summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23928: Merge all "copy-info3-groups-to-sid-array" blocks to a ↵Günther Deschner1-43/+6
sid_array_from_info3() function. Guenther (This used to be commit 1e1e480115e37b3f4c85f979ddd800b8de0b9c57)
2007-10-10r23784: use the GPLv3 boilerplate as recommended by the FSF and the license textAndrew Tridgell1-2/+1
(This used to be commit b0132e94fc5fef936aa766fb99a306b3628e9f07)
2007-10-10r23779: Change from v2 or later to v3 or later.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 407e6e695b8366369b7c76af1ff76869b45347b3)
2007-10-10r23474: Here's a small patch that disables the libkrb5.so replay cacheGerald Carter1-1/+1
when verifying a ticket from winbindd_pam.c. I've found during multiple, fast, automated SSH logins (such as from a cron script) that the replay cache in MIT's krb5 lib will occasionally fail the krb5_rd_req() as a replay attack. There seems to be a small window during which the MIT krb5 libs could reproduce identical time stamps for ctime and cusec in the authenticator since Unix systems only give back milli-seconds rather than the micro-seconds needed by the authenticator. Checked against MIT 1.5.1. Have not researched how Heimdal does it. My thinking is that if someone can spoof the KDC and TDS services we are pretty hopeless anyways. (This used to be commit cbd33da9f78373e29729325bbab1ae9040712b11)
2007-10-10r23225: Attached find a patch that makes use of NetSamLogonEx inVolker Lendecke1-2/+52
winbind. With this and W2k3 DCs around it is possible to use more than one winbind on the same machine account, because NetSamLogonEx does not use the credentials chain. I added the flag domain->can_do_samlogon_ex because this only works against W2k3 and with schannel. The theory is to try if we're AD and have schannel, and fall back to NetSamLogon if this fails. can_do_samlogon_ex is thus a protection against multiple failures. Only checking into 3_0, this needs more review before going into a production release. Feel free to comment :-) (This used to be commit f5d525399b0b03a3d0b223fe72ef0a8a631fc599)
2007-10-10r22904: Fix indent.Günther Deschner1-1/+1
Guenther (This used to be commit dcf5375aa4b2488dccd64c3bbee90183d244bc09)
2007-10-10r22903: Now that we have the on-disc trustdomaincache with type flags we can ↵Günther Deschner1-3/+6
better decide whether it's worth to register a krb5 ticket gain handler while users logon offline. Guenther (This used to be commit 203391623b31bce71268c6e8fc955eab348e92f0)
2007-10-10r22901: When an AD account has UF_DONT_REQUIRE_PREAUTH set we need to ↵Günther Deschner1-0/+8
fallback to ntlm in the kerberized PAM_AUTH. Guenther (This used to be commit ef8f0d35040390f4bb49aab24ca4aad90ea47bc1)
2007-10-10r22844: Introduce const DATA_BLOB data_blob_null = { NULL, 0, NULL }; andVolker Lendecke1-1/+1
replace all data_blob(NULL, 0) calls. (This used to be commit 3d3d61687ef00181f4f04e001d42181d93ac931e)
2007-10-10r22745: Add local groups to the --required-membership-sid test. This needsVolker Lendecke1-90/+62
merging to 3_0_26 once Michael's net conf changes have been merged. It depends on token_utils.c. (This used to be commit a99ab3a2ed44522054175f03b60e63fa05a0378a)
2007-10-10r22738: Fix a debug message.Volker Lendecke1-1/+2
Günther, please check this! Thanks, Volker (This used to be commit 8a038b8cd3f43bb8743eda160b852efdbc80ed70)
2007-10-10r22730: Fix password changes via pam_winbindd when using "winbind normalize ↵Gerald Carter1-0/+2
names" and the username has been munged. Make sure to munge it back before performing the change_password() request. (This used to be commit ff025d451e165383ad7d524e0e8176d987554049)
2007-10-10r22720: Fixes for offline auth when using krb5_auth = yes in pam_winbind.Gerald Carter1-8/+26
Assume that "NO_DOMAIN_CONTROLLERS_FOUND" means that the domain is offline. (This used to be commit 30f9cc52bf8270652624c79691d147e05e476583)
2007-10-10r22719: Missed change for one-way trust support. Ignore password policyGerald Carter1-1/+5
settings from one trusted domain with no incoming trust path. Guenther, I think this is ok as we only need the pw policy to give feedback on upcoming expiration times. (This used to be commit c79ae57388d087496777129d6936cd51aab38d5b)
2007-10-10r22717: Add Everyone and AuthenticatedUsers to the user's tokenGerald Carter1-1/+10
for use by the require-membership-of pam_winbind option. (This used to be commit 11f81c5997a014cca9d98c474e7870ebb07c4642)
2007-10-10r22712: Inform the user when logging in via pam_winbindGerald Carter1-0/+8
and the krb5 tkt cache could not be created due to clock skew. (This used to be commit 24616f7d6be40b090dc74851b1ea7d09d6976811)
2007-10-10r22710: Support one-way trusts.Gerald Carter1-0/+6
