summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21537: Avoid to trigger the confusing "cached entry differs." warning whenGünther Deschner1-2/+8
there is just no cache around for a user. Guenther (This used to be commit a6c249b59228c6891cde624f72fff23879dbd19f)
2007-10-10r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a userGünther Deschner1-0/+11
changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user itself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has been already changed (on w2k3 sp1 dcs). Guenther (This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
2007-10-10r21318: Fix Bug #4225.Günther Deschner1-5/+61
Cached logon with pam_winbind should work now also for NT4 and samba3 domains. Guenther (This used to be commit b2f91154820219959b8008b15802c70e1d76d158)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner1-1/+2
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21009: Patch from Danilo Almeida @ Centeris (via me).Gerald Carter1-9/+65
Patch details: Support most options in pam_winbind.conf; support comma-separated names in require-membership-of. Details below: 1) Provides support for almost all config options in pam_winbind.conf (all except for use_first_pass, use_authtok, and unknown_ok). - That allows us to work well when invoked via call_modules from pam_unix2.conf as well as allowing use of spaces in names used w/require_membership_of. 2) Support for comma-separated list of names or SID strings in require_membership_of/require-membership-of. - Increased require_membership_of field in winbind request from fstring (256) to pstring (1024). - In PAM side, parse out multiple names or SID strings and convert all of them to SID strings. - In Winbind side, support membership check against multiple SID strings. (This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
2007-10-10r20905: Windows 2000 returns NT_STATUS_ACCOUNT_RESTRICTION if the pwGerald Carter1-3/+11
chnage fails due to policy settings where as 2003 (the chgpasswd3() request) fails with NT_STATUS_PASSWORD_RESTRICTION. Thunk down to the same return code so we correctly retreive the password policy in both cases. (This used to be commit 262bb80e9cf7fb6dbf93144ae0b939c84ec0ea04)
2007-10-10r20725: Get rid of a bool passed down -- gd, please checkVolker Lendecke1-2/+0
(This used to be commit 1ef910f423a9ec69af6abf5a4e2137e8a4e81755)
2007-10-10r20687: Implement grace logons for offline authentications in pam_winbind.Günther Deschner1-18/+22
In case a user authenticated sucessfully and his password just expired while beeing disconnected, we should allow a user to logon (given a clear warning). We currently forced the user into a password change dialogue in that scenario; this did not make much sense while offline. Guenther (This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
2007-10-10r20254: The pam_chauthtok needs to go through the async interface as well.Günther Deschner1-14/+26
This fixes pam password changes in the online case. Guenther (This used to be commit 2d2de1ac27180756df095c586211fe2e7694b94e)
2007-10-10r20180: Ensure that pam returns the correct error messagesJeremy Allison1-10/+13
when offline and or doing password changes. Jeremy. (This used to be commit 4a74c553845c960a355ddb86abaadfe0d550271f)
2007-10-10r20171: Don't delete the krb5 credential if others still reference to it.Günther Deschner1-14/+5
Guenther (This used to be commit a1378979be4fe5ac5148b0a7830859aebb97838c)
2007-10-10r19207: Properly canonicalize incoming names to theJeremy Allison1-3/+12
NSS protocols auth, chauthtok, logoff, ccache_ntlm_auth. That way we ensure winbindd only deals with fully qualified names internally. The NSS protocols auth_crap and chng_pswd_auth_crap should be fixed to do the same thing. Jeremy. (This used to be commit dbd2454d3337f64cddbdaf39e9efd6505e6b2590)
2007-10-10r19148: Finish last nights patch - make offlineJeremy Allison1-2/+2
work again. Still under test. Jeremy. (This used to be commit 40a455db78f805daa6bfeb9e78fb78dcc12fd9a7)
2007-10-10r18871: Fix copy/paste mixup.Günther Deschner1-1/+1
Guenther (This used to be commit 2a605a0b175dc0ccc65ee2dc68e394bef7c954d1)
2007-10-10r18710: Prevent that our offline cache can get outdated after a password change.Günther Deschner1-1/+8
Guenther (This used to be commit 8006cf962b4a33278414fcdf07bf94d739cb4aab)
2007-10-10r18551: Implement a 30 seconds from startup, during which weJeremy Allison1-0/+12
