summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1Andrew Bartlett1-0/+148
This mode proxies pre-calculated blobs from a remote (probably VPN) client into the domain. This allows clients to change their password over a PPTP connection (where they would not be able to connect to SAMR directly). The precalculated blobs do not reveal the plaintext password. Original patch by Alexey Kobozev <cobedump@gmail.com> (This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
2007-10-10r16610: Subtle one from Klocwork #2076. If multiple flagsJeremy Allison1-0/+3
are set in a winbindd request it might overwrite existing state->response.extra_data.data values without freeing. Jeremy. (This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
2007-10-10r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup:Günther Deschner1-1/+39
When trying to login using krb5 with a trusted domain account, we need to make sure that our and the remote domain are AD. Guenther (This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
2007-10-10r16473: There is no point in calling set_dc_type_and_flags() before eachGünther Deschner1-2/+9
pam_auth login (when using kerberos). Guenther (This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
2007-10-10r15983: Honour the krb5 principal name change (of the new ads join code) in theGünther Deschner1-1/+1
kerberized winbind pam_auth. Guenther (This used to be commit 216125fe132fa6b886b99139e38988725beb88f0)
2007-10-10r15982: Fix confusing order of DEBUG statements in winbindds pam_auth.Günther Deschner1-3/+3
Guenther (This used to be commit 3f5a2e49c108bfe8f8b875af9e69d5ad3b0567ee)
2007-10-10r15539: Use portable wrapper functions instead of seteuidJeremy Allison1-3/+3
directly in winbindd. Jeremy. (This used to be commit 2e65fcc9def5f1386a33ca4a76e494838e3a0632)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-0/+1
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15398: Attempt to send the correct warning when a password change was attemptedGünther Deschner1-2/+3
too early. Guenther (This used to be commit 7f64a66d25f2a4aa48c2639da8e783c1759c5dd4)
2007-10-10r15396: Cleanup credential caches from winbind's linked list.Günther Deschner1-1/+6
Guenther (This used to be commit 7420b095077689fee4b5c9fb76cdb6533be1d465)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-0/+1
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15229: Save useless roundtrips in pam_auth (fallback to samlogon) when we knowGünther Deschner1-1/+3
that the DC is not available. Guenther (This used to be commit 77407c021997db1b2a86ca26a5d125fa6b782949)
2007-10-10r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit ↵Gerald Carter1-10/+10
winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10r14753: Fix the kerberized pam_auth: As we could have created a new credentialGünther Deschner1-14/+26
cache with a valid TGT in it but we werent able to get or verify the service ticket for this local host afterwards and therefor didn't get the PAC, we need to remove that ccache entirely. Also remove an ugly pair of (not needed) seteuid calls around the ticket destroy wrapper. Guenther (This used to be commit 25a2fb3896596380d9eecac80defbf247a35e6bb)
2007-10-10r14674: Further cleanup for cached logins, only dump hashes with DEBUG_PASSWORD.Günther Deschner1-0/+2
Guenther (This used to be commit 24afdda2ae7626b8c0b378d158ede391924d1274)
2007-10-10r14597: Merge DCERPC_FAULT constants from Samba 4.Günther Deschner1-1/+1
Guenther (This used to be commit 3f195f8248c88ec8bf8ceb195575ce6bb49d7fc4)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-8/+8
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14514: Fixing last commit. Thanks Volker.Günther Deschner1-1/+1
Guenther (This used to be commit 345d2ab5d399a99f271148cf308271cb7fc2c0ca)
2007-10-10r14513: Fix winbindd_chauthtok: only fallback when the chgpasswd3 call is notGünther Deschner1-2/+5
supported. Is there a better way to check for the 0x1c010002 status code? Guenther (This used to be commit c7268dc9ac304e1b6dac80762087a57484906103)
2007-10-10r14507: Re-disable accidentially re-enabled paranoia check. This should makeGünther Deschner1-1/+4
offline logons work again with NT4 and older Samba3 DCs. Guenther (This used to be commit 0892077fcec913ef76b017b5bfe058d20a322915)
2007-10-10r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain passwordGünther Deschner1-4/+7
policies when requested. No panic, the flags is uint32 so we are not running out of WBFLAG bits. Guenther (This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)
2007-10-10r14493: There is no point in falling back to a samlogon when a krb5login hasGünther Deschner1-0/+17
failed with a clear error indication. This prevents the bad logon count beeing increased on the DC. Guenther (This used to be commit 5fdddffba5cf05ccac23a64fbe404a34e73fa73c)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-1/+1