* Rely on the fact that name2sid will work for any name in a trusted domain will work against our primary domain (even in the absense of an incoming trust path) * Only logons will reliably work and the idmap backend is responsible for being able to manage id's without contacting the trusted domain * "getent passwd" and "getent group" for trusted users and groups will work but we cannot get the group membership of a user in any fashion without the user first logging on (via NTLM or krb5) and the netsamlogon_cache being updated. (This used to be commit dee2bce2af6aab8308dcef4109cc5248cfba5ef5)
2007-10-10r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and makeGünther Deschner1-2/+2
winbindd's kerberized pam_auth use that. Guenther (This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)
2007-10-10r22001: change prototype of dump_data(), so that it takes unsigned char * now,Stefan Metzmacher1-3/+3
which matches what samba4 has. also fix all the callers to prevent compiler warnings metze (This used to be commit fa322f0cc9c26a9537ba3f0a7d4e4a25941317e7)
2007-10-10r21887: Fix annoying bug where in a pam_close_session (or a pam_setcred with theGünther Deschner1-1/+29
PAM_DELETE_CREDS flag set) any user could delete krb5 credential caches. Make sure that only root can do this. Jerry, Jeremy, please check. Guenther (This used to be commit 947a59a849e9132631ec56b7ade09137e508d5d6)
2007-10-10r21873: This is winbindd_pam.c, not pam_winbind.c :-)Volker Lendecke1-1/+1
(This used to be commit e1fbfbe1c49d3ff1ca71a33e66fae1f2d48fb7a7)
2007-10-10r21872: Fix a debug messageVolker Lendecke1-1/+1
(This used to be commit fcec3d1c46affbf802fb411913c8cc59c02102fa)
2007-10-10r21860: Fixes for "winbind normalize names" functionality:Gerald Carter1-0/+4
* Fix getgroups() call called using a normalized name * Fix some more name mappings that could cause for example a user to be unable to unlock the screen as the username would not match in the PAM authenticate call. (This used to be commit 505fc669a1b2c36e1639924b9639c97988056d8d)
2007-10-10r21537: Avoid to trigger the confusing "cached entry differs." warning whenGünther Deschner1-2/+8
there is just no cache around for a user. Guenther (This used to be commit a6c249b59228c6891cde624f72fff23879dbd19f)
2007-10-10r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a userGünther Deschner1-0/+11
changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user itself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has been already changed (on w2k3 sp1 dcs). Guenther (This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
2007-10-10r21318: Fix Bug #4225.Günther Deschner1-5/+61
Cached logon with pam_winbind should work now also for NT4 and samba3 domains. Guenther (This used to be commit b2f91154820219959b8008b15802c70e1d76d158)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-1/+2
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21009: Patch from Danilo Almeida @ Centeris (via me).Gerald Carter1-9/+65
Patch details: Support most options in pam_winbind.conf; support comma-separated names in require-membership-of. Details below: 1) Provides support for almost all config options in pam_winbind.conf (all except for use_first_pass, use_authtok, and unknown_ok). - That allows us to work well when invoked via call_modules from pam_unix2.conf as well as allowing use of spaces in names used w/require_membership_of. 2) Support for comma-separated list of names or SID strings in require_membership_of/require-membership-of. - Increased require_membership_of field in winbind request from fstring (256) to pstring (1024). - In PAM side, parse out multiple names or SID strings and convert all of them to SID strings. - In Winbind side, support membership check against multiple SID strings. (This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
2007-10-10r20905: Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION if the pwGerald Carter1-3/+11
chnage fails due to policy settings where as 2003 (the chgpasswd3() request) fails with NT_STATUS_PASSWORD_RESTRICTION. Thunk down to the same return code so we correctly retreive the password policy in both cases. (This used to be commit 262bb80e9cf7fb6dbf93144ae0b939c84ec0ea04)
2007-10-10r20725: Get rid of a bool passed down -- gd, please checkVolker Lendecke1-2/+0
(This used to be commit 1ef910f423a9ec69af6abf5a4e2137e8a4e81755)
2007-10-10r20687: Implement grace logons for offline authentications in pam_winbind.Günther Deschner1-18/+22
In case a user authenticated sucessfully and his password just expired while beeing disconnected, we should allow a user to logon (given a clear warning). We currently forced the user into a password change dialogue in that scenario; this did not make much sense while offline. Guenther (This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
2007-10-10r20254: The pam_chauthtok needs to go through the async interface as well.Günther Deschner1-14/+26
This fixes pam password changes in the online case. Guenther (This used to be commit 2d2de1ac27180756df095c586211fe2e7694b94e)
