path: root/source3/nsswitch/winbindd_pam.c
Age         Commit message  [Author, Files, Lines]
2007-10-10  r17617: Take Andrew Bartlett's excellent advice and don't store  [Jeremy Allison, 1 file, -2/+22]
    the nt hash directly in the winbindd cache, store a salted version (MD5 of salt + nt_hash). This is what we do in the LDAP password history code. We store this salted cache entry under the same name as an old entry (CRED/<sid>) but detect it on read by checking if there are 17 bytes of data after the first stored hash (1 byte len, 16 bytes hash). GD PLEASE CHECK. Jeremy. (This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
2007-10-10  r17610: Added the ability for firefox to drive the winbindd  [Jeremy Allison, 1 file, -2/+2]
    ntlm_auth module to allow it to use winbindd cached credentials. The credentials are currently only stored in a krb5 MIT environment - we need to add an option to winbindd to allow passwords to be stored even in an NTLM-only environment. Patch from Robert O'Callahan, modified with some fixes by me. Jeremy. (This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
2007-10-10  r17605: Some C++ warnings  [Volker Lendecke, 1 file, -4/+6]
    (This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10  r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1  [Andrew Bartlett, 1 file, -0/+148]
    This mode proxies pre-calculated blobs from a remote (probably VPN) client into the domain. This allows clients to change their password over a PPTP connection (where they would not be able to connect to SAMR directly). The precalculated blobs do not reveal the plaintext password. Original patch by Alexey Kobozev <cobedump@gmail.com> (This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
2007-10-10  r16610: Subtle one from Klocwork #2076. If multiple flags  [Jeremy Allison, 1 file, -0/+3]
    are set in a winbindd request it might overwrite existing state->response.extra_data.data values without freeing. Jeremy. (This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
2007-10-10  r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup:  [Günther Deschner, 1 file, -1/+39]
    When trying to login using krb5 with a trusted domain account, we need to make sure that our and the remote domain are AD. Guenther (This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
2007-10-10  r16473: There is no point in calling set_dc_type_and_flags() before each  [Günther Deschner, 1 file, -2/+9]
    pam_auth login (when using kerberos). Guenther (This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
2007-10-10  r15983: Honour the krb5 principal name change (of the new ads join code) in the  [Günther Deschner, 1 file, -1/+1]
    kerberized winbind pam_auth. Guenther (This used to be commit 216125fe132fa6b886b99139e38988725beb88f0)
2007-10-10  r15982: Fix confusing order of DEBUG statements in winbindd's pam_auth.  [Günther Deschner, 1 file, -3/+3]
    Guenther (This used to be commit 3f5a2e49c108bfe8f8b875af9e69d5ad3b0567ee)
2007-10-10  r15539: Use portable wrapper functions instead of seteuid  [Jeremy Allison, 1 file, -3/+3]
    directly in winbindd. Jeremy. (This used to be commit 2e65fcc9def5f1386a33ca4a76e494838e3a0632)
2007-10-10  r15523: Honour the time_offset also when verifying kerberos tickets. This  [Günther Deschner, 1 file, -0/+1]
    prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been successfully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10  r15398: Attempt to send the correct warning when a password change was attempted  [Günther Deschner, 1 file, -2/+3]
    too early. Guenther (This used to be commit 7f64a66d25f2a4aa48c2639da8e783c1759c5dd4)
2007-10-10  r15396: Cleanup credential caches from winbind's linked list.  [Günther Deschner, 1 file, -1/+6]
    Guenther (This used to be commit 7420b095077689fee4b5c9fb76cdb6533be1d465)
2007-10-10  r15240: Correctly disallow unauthorized access when logging on with the  [Günther Deschner, 1 file, -0/+1]
    kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10  r15229: Save useless roundtrips in pam_auth (fallback to samlogon) when we know  [Günther Deschner, 1 file, -1/+3]
    that the DC is not available. Guenther (This used to be commit 77407c021997db1b2a86ca26a5d125fa6b782949)
2007-10-10  r15053: fix portability issues between 32-bit winbind clients and a 64-bit  [Gerald Carter, 1 file, -10/+10]
    winbindd server (This used to be commit a95d11345e76948b147bbc1f29a05c978d99a47a)
2007-10-10  r14753: Fix the kerberized pam_auth: As we could have created a new credential  [Günther Deschner, 1 file, -14/+26]