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r14392: Use KRB5_TGS_NAME.Günther Deschner1-1/+1
Guenther (This used to be commit 4cfd737cc1d8840888f80e360119eeb627acb381)
2007-10-10r14275: Shut-up coverity false positive (bug #199) by making an assertionJeremy Allison1-0/+7
explicit. Jeremy. (This used to be commit aeae20a8d9f3658acb8edd373eb601bdf7eab98b)
2007-10-10r14259: Fix coverity #42. Ensure contact_domain can't be null derefedJeremy Allison1-4/+6
in error code path. Jeremy. (This used to be commit 9f5fcdd8fb437882568e38e174e2df27bd077ba3)
2007-10-10r14148: Removing the not very well tested krb5 ticket refresh handling activatedGünther Deschner1-8/+1
over --with-kcm. No time to look after it for the moment. Guenther (This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
2007-10-10r13914: Fix Coverity bug #151.Volker Lendecke1-1/+1
I think this is actually a false warning, but as I've seen it with high gcc warning levels, lets fix it :-) Volker (This used to be commit 3f671033bca7a025f9639728a0a0a0adede6ed35)
2007-10-10r13895: As agreed upon with gd on the phone, remove ↵Volker Lendecke1-12/+0
WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8)
2007-10-10r13720: Only lockout Administrator after x bad password attempts in offline-modeGünther Deschner1-8/+37
when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-0/+1
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().Günther Deschner1-6/+2
Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter1-1/+1
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-2/+11
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13442: Implement samr_chgpasswd_user3 server-side.Günther Deschner1-8/+8
Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
2007-10-10r13409: No functional changes, just some DEBUG cleanup.Günther Deschner1-1/+1
Guenther (This used to be commit 286f6fc2339cf4ef232c16466b8dffdcddbe343f)
2007-10-10r13377: Fix from Volker: Make offline authentication work with NT4 as wellGünther Deschner1-2/+12
(handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
2007-10-10r13375: Match XP behaviour: Don't force 'Administrator' to change an expiredGünther Deschner1-13/+2
password on logon. (this might be true for all domain admins as well). Guenther (This used to be commit 24c6b9fecb521380008cb44e6d987a6f495027dc)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-33/+993
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13042: Fix for bug #3248 Stefan Burkei <stefan@burkei.de>.Jeremy Allison1-1/+2
When doing auth_crap authentication use the client given workstation name not our own. Jeremy. (This used to be commit a2bb2e3e819c56b710885fc8206632e22a6ec0ce)
2007-10-10r12313: Introduce yet another copy of the string_sub function:Volker Lendecke1-6/+12
talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2007-10-10r11851: Display correct error string.Günther Deschner1-1/+1
Guenther (This used to be commit 4d681f560e59dd483f580c5fe5299af6242ae7c2)
2007-10-10r11667: Fix a debug messageVolker Lendecke1-2/+3
(This used to be commit d1f506fa1353cd1b9ddba923dc17a884f7560be6)
2007-10-10r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.Gerald Carter1-2/+2
Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10r11652: Reinstate the netsamlogon_cache in order to workGerald Carter1-0/+8
around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10r11573: Adding Andrew Bartlett's patch to make machine accountJeremy Allison1-18/+20
logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same was as it would a user account check. I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10r10656: BIG merge from trunk. Features not copied overGerald Carter1-114/+58
* \PIPE\unixinfo * winbindd's {group,alias}membership new functions * winbindd's lookupsids() functionality * swat (trunk changes to be reverted as per discussion with Deryck) (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)
2007-10-10r10268: Fix for bug #3095 - winbindd checking credentials.Jeremy Allison1-12/+18
Jeremy. (This used to be commit e58d8ee0555a5de0a25757b26cc22e02b9aace31)
2007-10-10r9588: remove netsamlogon_cache interface...everything seems to work fine. ↵Gerald Carter1-6/+0
Will deal with any fallout from special environments using a non-cache solution (This used to be commit e1de6f238f3981d81e49fb41919fdce4f07c8280)
2007-10-10r7785: This looks much larger than it is. It changes the top-level functions ↵Volker Lendecke1-17/+14
of the parent winbind not to return winbindd_result. This is to hopefully fix all the problems where a result has been scheduled for write twice. The problematic ones have been the functions that might have been delayed as well as under other circumstances immediately gets answered from the cache. Now a request needs to be explicitly replied to with a request_error() or request_ok(). Volker (This used to be commit 7365c9accf98ec1dd78a59dd7f62462bbb8528d4)