ const char *unix_name,
+ const char *requested_name,
+ const char *real_name,
+ BOOL guest, const NET_USER_INFO_3 * info3);
+uint16 register_vuid(pid_t pid, uid_t uid, gid_t gid,
+ const char *unix_name,
+ const char *requested_name,
+ BOOL guest, const NET_USER_INFO_3 * info3);
+BOOL check_vuser_ok(struct uid_cache *cache, user_struct * vuser, int snum);
+
+/*The following definitions come from lib/vuser_db.c */
+
+BOOL tdb_delete_vuid( const vuser_key *uk);
+BOOL tdb_lookup_vuid( const vuser_key *uk, user_struct **usr);
+BOOL tdb_store_vuid( const vuser_key *uk, user_struct *usr);
+BOOL vuid_init_db(void);
+
/*The following definitions come from libsmb/clientgen.c */
int cli_set_port(struct cli_state *cli, int port);
@@ -236,74 +304,6 @@ BOOL smb_safe_err_msg(uint8 class, uint32 num, char *ret, size_t len);
BOOL smb_safe_errstr(char *inbuf, char *msg, size_t len);
char *smb_errstr(char *inbuf);
-/*The following definitions come from lib/util_hnd.c */
-
-struct policy_cache *get_global_hnd_cache(void);
-struct policy_cache *init_policy_cache(int num_pol_hnds);
-void free_policy_cache(struct policy_cache *cache);
-BOOL policy_hnd_set_name(struct policy_cache *cache,
- POLICY_HND *hnd, const char *name);
-const char *policy_hnd_get_name(struct policy_cache *cache,
- const POLICY_HND *hnd);
-BOOL dup_policy_hnd(struct policy_cache *cache,
- POLICY_HND *hnd,
- const POLICY_HND *from);
-BOOL register_policy_hnd(struct policy_cache *cache,
- const vuser_key *key,
- POLICY_HND *hnd,
- uint32 access_mask);
-BOOL open_policy_hnd(struct policy_cache *cache,
- const vuser_key *key,
- POLICY_HND *hnd,
- uint32 access_mask);
-BOOL open_policy_hnd_link(struct policy_cache *cache,
- const POLICY_HND *parent_hnd,
- POLICY_HND *hnd,
- uint32 access_mask);
-int find_policy_by_hnd(struct policy_cache *cache, const POLICY_HND *hnd);
-BOOL set_policy_state(struct policy_cache *cache, POLICY_HND *hnd,
- void(*fn)(void*), void *dev);
-void *get_policy_state_info(struct policy_cache *cache, const POLICY_HND *hnd);
-BOOL policy_hnd_set_state_type(struct policy_cache *cache,
- POLICY_HND *hnd, int type);
-int policy_hnd_get_state_type(struct policy_cache *cache,
- const POLICY_HND *hnd);
-BOOL policy_hnd_check_state_type(struct policy_cache *cache,
- const POLICY_HND *hnd, int type);
-BOOL close_policy_hnd(struct policy_cache *cache, POLICY_HND *hnd);
-BOOL policy_link_key(struct policy_cache *cache, const POLICY_HND *hnd,
- POLICY_HND *to);
-const vuser_key *get_policy_vuser_key(struct policy_cache *cache,
- const POLICY_HND *hnd);
-BOOL pol_get_usr_sesskey(struct policy_cache *cache, const POLICY_HND *hnd,
- uchar usr_sess_key[16]);
-
-/*The following definitions come from lib/vuser.c */
-
-BOOL is_valid_user_struct(const vuser_key * key);
-user_struct *get_valid_user_struct(const vuser_key * key);
-void invalidate_vuid(vuser_key * key);
-BOOL validated_username(vuser_key * key, char *name, size_t len);
-uint16 create_vuid(pid_t pid,
- uid_t uid, gid_t gid,
- int n_groups, gid_t * groups,
- const char *unix_name,
- const char *requested_name,
- const char *real_name,
- BOOL guest, const NET_USER_INFO_3 * info3);
-uint16 register_vuid(pid_t pid, uid_t uid, gid_t gid,
- const char *unix_name,
- const char *requested_name,
- BOOL guest, const NET_USER_INFO_3 * info3);
-BOOL check_vuser_ok(struct uid_cache *cache, user_struct * vuser, int snum);
-
-/*The following definitions come from lib/vuser_db.c */
-
-BOOL tdb_delete_vuid( const vuser_key *uk);
-BOOL tdb_lookup_vuid( const vuser_key *uk, user_struct **usr);
-BOOL tdb_store_vuid( const vuser_key *uk, user_struct *usr);
-BOOL vuid_init_db(void);
-
/*The following definitions come from rpc_parse/parse_creds.c */
BOOL make_creds_unix(CREDS_UNIX *r_u, const char* user_name,
diff --git a/source/include/rpc_client_proto.h b/source/include/rpc_client_proto.h
index f28b8ce2748..d80889b992f 100644
--- a/source/include/rpc_client_proto.h
+++ b/source/include/rpc_client_proto.h
@@ -499,6 +499,14 @@ BOOL modify_trust_password(const char *domain, const char *srv_name,
const uchar orig_trust_passwd_hash[16],
const uchar new_trust_passwd_hash[16],
uint16 sec_chan);
+uint32 domain_client_validate(const char *server,
+ const char *user, const char *domain,
+ const char *acct_name, uint16 acct_type,
+ const char *challenge,
+ const char *smb_apasswd,
+ int smb_apasslen,
+ const char *smb_ntpasswd,
+ int smb_ntpasslen, NET_USER_INFO_3 * info3);
uint32 check_domain_security(const char *orig_user, const char *domain,
const uchar * challenge,
const char *smb_apasswd, int smb_apasslen,
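Review bot: The new `domain_client_validate` prototype declares `challenge` as `const char *` while `check_domain_security` immediately below takes the same argument as `const uchar *`, and the password buffers it is called with in this commit are `uchar[16]` hashes, so every call site relies on a signed/unsigned pointer conversion that compilers flag with -Wpointer-sign. Suggest `const uchar *challenge,` (and `const uchar *smb_apasswd` / `const uchar *smb_ntpasswd` if the definition in msrpc_netlogon.c, not shown here, agrees) so the two validation entry points present the same types. The definition itself is outside this hunk.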
diff --git a/source/ltconfig b/source/ltconfig
index e7b25105795..1d2d9e377b9 100644
--- a/source/ltconfig
+++ b/source/ltconfig
@@ -185,7 +185,7 @@ enable_shared=yes
# which needs '.lib').
enable_static=yes
enable_fast_install=yes
-enable_dlopen=unknown
+enable_dlopen=yes
enable_win32_dll=no
ltmain=
silent=
diff --git a/source/pam_ntdom/README b/source/pam_ntdom/README
new file mode 100644
index 00000000000..30f9006ef76
--- /dev/null
+++ b/source/pam_ntdom/README
@@ -0,0 +1,176 @@
+This is the README for pam_ntdom v0.25
+--------------------------------------
+
+Getting pam_ntdom:
+
+ http://samba.org/cvs.html, obtain Samba with a tag of SAMBA_TNG.
+
+This Plug-in Authentication Module allows a Linux user to authenticate
+against an NT Server, Samba Server compiled with NT Domains enabled,
+AT & T Advance File/Print Sharer or SCO Domain Controller, using the NT
+Domain Authentication Protocol.
+
+This module is based on pam_smb (including this README file) which in
+turn was based on pam_unix_auth.
+
+Please see the end of this file for contact details.
+
+
+*****************
+ Configuration
+*****************
+
+Linux workstation
+-----------------
+
+This version of pam_ntdom works in conjunction with SAMBA_TNG installed
+on your local system. You should not need to make any changes to your
+Samba configuration on the local system (except that it must be the
+SAMBA_TNG version).
+
+This version of pam_ntdom reads your Samba smb.conf file, so no additional
+configuration is required.
+
+
+**************
+ Installing
+**************
+
+1) Obtain (cvs or ftp) the SAMBA_TNG distribution.
+
+2) Run configure
+./configure
+
+3) run make bin/pam_ntdom_auth.so
+
+4) This will produce bin/.libs/pam_ntdom_auth.so.
+ Copy this file into the pam modules directory which for Redhat-4.2 is
+ /lib/security and for Solaris 2.6 is /usr/lib/security.
+
+ *** DO NOT COPY bin/pam_ntdom_auth.so it is only a libtool script! ***
+
+5) Install the module into the PAM system:
+
+For Linux:
+ You then need to change the configuration files in /etc/pam.d for the
+ applications you wish to use NT authentication with.
+
+My /etc/pam.d/login is as follows for NT authenticated logins.
+Note the pam_ntdom_auth.so line.
+
+#%PAM-1.0
+auth required /lib/security/pam_securetty.so
+auth required /lib/security/pam_ntdom_auth.so
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+
+For Solaris:
+ You need to change the /etc/pam.conf other line to
+
+other auth required /usr/lib/security/pam_ntdom_auth.so.1
+
+
+6) If you have not already installed and configured SAMBA_TNG, follow
+ the instructions in source/README. You will not need to do
+ ./configure again, as that was already done in step 2) as instructed
+ in *this* README.
+
+ *** YOU MUST do a make install of SAMBA_TNG ***
+
+ this will copy the shared libraries into the location required by
+ pam_ntdom_auth.so.
+
+
+*************************
+ Further Configuration
+*************************
+
+The pam_ntdom modules has two configuration steps,
+ a) Command line options
+ b) Configuration file.
+
+A) Command line options
+ Most installations can skip this step as the module will
+ work grand without any command line arguments.
+ These arguments go in the /etc/pam.d
+ file on the auth line containing the pam_ntdom_auth.so module.
+
+ The pam_ntdom module accepts 3 command line options.
+ 1. debug - This switches on syslog debugging of the module.
+
+ 2. use_first_pass - This is a standard PAM Module command line option.
+ *********** N.B. Danger lurks here somewhere *****************
+
+ 3. nolocal - This allows authentication of a username/password
+ pair which are not in the local password file.
+ Do not switch this on unless you know what you are at.
+ **************************************************************
+
+************************
+Notes
+************************
+
+- The user must be in the password file to allow the user to login.
+
+- If the user hasn't a starred password the password in the file
+ will work.
+
+- If the user has a starred password it will go to the NT server
+ and validate the user in the domain specified in the smb.conf file
+
+
+************************
+Samba NT Domains
+************************
+
+As of 10jan98, the version of Samba required that supports NT Domains
+is available under the cvs tag SAMBA_TNG. cvs instructions are at:
+
+ http://samba.org/cvs.html.
+
+Samba, the Digest Archives and a list of Commercial companies that
+support Samba is available from:
+
+ http://samba.org/listproc
+
+Details on NT Domain Authentication and progress being made is
+available from:
+
+ http://cb1.com/~lkcl/ntdomain.html
+
+
+************************
+Credits
+************************
+
+- Dave Airlie <David.Airlie@ul.ie> -- the Author of pam-smb, as all i've done
+ is replace his Validate_User function and rewrite this README file.
+
+- Andrew Morgan <morgan@parc.power.net> -- the Linux PAM project person, and
+ writer of the pam_unix_auth.c module, on which Dave Airlie based pam-smb.
+
+- Paul Ashton <paul@argo.demon.co.uk> -- Paul kicked the whole NT Domain
+ Authentication ball rolling, and first implemented NT Domains in Samba.
+ And second implemented it.
+
+- Andrew Tridgell and the Samba Team. Andrew for inviting me to join
+ the team, back in August 96, and to the other Samba Team members for
+ putting up with and encouraging me ever since.
+
+- The Microsoft NT Development Team, for an exceptionally good design of a
+ remote administration / authentication protocol.
+
+
+************************
+Bugs and Comments
+************************
+
+Please report any bugs, comments and suggestions to:
+
+ samba-technical@samba.org
+
+putting "[PAM-NTDOM]" at the start of the subject line.
+
diff --git a/source/pam_ntdom/pam_ntdom_auth.c b/source/pam_ntdom/pam_ntdom_auth.c
new file mode 100644
index 00000000000..035fb5c5708
--- /dev/null
+++ b/source/pam_ntdom/pam_ntdom_auth.c
@@ -0,0 +1,359 @@
+/*
+ * Copyright Alexander O. Yuriev, 1996. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ This code has been changed heavily for smb authentication by
+
+ pam_ntdom_auth -- David Airlie 1998 v1.3a ( airlied@samba.org )
+ http://www.csn.ul.ie/~airlied
+
+ all changes are (C) David Airlie 1998.
+*/
+
+#include "includes.h"
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
+
+#include <security/pam_appl.h>
+
+#endif
+
+#define _PAM_EXTERN_FUNCTIONS
+
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+#ifndef PAM_EXTERN
+#define PAM_EXTERN extern
+#endif
+
+extern int DEBUGLEVEL;
+
+#include "pam_ntdom_proto.h"
+
+#if 0
+extern int converse(pam_handle_t * pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response);
+
+extern int _set_auth_tok(pam_handle_t * pamh,
+ int flags, int argc, const char **argv);
+
+static int _pam_auth_smb(pam_handle_t * pamh,
+ int flags, int argc, const char **argv);
+
+static int _pam_set_credentials_smb(pam_handle_t * pamh,
+ int flags, int argc, const char **argv);
+
+
+#endif
+
+/*
+ *
+ * _pam_auth_smb() actually performs UNIX/shadow authentication and
+ * then performs the NT Validation.
+ *
+ * First, if shadow support is available, attempt to perform
+ * authentication using shadow passwords. If shadow is not
+ * available, or user does not have a shadow password, fallback
+ * onto a normal UNIX authentication
+ * If neither shadow nor normal succeed it will send the username
+ * and password to a local server, which will do the authentication.
+ */
+
+static int _pam_auth_smb(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ int retval;
+ struct passwd *pw;
+ const char *name;
+ char *p, *pp;
+ int w, loop;
+ const char *salt;
+ fstring domain;
+ fstring ntname;
+ int debug = 0, use_first_pass = 0;
+ int unknown_user = 0;
+ int nolocal = 0;
+
+#ifdef HAVE_SHADOW_H
+
+ struct spwd *sp;
+
+#endif
+
+ DEBUGLEVEL = 0;
+
+ /* Parse Command line options */
+
+ for (loop = 0; loop < argc; loop++)
+ {
+ if (!strcmp(argv[loop], "debug"))
+ {
+ debug = 1;
+ DEBUGLEVEL = 100;
+ }
+ else if (!strcmp(argv[loop], "use_first_pass"))
+ use_first_pass = 1;
+ else if (!strcmp(argv[loop], "nolocal"))
+ nolocal = 1;
+#ifdef USE_LOGAUTH
+ else
+ syslog(LOG_AUTHPRIV | LOG_ERR,
+ "pam_ntdom: Unknown Command Line Option in pam.d : %s",
+ argv[loop]);
+#endif
+ }
+
+ if (!rpc_initialise())
+ {
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_ERR,
+ "pam_ntdom: initialisation failed\n");
+ }
+#endif
+ return PAM_SERVICE_ERR;
+ }
+ /* get the user'name' */
+
+ if ((retval = pam_get_user(pamh, &name, "login: ")) != PAM_SUCCESS)
+ {
+#ifdef USE_LOGAUTH
+ syslog(LOG_AUTHPRIV | LOG_ERR, "pam_ntdom: User not found");
+#endif
+ return retval;
+ }
+
+ pam_get_item(pamh, PAM_AUTHTOK, (void *)&p);
+
+ if (!p)
+ {
+ if (use_first_pass != 1)
+ {
+ retval = _set_auth_tok(pamh, flags, argc, argv);
+ if (retval != PAM_SUCCESS)
+ return retval;
+ }
+ else
+ return PAM_AUTH_ERR;
+ }
+
+ /*
+ We have to call pam_get_item() again because value of p should
+ change
+ */
+
+ pam_get_item(pamh, PAM_AUTHTOK, (void *)&p);
+
+ if (!split_domain_name(name, domain, ntname))
+ {
+ return PAM_BUF_ERR;
+ }
+
+ /* If nolocal is specified pam_ntdom does not try and do local
+ username/password authentication .. this is a command line option
+ to pam_ntdom_auth.so in /etc/pam.d/ */
+
+ if (nolocal == 0)
+ {
+ pw = getpwnam(name);
+
+ if (pw)
+ {
+
+#ifdef HAVE_SHADOW_H
+
+ /*
+ * Support for shadow passwords on Linux and SVR4-based
+ * systems. Shadow passwords are optional on Linux - if
+ * there is no shadow password, use the non-shadow one.
+ */
+
+ sp = getspnam(name);
+ if (sp && (!strcmp(pw->pw_passwd, "x")))
+ {
+ /* TODO: check if password has expired etc. */
+ salt = sp->sp_pwdp;
+ }
+ else
+#endif
+ salt = pw->pw_passwd;
+ }
+ else
+ unknown_user = 1;
+
+ /* The 'always-encrypt' method does not make sense in PAM
+ because the framework requires return of a different
+ error code for non-existant users -- alex */
+ if (!unknown_user)
+ {
+ if ((!pw->pw_passwd) && (!p))
+ if (flags && PAM_DISALLOW_NULL_AUTHTOK)
+ return PAM_SUCCESS;
+
+ pp = crypt(p, salt);
+
+ if (strcmp(pp, salt) == 0)
+ {
+ if (debug)
+#ifdef USE_LOGAUTH
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Local UNIX username/password pair correct.");
+#endif
+ return PAM_SUCCESS;
+ }
+
+ if (debug)
+ {
+#ifdef USE_LOGAUTH
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Local UNIX username/password check incorrect.");
+#endif
+ }
+ }
+ } /* End of Local Section */
+ else
+ { /* If Local System Authentication is switched off */
+#ifdef USE_LOGAUTH
+ if (debug)
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "No Local authentication done, relying on other modules for password file entry.");
+#endif
+ }
+
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Configuration Data, Domain %s.", domain);
+ }
+#endif
+
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: user: %s domain: %s password: %s",
+ ntname, domain, p);
+ }
+#endif
+
+ w = Valid_User(ntname, p, domain);
+
+ /* Users valid user for return value 0 is success
+ 1 and 2 indicate Network and protocol failures and
+ 3 is not logged on
+ */
+
+ switch (w)
+ {
+ case 0:
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Correct NT username/password pair");
+ }
+#endif
+ return PAM_SUCCESS;
+ case 1:
+ case 2:
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Authentication unavailable\n");
+ }
+#endif
+ return PAM_AUTHINFO_UNAVAIL;
+ break;
+ case 3:
+ default:
+#ifdef USE_LOGAUTH
+ syslog(LOG_AUTHPRIV | LOG_NOTICE,
+ "pam_ntdom: Incorrect NT password for username : %s",
+ ntname);
+#endif
+ return PAM_AUTH_ERR;
+ break;
+ }
+
+#ifdef USE_LOGAUTH
+ if (debug)
+ {
+ syslog(LOG_AUTHPRIV | LOG_DEBUG,
+ "pam_ntdom: Authentication failed\n");
+ }
+#endif
+ return PAM_AUTH_ERR;
+
+}
+
+/*
+ * The _pam_set_credentials_smb() does nothing.
+ */
+
+static int _pam_set_credentials_smb(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS; /* This is a wrong result code. From what I
+ remember from reafing one of the guides
+ there's an error-level saying 'N/A func'
+ -- AOY
+ */
+}
+
+/*
+ * PAM framework looks for these entry-points to pass control to the
+ * authentication module.
+ */
+
+PAM_EXTERN
+ int pam_sm_authenticate(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ return _pam_auth_smb(pamh, flags, argc, argv);
+}
+
+PAM_EXTERN
+ int pam_sm_setcred(pam_handle_t * pamh,
+ int flags, int argc, const char **argv)
+{
+ return _pam_set_credentials_smb(pamh, flags, argc, argv);
+}
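Review bot: The debug syslog built from `"pam_ntdom: user: %s domain: %s password: %s"` writes the user's plaintext password to LOG_AUTHPRIV whenever the `debug` option is given, leaving credentials in the system log; drop the token from the message and pass only `ntname, domain`. In the local-password path, `if (flags && PAM_DISALLOW_NULL_AUTHTOK) return PAM_SUCCESS;` uses logical rather than bitwise AND and succeeds precisely when the application asked to disallow an empty token — it should read `if (flags & PAM_DISALLOW_NULL_AUTHTOK) return PAM_AUTH_ERR;` (the branch is probably rarely reached since getpwnam() normally yields an empty string rather than a NULL pw_passwd, but as written it is inverted). `crypt(p, salt)` can return NULL on some libcs for an unusable salt such as a `*` or `!` locked entry, and `strcmp(pp, salt)` then dereferences it inside the login process; test `pp` before comparing. The trailing "Authentication failed" block after the switch is unreachable because every case returns.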
diff --git a/source/pam_ntdom/pam_ntdom_proto.h b/source/pam_ntdom/pam_ntdom_proto.h
new file mode 100644
index 00000000000..2366a708790
--- /dev/null
+++ b/source/pam_ntdom/pam_ntdom_proto.h
@@ -0,0 +1,64 @@
+#ifndef _PAM_NTDOM_PROTO_H_
+#define _PAM_NTDOM_PROTO_H_
+/* This file is automatically generated with "make proto". DO NOT EDIT */
+
+
+/*The following definitions come from lib/sids.c */
+
+struct sid_map* add_sidmap_to_array(uint32 *len, struct sid_map ***array,
+ const struct sid_map *name);
+BOOL get_member_domain_sid(void);
+void generate_wellknown_sids(void);
+BOOL create_sidmap_table(void);
+BOOL generate_sam_sid(char *domain_name, DOM_SID *sid);
+BOOL pwdb_initialise(BOOL is_server);
+BOOL map_domain_name_to_sid(DOM_SID *sid, char **nt_domain);
+BOOL map_wk_sid_to_name(const DOM_SID *sid, char *nt_domain, uint32 *type);
+BOOL map_domain_sid_to_name(DOM_SID *sid, char *nt_domain);
+BOOL map_domain_sid_to_any_dc(DOM_SID *sid, char *dc_name);
+BOOL split_domain_name(const char *fullname, char *domain, char *name);
+BOOL enumtrustdoms(char ***doms, uint32 *num_entries);
+
+/*The following definitions come from lib/stub_uid.c */
+
+void become_root(BOOL save_dir);
+void unbecome_root(BOOL restore_dir);
+const vuser_key *get_sec_ctx(void);
+
+/*The following definitions come from lib/util_seaccess.c */
+
+BOOL se_access_check(const SEC_DESC * sd, const NET_USER_INFO_3 * user,
+ uint32 acc_req, uint32 prev_grant_acc,
+ uint32 * acc_grant,
+ uint32 * status);
+
+/*The following definitions come from pam_ntdom/pam_ntdom_auth.c */
+
+
+/*The following definitions come from pam_ntdom/rpc_validate.c */
+
+BOOL rpc_initialise(void);
+int Valid_User(char *username, char *plaintext_pwd, char *domainname);
+
+/*The following definitions come from pam_ntdom/support.c */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response );
+
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv );
+
+/* Implementation */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response );
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags, int argc,
+ const char **argv );
+#endif /* _PAM_NTDOM_PROTO_H_ */
diff --git a/source/pam_ntdom/rpc_validate.c b/source/pam_ntdom/rpc_validate.c
new file mode 100644
index 00000000000..bf7db5a9df8
--- /dev/null
+++ b/source/pam_ntdom/rpc_validate.c
@@ -0,0 +1,128 @@
+/*
+ Unix SMB/Netbios implementation.
+ Version 2.0
+ PAM for NT Domains
+ Copyright (C) Andrew Tridgell 1994-2000
+ Copyright (C) Luke Kenneth Casson Leighton 1996-2000
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "rpc_validate.h"
+#include "nterr.h"
+
+extern int DEBUGLEVEL;
+
+static BOOL initialised = False;
+
+extern pstring global_myname;
+
+FILE *out_hnd;
+
+
+/****************************************************************************
+ main program
+****************************************************************************/
+BOOL rpc_initialise(void)
+{
+ extern pstring debugf;
+ extern BOOL append_log;
+
+ pstring servicesf = CONFIGFILE;
+ mode_t myumask = 0755;
+
+ if (initialised)
+ {
+ return True;
+ }
+
+ DEBUGLEVEL = 100;
+
+ out_hnd = stdout;
+
+ append_log = True;
+ slprintf(debugf, sizeof(debugf) - 1, "%s/log.pam_ntdom", LOGFILEBASE);
+
+ TimeInit();
+ charset_initialise();
+ init_connections();
+
+ myumask = umask(0);
+ umask(myumask);
+
+ if (!get_myname(global_myname, NULL))
+ {
+ fprintf(stderr, "Failed to get my hostname.\n");
+ return False;
+ }
+
+ codepage_initialise(lp_client_code_page());
+
+ setup_logging(debugf, False);
+ reopen_logs();
+
+ if (!lp_load(servicesf, True, False, False))
+ {
+ fprintf(stderr,
+ "Can't load %s - run testparm to debug it\n",
+ servicesf);
+ return False;
+ }
+
+ load_interfaces();
+
+ if (!pwdb_initialise(False))
+ {
+ return False;
+ }
+
+ initialised = True;
+
+ return True;
+}
+
+/****************************************************************************
+ validates a user.
+ ****************************************************************************/
+int Valid_User(char *username, char *plaintext_pwd, char *domainname)
+{
+ NET_USER_INFO_3 info3;
+ uchar ntpw[16];
+ uchar lmpw[16];
+
+ uint32 status;
+
+ ZERO_STRUCT(info3);
+
+ DEBUG(3, ("%s pam_ntdom (version %s) login. user:%s domain:%s\n",
+ timestring(False), VERSION, username, domainname));
+
+ nt_lm_owf_gen(plaintext_pwd, ntpw, lmpw),
+ status = domain_client_validate("\\\\.", username, domainname,
+ global_myname, SEC_CHAN_WKSTA,
+ NULL,
+ lmpw, sizeof(lmpw),
+ ntpw, sizeof(ntpw), &info3);
+
+ if (status != NT_STATUS_NOPROBLEMO)
+ {
+ fprintf(stderr, "login of %s to domain %s rejected.\n",
+ username, domainname);
+ return NTV_LOGON_ERROR;
+ }
+
+ return NTV_NO_ERROR;
+}
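Review bot: `DEBUGLEVEL = 100;` in rpc_initialise() unconditionally forces maximum Samba debug output into LOGFILEBASE/log.pam_ntdom on every authentication and overrides the `DEBUGLEVEL = 0` that pam_ntdom_auth.c sets when the pam.d `debug` option is absent; at this level the netlogon client code will likely log per-request credential material, so the line should go (or become `DEBUGLEVEL = 0;`) and the caller's option should decide verbosity. Valid_User() maps every status other than NT_STATUS_NOPROBLEMO to NTV_LOGON_ERROR, so NTV_SERVER_ERROR and NTV_PROTOCOL_ERROR are never returned and a DC outage is reported to PAM as a wrong password rather than PAM_AUTHINFO_UNAVAIL; the caller's case 1/2 branch is dead until the transport and logon failures are distinguished here. The ntpw/lmpw hashes are also left on the stack after the call; `memset(ntpw, 0, sizeof(ntpw)); memset(lmpw, 0, sizeof(lmpw));` before each return limits exposure. Finally, `nt_lm_owf_gen(plaintext_pwd, ntpw, lmpw),` ends with a comma operator rather than a semicolon — harmless but clearly a typo.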
diff --git a/source/pam_ntdom/rpc_validate.h b/source/pam_ntdom/rpc_validate.h
new file mode 100644
index 00000000000..209908e4114
--- /dev/null
+++ b/source/pam_ntdom/rpc_validate.h
@@ -0,0 +1,11 @@
+#ifndef _RPC_VALIDATE_H_
+#define _RPC_VALIDATE_H_
+/* SMB User verification function */
+
+#define NTV_NO_ERROR 0
+#define NTV_SERVER_ERROR 1
+#define NTV_PROTOCOL_ERROR 2
+#define NTV_LOGON_ERROR 3
+#define NTV_INITIALISATION_ERROR 1
+
+#endif
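Review bot: `NTV_INITIALISATION_ERROR` and `NTV_SERVER_ERROR` are both defined as 1, so a caller switching on Valid_User()'s result cannot tell an initialisation failure from a server failure; give it a distinct value, e.g. `#define NTV_INITIALISATION_ERROR 4`, or drop it if nothing returns it (nothing in this commit does). A one-line comment stating that 0 is success and that 1 and 2 are the values pam_ntdom_auth.c maps to PAM_AUTHINFO_UNAVAIL would also help, since the caller switches on the raw numbers.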
diff --git a/source/pam_ntdom/support.c b/source/pam_ntdom/support.c
new file mode 100644
index 00000000000..6730ffd8d39
--- /dev/null
+++ b/source/pam_ntdom/support.c
@@ -0,0 +1,177 @@
+/*
+ * $Header: /data/src/mirror/cvs/samba/source/pam_ntdom/Attic/support.c,v 1.1.2.1 2000/04/09 02:04:30 lkcl Exp $
+ */
+
+/*
+ * Copyright Andrew Morgan, 1996. All rights reserved.
+ * Modified by Alexander O. Yuriev
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * $Log: support.c,v $
+ * Revision 1.1.2.1 2000/04/09 02:04:30 lkcl
+ * added pam_ntdom. amazingly, it actually works.
+ *
+ * Revision 1.1 1998/04/17 15:34:25 lkcl
+ *
+ * adding pam_ntdom to samba source repository. this version is known as 0.21
+ *
+ * further work to be done is:
+ *
+ * - to add the "change machine password" support so that the transmission
+ * of the user's password is secure.
+ *
+ * - the session key needs to be generated from a random number.
+ *
+ * - the domain server needs to be automatically detected (using a UDP 138
+ * broadcast SAMQUERY packet to \\DOMAIN-NAME\MAILSLOT\NTLOGON)
+ *
+ * - the code to be changed from SamLogon immediately followed by SamLogoff
+ * to SamLogon when PAM user session starts followed by SamLogoff (or
+ * drop SMB connection) when PAM user session ends.
+ *
+ * this will result in the user _really_ joining the domain from the
+ * workstation, will all the benefits thereof (including that of the
+ * administrator being able to disconnect them!)
+ *
+ * Revision 1.1 1996/11/09 19:44:35 morgan
+ * Initial revision
+ *
+ * Revision 1.1 1996/04/17 01:11:08 alex
+ * Initial revision
+ *
+ */
+
+#include <stdlib.h> /* define NULL */
+
+#ifndef LINUX
+
+ #include <security/pam_appl.h>
+
+#endif /* LINUX */
+
+#include <security/pam_modules.h>
+
+
+#ifndef NDEBUG
+
+ #include <syslog.h>
+
+#endif /* NDEBUG */
+
+
+/* Phototype declarations */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response );
+
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv );
+
+/* Implementation */
+
+int converse( pam_handle_t *pamh,
+ int nargs,
+ struct pam_message **message,
+ struct pam_response **response )
+
+{
+ int retval;
+ struct pam_conv *conv;
+
+ retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
+ if ( retval == PAM_SUCCESS )
+ {
+ retval = conv->conv( nargs,
+ ( const struct pam_message ** ) message,
+ response,
+ conv->appdata_ptr );
+ }
+ return retval;
+}
+
+/***************************************************************************/
+/* prompt user for a using conversation calls */
+/***************************************************************************/
+
+int _set_auth_tok( pam_handle_t *pamh,
+ int flags, int argc,
+ const char **argv )
+{
+ int retval;
+ char *p;
+
+ struct pam_message msg[1],*pmsg[1];
+ struct pam_response *resp;
+
+ /* set up conversation call */
+
+ pmsg[0] = &msg[0];
+ msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
+ msg[0].msg = "Password: ";
+ resp = NULL;
+
+ if ( ( retval = converse( pamh, 1 , pmsg, &resp ) ) != PAM_SUCCESS )
+ return retval;
+
+ if ( resp )
+ {
+ if ( ( flags & PAM_DISALLOW_NULL_AUTHTOK ) &&
+ resp[0].resp == NULL )
+ {
+ free( resp );
+ return PAM_AUTH_ERR;
+ }
+
+ p = resp[ 0 ].resp;
+
+ /* This could be a memory leak. If resp[0].resp
+ is malloc()ed, then it has to be free()ed!
+ -- alex
+ */
+
+ resp[ 0 ].resp = NULL;
+
+ }
+ else
+ return PAM_CONV_ERR;
+
+ free( resp );
+ pam_set_item( pamh, PAM_AUTHTOK, p );
+ return PAM_SUCCESS;
+}
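Review bot: In `_set_auth_tok` the plaintext password `p` taken from `resp[0].resp` is handed to `pam_set_item`, which stores its own copy, but `p` itself is never cleared or freed, so the password lingers in heap memory for the life of the process (the comment above `resp[ 0 ].resp = NULL;` already suspects the leak). After `pam_set_item` returns, zero and free `p` and propagate `pam_set_item`'s result instead of returning an unconditional `PAM_SUCCESS`; this needs `<string.h>`, and because a plain `memset` before `free` can be optimised away, a compiler-resistant zeroing helper is preferable if the build provides one. A related gap: `converse` dereferences `conv` as soon as `pam_get_item` succeeds, with no check that the item is non-NULL, so a guard such as `if ( conv == NULL ) return PAM_CONV_ERR;` seems warranted. Minor: the comment heading the declarations reads "Phototype" where "Prototype" is meant.
```c
    free( resp );
    retval = pam_set_item( pamh, PAM_AUTHTOK, p );
    if ( p != NULL )
    {
        memset( p, 0, strlen( p ) );   /* scrub the plaintext before release */
        free( p );
    }
    return retval;
```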
diff --git a/source/rpc_client/msrpc_netlogon.c b/source/rpc_client/msrpc_netlogon.c
index 480414fbaa9..2e4c6a6dd6d 100644
--- a/source/rpc_client/msrpc_netlogon.c
+++ b/source/rpc_client/msrpc_netlogon.c
@@ -64,14 +64,14 @@ BOOL modify_trust_password(const char *domain, const char *srv_name,
Do the same as security=server, but using NT Domain calls and a session
key from the workstation trust account password.
************************************************************************/
-static uint32 domain_client_validate(const char *user, const char *domain,
- const char *acct_name, uint16 acct_type,
- const char *challenge,
- const char *smb_apasswd,
- int smb_apasslen,
- const char *smb_ntpasswd,
- int smb_ntpasslen,
- NET_USER_INFO_3 * info3)
+uint32 domain_client_validate(const char *server,
+ const char *user, const char *domain,
+ const char *acct_name, uint16 acct_type,
+ const char *challenge,
+ const char *smb_apasswd,
+ int smb_apasslen,
+ const char *smb_ntpasswd,
+ int smb_ntpasslen, NET_USER_INFO_3 * info3)
{
unsigned char trust_passwd[16];
NET_ID_INFO_CTR ctr;
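Review bot: The new leading `server` parameter is not described anywhere, and the function header comment in the context lines still documents only the old behaviour; now that `static` has been dropped and the function is callable from other units, the contract needs stating. I would extend the header comment with `server: if non-NULL, used verbatim as the domain controller name and DC discovery for domain is skipped; NULL keeps the previous lookup behaviour`, and note that the caller-supplied name is what the workstation trust account credentials are then presented to. The body of `domain_client_validate` continues past this hunk, and presumably the exported prototype is picked up by the generated proto header.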
@@ -91,7 +91,11 @@ static uint32 domain_client_validate(const char *user, const char *domain,
fstrcpy(trust_acct, acct_name);
fstrcat(trust_acct, "$");
- if (!get_any_dc_name(domain, srv_name))
+ if (server != NULL)
+ {
+ fstrcpy(srv_name, server);
+ }
+ else if (!get_any_dc_name(domain, srv_name))
{
DEBUG(3,
("domain_client_validate: could not find domain %s, using local SAM\n",
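Review bot: The override test `if (server != NULL)` treats an empty string as a valid server name: it is copied into `srv_name` and DC discovery is skipped, leaving an empty target for the credential setup that follows. Tightening it to `if (server != NULL && *server != '\0')` keeps the NULL contract for existing callers while letting an empty override fall through to `get_any_dc_name` as before. The remainder of `domain_client_validate` lies outside this hunk.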
@@ -128,10 +132,9 @@ static uint32 domain_client_validate(const char *user, const char *domain,
* Now start the NT Domain stuff :-).
*/
- status =
- cli_nt_setup_creds(srv_name, domain, global_myname,
- trust_acct, trust_passwd, acct_type,
- &validation_level);
+ status = cli_nt_setup_creds(srv_name, domain, global_myname,
+ trust_acct, trust_passwd, acct_type,
+ &validation_level);
if (status != 0x0)
{
DEBUG(0, ("domain_client_validate: credentials failed (%s)\n",
@@ -201,10 +204,9 @@ static uint32 domain_client_validate(const char *user, const char *domain,
if (status != 0x0)
{
- DEBUG(0,
- ("domain_client_validate: unable to validate password for user %s in domain \
- %s to Domain controller %s.\n",
- user, domain, srv_name));
+ DEBUG(0, ("domain_client_validate: unable to validate \
+ password for user %s in domain %s to \
+ Domain controller %s.\n", user, domain, srv_name));
return status;
}
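Review bot: The rewrapped `DEBUG(0, (...))` still uses backslash-newline continuation inside the string literal, so the indentation of the two continuation lines becomes part of the emitted log message as runs of whitespace. Adjacent string-literal concatenation gives the same wrap without that artefact: `DEBUG(0, ("domain_client_validate: unable to validate "` / `"password for user %s in domain %s to "` / `"Domain controller %s.\n", user, domain, srv_name));`. The same continuation style appears in the earlier `@@ -128,10 +132,9 @@` hunk only in code, not in a string, so that one is fine.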
@@ -214,7 +216,7 @@ static uint32 domain_client_validate(const char *user, const char *domain,
* locked out / disabled" etc!!!!
*/
- DEBUG(10, ("domain_client_validate: user %s\%s OK\n", domain, user));
+ DEBUG(10, ("domain_client_validate: user %s\\%s OK\n", domain, user));
DEBUG(3, ("domain_client_validate: check lockout / pwd expired!\n"));
return 0x0;
@@ -263,7 +265,7 @@ uint32 check_domain_security(const char *orig_user, const char *domain,
DEBUG(10, ("check_domain_security: %s(%d)\n", acct_name, acct_type));
- return domain_client_validate(orig_user, domain,
+ return domain_client_validate(NULL, orig_user, domain,
acct_name, acct_type,
challenge,
smb_apasswd, smb_apasslen,
diff --git a/source/samrd/srv_samr_passdb.c b/source/samrd/srv_samr_passdb.c
index dade2fa0df6..49e534277df 100644
--- a/source/samrd/srv_samr_passdb.c
+++ b/source/samrd/srv_samr_passdb.c
@@ -989,10 +989,8 @@ uint32 _samr_query_dispinfo(const POLICY_HND * domain_pol, uint16 level,
********************************************************************/
uint32 _samr_delete_dom_user(POLICY_HND *user_pol)
{
- fstring user_name;
uint32 user_rid = 0x0;
DOM_SID user_sid;
- struct sam_passwd *sam_pass;
/* find the policy handle. open a policy on it. */
if (!get_policy_samr_sid(get_global_hnd_cache(), user_pol, &user_sid))