    cache with a valid TGT in it but we weren't able to get or verify the service ticket for this local host afterwards and therefore didn't get the PAC, we need to remove that ccache entirely. Also remove an ugly pair of (not needed) seteuid calls around the ticket destroy wrapper. Guenther (This used to be commit 25a2fb3896596380d9eecac80defbf247a35e6bb)
2007-10-10  r14674: Further cleanup for cached logins, only dump hashes with DEBUG_PASSWORD.  [Günther Deschner, 1 file, -0/+2]
    Guenther (This used to be commit 24afdda2ae7626b8c0b378d158ede391924d1274)
2007-10-10  r14597: Merge DCERPC_FAULT constants from Samba 4.  [Günther Deschner, 1 file, -1/+1]
    Guenther (This used to be commit 3f195f8248c88ec8bf8ceb195575ce6bb49d7fc4)
2007-10-10  r14585: Tighten argument list of kerberos_kinit_password again,  [Günther Deschner, 1 file, -8/+8]
    kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10  r14514: Fixing last commit. Thanks Volker.  [Günther Deschner, 1 file, -1/+1]
    Guenther (This used to be commit 345d2ab5d399a99f271148cf308271cb7fc2c0ca)
2007-10-10  r14513: Fix winbindd_chauthtok: only fallback when the chgpasswd3 call is not  [Günther Deschner, 1 file, -2/+5]
    supported. Is there a better way to check for the 0x1c010002 status code? Guenther (This used to be commit c7268dc9ac304e1b6dac80762087a57484906103)
2007-10-10  r14507: Re-disable accidentally re-enabled paranoia check. This should make  [Günther Deschner, 1 file, -1/+4]
    offline logons work again with NT4 and older Samba3 DCs. Guenther (This used to be commit 0892077fcec913ef76b017b5bfe058d20a322915)
2007-10-10  r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain password  [Günther Deschner, 1 file, -4/+7]
    policies when requested. No panic, the flags field is uint32 so we are not running out of WBFLAG bits. Guenther (This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)
2007-10-10  r14493: There is no point in falling back to a samlogon when a krb5login has  [Günther Deschner, 1 file, -0/+17]
    failed with a clear error indication. This prevents the bad logon count being increased on the DC. Guenther (This used to be commit 5fdddffba5cf05ccac23a64fbe404a34e73fa73c)
2007-10-10  r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators  [Gerald Carter, 1 file, -1/+1]
    group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
    * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code.
    * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. This fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present.
    * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam(). Otherwise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid.
    * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code)
    Still todo.
    * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running
    * issues with "su - user -c 'groups'" command
    * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add something similar as I did for Administrators.
    (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10  r14392: Use KRB5_TGS_NAME.  [Günther Deschner, 1 file, -1/+1]
    Guenther (This used to be commit 4cfd737cc1d8840888f80e360119eeb627acb381)
2007-10-10  r14275: Shut-up coverity false positive (bug #199) by making an assertion  [Jeremy Allison, 1 file, -0/+7]
    explicit. Jeremy. (This used to be commit aeae20a8d9f3658acb8edd373eb601bdf7eab98b)
2007-10-10  r14259: Fix coverity #42. Ensure contact_domain can't be null derefed  [Jeremy Allison, 1 file, -4/+6]
    in error code path. Jeremy. (This used to be commit 9f5fcdd8fb437882568e38e174e2df27bd077ba3)
2007-10-10  r14148: Removing the not very well tested krb5 ticket refresh handling activated  [Günther Deschner, 1 file, -8/+1]
    over --with-kcm. No time to look after it for the moment. Guenther (This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
2007-10-10  r13914: Fix Coverity bug #151.  [Volker Lendecke, 1 file, -1/+1]
    I think this is actually a false warning, but as I've seen it with high gcc warning levels, let's fix it :-) Volker (This used to be commit 3f671033bca7a025f9639728a0a0a0adede6ed35)
2007-10-10  r13895: As agreed upon with gd on the phone, remove  [Volker Lendecke, 1 file, -12/+0]
    WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8)
2007-10-10  r13720: Only lockout Administrator after x bad password attempts in offline-mode  [Günther Deschner, 1 file, -8/+37]
    when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
2007-10-10  r13679: Committing the rm_primary_group.patch posted on samba-technical  [Gerald Carter, 1 file, -0/+1]
    * ignore the primary group SID attribute from struct samu*
