summaryrefslogtreecommitdiff
path: root/source3/nsswitch/pam_winbind.c
AgeCommit message (Collapse)AuthorFilesLines
2007-12-20Only retrieve password policies in pam_auth when WBFLAG_PAM_GET_PWD_POLICY ↵Michael Adam1-0/+1
is set. This essentially re-establishes r14496 (2155bb0535656f294bd054d6a0a7d16a9a71c31b) which was undone in r17723 (43bd8c00abb38eb23a1497a255d194fb1bbffffb) for reasons that are unclear to me. Maybe I am being too naive. Now we do again only retrieve the password policy when called from the pam_winbind module. This fixes logons delegated to AD trusted domain controllers: We need to connect to the sam to retrieve the password policy. But auhtenticated session setup is not possible when contacting the trusted domain dc and afterwards, SamrConnect also fails with whatever credentials and method used. Michael (This used to be commit 6d765e0de523211a2d0b43a2c4c4117f5f0c662f)
2007-10-10r25426: Fix another implicit cast warning.Michael Adam1-1/+1
Michael (This used to be commit 4a053d5bf9db82b5ae9ac342f68e90ef89ba292f)
2007-10-10r25148: Adapt to coding conventions.Günther Deschner1-414/+697
Guenther (This used to be commit c3b423c52a2bf3f50870158d8c7ffd314c8ac935)
2007-10-10r25143: rename public functions from winbind_client.hStefan Metzmacher1-6/+6
init_request => winbindd_init_request free_response => winbindd_free_response read_reply => winbindd_read_reply write_sock => winbind_write_sock read_sock => winbind_read_sock close_sock => winbind_close_sock(void) metze (This used to be commit 8a95d7a7edcfa5e45bccc6eda5c45d9c308cb95d)
2007-10-10r25130: make use only of base types which are provided by libreplaceStefan Metzmacher1-56/+56
in winbind client and nss/pam stuff metze (This used to be commit 2e13e05fa91788bd128e6940bccc0d2cc7140986)
2007-10-10r24786: Fix another build warning.Günther Deschner1-5/+5
Guenther (This used to be commit 29a56dcc78c49653bcf72dea6313fd4852de8f72)
2007-10-10r24722: Squashed commit of the following:Gerald Carter1-2/+99
commit fb52f971986dd298abbcd9745ddf702820ce0184 Author: Gerald Carter <coffeedude@plainjoe.org> Date: Mon Aug 27 13:50:26 2007 -0500 Check correct return type for pam_winbind_request_log() wnibind_upn_to_username which is an int and not NSS_STATUS. commit 7382edf6fc0fe555df89d5b2a94d12b35049b279 Author: Gerald Carter <coffeedude@plainjoe.org> Date: Mon Aug 27 13:30:26 2007 -0500 Allow wbinfo -n to convert a UPN to a SID commit 8266c0fe1ccf2141e5a983f3213356419e626dda Author: Gerald Carter <coffeedude@plainjoe.org> Date: Fri Aug 3 09:53:16 2007 -0500 Merge some of Guenther UPN work for pam_winbind.c (check the winbind separator and better pam logging when converting a upn to a username). commit 15156c17bc81dbcadf32757015c4e5158823bf3f Author: Gerald Carter <coffeedude@plainjoe.org> Date: Fri Aug 3 08:52:50 2007 -0500 Include Universal groups from the cached PAC/SamLogon info when generating the list of domain group SIDs for a user's token. commit 979053c0307b051954261d539445102c55f309c7 Author: Gerald Carter <coffeedude@plainjoe.org> Date: Thu Aug 2 17:35:41 2007 -0500 merge upnlogon patch from my tree (This used to be commit 98fb5bcd5702d5086bdf9b58105a67efb90950f4)
2007-10-10r23708: - Add define for WINBIND_WARN_PWD_EXPIRE.Lars Müller1-2/+11
- Add parameter config_flag to get_config_item_int() and do the same check as in get_conf_item_string. (This used to be commit d1d1baa264587911e1c97b3b35d5ed2bc56bf12b)
2007-10-10r23707: - Move the asprintf() call to create the key even inLars Müller1-14/+12
get_conf_item_string() to the later if statement. - Also move the key definition to the later if statement in get_conf_item_string() and get_conf_item_int(). (This used to be commit 3a82ec943a3828b843dd47aaa0e360844d4dfb91)
2007-10-10r23704: Add pam_pwd_expire feature as discussed on samba-technical.Lars Müller1-10/+94
This is a slightly modified version to set warn_pwd_expire to the default value if 0, no, or a broken value is set. This version also has one if statement less in get_config_item_int(). Thanks a lot to Andreas 'GlaDiaC' Schneider for this feature! (This used to be commit d26914c978457ae0ec097cc40c8e33a7cee9ebcf)
2007-10-10r22794: Add "debug_state" and "silent" to pam_winbind.conf template. Honor ↵Günther Deschner1-0/+2
the silent argument when parsing pam configuration file options. Guenther (This used to be commit 5b4a4df26f32fe1947a0c4fb741a4cb89e308f92)
2007-10-10r22712: Inform the user when logging in via pam_winbindGerald Carter1-0/+27
and the krb5 tkt cache could not be created due to clock skew. (This used to be commit 24616f7d6be40b090dc74851b1ea7d09d6976811)
2007-10-10r22402: Fix build warning.Günther Deschner1-1/+1
Guenther (This used to be commit bf9131fed30b3d6f80c41734c04450a1e6bcba5b)
2007-10-10r22393: fix cut&paste errorSimo Sorce1-1/+1
