summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_nss.h
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-0/+1
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r11137: Compile with only 2 warnings (I'm still working on that code) on a gcc4Jeremy Allison1-2/+2
x86_64 box. Jeremy. (This used to be commit d720867a788c735e56d53d63265255830ec21208)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-4/+4
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10321: Fix winbindd recursion bug found by Ingo Steuwer ↵Jeremy Allison1-0/+2
<steuwer@univention.de>. Jeremy. (This used to be commit 6795c818a3d63737d5b40faffa3a0b91c71b427b)
2007-10-10r7994: This adds support in Winbindd's "security = ads"-mode to retrieve the ↵Günther Deschner1-0/+2
POSIX homedirectory and the loginshell from Active Directory's "Services for Unix". Enable it with: winbind sfu support = yes User-Accounts without SFU-Unix-Attributes will be assigned template-based Shells and Homedirs as before. Note that it doesn't matter which version of Services for Unix you use (2.0, 2.2, 3.0 or 3.5). Samba should detect the correct attributes (msSFULoginShell, msSFU30LoginShell, etc.) automatically. If you also want to share the same uid/gid-space as SFU then also use PADL's ad-idmap-Plugin: idmap backend = ad When using the idmap-plugin only those accounts will appear in Name Service Switch that have those UNIX-attributes which avoids potential uid/gid-space clashes between SFU-ids and automatically assigned idmap-ids. Guenther (This used to be commit 28b59699425b1c954d191fc0e3bd357e4a4e4cd8)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-3/+58
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r7139: trying to reduce the number of diffs between trunk and 3.0; changing ↵Gerald Carter1-11/+1
version to 3.0.20pre1 (This used to be commit 9727d05241574042dd3aa8844ae5c701d22e2da1)
2007-10-10r6643: fix some build issues on IRIX;l patch from james peachGerald Carter1-0/+9
(This used to be commit 8f78ee6abab9c1dd3e8b15ea3d1d96a651ee0426)
2007-10-10r6149: Fixes bugs #2498 and 2484.Derrell Lipman1-1/+1
1. using smbc_getxattr() et al, one may now request all access control entities in the ACL without getting all other NT attributes. 2. added the ability to exclude specified attributes from the result set provided by smbc_getxattr() et al, when requesting all attributes, all NT attributes, or all DOS attributes. 3. eliminated all compiler warnings, including when --enable-developer compiler flags are in use. removed -Wcast-qual flag from list, as that is specifically to force warnings in the case of casting away qualifiers. Note: In the process of eliminating compiler warnings, a few nasties were discovered. In the file libads/sasl.c, PRIVATE kerberos interfaces are being used; and in libsmb/clikrb5.c, both PRIAVE and DEPRECATED kerberos interfaces are being used. Someone who knows kerberos should look at these and determine if there is an alternate method of accomplishing the task. (This used to be commit 994694f7f26da5099f071e1381271a70407f33bb)
2007-10-10r6127: Eliminated all compiler warnings pertaining to mismatched ↵Derrell Lipman1-1/+1
"qualifiers". The whole of samba comiles warning-free with the default compiler flags. Temporarily defined -Wall to locate other potential problems. Found an unused static function (#ifdefed out rather than deleted, in case it's needed for something in progress). There are also a number of uses of undeclared functions, mostly krb5_*. Files with these problems need to have appropriate header files included, but they are not fixed in this update. oplock_linux.c.c has undefined functions capget() and capset(), which need to have "#undef _POSIX_SOURCE" specified before including <sys/capability.h>, but that could potentially have other side effects, so that remains uncorrected as well. The flag -Wall should be added permanently to CFLAGS, and all warnings then generated should be eliminated. (This used to be commit 5b19ede88ed80318e392f8017f4573fbb2ecbe0f)
2007-10-10r4260: Change the license for the winbindd external interface more liberal.Tim Potter1-14/+3
(This used to be commit 82b9faaaa2e1e2986a15102605739e7d13885ac6)
2007-10-10r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix theAndrew Bartlett1-2/+2
naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth. Andrew Bartlett (This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
2007-10-10r175: Move this comment to the right place...Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit e5bbb086b2aeb826121d7fef88fcfaa49d876ea4)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-1/+2
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2007-10-10r85: Update the winbind interface version, as I just extended the struct.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 039883043d15902096f6d5e80737f4a502ed0bf8)