try hard to connect a DC even if we might be offline. Jeremy. (This used to be commit a9f115140700487767bafa058db744eea5ee8f77)
2007-10-10r18271: Big change:Gerald Carter1-1/+1
* autogenerate lsa ndr code * rename 'enum SID_NAME_USE' to 'enum lsa_SidType' * merge a log more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0 The most embarassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10r18259: Fix the non-krb5 builds.Günther Deschner1-1/+2
Guenther (This used to be commit 576488933b8e04ddd6cb45a7992374efe174a404)
2007-10-10r18239: THIS IS GUENTHER'S WORK !!! He's allowing me to mergeJeremy Allison1-4/+67
this at the moment as I'm working on this area. Thanks a lot Guenther. Add the capability to get krb5 tickets even if we log on in the offline state and have to cache the credentials. Once we go online we should start getting krb5 tickets again. Currently this code waits until lp_winbind_cache_time() seconds (5 minutes by default) before getting tickets. This is correct in the DC down case, but not in the global offline -> online case. I'll later add a trigger to force an immediate refresh on the offline -> online state transition. Jeremy. (This used to be commit 04fe034f4a222c83a8d788040f7edc370afe9fa6)
2007-10-10r18188: merge 3.0-libndr branchJelmer Vernooij1-8/+8
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
2007-10-10r18158: Stop winbindd from accumulating memory creds infinitely when doingGünther Deschner1-12/+21
pam offline logons. Guenther (This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
2007-10-10r18062: Fix to ensure the name used by pam matches theJeremy Allison1-4/+35
name that will be returned by winbindd. This (should) fix the bug where the user logs in with DOMAIN\user but winbindd returns only "user" for the username due to 'winbind use default domain' being set. Jeremy. (This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
2007-10-10r18028: Fix warnings on non-krb5 systemsVolker Lendecke1-13/+19
(This used to be commit 30df6cb65f2dcc1829ea362ea0bc2a5e10f9819a)
2007-10-10r17897: Store the uid in the memory creds. Don't request theJeremy Allison1-0/+1
krb5 refresh creds when doing cached NTLM auth, request the memory creds instead. Jeremy. (This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
2007-10-10r17837: Split out the storing of memory cached credentialsJeremy Allison1-49/+62
from the krb5 ticket renewal code. This allows cached credentials to be stored for single sign-on via ntlm_auth for machines in a domain still using NTLM. Also (hopefully) fixes the reference counting problem with pam_logon/logoff so multiple logons/logoffs won't lose cached credentials. This compiles, but I'm intending to test it over the weekend so don't complain too much :-). I also want it in the tree so Coverity can scan it for errors. Guenther, check this over please - I ran through the architecture with Jerry and he's ok with it, but this is modifying your code a lot. Jeremy. (This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
2007-10-10r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from ↵Gerald Carter1-38/+9
AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
2007-10-10r17617: Take Andrew Bartletts excellent advice and don't storeJeremy Allison1-2/+22
the nt hash directly in the winbindd cache, store a salted version (MD5 of salt + nt_hash). This is what we do in the LDAP password history code. We store this salted cache entry under the same name as an old entry (CRED/<sid>) but detect it on read by checking if there are 17 bytes of data after the first stored hash (1 byte len, 16 bytes hash). GD PLEASE CHECK. Jeremy. (This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
2007-10-10r17610: Added the ability for firefox to drive the winbinddJeremy Allison1-2/+2
ntlm_auth module to allow it to use winbindd cached credentials.The credentials are currently only stored in a krb5 MIT environment - we need to add an option to winbindd to allow passwords to be stored even in an NTLM-only environment. Patch from Robert O'Callahan, modified with some fixes by me. Jeremy. (This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
2007-10-10r17605: Some C++ warningsVolker Lendecke1-4/+6
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1Andrew Bartlett1-0/+148