2007-10-10r20180: Ensure that pam returns the correct error messagesJeremy Allison1-10/+13
when offline and or doing password changes. Jeremy. (This used to be commit 4a74c553845c960a355ddb86abaadfe0d550271f)
2007-10-10r20171: Don't delete the krb5 credential if others still reference to it.Günther Deschner1-14/+5
Guenther (This used to be commit a1378979be4fe5ac5148b0a7830859aebb97838c)
2007-10-10r19207: Properly canonicalize incoming names to theJeremy Allison1-3/+12
NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth. That way we ensure winbindd only deals with fully qualified names internally. The NSS protocols auth_crap and chng_pswd_auth_crap should be fixed to do the same thing. Jeremy. (This used to be commit dbd2454d3337f64cddbdaf39e9efd6505e6b2590)
2007-10-10r19148: Finish last nights patch - make offlineJeremy Allison1-2/+2
work again. Still under test. Jeremy. (This used to be commit 40a455db78f805daa6bfeb9e78fb78dcc12fd9a7)
2007-10-10r18871: Fix copy/paste mixup.Günther Deschner1-1/+1
Guenther (This used to be commit 2a605a0b175dc0ccc65ee2dc68e394bef7c954d1)
2007-10-10r18710: Prevent that our offline cache can get outdated after a password change.Günther Deschner1-1/+8
Guenther (This used to be commit 8006cf962b4a33278414fcdf07bf94d739cb4aab)
2007-10-10r18551: Implement a 30 seconds from startup, during which weJeremy Allison1-0/+12
try hard to connect a DC even if we might be offline. Jeremy. (This used to be commit a9f115140700487767bafa058db744eea5ee8f77)
2007-10-10r18271: Big change:Gerald Carter1-1/+1
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r18259: Fix the non-krb5 builds.Günther Deschner1-1/+2
Guenther (This used to be commit 576488933b8e04ddd6cb45a7992374efe174a404)
2007-10-10r18239: THIS IS GUENTHER'S WORK !!! He's allowing me to mergeJeremy Allison1-4/+67
this at the moment as I'm working on this area. Thanks a lot Guenther. Add the capability to get krb5 tickets even if we log on in the offline state and have to cache the credentials. Once we go online we should start getting krb5 tickets again. Currently this code waits until lp_winbind_cache_time() seconds (5 minutes by default) before getting tickets. This is correct in the DC down case, but not in the global offline -> online case. I'll later add a trigger to force an immediate refresh on the offline -> online state transition. Jeremy. (This used to be commit 04fe034f4a222c83a8d788040f7edc370afe9fa6)
2007-10-10r18188: merge 3.0-libndr branchJelmer Vernooij1-8/+8
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
2007-10-10r18158: Stop winbindd from accumulating memory creds infinitely when doingGünther Deschner1-12/+21
pam offline logons. Guenther (This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
2007-10-10r18062: Fix to ensure the name used by pam matches theJeremy Allison1-4/+35
name that will be returned by winbindd. This (should) fix the bug where the user logs in with DOMAIN\user but winbindd returns only "user" for the username due to 'winbind use default domain' being set. Jeremy. (This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
2007-10-10r18028: Fix warnings on non-krb5 systemsVolker Lendecke1-13/+19
(This used to be commit 30df6cb65f2dcc1829ea362ea0bc2a5e10f9819a)
2007-10-10r17897: Store the uid in the memory creds. Don't request theJeremy Allison1-0/+1
krb5 refresh creds when doing cached NTLM auth, request the memory creds instead. Jeremy. (This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
2007-10-10r17837: Split out the storing of memory cached credentialsJeremy Allison1-49/+62
from the krb5 ticket renewal code. This allows cached credentials to be stored for single sign-on via ntlm_auth for machines in a domain still using NTLM. Also (hopefully) fixes the reference counting problem with pam_logon/logoff so multiple logons/logoffs won't lose cached credentials. This compiles, but I'm intending to test it over the weekend so don't complain too much :-). I also want it in the tree so Coverity can scan it for errors. Guenther, check this over please - I ran through the architecture with Jerry and he's ok with it, but this is modifying your code a lot. Jeremy. (This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
2007-10-10r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from ↵Gerald Carter1-38/+9
AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
2007-10-10r17617: Take Andrew Bartletts excellent advice and don't storeJeremy Allison1-2/+22
the nt hash directly in the winbindd cache, store a salted version (MD5 of salt + nt_hash). This is what we do in the LDAP password history code. We store this salted cache entry under the same name as an old entry (CRED/<sid>) but detect it on read by checking if there are 17 bytes of data after the first stored hash (1 byte len, 16 bytes hash). GD PLEASE CHECK. Jeremy. (This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)