2007-10-10r84: Implement --required-membership-of=, an ntlm_auth option that restrictsAndrew Bartlett1-0/+3
all authentication to members of this particular group. Also implement an option to allow ntlm_auth to get 'squashed' error codes, which are safer to communicate to remote network clients. Andrew Bartlett (This used to be commit eb1c1b5eb086f49a230142ad2de45dc0e9691df3)
2007-10-10r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett1-2/+2
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2004-04-01This restructures lib/afs.c so that the token data can be but into aVolker Lendecke1-0/+1
stream. This is to implement wbinfo -k that asks winbind for authentication which then creates the AFS token for the authenticated user. Volker (This used to be commit 2df6750a079820826013360fb9e47f90bc8223a5)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-1/+2
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-04Commit the translation of the realm to the netbios domain name in the kerberosVolker Lendecke1-0/+11
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett1-0/+1
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-11-19as discussed on irc, this is a small patch that allows a few moreAndrew Tridgell1-0/+3
winbind functions to be accessed via NSS. This provides a much cleaner way for applications that need (for example) to provide name->sid mappings to do this via NSS rather than having to know the winbindd pipe protocol (as this might change). This patch also adds a varient of the winbindd_getgroups() call called winbindd_getusersids() that provides direct SID->SIDs listing of a users supplementary groups. This is enough to allow non-Samba applications to do ACL checking. A test program for the new functionality will be committed shortly. I also added the 'wbinfo --user-sids' option to expose the new function in wbinfo. (This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
2003-08-10add --domain=DOMAINNAME to wbinfoGerald Carter1-0/+1
Add support for geting the sequence number, list of users, and list of groups for a specific domain (assuming on reported back by wbinfo -m) wbinfo -u --domain=DOA (This used to be commit 34fc6e1bf97d514d3b1763a808d08d730191e03b)
2003-07-11moving more code around.Gerald Carter1-0/+2
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-17/+38
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07and so it begins....Gerald Carter1-6/+7
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-04-07Winbind merges from HEAD:Andrew Bartlett1-2/+2
- fix winbindd_pam bugs - give a better error message for unauthorized access to auth_crap - show this message in wbinfo - fix spelling: privilaged -> privileged ** This changes the location of the winbindd privileged pipe ** (thanks to tpot) Andrew Bartlett (This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
2003-03-24(merge from HEAD)Andrew Bartlett1-1/+4
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-01-28Merge from HEAD:Andrew Bartlett1-1/+3
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor. - also consequential changes to the NTLMSSP and SPNEGO parsing functions - and the client code that uses the same functions - Add ntlm_auth, a NTLMSSP authentication interface for use by applications like Squid and Apache. - also consquential changes to use common code for base64 encode/decode. - Winbind changes to support ntlm_auth (I don't want this program to need to read smb.conf, instead getting all it's details over the pipe). - nmbd changes for fstrcat() instead of fstrcpy(). Andrew Bartlett (This used to be commit fbb46da79cf322570a7e3318100c304bbf33409e)
2003-01-04The winbind in Samba 3.0 doesn't use the 'proof' for ntlm_auth_crap, so don'tAndrew Bartlett1-1/+0
include it in the struct. (Important becouse it currently has the same version number as the one in HEAD, which also doesn't have this). Andrew Bartlett (This used to be commit 0d2da985906219d68e2558a840905a272803bfcc)
2002-12-23Finish adding strings to all talloc_init() calls.Jeremy Allison1-0/+1
Jeremy. (This used to be commit aa8439a49ec4b9f433745fefa1e769e45398f4df)
2002-12-20Merge from HEAD.Tim Potter1-2/+2
- null termination of winbind request fix - bail out if we can't open winbind socket (This used to be commit 102e490d683c0758a9798a3c15e748509690c95b)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-0/+3
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-1/+11
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-0/+3
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-03-29merge winbindd WINS changes from 2.2Herb Lewis1-0/+8
(This used to be commit 205399dc17e464360b0152538329b9e111b0e7f4)
2002-02-05Drastic impromvents to pam_winbind.Andrew Bartlett1-1/+8