    * generate the primary group SID strictly from the Unix primary group when dealing with passdb users
    * Fix memory leak in original patch caused by failing to free a talloc *
    * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix()
    (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10  r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().  [Günther Deschner, 1 file, -6/+2]
    Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af)
2007-10-10  r13571: Replace all calls to talloc_free() with the TALLOC_FREE()  [Gerald Carter, 1 file, -1/+1]
    macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10  r13492: As no one objected on the mailing-list:  [Günther Deschner, 1 file, -2/+11]
    Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10  r13442: Implement samr_chgpasswd_user3 server-side.  [Günther Deschner, 1 file, -8/+8]
    Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
2007-10-10  r13409: No functional changes, just some DEBUG cleanup.  [Günther Deschner, 1 file, -1/+1]
    Guenther (This used to be commit 286f6fc2339cf4ef232c16466b8dffdcddbe343f)
2007-10-10  r13377: Fix from Volker: Make offline authentication work with NT4 as well  [Günther Deschner, 1 file, -2/+12]
    (handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
2007-10-10  r13375: Match XP behaviour: Don't force 'Administrator' to change an expired  [Günther Deschner, 1 file, -13/+2]
    password on logon. (this might be true for all domain admins as well). Guenther (This used to be commit 24c6b9fecb521380008cb44e6d987a6f495027dc)
2007-10-10  r13316: Let the carnage begin....  [Gerald Carter, 1 file, -33/+993]
    Sync with trunk as of r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
2007-10-10  r13042: Fix for bug #3248 Stefan Burkei <stefan@burkei.de>.  [Jeremy Allison, 1 file, -1/+2]
    When doing auth_crap authentication use the client given workstation name not our own. Jeremy. (This used to be commit a2bb2e3e819c56b710885fc8206632e22a6ec0ce)
2007-10-10  r12313: Introduce yet another copy of the string_sub function:  [Volker Lendecke, 1 file, -6/+12]
    talloc_string_sub. Someone with time on his hands could convert all the callers of all_string_sub to this. realloc_string_sub is *only* called from within substitute.c, it could be moved there I think. Volker (This used to be commit be6c9012da174d5d5116e5172a53bbe6486d6c38)
2007-10-10  r11851: Display correct error string.  [Günther Deschner, 1 file, -1/+1]
    Guenther (This used to be commit 4d681f560e59dd483f580c5fe5299af6242ae7c2)
2007-10-10  r11667: Fix a debug message  [Volker Lendecke, 1 file, -2/+3]
    (This used to be commit d1f506fa1353cd1b9ddba923dc17a884f7560be6)
2007-10-10  r11661: Store the INFO3 in the PAC data into the netsamlogon_cache.  [Gerald Carter, 1 file, -2/+2]
    Also remove the mem_ctx from the netsamlogon_cache_store() API. Guenther, what should we be doing with the other fields in the PAC_LOGON_INFO? (This used to be commit 8bead2d2825015fe41ba7d7401a12c06c29ea7f7)
2007-10-10  r11652: Reinstate the netsamlogon_cache in order to work  [Gerald Carter, 1 file, -0/+8]
    around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as well as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away. Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)
2007-10-10  r11573: Adding Andrew Bartlett's patch to make machine account  [Jeremy Allison, 1 file, -18/+20]
    logons work if the client gives the MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT or MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flags. This changes the auth module interface to 2 (from 1). The effect of this is that clients can access resources as a machine account if they set these flags. This is the same as Windows (think of a VPN where the vpn client authenticates itself to a VPN server using machine account credentials - the vpn server checks that the machine password was valid by performing a machine account check with the PDC in the same way as it would a user account check). I may add in a restriction (parameter) to allow this behaviour to be turned off (as it was previously). That may be on by default. Andrew Bartlett please review this change carefully. Jeremy. (This used to be commit d1caef866326346fb191f8129d13d98379f18cd8)
2007-10-10  r10656: BIG merge from trunk. Features not copied over  [Gerald Carter, 1 file, -114/+58]
    * \PIPE\unixinfo
    * winbindd's {group,alias}membership new functions
    * winbindd's lookupsids() functionality
    * swat (trunk changes to be reverted as per discussion with Deryck)
    (This used to be commit 939c3cb5d78e3a2236209b296aa8aba8bdce32d3)