Diffstat (limited to 'sesman')
-rw-r--r--sesman/access.c4
-rw-r--r--sesman/auth.h2
-rw-r--r--sesman/config.c7
-rw-r--r--sesman/config.h6
-rw-r--r--sesman/scp_v0.c9
-rw-r--r--sesman/scp_v1.c4
-rw-r--r--sesman/scp_v1_mng.c2
-rw-r--r--sesman/sesman.ini3
-rw-r--r--sesman/verify_user.c2
-rw-r--r--sesman/verify_user_kerberos.c2
-rw-r--r--sesman/verify_user_pam.c22
-rw-r--r--sesman/verify_user_pam_userpass.c2
12 files changed, 48 insertions, 17 deletions
diff --git a/sesman/access.c b/sesman/access.c
index 00c9c381..692575e5 100644
--- a/sesman/access.c
+++ b/sesman/access.c
@@ -42,7 +42,7 @@ access_login_allowed(char *user)
return 0;
}
- if (0 == g_cfg->sec.ts_users_enable)
+ if ((0 == g_cfg->sec.ts_users_enable) && (0==g_cfg->sec.ts_always_group_check))
{
LOG_DBG("Terminal Server Users group is disabled, allowing authentication",
1);
@@ -57,7 +57,7 @@ access_login_allowed(char *user)
if (g_cfg->sec.ts_users == gid)
{
- LOG_DBG("ts_users is user's primary group");
+ log_message(LOG_LEVEL_DEBUG,"ts_users is user's primary group");
return 1;
}
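Review bot: With the widened condition in the first hunk, a configuration that enables AlwaysGroupCheck but has no resolvable TerminalServerUsers group no longer returns early, so execution falls through to the `g_cfg->sec.ts_users == gid` comparison with a `ts_users` value that config.c only assigns when the group lookup succeeded. If that field is left zero-initialised (its initialisation is not visible here), a user whose primary group is gid 0 would satisfy the comparison, which is the opposite of what config.h promises for this flag ("if the Groups are not found deny access"). An explicit refusal when the flag is set and the group is unavailable keeps the later membership checks from running against an unassigned gid. access_login_allowed starts before the first hunk and the membership loop continues after the second.
```c
    if (0 == g_cfg->sec.ts_users_enable)
    {
        /* group could not be resolved: only fall back to "allow" when the
           administrator has not asked for a mandatory group check */
        if (0 != g_cfg->sec.ts_always_group_check)
        {
            log_message(LOG_LEVEL_INFO, "Terminal Server Users group is not "
                        "configured and AlwaysGroupCheck is set, denying access");
            return 0;
        }
        /* … unchanged: LOG_DBG and allow … */
```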
diff --git a/sesman/auth.h b/sesman/auth.h
index 09bec2e9..39acc0b8 100644
--- a/sesman/auth.h
+++ b/sesman/auth.h
@@ -36,7 +36,7 @@
*
*/
long DEFAULT_CC
-auth_userpass(char* user, char* pass);
+auth_userpass(char* user, char* pass, int *errorcode);
/**
*
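Review bot: The prototype gains `int *errorcode` but the doc comment above it (it begins before the hunk) says nothing about the new parameter, and its contract is the non-obvious part: it may be NULL, it is written only on failure, and on success it is left untouched, so a caller that reads it must initialise it first. Suggested addition to the comment block: ` * @param errorcode optional (may be NULL); on failure receives the backend's error code, on success it is not modified, callers must initialise it`. Judging by the other hunks of this commit only the PAM backend stores into it, which is also worth stating here so callers do not rely on it with other backends.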
diff --git a/sesman/config.c b/sesman/config.c
index 9938249f..e2131c14 100644
--- a/sesman/config.c
+++ b/sesman/config.c
@@ -286,13 +286,18 @@ config_read_security(int file, struct config_security *sc,
sc->ts_admins = gid;
}
}
+ if (0 == g_strcasecmp(buf, SESMAN_CFG_SEC_ALWAYSGROUPCHECK))
+ {
+ sc->ts_always_group_check = text2bool((char *)list_get_item(param_v, i));
+ }
}
/* printing security config */
g_printf("security configuration:\r\n");
g_printf("\tAllowRootLogin: %i\r\n", sc->allow_root);
g_printf("\tMaxLoginRetry: %i\r\n", sc->login_retry);
-
+ g_printf("\tAlwaysGroupCheck: %i\r\n", sc->ts_always_group_check);
+
if (sc->ts_users_enable)
{
g_printf("\tTSUsersGroup: %i\r\n", sc->ts_users);
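Review bot: `sc->ts_always_group_check` is assigned only when the `AlwaysGroupCheck` key is present in the section; when it is absent the field keeps whatever config_read_security's defaults (set before this hunk, not visible here) left in it, and no default for the new field is added in this commit. Add `sc->ts_always_group_check = 0;` next to the other `sc->` defaults at the top of the function so the documented opt-in behaviour does not depend on the allocator zeroing the struct. The diagnostic `g_printf` line is consistent with its neighbours.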
diff --git a/sesman/config.h b/sesman/config.h
index 72c6cac4..263975b3 100644
--- a/sesman/config.h
+++ b/sesman/config.h
@@ -56,6 +56,7 @@
#define SESMAN_CFG_SEC_ALLOW_ROOT "AllowRootLogin"
#define SESMAN_CFG_SEC_USR_GROUP "TerminalServerUsers"
#define SESMAN_CFG_SEC_ADM_GROUP "TerminalServerAdmins"
+#define SESMAN_CFG_SEC_ALWAYSGROUPCHECK "AlwaysGroupCheck"
#define SESMAN_CFG_SESSIONS "Sessions"
#define SESMAN_CFG_SESS_MAX "MaxSessions"
@@ -93,6 +94,11 @@ struct config_security
*/
int ts_admins_enable;
int ts_admins;
+ /**
+ * @var ts_always_group_check
+ * @brief if the Groups are not found deny access
+ */
+ int ts_always_group_check;
};
/**
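Review bot: The `@brief` on the new `ts_always_group_check` field is too loose to tell a reader what the flag changes; it is consulted in access_login_allowed, where a non-zero value suppresses the "group not configured, allow" shortcut. Suggested wording: `@brief when non-zero, a login is refused instead of being allowed when the TerminalServerUsers group cannot be resolved (sesman.ini: AlwaysGroupCheck)`. The macro name `SESMAN_CFG_SEC_ALWAYSGROUPCHECK` also breaks the `SESMAN_CFG_SEC_<WORD>_<WORD>` pattern of its neighbours; `SESMAN_CFG_SEC_ALWAYS_GROUP_CHECK` would match.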
diff --git a/sesman/scp_v0.c b/sesman/scp_v0.c
index da6ab919..6ecb47b1 100644
--- a/sesman/scp_v0.c
+++ b/sesman/scp_v0.c
@@ -35,8 +35,9 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
int display = 0;
tbus data;
struct session_item *s_item;
+ int errorcode = 0 ;
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,&errorcode);
if (s->type == SCP_GW_AUTHENTICATION)
{
@@ -47,14 +48,14 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
if (1 == access_login_allowed(s->username))
{
/* the user is member of the correct groups. */
- scp_v0s_replyauthentication(c, 0);
+ scp_v0s_replyauthentication(c, errorcode);
log_message(LOG_LEVEL_INFO, "Access permitted for user: %s",
s->username);
/* g_writeln("Connection allowed"); */
}
else
{
- scp_v0s_replyauthentication(c, 3);
+ scp_v0s_replyauthentication(c, 32+3); /* all first 32 are reserved for PAM errors */
log_message(LOG_LEVEL_INFO, "Username okey but group problem for "
"user: %s", s->username);
/* g_writeln("user password ok, but group problem"); */
@@ -65,7 +66,7 @@ scp_v0_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
/* g_writeln("username or password error"); */
log_message(LOG_LEVEL_INFO, "Username or password error for user: %s",
s->username);
- scp_v0s_replyauthentication(c, 2);
+ scp_v0s_replyauthentication(c, errorcode);
}
auth_end(data);
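Review bot: The failure reply `scp_v0s_replyauthentication(c, errorcode);` in the last hunk sends 0, the very value the success path now sends, whenever the backend did not store into `*errorcode`, and in this commit only verify_user_pam.c does; with the other backends a rejected login is reported to the client with the success code. Keep a non-zero fallback on that path, e.g. `scp_v0s_replyauthentication(c, errorcode != 0 ? errorcode : 2);`. Forwarding the raw PAM result to a not-yet-authenticated client is also a disclosure to weigh: depending on the PAM stack, distinct codes such as PAM_USER_UNKNOWN and PAM_AUTH_ERR let a client tell existing account names from non-existing ones, so mapping to a coarser set before replying is preferable. `32+3` deserves a named constant next to its "reserved for PAM errors" comment. `int errorcode = 0 ;` and `s->password,&errorcode` (likewise `,NULL` in scp_v1.c and scp_v1_mng.c) need the usual spacing.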
diff --git a/sesman/scp_v1.c b/sesman/scp_v1.c
index 295fbce4..d3f0ab7f 100644
--- a/sesman/scp_v1.c
+++ b/sesman/scp_v1.c
@@ -50,7 +50,7 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
retries = g_cfg->sec.login_retry;
current_try = retries;
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,NULL);
/*LOG_DBG("user: %s\npass: %s", s->username, s->password);*/
while ((!data) && ((retries == 0) || (current_try > 0)))
@@ -65,7 +65,7 @@ scp_v1_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
{
case SCP_SERVER_STATE_OK:
/* all ok, we got new username and password */
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,NULL);
/* one try less */
if (current_try > 0)
diff --git a/sesman/scp_v1_mng.c b/sesman/scp_v1_mng.c
index 0e20007d..9d1da0f5 100644
--- a/sesman/scp_v1_mng.c
+++ b/sesman/scp_v1_mng.c
@@ -42,7 +42,7 @@ scp_v1_mng_process(struct SCP_CONNECTION *c, struct SCP_SESSION *s)
int scount;
int end = 0;
- data = auth_userpass(s->username, s->password);
+ data = auth_userpass(s->username, s->password,NULL);
/*LOG_DBG("user: %s\npass: %s", s->username, s->password);*/
if (!data)
diff --git a/sesman/sesman.ini b/sesman/sesman.ini
index f2a210a4..571e063b 100644
--- a/sesman/sesman.ini
+++ b/sesman/sesman.ini
@@ -10,6 +10,9 @@ AllowRootLogin=1
MaxLoginRetry=4
TerminalServerUsers=tsusers
TerminalServerAdmins=tsadmins
+# When AlwaysGroupCheck = false access will be permitted
+# if the group TerminalServerUsers is not defined.
+AlwaysGroupCheck = false
[Sessions]
X11DisplayOffset=10
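Review bot: `AlwaysGroupCheck = false` is written with spaces around `=`, unlike every other key in the section; whether the ini reader trims them before `text2bool` is not visible here, so `AlwaysGroupCheck=false` is the safe spelling. The comment documents only the false case; adding `# When AlwaysGroupCheck = true logins are refused when the group cannot be resolved` would describe the setting the option exists for.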
diff --git a/sesman/verify_user.c b/sesman/verify_user.c
index 8765d7c2..5bd89c73 100644
--- a/sesman/verify_user.c
+++ b/sesman/verify_user.c
@@ -48,7 +48,7 @@ auth_account_disabled(struct spwd *stp);
/******************************************************************************/
/* returns boolean */
long DEFAULT_CC
-auth_userpass(char *user, char *pass)
+auth_userpass(char *user, char *pass, int *errorcode)
{
char salt[13] = "$1$";
char hash[35] = "";
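Review bot: The new `int *errorcode` parameter is accepted here but nothing in the hunk stores into it, and the same holds for the signature-only changes in verify_user_kerberos.c and verify_user_pam_userpass.c; unless the bodies outside the hunks do, a caller that inspects `*errorcode` after a failed login, as scp_v0.c now does, only sees its own initial value. Either write a non-zero code on each failure path, or document in auth.h that only the PAM backend reports one; an untouched parameter also trips -Wunused-parameter under -Wextra. auth_userpass continues past the hunk.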
diff --git a/sesman/verify_user_kerberos.c b/sesman/verify_user_kerberos.c
index c4a7ecde..fc0d4aa2 100644
--- a/sesman/verify_user_kerberos.c
+++ b/sesman/verify_user_kerberos.c
@@ -396,7 +396,7 @@ cleanup:
/******************************************************************************/
/* returns boolean */
int DEFAULT_CC
-auth_userpass(char *user, char *pass)
+auth_userpass(char *user, char *pass, int *errorcode)
{
struct k_opts opts;
struct k5_data k5;
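Review bot: `int DEFAULT_CC auth_userpass(...)` here, and likewise in verify_user_pam_userpass.c, disagrees with the `long DEFAULT_CC` prototype in auth.h that this commit edits (verify_user.c and verify_user_pam.c define it as `long`). The mismatch is pre-existing, but since the declaration line is being rewritten anyway this is the moment to align it: `long DEFAULT_CC`. The function body continues beyond the hunk.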
diff --git a/sesman/verify_user_pam.c b/sesman/verify_user_pam.c
index b81398de..b7a7bef7 100644
--- a/sesman/verify_user_pam.c
+++ b/sesman/verify_user_pam.c
@@ -98,9 +98,11 @@ get_service_name(char *service_name)
}
/******************************************************************************/
-/* returns long, zero is no go */
+/* returns long, zero is no go
+ Stores the detailed error code in the errorcode variable*/
+
long DEFAULT_CC
-auth_userpass(char *user, char *pass)
+auth_userpass(char *user, char *pass, int *errorcode)
{
int error;
struct t_auth_info *auth_info;
@@ -116,6 +118,9 @@ auth_userpass(char *user, char *pass)
if (error != PAM_SUCCESS)
{
+ if(errorcode!=NULL){
+ *errorcode = error ;
+ }
g_printf("pam_start failed: %s\r\n", pam_strerror(auth_info->ph, error));
g_free(auth_info);
return 0;
@@ -125,16 +130,27 @@ auth_userpass(char *user, char *pass)
if (error != PAM_SUCCESS)
{
+ if(errorcode!=NULL){
+ *errorcode = error ;
+ }
g_printf("pam_authenticate failed: %s\r\n",
pam_strerror(auth_info->ph, error));
g_free(auth_info);
return 0;
}
-
+ /* From man page:
+ The pam_acct_mgmt function is used to determine if the users account is
+ valid. It checks for authentication token and account expiration and
+ verifies access restrictions. It is typically called after the user has
+ been authenticated.
+ */
error = pam_acct_mgmt(auth_info->ph, 0);
if (error != PAM_SUCCESS)
{
+ if(errorcode!=NULL){
+ *errorcode = error ;
+ }
g_printf("pam_acct_mgmt failed: %s\r\n",
pam_strerror(auth_info->ph, error));
g_free(auth_info);
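Review bot: The failure branches that now set `*errorcode` after `pam_authenticate` and `pam_acct_mgmt` still tear down with `g_free(auth_info)` alone, without `pam_end(auth_info->ph, error);` first, so the PAM handle is leaked on every rejected login; this predates the commit, but the hunk is rewriting exactly these branches. The header comment should state the part of the contract callers depend on: `*errorcode` is written only when a PAM call fails and is left untouched on success, so callers must initialise it (scp_v0.c does). The three `if(errorcode!=NULL){` blocks use a brace and spacing style unlike the rest of the file; the file's own layout, or a small `static void set_errorcode(int *errorcode, int error)` helper, would keep it uniform. The blank line inserted between the comment and `long DEFAULT_CC` detaches the comment from the function it documents. auth_userpass continues beyond the last hunk.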
diff --git a/sesman/verify_user_pam_userpass.c b/sesman/verify_user_pam_userpass.c
index 9fa2d9e5..4d6aac40 100644
--- a/sesman/verify_user_pam_userpass.c
+++ b/sesman/verify_user_pam_userpass.c
@@ -34,7 +34,7 @@
/******************************************************************************/
/* returns boolean */
int DEFAULT_CC
-auth_userpass(char *user, char *pass)
+auth_userpass(char *user, char *pass, int *errorcode)
{
pam_handle_t *pamh;
pam_userpass_t userpass;