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error conversions, and uses them to make the error handling in pam_winbind sane. In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...' stuff, and logs the NTSTATUS error that winbind now sends over the pipe. Added code to wbinfo to display these - makes a big difference in debugging winbindd. The main change here is the code to allow pam_winbind password changing to correctly stack - This code ripped from pam_unix, and the copyright attached. (Same as for all pam modules, including pam_winbind) Andrew Bartlett (This used to be commit dc1a72f896b83bc1ad3c7bf6c12c36ace3967280)
2002-01-31added 'wbinfo --sequence' to show sequence numbers of all domainsAndrew Tridgell1-0/+2
(This used to be commit bcd234a3dad2cd3d1c57780f4a7a3833ea611764)
2002-01-30Removed version number from file header.Tim Potter1-2/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-26Change the winbind interface to use seperate 'domain' and 'username' feilds forAndrew Bartlett1-3/+9
the sid->uid and uid->sid conversions. Remove some duplicate arguments from these funcitons, and update the request/response structures for this and the 'winbind domain name' feature. As such 'winbindd_lookup_name' now takes both a domain and username. (This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
2002-01-10Since AB has been changing the winbind interface it's time to add the "mockTim Potter1-5/+8
swedish" test to client calls. This is putting a length field at the start of a request so we can disconnect clients talking with an out of date libnss_winbind.so rather than deadlock them. Misc cleanups: - made some int values uint32 - moved WINBIND_INTERFACE_VERSION to start of cmd list (This used to be commit a4af65b9b93671f13f277d49279a85042a8fd1d5)
2002-01-10Return the winbind separator over the socket, so programs don't have to parseAndrew Bartlett1-0/+10
smb.conf to get it right. While wb_client needs its lp_load() for samba dependency reasons, it now uses the new method both to example and test the new code. Also add an interface version function, and return the winbind's samba version string. In preperation for default domains, its now up to winbindd to reject plaintext auths that don't have a seperator, but NTLM (CRAP) auths now have two feilds, hence need parsing. Andrew Bartlett (This used to be commit 2bd2a092ee3d49a74d896385688d7c7256aa297e)
2002-01-10This changes the winbind protcol a bit:Andrew Bartlett1-0/+2
It adds a 'ping' request, just to check winbind is in fact alive It also changes winbindd_pam_auth_crap to take usernames and domain seperatly. (backward incompatible change, needs merge to 2.2, but this is not yet released code, so no workarounds) Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do it). Andrew Bartlett (This used to be commit 6df29bfe335144a968f5367f624ef2b4cf9e69b0)
2002-01-10A big tidyup while thinking about getting trusted domains being re-readTim Potter1-4/+4
when they are added or removed on the PDC. - renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID} - renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID} - use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in preparation for moving to smbcontrol type messages (not sure whether to ditch this altogether or not) - tidy debugging messages in top level winbind user and group routines - convert talloc_init() to talloc_init_named() - make enumerations of the domain list use the same local variable names (This used to be commit eeb8af9c1a66bfcd80823d7b406acbab79857a16)
2001-11-21Preparing to implement +ve and -ve caching for lookupname/lookupsid calls.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 1f6cc536b2db0c36feee45cfd6ac1ad5ee8fb05a)
2001-11-14Got ready to implement Martin's idea, but request doesn't have a lengthJeremy Allison1-5/+5
field.... well, now at least the code is there when it does :-). Jeremy. (This used to be commit 22e323ca47325482b6ae527070509ed9c6cbccee)
2001-09-17move to SAFE_FREE()Simo Sorce1-0/+4
(This used to be commit 03dc67788f68c9e01b5a82fdf43f837cb19f4608)
2001-09-05fixed a bunch of compilation errors on Solaris, mostly people getting ↵Andrew Tridgell1-1/+1
NSS_STATUS and WINBINDD error codes mixed up (This used to be commit 66698d6b841df809a8654012a8385bffacb9dc4a)
2001-08-22Added another authentication interface to winbindd. The Challenge ResponseTim Potter1-0/+9
Authentication Protocol (CRAP) takes a tuple of (username, random challenge, encrypted lm password, encrypted nt password) where the passwords are encrypted with the random challenge ala ntlmssp. (This used to be commit 11f72a78e3a16bbb17b576d80b47a9eb818ee428)
2000-10-11Renamed WINBINDD_INITGROUPS constant to WINBINDD_GETGROUPS.Tim Potter1-1/+1
(This used to be commit 5f3cf2eb78bfa6fb00890d449d38e9f13964712c)