Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 82dc19f844af65a8815c629e4ec1f354d208a53f)
|
|
LAM module does to work around a system that does not support
>8 character usernames. Without the change, pam_winbind tries
to authenticate _#uid in the domain.
(This used to be commit 7f0ba72e05acbd958fbf768a04d16c29189dc8f7)
|
|
changed a password via pam_chauthtok. Only do this if
a) a user logs on using an expired password (or a password that needs to
be changed immediately) or
b) the user itself changes his password.
Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).
Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).
Guenther
(This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
|
|
Cached logon with pam_winbind should work now also for NT4 and samba3
domains.
Guenther
(This used to be commit b2f91154820219959b8008b15802c70e1d76d158)
|
|
Guenther
(This used to be commit 5a7b2fccb3cdc6a849aedcd256eea86faec1d54c)
|
|
Guenther
(This used to be commit 968dfcc8218cacdd97c2c66929e95f5062ff464a)
|
|
the PAM_SUCCESS block.
Guenther
(This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)
|
|
* Consolidate all pam_winbind password expiry warnings in the one
_pam_send_password_expiry_message() call.
* Also convert some more NTSTATUS codes to error messages.
* Add paranoia check to only do all the post-processing after PAM_SUCCESS.
Guenther
(This used to be commit 02713f314b65a14e659e801f7eebea453756ac44)
|
|
Set info3 strings, krb5ccname and returned username after we changed a
password and sucessfully re-authenticated afterwards. In that case we
ended up without this information.
Guenther
(This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83)
|
|
pam_winbind.
Guenther
(This used to be commit 1feb961577475dceb97948cd2fdb987005890498)
|
|
Guenther
(This used to be commit 86b34cd5d6675c8f0a0becdcded36de4a815c898)
|
|
Guenther
(This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e)
|
|
calling application.
Guenther
(This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05)
|
|
Guenther
(This used to be commit 1b82c5fa0e363942947453a8e1b74aa2b95d8733)
|
|
received NT_STATUS_PASSWORD_RESTRICTION.
Guenther
(This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
|
|
requests in pam_winbind (Bug #4094).
Inspired by fix from Lars Heete.
Guenther
(This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
|
|
Guenther
(This used to be commit 08ca5ea6f1b09506055b2508aa79704f39b3bbd7)
|
|
* make debug_state also configurable from the config file
* minor code cleanup
Guenther
(This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
|
|
Guenther
(This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
|
|
Jerry, the switch statement must ignore the PAM_SILENT flag.
Guenther
(This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
|
|
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
|
|
* Remove anpther check for PAM_SILENT that prevents logging to syslog
* Add missing check for TRY_FIRST_PASS when using authtok (missed
from previous merge)
(This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
|
|
Details: Improve PAM logging
- The improved logging is far tracking down PAM-related bugs
- PAM_SILENT was being mis-used to suppress syslog output instead of
suppressing user output. This lets PAM_SILENT still log to syslog.
- Allow logging of item & data state via debug_state config file option.
- Logging tracks the pam handle used.
(This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
|
|
Details: Reset the "new password prompt required" state whenever
we do a new auth. In more detail, in pam_sm_authenticate, if not
settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially
present PAM_WINBIND_NEW_AUTHTOK_REQD.
(This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
|
|
Patch details:
Support most options in pam_winbind.conf; support comma-separated names in
require-membership-of. Details below:
1) Provides support for almost all config options in pam_winbind.conf
(all except for use_first_pass, use_authtok, and unknown_ok).
- That allows us to work well when invoked via call_modules from
pam_unix2.conf as well as allowing use of spaces in names used
w/require_membership_of.
2) Support for comma-separated list of names or SID strings in
require_membership_of/require-membership-of.
- Increased require_membership_of field in winbind request from fstring
(256) to pstring (1024).
- In PAM side, parse out multiple names or SID strings and convert
all of them to SID strings.
- In Winbind side, support membership check against multiple SID strings.
(This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
|
|
In case a user authenticated sucessfully and his password just expired
while beeing disconnected, we should allow a user to logon (given a
clear warning). We currently forced the user into a password change
dialogue in that scenario; this did not make much sense while offline.
Guenther
(This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
|
|
We were incorrectly calculating the days until the password expires and
we also need to look at the info3 pass_must_change_time for expiry
calculation.
Guenther
(This used to be commit 22d79237127a064a934928d175182adecc6300de)
|
|
* fail on invalid credential flags in pam_sm_setcred
* parse config file for pam_sm_acct_mgmt and pam_sm_open_session
Guenther
(This used to be commit 2a428ac814d03880de63656ea97827126ccfec5c)
|
|
Guenther
(This used to be commit f6c9421abdf5731e894cd2ccc1b7431a3c368bbf)
|
|
Guenther
(This used to be commit 222320373f8a251fc2cf3ff8c3fec93a7a48f9df)
|
|
is set.
Guenther
(This used to be commit ecbab58826a51ace2a0d1181a41391f5d170ff06)
|
|
(e.g. to get the debug flag)
Guenther
(This used to be commit 2c549f71f15b066ac1f415544848b582558abd5d)
|
|
when offline and or doing password changes.
Jeremy.
(This used to be commit 4a74c553845c960a355ddb86abaadfe0d550271f)
|
|
pam_winbind. Thanks to Andrew Benham <andrew.benham@thus.net>
(This used to be commit 0d03f5137936546253a8b3334995f536f3621d57)
|
|
we're just doing strchr on a const string there's
no need to strdup it before, we're never modifying
it. Just remove the variable "parm".
Jeremy.
(This used to be commit 1af18f613b1399220e38e7ab40665c2ca177c5a7)
|
|
(This used to be commit 3fed72ac3efd1fa7df8fb7d1e2cb9772d66bb4bd)
|
|
field.
Guenther
(This used to be commit 66b92f27fa4edec180b8c8eee929ec8f31ef6a08)
|
|
Guenther
(This used to be commit a4d17ee9c960abdf21b9af1601bd1042e0cd7636)
|
|
Guenther
(This used to be commit 9621bb420a13e634badcc922c73c8bfb30aa6120)
|
|
it in.
(This used to be commit 4e464a2c35984752244f30ce9bb259eb16149e3f)
|
|
Guenther
(This used to be commit 143a48927b0e21d31a9f54cfc720b5d04a4b6751)
|
|
(This used to be commit 8c60e71229cd577f3b17345c5824363dd202eba9)
|
|
Jeremy.
(This used to be commit 7644fa70ba4f7c88d887930e23b5ee2e1632473b)
|
|
* as openlog() is non-reentrant and pam_winbind thereby overrides the
syslog settings of the calling application, directly call syslog (or
pam_vsyslog if available)
* support the PAM_SILENT flag to avoid any log messages beeing created
Guenther
(This used to be commit 0f7e37ffc4759a4e29f63ab83f39ddb31c8240f6)
|
|
pam offline logons.
Guenther
(This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
|
|
name that will be returned by winbindd. This
(should) fix the bug where the user logs in
with DOMAIN\user but winbindd returns only
"user" for the username due to 'winbind use
default domain' being set.
Jeremy.
(This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
|
|
AD DC
* Merge patches from SLES10 to make sure we talk to the correct
winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
|
|
(This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497)
|
|
other PAM modules to pick it up from there.
Guenther
(This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5)
|
|
Guenther
(This used to be commit 62a8e0b08919e71c6a575ce6d89d8a4a09acbd87)
|