summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-18/+20
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-114/+58
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10268: Fix for bug #3095 - winbindd checking credentials.Jeremy Allison1-12/+18
Jeremy. (This used to be commit e58d8ee0555a5de0a25757b26cc22e02b9aace31)
2007-10-10r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵Gerald Carter1-6/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-17/+14
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)
2007-10-10r7454: couple of winbindd fixesGerald Carter1-1/+1
* make sure to use our domain as the account name in the net_req_auth2() request when running on a Samba DC * make sure to lookup the correct domain (not default to ours) when getting an async getpwnam() call (This used to be commit c9c3e3c122a6a04847c448d298b6f1adb4f35a60)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-142/+276
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r5331: Support SIDs as %s replacements in the afs username map parameter.Volker Lendecke1-0/+12
Add 'log nt token command' parameter. If set, %s is replaced with the user sid, and %t takes all the group sids. Volker (This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-1/+1
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-4/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix theAndrew Bartlett1-35/+19
naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth. Andrew Bartlett (This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
2007-10-10r2755: Fix NTLMv2 for use with pam_winbind, the plaintext ntlm_auth modes,Andrew Bartlett1-4/+50
and the wbinfo -a test tool. If 'client ntlmv2 auth' is set, then we will send an NTLMv2, rather than an NT/LM response to the server. Andrew Bartlett (This used to be commit ce2456e436c5d57cd95cd10c6edf759592d0e843)
2007-10-10r2177: use the correct counter when copying group rids from the user_info3 ↵Gerald Carter1-3/+3
struct; patch from Dimitri van der Spek <dwspek@aboveit.nl> (This used to be commit aa89806deb9d4c9cbd23ccdd41bb98346e395078)
2007-10-10r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling ↵Gerald Carter1-2/+2
in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f)
2007-10-10r1887: Fix deadlock loop in winbind's required_membership_sid-verification.Günther Deschner1-1/+1
Guenther (This used to be commit a0a6d7d72f2a24c422db255acf6c439a9b0921df)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-1/+1
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r565: Uninitialized data fixes from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-0/+1
Jeremy. (This used to be commit c23a73324b335e42877551283b274f6d12f2c1a7)
2007-10-10r333: other half of fix for winbindd crask from gd@suse.deGerald Carter1-3/+7
(This used to be commit f902d52c82c31d38157d4f1c77c27ee1c395afc3)
2007-10-10r319: Fix a segfault in winbind. Thanks to Guenther Deschner for his ↵Volker Lendecke1-2/+6
valgrind log :-) Volker (This used to be commit 91296a6003417e8704114ea63511c2c9201da122)
2007-10-10r84: Implement --required-membership-of=, an ntlm_auth option that restrictsAndrew Bartlett1-5/+114
all authentication to members of this particular group. Also implement an option to allow ntlm_auth to get 'squashed' error codes, which are safer to communicate to remote network clients. Andrew Bartlett (This used to be commit eb1c1b5eb086f49a230142ad2de45dc0e9691df3)
2007-10-10r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett1-2/+2
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2004-04-01This restructures lib/afs.c so that the token data can be but into aVolker Lendecke1-0/+35
stream. This is to implement wbinfo -k that asks winbind for authentication which then creates the AFS token for the authenticated user. Volker (This used to be commit 2df6750a079820826013360fb9e47f90bc8223a5)
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett1-8/+2
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-14Remove duplicate comment.Andrew Bartlett1-2/+0
Andrew Bartlett (This used to be commit b0b2010461d8554334b033c4f07d78c308e73e7f)
2004-01-05Grumble... grumble... fix the build...Andrew Bartlett1-5/+7
(This used to be commit 687aececa66c2c1ba8e5bc3127d8ca79a97436d1)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-45/+73
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett1-13/+35
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-3/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett1-0/+26
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-11-25Add a comment, and a useful debug message.Andrew Bartlett1-0/+2
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-2/+8
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-09-24fixing a bug in the retry loop for winbindd_pam_auth[_crap]()Gerald Carter1-15/+25
(This used to be commit a83266a927b81a9f7a62b211793faaf8d401767c)
2003-09-17Obviously correct typo bugfix from Lin Li <linl@xandros.com>.Jeremy Allison1-1/+1
Jeremy. (This used to be commit a43ca66290ac1df9b00e3e43e32d8117b3d1b873)
2003-09-08fix valgrind errors; don't access cli_state pointer after it has been shutdownGerald Carter1-17/+13
(This used to be commit 02ae82fb3f70dc37e815d8e88bfd31a8c3ff43db)
2003-09-06fix bug 382: make sure to free and reset the cli_state pointer after ↵Gerald Carter1-0/+6
flushing connections in winbindd_pam_auth[_crap]() (This used to be commit 60c8796edd84249db5419329a0fea4bbc7f9bb98)
2003-08-12Fix for bug 269. Change wbinfo and ntlm_auth to convert domain, usernameTim Potter1-4/+8
