summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r13914: Fix Coverity bug #151.Volker Lendecke1-1/+1
I think this is actually a false warning, but as I've seen it with high gcc warning levels, lets fix it :-) Volker (This used to be commit 3f671033bca7a025f9639728a0a0a0adede6ed35)
2007-10-10r13895: As agreed upon with gd on the phone, remove ↵Volker Lendecke1-12/+0
WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8)
2007-10-10r13720: Only lockout Administrator after x bad password attempts in offline-modeGünther Deschner1-8/+37
when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-0/+1
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().Günther Deschner1-6/+2
Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter1-1/+1
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-2/+11
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13442: Implement samr_chgpasswd_user3 server-side.Günther Deschner1-8/+8
Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
2007-10-10r13409: No functional changes, just some DEBUG cleanup.Günther Deschner1-1/+1
Guenther (This used to be commit 286f6fc2339cf4ef232c16466b8dffdcddbe343f)
2007-10-10r13377: Fix from Volker: Make offline authentication work with NT4 as wellGünther Deschner1-2/+12
(handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
2007-10-10r13375: Match XP behaviour: Don't force 'Administrator' to change an expiredGünther Deschner1-13/+2
password on logon. (this might be true for all domain admins as well). Guenther (This used to be commit 24c6b9fecb521380008cb44e6d987a6f495027dc)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-33/+993
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13042: Fix for bug #3248 Stefan Burkei <stefan@burkei.de>.Jeremy Allison1-1/+2
When doing auth_crap authentication use the client given workstation name not our own. Jeremy. (This used to be commit a2bb2e3e819c56b710885fc8206632e22a6ec0ce)
2007-10-10r12313: Introduce yet another copy of the string_sub function:Volker Lendecke1-6/+12
talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2007-10-10r11851: Display correct error string.Günther Deschner1-1/+1
Guenther (This used to be commit 4d681f560e59dd483f580c5fe5299af6242ae7c2)
2007-10-10r11667: Fix a debug messageVolker Lendecke1-2/+3
(This used to be commit d1f506fa1353cd1b9ddba923dc17a884f7560be6)
2007-10-10r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.Gerald Carter1-2/+2
Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10r11652: Reinstate the netsamlogon_cache in order to workGerald Carter1-0/+8
around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-18/+20
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-114/+58
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10268: Fix for bug #3095 - winbindd checking credentials.Jeremy Allison1-12/+18
Jeremy. (This used to be commit e58d8ee0555a5de0a25757b26cc22e02b9aace31)
2007-10-10r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵Gerald Carter1-6/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-17/+14
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)
2007-10-10r7454: couple of winbindd fixesGerald Carter1-1/+1
* make sure to use our domain as the account name in the net_req_auth2() request when running on a Samba DC * make sure to lookup the correct domain (not default to ours) when getting an async getpwnam() call (This used to be commit c9c3e3c122a6a04847c448d298b6f1adb4f35a60)
2007-10-10r7415: * big change -- volker's new async winbindd from trunkGerald Carter1-142/+276
(This used to be commit a0ac9a8ffd4af31a0ebc423b4acbb2f043d865b8)
2007-10-10r5331: Support SIDs as %s replacements in the afs username map parameter.Volker Lendecke1-0/+12
Add 'log nt token command' parameter. If set, %s is replaced with the user sid, and %t takes all the group sids. Volker (This used to be commit e7dc9fde45c750013ad07f584599dd51f8eb8a54)
2007-10-10r4286: Give back 8 byte lm_session_key in Netrsamlogon-reply.Günther Deschner1-1/+1
