summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r17897: Store the uid in the memory creds. Don't request theJeremy Allison1-0/+1
krb5 refresh creds when doing cached NTLM auth, request the memory creds instead. Jeremy. (This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
2007-10-10r17837: Split out the storing of memory cached credentialsJeremy Allison1-49/+62
from the krb5 ticket renewal code. This allows cached credentials to be stored for single sign-on via ntlm_auth for machines in a domain still using NTLM. Also (hopefully) fixes the reference counting problem with pam_logon/logoff so multiple logons/logoffs won't lose cached credentials. This compiles, but I'm intending to test it over the weekend so don't complain too much :-). I also want it in the tree so Coverity can scan it for errors. Guenther, check this over please - I ran through the architecture with Jerry and he's ok with it, but this is modifying your code a lot. Jeremy. (This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
2007-10-10r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from ↵Gerald Carter1-38/+9
AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
2007-10-10r17617: Take Andrew Bartletts excellent advice and don't storeJeremy Allison1-2/+22
the nt hash directly in the winbindd cache, store a salted version (MD5 of salt + nt_hash). This is what we do in the LDAP password history code. We store this salted cache entry under the same name as an old entry (CRED/<sid>) but detect it on read by checking if there are 17 bytes of data after the first stored hash (1 byte len, 16 bytes hash). GD PLEASE CHECK. Jeremy. (This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
2007-10-10r17610: Added the ability for firefox to drive the winbinddJeremy Allison1-2/+2
ntlm_auth module to allow it to use winbindd cached credentials.The credentials are currently only stored in a krb5 MIT environment - we need to add an option to winbindd to allow passwords to be stored even in an NTLM-only environment. Patch from Robert O'Callahan, modified with some fixes by me. Jeremy. (This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
2007-10-10r17605: Some C++ warningsVolker Lendecke1-4/+6
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1Andrew Bartlett1-0/+148
This mode proxies pre-calculated blobs from a remote (probably VPN) client into the domain. This allows clients to change their password over a PPTP connection (where they would not be able to connect to SAMR directly). The precalculated blobs do not reveal the plaintext password. Original patch by Alexey Kobozev <cobedump@gmail.com> (This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
2007-10-10r16610: Subtle one from Klocwork #2076. If multiple flagsJeremy Allison1-0/+3
are set in a winbindd request it might overwrite existing state->response.extra_data.data values without freeing. Jeremy. (This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
2007-10-10r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup:Günther Deschner1-1/+39
When trying to login using krb5 with a trusted domain account, we need to make sure that our and the remote domain are AD. Guenther (This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
2007-10-10r16473: There is no point in calling set_dc_type_and_flags() before eachGünther Deschner1-2/+9
pam_auth login (when using kerberos). Guenther (This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
2007-10-10r15983: Honour the krb5 principal name change (of the new ads join code) in theGünther Deschner1-1/+1
kerberized winbind pam_auth. Guenther (This used to be commit 216125fe132fa6b886b99139e38988725beb88f0)
2007-10-10r15982: Fix confusing order of DEBUG statements in winbindds pam_auth.Günther Deschner1-3/+3
Guenther (This used to be commit 3f5a2e49c108bfe8f8b875af9e69d5ad3b0567ee)
2007-10-10r15539: Use portable wrapper functions instead of seteuidJeremy Allison1-3/+3
directly in winbindd. Jeremy. (This used to be commit 2e65fcc9def5f1386a33ca4a76e494838e3a0632)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-0/+1
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15398: Attempt to send the correct warning when a password change was attemptedGünther Deschner1-2/+3
too early. Guenther (This used to be commit 7f64a66d25f2a4aa48c2639da8e783c1759c5dd4)
2007-10-10r15396: Cleanup credential caches from winbind's linked list.Günther Deschner1-1/+6
Guenther (This used to be commit 7420b095077689fee4b5c9fb76cdb6533be1d465)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-0/+1
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15229: Save useless roundtrips in pam_auth (fallback to samlogon) when we knowGünther Deschner1-1/+3
that the DC is not available. Guenther (This used to be commit 77407c021997db1b2a86ca26a5d125fa6b782949)
2007-10-10r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit ↵Gerald Carter1-10/+10
winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10r14753: Fix the kerberized pam_auth: As we could have created a new credentialGünther Deschner1-14/+26
