summaryrefslogtreecommitdiff
path: root/source3/nsswitch/pam_winbind.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21632: Remove ununsed variableGerald Carter1-1/+0
(This used to be commit 82dc19f844af65a8815c629e4ec1f354d208a53f)
2007-10-10r21612: Make pam_winbind do the same username fixup on AIX as the WINBINDDGerald Carter1-2/+32
LAM module does to work around a system that does not support >8 character usernames. Without the change, pam_winbind tries to authenticate _#uid in the domain. (This used to be commit 7f0ba72e05acbd958fbf768a04d16c29189dc8f7)
2007-10-10r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a userGünther Deschner1-6/+56
changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user itself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has been already changed (on w2k3 sp1 dcs). Guenther (This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
2007-10-10r21318: Fix Bug #4225.Günther Deschner1-6/+8
Cached logon with pam_winbind should work now also for NT4 and samba3 domains. Guenther (This used to be commit b2f91154820219959b8008b15802c70e1d76d158)
2007-10-10r21310: Fix invalid printfs in pam_winbind.Günther Deschner1-12/+20
Guenther (This used to be commit 5a7b2fccb3cdc6a849aedcd256eea86faec1d54c)
2007-10-10r21309: Add PRINTF_ATTRIBUTE checks for log statements.Günther Deschner1-0/+3
Guenther (This used to be commit 968dfcc8218cacdd97c2c66929e95f5062ff464a)
2007-10-10r21161: Another fix for pam_winbind: Move the entire pwd expiry handling intoGünther Deschner1-14/+14
the PAM_SUCCESS block. Guenther (This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)
2007-10-10r21160: Some more pam_winbind fixes:Günther Deschner1-32/+79
* Consolidate all pam_winbind password expiry warnings in the one _pam_send_password_expiry_message() call. * Also convert some more NTSTATUS codes to error messages. * Add paranoia check to only do all the post-processing after PAM_SUCCESS. Guenther (This used to be commit 02713f314b65a14e659e801f7eebea453756ac44)
2007-10-10r21159: Cleanup pam_sm_chauthtok() in pam_winbind:Günther Deschner1-30/+27
Set info3 strings, krb5ccname and returned username after we changed a password and sucessfully re-authenticated afterwards. In that case we ended up without this information. Guenther (This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83)
2007-10-10r21158: Add _pam_setup_krb5_env() and _pam_warn_logon_type() functions forGünther Deschner1-31/+70
pam_winbind. Guenther (This used to be commit 1feb961577475dceb97948cd2fdb987005890498)
2007-10-10r21155: Forgot one _PAM_LOG_STATE_DATA_STRING call (only in 3_0).Günther Deschner1-0/+1
Guenther (This used to be commit 86b34cd5d6675c8f0a0becdcded36de4a815c898)
2007-10-10r21154: Add PAM_WINBIND_LOGONSERVER, also merge the various pam_set_data calls.Günther Deschner1-36/+68
Guenther (This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e)
2007-10-10r21152: Correctly omit pam conversations when PAM_SILENT has been set by theGünther Deschner1-47/+51
calling application. Guenther (This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05)
2007-10-10r21145: Convert some int to BOOL in pam_winbind (only in 3_0).Günther Deschner1-13/+13
Guenther (This used to be commit 1b82c5fa0e363942947453a8e1b74aa2b95d8733)
2007-10-10r21144: Create more accurate warning message when the pam_winbind chauthtok hasGünther Deschner1-12/+76
received NT_STATUS_PASSWORD_RESTRICTION. Guenther (This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
2007-10-10r21143: Fix wrong check for pam error codes for getpwnam and lookup winbindGünther Deschner1-13/+26
requests in pam_winbind (Bug #4094). Inspired by fix from Lars Heete. Guenther (This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
2007-10-10r21122: Simplify code in pam_winbind a bit.Günther Deschner1-23/+20
Guenther (This used to be commit 08ca5ea6f1b09506055b2508aa79704f39b3bbd7)
2007-10-10r21020: Some pam_winbind fixes:Günther Deschner1-14/+13
