summaryrefslogtreecommitdiff
path: root/source3/nsswitch/pam_winbind.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r14508: Return PAM_SUCCESS in pam_sm_close_session when there is no KRB5CCNAMEGünther Deschner1-1/+1
environment. Guenther (This used to be commit 1f1402e45db8d80a7c19208fae934e1b0f3da134)
2007-10-10r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain passwordGünther Deschner1-1/+1
policies when requested. No panic, the flags is uint32 so we are not running out of WBFLAG bits. Guenther (This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)
2007-10-10r13895: As agreed upon with gd on the phone, remove ↵Volker Lendecke1-3/+3
WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-4/+43
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13391: Only fall into password change when ACB_PWNOEXP is not setGünther Deschner1-2/+2
(got it wrong the first time as administrator has this flag set by default). Guenther (This used to be commit e9ccebf45a5db8964793084950fbb2c23b2469a3)
2007-10-10r13375: Match XP behaviour: Don't force 'Administrator' to change an expiredGünther Deschner1-2/+4
password on logon. (this might be true for all domain admins as well). Guenther (This used to be commit 24c6b9fecb521380008cb44e6d987a6f495027dc)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-267/+724
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r12900: Merge from trunk:Günther Deschner1-1/+43
Correctly handle the case where users logon with an expired password. In that case pam_sm_authenticate has to return PAM_SUCESS instead of PAM_NEW_AUTHTOK_REQD or PAM_AUTHTOK_EXPIRED and pam_sm_acct_mgmt has to take care of requesting an immediate password change. (see the Linux PAM documentation). Fixes Bugzilla #1524, #3205. Tested with login, sshd, kdm and gdm on Linux. Thanks to Scott Barker <Scott_Barker@mtechIT.com>. Guenther (This used to be commit 4cb662ffd76dbe30003c618c94ccf6ebd4afb48c)
2007-10-10r10321: Fix winbindd recursion bug found by Ingo Steuwer ↵Jeremy Allison1-1/+1
<steuwer@univention.de>. Jeremy. (This used to be commit 6795c818a3d63737d5b40faffa3a0b91c71b427b)
2007-10-10r7145: reuse the WINBIND_REQUIRED_MEMBERSHIP constant.Günther Deschner1-12/+14
This is just cosmetic but prevents people from thinking that the pam_winbind "require_membership_of"-option is not yet implemented :) Guenther (This used to be commit ef80a49a858d7d81d427c7bac71fdac4fc0d1bd6)
2007-10-10r5207: patches from Jay Fenlason @ RedHat (scooped from their Fedora packages)Gerald Carter1-2/+2
(This used to be commit 9019a8436162d3606f6b8584701b0832cf5a7439)
2007-10-10r3911: typo.Günther Deschner1-1/+1
Guenther (This used to be commit 52dea588fd0b40a32c56b5634315b149fc088907)
2007-10-10r2779: Some fixes to pam_winbind.c.:Andrew Bartlett1-7/+8
Allow 'require_membership_of' and 'require-membership-of'. Really use a different struct for the SID->Name lookup. Andrew Bartlett (This used to be commit 83dadcd089905aa8ff3392010177ffa1dc8237ba)
2007-10-10r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix theAndrew Bartlett1-7/+9
naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth. Andrew Bartlett (This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
2007-10-10r2482: Fix from Arthur van Dongen <avdongen@xs4all.nl> to fix acces -> ↵Jeremy Allison1-2/+2
access typos. Jeremy. (This used to be commit a278dca1b2c103f368d154aee2d3a1edd5604687)
2007-10-10r1971: move counter.Günther Deschner1-1/+1
Guenther (This used to be commit 74287178d208fd2f5b152314a3b797dcfea698a7)
2007-10-10r1942: Add missing semicolon.John Terpstra1-1/+1
(This used to be commit a0b80033c997d50562f66686e79a58fc9603217d)
2007-10-10r1888: Bring the same level of "required_membership"-functionality thatGünther Deschner1-5/+55
ntlm_auth uses, to pam_winbindd as well. This allows to make successfull authentication via PAM dependent on SID-membership. At the moment, both ntlm_auth and pam_winbindd.so accept user/group-names or sid-strings - as discussed, recursive membership (e.g. local aliases) will be added later. Guenther (This used to be commit 7494569655f8d112a0c883a2748a1012bb64ad3a)
2003-01-15*lots of small merges form HEADGerald Carter1-1/+2
*sync up configure.in *don't build torture tools in make all *make sure to remove torture tools as part of make clean (This used to be commit 0fb724b3216eeeb97e61ff12755ca3a31bcad6ef)
2002-10-26Try to catch up on the code I've put into HEAD that should be in 3.0:Andrew Bartlett1-19/+37
- vorlan's hosts allow with DNS names patch - use x_fileno() in debug.c, not the struct directly. - check for server timeout on password change (was reporting success) - better error/status loggin in both the pam_winbind client and winbindd_pam server code. - (pdb_ldap) don't set the ldap version twice - we do it on every bind anyway. (This used to be commit 9fa1863d8e7788eda83911ca2610754486b33069)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-10/+11
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-7/+11
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-0/+9
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-04-03More winbind for HPUX updates from Don Mccall. I think JRA has alreadyAndrew Bartlett1-2/+23
applied these to 2.2. Andrew Bartlett (This used to be commit 51fe3324dda6b1f9a9a45deda7a76b1fff35399a)
2002-03-23Various winbind updates:Andrew Bartlett1-3/+3
- pam_winbind updates from vance, fixing a typo and making some the options work properly. - Extra parinoia in the winbind connection loop - Allow pam_winbind to compile on HP-UX (Don Mcall, more work to do). - Fix up configure.in to use the same method for building the test .so as the Makefile uses. Andrew Bartlett (This used to be commit 8e705dd9215b1cb3f44d6348094679d7dc6a7fbd)
2002-03-13Fix typo in copyrightAndrew Bartlett1-1/+1
(This used to be commit 54e69ed20adc74fdfe007a9642dcb3a55c02d856)
2002-03-11Removed bogus calles to D() debugging function. Perhaps these shouldTim Potter1-16/+1
be replaced by DEBUG() calls? (This used to be commit 33dd07d1fc6946e53d3bdaad025adfc20abfab77)
2002-02-05Drastic impromvents to pam_winbind.Andrew Bartlett1-245/+439
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-01-30Removed silly fprintf(stderr, ...) debug.Tim Potter1-2/+1
Part of Samuel Ziegler's patch to get winbind password changing working again in HEAD. (This used to be commit b5540bee7be957d1def62ee85a84488e0250624b)
2002-01-07Don't log the password in pam_sm_authenticate() unless DEBUG_PASSWORD isTim Potter1-2/+10
defined. This is done with --enable-developer mode. (This used to be commit caff5dc1d66953cb52f94cd6407778b23e1810eb)
2001-05-04Merge from TNG branch.Tim Potter1-57/+183
(This used to be commit 1e7b1c71b9c409859bcf0aeb3d5785acc4aee027)
2000-05-10in head as well ...Andrew Tridgell1-2/+2
renamed ntdom to winbind I think that using winbind in /etc/nsswitch.conf is better than ntdom (This used to be commit 80f85b5359c26dc26f8f88b984f27cfa4ac34e61)
2000-05-09brought the winbindd code into headAndrew Tridgell1-0/+388
this does not yet compile, but I'm working on that. (This used to be commit 3fb862531a4e78dca13d16d958517b16e5bdd4e2)