This mode proxies pre-calculated blobs from a remote (probably VPN) client into the domain. This allows clients to change their password over a PPTP connection (where they would not be able to connect to SAMR directly). The precalculated blobs do not reveal the plaintext password. Original patch by Alexey Kobozev <cobedump@gmail.com> (This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
2007-10-10r16610: Subtle one from Klocwork #2076. If multiple flagsJeremy Allison1-0/+3
are set in a winbindd request it might overwrite existing state->response.extra_data.data values without freeing. Jeremy. (This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
2007-10-10r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup:Günther Deschner1-1/+39
When trying to login using krb5 with a trusted domain account, we need to make sure that our and the remote domain are AD. Guenther (This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
2007-10-10r16473: There is no point in calling set_dc_type_and_flags() before eachGünther Deschner1-2/+9
pam_auth login (when using kerberos). Guenther (This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
2007-10-10r15983: Honour the krb5 principal name change (of the new ads join code) in theGünther Deschner1-1/+1
kerberized winbind pam_auth. Guenther (This used to be commit 216125fe132fa6b886b99139e38988725beb88f0)
2007-10-10r15982: Fix confusing order of DEBUG statements in winbindds pam_auth.Günther Deschner1-3/+3
Guenther (This used to be commit 3f5a2e49c108bfe8f8b875af9e69d5ad3b0567ee)
2007-10-10r15539: Use portable wrapper functions instead of seteuidJeremy Allison1-3/+3
directly in winbindd. Jeremy. (This used to be commit 2e65fcc9def5f1386a33ca4a76e494838e3a0632)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-0/+1
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15398: Attempt to send the correct warning when a password change was attemptedGünther Deschner1-2/+3
too early. Guenther (This used to be commit 7f64a66d25f2a4aa48c2639da8e783c1759c5dd4)
2007-10-10r15396: Cleanup credential caches from winbind's linked list.Günther Deschner1-1/+6
Guenther (This used to be commit 7420b095077689fee4b5c9fb76cdb6533be1d465)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner1-0/+1
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15229: Save useless roundtrips in pam_auth (fallback to samlogon) when we knowGünther Deschner1-1/+3
that the DC is not available. Guenther (This used to be commit 77407c021997db1b2a86ca26a5d125fa6b782949)
2007-10-10r15053: fix portabilities issues between 32-bit winbind clients and a 64-bit ↵Gerald Carter1-10/+10
winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10r14753: Fix the kerberized pam_auth: As we could have created a new credentialGünther Deschner1-14/+26
cache with a valid TGT in it but we werent able to get or verify the service ticket for this local host afterwards and therefor didn't get the PAC, we need to remove that ccache entirely. Also remove an ugly pair of (not needed) seteuid calls around the ticket destroy wrapper. Guenther (This used to be commit 25a2fb3896596380d9eecac80defbf247a35e6bb)
2007-10-10r14674: Further cleanup for cached logins, only dump hashes with DEBUG_PASSWORD.Günther Deschner1-0/+2
Guenther (This used to be commit 24afdda2ae7626b8c0b378d158ede391924d1274)
2007-10-10r14597: Merge DCERPC_FAULT constants from Samba 4.Günther Deschner1-1/+1
Guenther (This used to be commit 3f195f8248c88ec8bf8ceb195575ce6bb49d7fc4)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner1-8/+8
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14514: Fixing last commit. Thanks Volker.Günther Deschner1-1/+1
Guenther (This used to be commit 345d2ab5d399a99f271148cf308271cb7fc2c0ca)
2007-10-10r14513: Fix winbindd_chauthtok: only fallback when the chgpasswd3 call is notGünther Deschner1-2/+5
supported. Is there a better way to check for the 0x1c010002 status code? Guenther (This used to be commit c7268dc9ac304e1b6dac80762087a57484906103)
2007-10-10r14507: Re-disable accidentially re-enabled paranoia check. This should makeGünther Deschner1-1/+4
offline logons work again with NT4 and older Samba3 DCs. Guenther (This used to be commit 0892077fcec913ef76b017b5bfe058d20a322915)
2007-10-10r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain passwordGünther Deschner1-4/+7
policies when requested. No panic, the flags is uint32 so we are not running out of WBFLAG bits. Guenther (This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)