The old #ifdef JRATEST-block was copying 16 bytes and thus overwriting acct_flags with bizarre values, breaking a lot of things. This patch is successfully running in a production environment for quite some time now and is required to finally allow Exchange 5.5 to access another Exchange Server when both are running on NT4 in a samba-controlled domain. This also allows Exchange Replication to take place, Exchange Administrator to access other Servers in the network, etc. Fixes Bugzilla #1136. Thanks abartlet for helping me with that one. Guenther (This used to be commit bd4c5125d6989cebc90152a23e113b345806c660)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-4/+4
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix theAndrew Bartlett1-35/+19
naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth. Andrew Bartlett (This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
2007-10-10r2755: Fix NTLMv2 for use with pam_winbind, the plaintext ntlm_auth modes,Andrew Bartlett1-4/+50
and the wbinfo -a test tool. If 'client ntlmv2 auth' is set, then we will send an NTLMv2, rather than an NT/LM response to the server. Andrew Bartlett (This used to be commit ce2456e436c5d57cd95cd10c6edf759592d0e843)
2007-10-10r2177: use the correct counter when copying group rids from the user_info3 ↵Gerald Carter1-3/+3
struct; patch from Dimitri van der Spek <dwspek@aboveit.nl> (This used to be commit aa89806deb9d4c9cbd23ccdd41bb98346e395078)
2007-10-10r2086: fix bug with winbindd_getpwnam() caused by Microsoft DC's not filling ↵Gerald Carter1-2/+2
in the username in the user_info3 (This used to be commit 4703a71fa88dff8bdc932f6c9af3a9d25a88938f)
2007-10-10r1887: Fix deadlock loop in winbind's required_membership_sid-verification.Günther Deschner1-1/+1
Guenther (This used to be commit a0a6d7d72f2a24c422db255acf6c439a9b0921df)
2007-10-10r1492: Rework our random number generation system.Andrew Bartlett1-1/+1
On systems with /dev/urandom, this avoids a change to secrets.tdb for every fork(). For other systems, we now only re-seed after a fork, and on startup. No need to do it per-operation. This removes the 'need_reseed' parameter from generate_random_buffer(). Andrew Bartlett (This used to be commit 36741d3cf53a7bd17d361251f2bb50851cdb035f)
2007-10-10r565: Uninitialized data fixes from kawasa_r@itg.hitachi.co.jp.Jeremy Allison1-0/+1
Jeremy. (This used to be commit c23a73324b335e42877551283b274f6d12f2c1a7)
2007-10-10r333: other half of fix for winbindd crask from gd@suse.deGerald Carter1-3/+7
(This used to be commit f902d52c82c31d38157d4f1c77c27ee1c395afc3)
2007-10-10r319: Fix a segfault in winbind. Thanks to Guenther Deschner for his ↵Volker Lendecke1-2/+6
valgrind log :-) Volker (This used to be commit 91296a6003417e8704114ea63511c2c9201da122)
2007-10-10r84: Implement --required-membership-of=, an ntlm_auth option that restrictsAndrew Bartlett1-5/+114
all authentication to members of this particular group. Also implement an option to allow ntlm_auth to get 'squashed' error codes, which are safer to communicate to remote network clients. Andrew Bartlett (This used to be commit eb1c1b5eb086f49a230142ad2de45dc0e9691df3)
2007-10-10r69: Global rename of 'nt_session_key' -> 'user_session_key'. The session ↵Andrew Bartlett1-2/+2
key could be anything, and may not be based on anything 'NT'. This is also what microsoft calls it. (This used to be commit 724e8d3f33719543146280062435c69a835c491e)
2004-04-01This restructures lib/afs.c so that the token data can be but into aVolker Lendecke1-0/+35
stream. This is to implement wbinfo -k that asks winbind for authentication which then creates the AFS token for the authenticated user. Volker (This used to be commit 2df6750a079820826013360fb9e47f90bc8223a5)
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett1-8/+2
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-14Remove duplicate comment.Andrew Bartlett1-2/+0
Andrew Bartlett (This used to be commit b0b2010461d8554334b033c4f07d78c308e73e7f)
2004-01-05Grumble... grumble... fix the build...Andrew Bartlett1-5/+7
(This used to be commit 687aececa66c2c1ba8e5bc3127d8ca79a97436d1)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-45/+73
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett1-13/+35
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-3/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett1-0/+26
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-11-25Add a comment, and a useful debug message.Andrew Bartlett1-0/+2
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett1-2/+8
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)