(This used to be commit 70878d698532aa8b0e151e7772894e251290186e)
2007-10-10r22388: clearer message, thanks DavidSimo Sorce1-1/+1
(This used to be commit 7961476784713267efc19d305aa66c68275ccaa1)
2007-10-10r22348: 3_0 as wellSimo Sorce1-1/+1
(This used to be commit ad57434faf806a6ad27beb0f75b73d5389a35382)
2007-10-10r21933: Change the write_sock() call in pam_winbind_request()Gerald Carter1-1/+1
to not request a privileged pipe operation for everything as this cannot be done from a process running under the context of a user (e.g. screensaver). Thanks to Danilo Almeida <dalmeida@centeris.com> for the help in pointing out the change to write_sock(). (This used to be commit 80790f935abc8905542338b08f54d61ebacf2ff1)
2007-10-10r21878: Fix a bug with smbd serving a windows terminal server: If winbind ↵Volker Lendecke1-1/+1
decides smbd to be idle it might happen that smbd needs to do a winbind operation (for example sid2name) as non-root. This then fails to get the privileged pipe. When later on on the same connection another authentication request comes in, we try to do the CRAP auth via the non-privileged pipe. This adds a winbindd_priv_request_response() request that kills the existing winbind pipe connection if it's not privileged. Volker (This used to be commit e5741e27c4c22702c9f8b07877641fecc7eef39c)
2007-10-10r21632: Remove ununsed variableGerald Carter1-1/+0
(This used to be commit 82dc19f844af65a8815c629e4ec1f354d208a53f)
2007-10-10r21612: Make pam_winbind do the same username fixup on AIX as the WINBINDDGerald Carter1-2/+32
LAM module does to work around a system that does not support >8 character usernames. Without the change, pam_winbind tries to authenticate _#uid in the domain. (This used to be commit 7f0ba72e05acbd958fbf768a04d16c29189dc8f7)
2007-10-10r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a userGünther Deschner1-6/+56
changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user itself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has been already changed (on w2k3 sp1 dcs). Guenther (This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
2007-10-10r21318: Fix Bug #4225.Günther Deschner1-6/+8
Cached logon with pam_winbind should work now also for NT4 and samba3 domains. Guenther (This used to be commit b2f91154820219959b8008b15802c70e1d76d158)
2007-10-10r21310: Fix invalid printfs in pam_winbind.Günther Deschner1-12/+20
Guenther (This used to be commit 5a7b2fccb3cdc6a849aedcd256eea86faec1d54c)
2007-10-10r21309: Add PRINTF_ATTRIBUTE checks for log statements.Günther Deschner1-0/+3
Guenther (This used to be commit 968dfcc8218cacdd97c2c66929e95f5062ff464a)
2007-10-10r21161: Another fix for pam_winbind: Move the entire pwd expiry handling intoGünther Deschner1-14/+14
the PAM_SUCCESS block. Guenther (This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)
2007-10-10r21160: Some more pam_winbind fixes:Günther Deschner1-32/+79
* Consolidate all pam_winbind password expiry warnings in the one _pam_send_password_expiry_message() call. * Also convert some more NTSTATUS codes to error messages. * Add paranoia check to only do all the post-processing after PAM_SUCCESS. Guenther (This used to be commit 02713f314b65a14e659e801f7eebea453756ac44)
2007-10-10r21159: Cleanup pam_sm_chauthtok() in pam_winbind:Günther Deschner1-30/+27
Set info3 strings, krb5ccname and returned username after we changed a password and sucessfully re-authenticated afterwards. In that case we ended up without this information. Guenther (This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83)
2007-10-10r21158: Add _pam_setup_krb5_env() and _pam_warn_logon_type() functions forGünther Deschner1-31/+70
pam_winbind. Guenther (This used to be commit 1feb961577475dceb97948cd2fdb987005890498)
2007-10-10r21155: Forgot one _PAM_LOG_STATE_DATA_STRING call (only in 3_0).Günther Deschner1-0/+1
Guenther (This used to be commit 86b34cd5d6675c8f0a0becdcded36de4a815c898)
2007-10-10r21154: Add PAM_WINBIND_LOGONSERVER, also merge the various pam_set_data calls.Günther Deschner1-36/+68
Guenther (This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e)
2007-10-10r21152: Correctly omit pam conversations when PAM_SILENT has been set by theGünther Deschner1-47/+51
calling application. Guenther (This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05)
2007-10-10r21145: Convert some int to BOOL in pam_winbind (only in 3_0).Günther Deschner1-13/+13
Guenther (This used to be commit 1b82c5fa0e363942947453a8e1b74aa2b95d8733)
2007-10-10r21144: Create more accurate warning message when the pam_winbind chauthtok hasGünther Deschner1-12/+76
received NT_STATUS_PASSWORD_RESTRICTION. Guenther (This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
2007-10-10r21143: Fix wrong check for pam error codes for getpwnam and lookup winbindGünther Deschner1-13/+26