* make debug_state also configurable from the config file * minor code cleanup Guenther (This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
2007-10-10r21019: Fix typo.Günther Deschner1-1/+1
Guenther (This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
2007-10-10r21016: Fix pam_sm_setcred again.Günther Deschner1-1/+1
Jerry, the switch statement must ignore the PAM_SILENT flag. Guenther (This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
2007-10-10r21015: fix typo that breaks the buildGerald Carter1-1/+1
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
2007-10-10r21013: * Remove "inline" keywordGerald Carter1-5/+5
* Remove anpther check for PAM_SILENT that prevents logging to syslog * Add missing check for TRY_FIRST_PASS when using authtok (missed from previous merge) (This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
2007-10-10r21012: Patch from Danilo Almeida @ Centeris (via me):Gerald Carter1-21/+167
Details: Improve PAM logging - The improved logging is far tracking down PAM-related bugs - PAM_SILENT was being mis-used to suppress syslog output instead of suppressing user output. This lets PAM_SILENT still log to syslog. - Allow logging of item & data state via debug_state config file option. - Logging tracks the pam handle used. (This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
2007-10-10r21011: Another patch from Danilo Almeida @ Centeris (via me):Gerald Carter1-4/+7
Details: Reset the "new password prompt required" state whenever we do a new auth. In more detail, in pam_sm_authenticate, if not settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially present PAM_WINBIND_NEW_AUTHTOK_REQD. (This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
2007-10-10r21009: Patch from Danilo Almeida @ Centeris (via me).Gerald Carter1-39/+170
Patch details: Support most options in pam_winbind.conf; support comma-separated names in require-membership-of. Details below: 1) Provides support for almost all config options in pam_winbind.conf (all except for use_first_pass, use_authtok, and unknown_ok). - That allows us to work well when invoked via call_modules from pam_unix2.conf as well as allowing use of spaces in names used w/require_membership_of. 2) Support for comma-separated list of names or SID strings in require_membership_of/require-membership-of. - Increased require_membership_of field in winbind request from fstring (256) to pstring (1024). - In PAM side, parse out multiple names or SID strings and convert all of them to SID strings. - In Winbind side, support membership check against multiple SID strings. (This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
2007-10-10r20687: Implement grace logons for offline authentications in pam_winbind.Günther Deschner1-3/+20
In case a user authenticated sucessfully and his password just expired while beeing disconnected, we should allow a user to logon (given a clear warning). We currently forced the user into a password change dialogue in that scenario; this did not make much sense while offline. Guenther (This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
2007-10-10r20651: Fix "password expires soon" warning message for pam_winbind.Günther Deschner1-12/+67
We were incorrectly calculating the days until the password expires and we also need to look at the info3 pass_must_change_time for expiry calculation. Guenther (This used to be commit 22d79237127a064a934928d175182adecc6300de)
2007-10-10r20304: Smaller fixes for pam_winbind:Günther Deschner1-30/+65
* fail on invalid credential flags in pam_sm_setcred * parse config file for pam_sm_acct_mgmt and pam_sm_open_session Guenther (This used to be commit 2a428ac814d03880de63656ea97827126ccfec5c)
2007-10-10r20249: Fail when parsing invalid options in _pam_parse.Günther Deschner1-1/+2
Guenther (This used to be commit f6c9421abdf5731e894cd2ccc1b7431a3c368bbf)
2007-10-10r20241: Slightly improve readability of the pam_vsyslog replacement function.Günther Deschner1-6/+5
Guenther (This used to be commit 222320373f8a251fc2cf3ff8c3fec93a7a48f9df)