and workstation to utf8 before sending the winbindd request. Also, don't continue when the call to pull_utf8() fails but rather return a winbind error. (This is what was causing the crash) (This used to be commit ca1c463360b75538a93b56a87cbb4a6ee7b6cec6)
2003-07-31working on transtive trusts issue:Gerald Carter1-49/+0
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-3/+3
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-20Typo fixes.Rafal Szczesniak1-1/+1
(This used to be commit 85df8213fc67a9c8e8712cb64f27e5559dc11af9)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-4/+4
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-07and so it begins....Gerald Carter1-25/+38
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-03fix for bug #200. flush connections if the machine trsut accountGerald Carter1-1/+31
changed underneath us. (This used to be commit 6a1ad1ded1d619394ed4ca9e05fdffaa3b902b3b)
2003-06-30* rename samstrict auth method to samGerald Carter1-73/+78
* rename original sam auth method to sam_ignoredomain * remove samstrict_dc auth method (now covered by 'sam') * fix wbinfo -a '...' and getent passwd bugs when running winbindd on a samba PDC (reported by Volker) (This used to be commit 52166faee793d337e045d64f7cb27ea7ac895f60)
2003-06-29Here's the code to make winbindd work on a Samba DCGerald Carter1-18/+44
to handle domain trusts. Jeremy and I talked about this and it's going in as working code. It keeps winbind clean and solves the trust problem with minimal changes. To summarize, there are 2 basic cases where the deadlock would occur. (1) lookuping up secondary groups for a user, and (2) get[gr|pw]nam() calls that fall through the NSS layer because they don't exist anywhere. o To handle case #1, we bypass winbindd in sys_getgrouplist() unless the username includes the 'winbind separator'. o Case #2 is handled by adding checks in winbindd to return failure if we are a DC and the domain matches our own. This code has been tested using basic share connections, domain logons, and with pam_winbind (both with and without 'winbind use default domain'). The 'trustdomain' auth module should work as well if an admin wants to manually create UNIX users for acounts in the trusted domains. Other misc fixes: * we need to fix check_ntlm_password() to be able to determine if an auth module is authoritative over a user (NT_STATUS_WRONG_PASSWORD, etc...). I worked around my specific situation, but this needs to be fixed. the winbindd auth module was causing delays. * fix named server mutex deadlock between trust domain auth module and winbindd looking up a uid * make sure SAM_ACCOUNT gets stored in the server_info struct for the _net_sam_logon() reply. Configuration details: The recommended method for supporting trusts is to use winbind. The gets us around some of the server mutex issues as well. * set 'files winbind' for passwd: and group: in /etc/nsswitch.conf * create domain trusts like normal * join winbind on the pdc to the Samba domain using 'net rpc join' * add normal parameters to smb.conf for winbind * set 'auth method = guest sam winbind' * start smbd, nmbd, & winbindd Problems that remain: * join a Windows 2k/XP box to a Samba domain. * create a 2-way trust between the Samba domain and an NT domain * logon to the windows client as a user from theh trusted domain * try to browse server in the trusted domain (or other workstations). an NT client seems to work ok, but 2k and XP either prompt for passwords or fail with errors. apparanently this never got tested since no one has ever been able to logon as a trusted user to a Samba domain from a Windows client. (This used to be commit f804b590f9dbf1f0147c06a0a2f12e221ae6fc3b)
2003-06-21merge of the netsamlogon caching code from APPLIANCE_HEADGerald Carter1-5/+5
This replaces the universal group caching code (was originally based on that code). Only applies to the the RPC code. One comment: domain local groups don't show up in 'getent group' that's easy to fix. Code has been tested against 2k domain but doesn't change anything with respect to NT4 domains. netsamlogon caching works pretty much like the universal group caching code did but has had much more testing and puts winbind mostly back in sync between branches. (This used to be commit aac01dc7bc95c20ee21c93f3581e2375d9a894e1)
2003-05-08This puts real netlogon connection caching to winbind. This becomesVolker Lendecke1-28/+60
important once we start doing schannel, as there would be a lot more roundtrips for the second PIPE open and bind. With this patch logging in to a member server is a matter of two (three if you count the ack...) packets between us and the DC. Volker (This used to be commit 5b3cb7725a974629d0bd8b707bc2940c36b8745e)
2003-04-21Merge from HEAD - save the type of channel used to contact the DC.Andrew Bartlett1-9/+10
This allows us to join as a BDC, without appearing on the network as one until we have the database replicated, and the admin changes the configuration. This also change the SID retreval order from secrets.tdb, so we no longer require a 'net rpc getsid' - the sid fetch during the domain join is sufficient. Also minor fixes to 'net'. Andrew Bartlett (This used to be commit 876e00fd112e4aaf7519eec27f382eb99ec7562a)
2003-04-07Winbind merges from HEAD:Andrew Bartlett1-5/+18
- fix winbindd_pam bugs - give a better error message for unauthorized access to auth_crap - show this message in wbinfo - fix spelling: privilaged -> privileged ** This changes the location of the winbindd privileged pipe ** (thanks to tpot) Andrew Bartlett (This used to be commit 92c2a33483cc9ddd1dd627224192a3023f8caff8)
2003-03-24(merge from HEAD)Andrew Bartlett1-7/+6
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)