requests in pam_winbind (Bug #4094). Inspired by fix from Lars Heete. Guenther (This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
2007-10-10r21122: Simplify code in pam_winbind a bit.Günther Deschner1-23/+20
Guenther (This used to be commit 08ca5ea6f1b09506055b2508aa79704f39b3bbd7)
2007-10-10r21020: Some pam_winbind fixes:Günther Deschner1-14/+13
* make debug_state also configurable from the config file * minor code cleanup Guenther (This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
2007-10-10r21019: Fix typo.Günther Deschner1-1/+1
Guenther (This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
2007-10-10r21016: Fix pam_sm_setcred again.Günther Deschner1-1/+1
Jerry, the switch statement must ignore the PAM_SILENT flag. Guenther (This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
2007-10-10r21015: fix typo that breaks the buildGerald Carter1-1/+1
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
2007-10-10r21013: * Remove "inline" keywordGerald Carter1-5/+5
* Remove anpther check for PAM_SILENT that prevents logging to syslog * Add missing check for TRY_FIRST_PASS when using authtok (missed from previous merge) (This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
2007-10-10r21012: Patch from Danilo Almeida @ Centeris (via me):Gerald Carter1-21/+167
Details: Improve PAM logging - The improved logging is far tracking down PAM-related bugs - PAM_SILENT was being mis-used to suppress syslog output instead of suppressing user output. This lets PAM_SILENT still log to syslog. - Allow logging of item & data state via debug_state config file option. - Logging tracks the pam handle used. (This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
2007-10-10r21011: Another patch from Danilo Almeida @ Centeris (via me):Gerald Carter1-4/+7
Details: Reset the "new password prompt required" state whenever we do a new auth. In more detail, in pam_sm_authenticate, if not settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially present PAM_WINBIND_NEW_AUTHTOK_REQD. (This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
2007-10-10r21009: Patch from Danilo Almeida @ Centeris (via me).Gerald Carter1-39/+170
Patch details: Support most options in pam_winbind.conf; support comma-separated names in require-membership-of. Details below: 1) Provides support for almost all config options in pam_winbind.conf (all except for use_first_pass, use_authtok, and unknown_ok). - That allows us to work well when invoked via call_modules from pam_unix2.conf as well as allowing use of spaces in names used w/require_membership_of. 2) Support for comma-separated list of names or SID strings in require_membership_of/require-membership-of. - Increased require_membership_of field in winbind request from fstring (256) to pstring (1024). - In PAM side, parse out multiple names or SID strings and convert all of them to SID strings. - In Winbind side, support membership check against multiple SID strings. (This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
2007-10-10r20687: Implement grace logons for offline authentications in pam_winbind.Günther Deschner1-3/+20
In case a user authenticated sucessfully and his password just expired while beeing disconnected, we should allow a user to logon (given a clear warning). We currently forced the user into a password change dialogue in that scenario; this did not make much sense while offline. Guenther (This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
2007-10-10r20651: Fix "password expires soon" warning message for pam_winbind.Günther Deschner1-12/+67
We were incorrectly calculating the days until the password expires and we also need to look at the info3 pass_must_change_time for expiry calculation. Guenther (This used to be commit 22d79237127a064a934928d175182adecc6300de)
2007-10-10r20304: Smaller fixes for pam_winbind:Günther Deschner1-30/+65
* fail on invalid credential flags in pam_sm_setcred * parse config file for pam_sm_acct_mgmt and pam_sm_open_session Guenther (This used to be commit 2a428ac814d03880de63656ea97827126ccfec5c)
2007-10-10r20249: Fail when parsing invalid options in _pam_parse.Günther Deschner1-1/+2
Guenther (This used to be commit f6c9421abdf5731e894cd2ccc1b7431a3c368bbf)
2007-10-10r20241: Slightly improve readability of the pam_vsyslog replacement function.Günther Deschner1-6/+5
Guenther (This used to be commit 222320373f8a251fc2cf3ff8c3fec93a7a48f9df)
2007-10-10r20240: Be a little more verbose about the credential flags when the debug flagGünther Deschner1-2/+16
is set. Guenther (This used to be commit ecbab58826a51ace2a0d1181a41391f5d170ff06)
2007-10-10r20239: Parse the configfile for pam_sm_setcred as wellGünther Deschner1-1/+7
(e.g. to get the debug flag) Guenther (This used to be commit 2c549f71f15b066ac1f415544848b582558abd5d)