cache with a valid TGT in it but we werent able to get or verify the service ticket for this local host afterwards and therefor didn't get the PAC, we need to remove that ccache entirely. Also remove an ugly pair of (not needed) seteuid calls around the ticket destroy wrapper. Guenther (This used to be commit 25a2fb3896596380d9eecac80defbf247a35e6bb)
2007-10-10r14674: Further cleanup for cached logins, only dump hashes with DEBUG_PASSWORD.Günther Deschner1-0/+2
Guenther (This used to be commit 24afdda2ae7626b8c0b378d158ede391924d1274)
2007-10-10r14597: Merge DCERPC_FAULT constants from Samba 4.Günther Deschner1-1/+1
Guenther (This used to be commit 3f195f8248c88ec8bf8ceb195575ce6bb49d7fc4)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-8/+8
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14514: Fixing last commit. Thanks Volker.Günther Deschner1-1/+1
Guenther (This used to be commit 345d2ab5d399a99f271148cf308271cb7fc2c0ca)
2007-10-10r14513: Fix winbindd_chauthtok: only fallback when the chgpasswd3 call is notGünther Deschner1-2/+5
supported. Is there a better way to check for the 0x1c010002 status code? Guenther (This used to be commit c7268dc9ac304e1b6dac80762087a57484906103)
2007-10-10r14507: Re-disable accidentially re-enabled paranoia check. This should makeGünther Deschner1-1/+4
offline logons work again with NT4 and older Samba3 DCs. Guenther (This used to be commit 0892077fcec913ef76b017b5bfe058d20a322915)
2007-10-10r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain passwordGünther Deschner1-4/+7
policies when requested. No panic, the flags is uint32 so we are not running out of WBFLAG bits. Guenther (This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)
2007-10-10r14493: There is no point in falling back to a samlogon when a krb5login hasGünther Deschner1-0/+17
failed with a clear error indication. This prevents the bad logon count beeing increased on the DC. Guenther (This used to be commit 5fdddffba5cf05ccac23a64fbe404a34e73fa73c)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter1-1/+1
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r14392: Use KRB5_TGS_NAME.Günther Deschner1-1/+1
Guenther (This used to be commit 4cfd737cc1d8840888f80e360119eeb627acb381)
2007-10-10r14275: Shut-up coverity false positive (bug #199) by making an assertionJeremy Allison1-0/+7
explicit. Jeremy. (This used to be commit aeae20a8d9f3658acb8edd373eb601bdf7eab98b)
2007-10-10r14259: Fix coverity #42. Ensure contact_domain can't be null derefedJeremy Allison1-4/+6
in error code path. Jeremy. (This used to be commit 9f5fcdd8fb437882568e38e174e2df27bd077ba3)
2007-10-10r14148: Removing the not very well tested krb5 ticket refresh handling activatedGünther Deschner1-8/+1
over --with-kcm. No time to look after it for the moment. Guenther (This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
2007-10-10r13914: Fix Coverity bug #151.Volker Lendecke1-1/+1
I think this is actually a false warning, but as I've seen it with high gcc warning levels, lets fix it :-) Volker (This used to be commit 3f671033bca7a025f9639728a0a0a0adede6ed35)
2007-10-10r13895: As agreed upon with gd on the phone, remove ↵Volker Lendecke1-12/+0
WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8)
2007-10-10r13720: Only lockout Administrator after x bad password attempts in offline-modeGünther Deschner1-8/+37
when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter1-0/+1
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().Günther Deschner1-6/+2
Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter1-1/+1
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner1-2/+11
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13442: Implement samr_chgpasswd_user3 server-side.Günther Deschner1-8/+8
Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
2007-10-10r13409: No functional changes, just some DEBUG cleanup.Günther Deschner1-1/+1
Guenther (This used to be commit 286f6fc2339cf4ef232c16466b8dffdcddbe343f)
2007-10-10r13377: Fix from Volker: Make offline authentication work with NT4 as wellGünther Deschner1-2/+12
(handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
2007-10-10r13375: Match XP behaviour: Don't force 'Administrator' to change an expiredGünther Deschner1-13/+2
password on logon. (this might be true for all domain admins as well). Guenther (This used to be commit 24c6b9fecb521380008cb44e6d987a6f495027dc)
2007-10-10r13316: Let the carnage begin....Gerald Carter1-33/+993
Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10r13042: Fix for bug #3248 Stefan Burkei <stefan@burkei.de>.Jeremy Allison1-1/+2
When doing auth_crap authentication use the client given workstation name not our own. Jeremy. (This used to be commit a2bb2e3e819c56b710885fc8206632e22a6ec0ce)
2007-10-10r12313: Introduce yet another copy of the string_sub function:Volker Lendecke1-6/+12
talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2007-10-10r11851: Display correct error string.Günther Deschner1-1/+1
Guenther (This used to be commit 4d681f560e59dd483f580c5fe5299af6242ae7c2)
2007-10-10r11667: Fix a debug messageVolker Lendecke1-2/+3
(This used to be commit d1f506fa1353cd1b9ddba923dc17a884f7560be6)
2007-10-10r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.Gerald Carter1-2/+2
Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)