2007-10-10r20240: Be a little more verbose about the credential flags when the debug flagGünther Deschner1-2/+16
is set. Guenther (This used to be commit ecbab58826a51ace2a0d1181a41391f5d170ff06)
2007-10-10r20239: Parse the configfile for pam_sm_setcred as wellGünther Deschner1-1/+7
(e.g. to get the debug flag) Guenther (This used to be commit 2c549f71f15b066ac1f415544848b582558abd5d)
2007-10-10r20180: Ensure that pam returns the correct error messagesJeremy Allison1-38/+78
when offline and or doing password changes. Jeremy. (This used to be commit 4a74c553845c960a355ddb86abaadfe0d550271f)
2007-10-10r20136: Fix #4290. Properly compute time to password expiration in message fromJim McDonough1-1/+2
pam_winbind. Thanks to Andrew Benham <andrew.benham@thus.net> (This used to be commit 0d03f5137936546253a8b3334995f536f3621d57)
2007-10-10r19710: Fix memory leak in get_conf_item_string(). AsJeremy Allison1-5/+1
we're just doing strchr on a const string there's no need to strdup it before, we're never modifying it. Just remove the variable "parm". Jeremy. (This used to be commit 1af18f613b1399220e38e7ab40665c2ca177c5a7)
2007-10-10r19703: Don't free a string if you want to return it!Simo Sorce1-1/+0
(This used to be commit 3fed72ac3efd1fa7df8fb7d1e2cb9772d66bb4bd)
2007-10-10r19351: Also export the info3 profilepath via the PAM_WINBIND_PROFILEPATH dataGünther Deschner1-0/+12
field. Guenther (This used to be commit 66b92f27fa4edec180b8c8eee929ec8f31ef6a08)
2007-10-10r19349: Fix invalid free on the PAM_WINBIND_PWD_LAST_SET data.Günther Deschner1-1/+1
Guenther (This used to be commit a4d17ee9c960abdf21b9af1601bd1042e0cd7636)
2007-10-10r19348: Fix uninitialized dictionary handle, found by valgrind.Günther Deschner1-3/+3
Guenther (This used to be commit 9621bb420a13e634badcc922c73c8bfb30aa6120)
2007-10-10r18927: Fix build. *please* compile the code at least once before checking ↵Gerald Carter1-2/+2
it in. (This used to be commit 4e464a2c35984752244f30ce9bb259eb16149e3f)
2007-10-10r18924: Minor cleanup.Günther Deschner1-8/+8
Guenther (This used to be commit 143a48927b0e21d31a9f54cfc720b5d04a4b6751)
2007-10-10r18667: Two C++ warningsVolker Lendecke1-1/+1
(This used to be commit 8c60e71229cd577f3b17345c5824363dd202eba9)
2007-10-10r18507: Added debug log for returned username.Jeremy Allison1-0/+1
Jeremy. (This used to be commit 7644fa70ba4f7c88d887930e23b5ee2e1632473b)
2007-10-10r18484: Start some cleanup on pam_winbind's syslogging:Günther Deschner1-113/+154
* as openlog() is non-reentrant and pam_winbind thereby overrides the syslog settings of the calling application, directly call syslog (or pam_vsyslog if available) * support the PAM_SILENT flag to avoid any log messages beeing created Guenther (This used to be commit 0f7e37ffc4759a4e29f63ab83f39ddb31c8240f6)
2007-10-10r18158: Stop winbindd from accumulating memory creds infinitely when doingGünther Deschner1-4/+4
pam offline logons. Guenther (This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
2007-10-10r18062: Fix to ensure the name used by pam matches theJeremy Allison1-4/+25
name that will be returned by winbindd. This (should) fix the bug where the user logs in with DOMAIN\user but winbindd returns only "user" for the username due to 'winbind use default domain' being set. Jeremy. (This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
2007-10-10r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from ↵Gerald Carter1-4/+4
AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
2007-10-10r17584: Some C++ WarningsVolker Lendecke1-1/+1
(This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497)
2007-10-10r17366: Save the logon script path from the info3 in the PAM session allowingGünther Deschner1-4/+18
other PAM modules to pick it up from there. Guenther (This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5)
2007-10-10r17365: Fix memleak.Günther Deschner1-1/+4
Guenther (This used to be commit 62a8e0b08919e71c6a575ce6d89d8a4a09acbd87)