summaryrefslogtreecommitdiff
path: root/source3/nsswitch/winbindd_util.c
AgeCommit message (Collapse)AuthorFilesLines
2004-01-08fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() replyGerald Carter1-3/+2
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett1-10/+29
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-07Machines are people too!Andrew Bartlett1-5/+1
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2004-01-05Fix warningVolker Lendecke1-1/+1
Volker (This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett1-6/+4
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett1-3/+1
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-31Jerry rightly complained that we can't assume that the first domain isAndrew Bartlett1-3/+21
our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). Andrew Bartlett (This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
2003-12-31auth/auth_util.c:Andrew Bartlett1-14/+46
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell1-0/+1
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-4/+4
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter1-1/+0
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter1-11/+24
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-08-27Typo fix.Rafal Szczesniak1-1/+1
(This used to be commit 934fb418a3a3628ee4cde699df872bc1035fc769)
2003-08-27Update last scan time in rescan_trusted_domains().Tim Potter1-0/+2
Fix from Ken Cross. (This used to be commit 45775b48a0d91390aa698b750d59cda0150cfbd0)
2003-08-25make sure we keep the trusted domain cache up to dateGerald Carter1-2/+31
(This used to be commit 3324adcaceb9191b5d4d671ac9b51c85c6714598)
2003-08-15get rid of more compiler warningsHerb Lewis1-1/+1
(This used to be commit 398bd14fc6e2f8ab2f34211270e179b8928a6669)
2003-08-08fix 2 bugs:Gerald Carter1-32/+29
1) don't ask trusted DC's for a list of trusted domains. This causes us to treat non-transitive ones as if they were transitive. Not needed anyways 2) Fix dc lookup bug where we would always try to use DNS to resolve the DC's for a domain (even if it was a trusted NT4 domain). (This used to be commit 4d3acce5066d3adf53ee8fbaa627c42523b3cbc3)
2003-08-01fix cut-n-paste error found by abartletGerald Carter1-8/+10
(This used to be commit 042492b862c4f2389086275dd8a0e044d7432537)
2003-07-31make sure the domain sid is set when enumerating trusted domainsGerald Carter1-1/+24
(we don't always get it back) (This used to be commit 6e8f23d1b1dd5122691cd9363a5c572fcab182af)
2003-07-31working on transtive trusts issue:Gerald Carter1-4/+54
* use DsEnumerateDomainTrusts() instead of LDAP search. wbinfo -m now lists all trusted downlevel domains and all domains in the forest. Thnigs to do: o Look at Krb5 connection trusted domains o make sure to initial the trusted domain cache as soon as possible (This used to be commit 0ab00ccaedf204b39c86a9e1c2fcac5f15d0e033)
2003-07-10Just a few formatting fixed caught while testing.Rafal Szczesniak1-4/+0
rafal (This used to be commit 156554738cf4e4ffa5a811d9979acd19418e7908)
2003-07-09Large set of changes to add UNIX account/group managementGerald Carter1-6/+10
to winbindd. See README.idmap-and-winbind-changes for details. (This used to be commit 1111bc7b0c7165e1cdf8d90eb49f4c368d2eded6)
2003-07-03Removed strupper/strlower macros that automatically map to ↵Jeremy Allison1-1/+1
strupper_m/strlower_m. I really want people to think about when they're using multibyte strings. Jeremy. (This used to be commit ff222716a08af65d26ad842ce4c2841cc6540959)
2003-06-24Explain why winbindd is exiting.Jeremy Allison1-2/+4
Jeremy. (This used to be commit a411923aa2eba9dac49efb68ed31650c11b5c33d)
2003-06-24add tdb backup function separation and winbind idmap upgrade code formSimo Sorce1-0/+206
pre-2.2.4 tdb database format. tx volker for your work on this (This used to be commit 2bdbeb9e97a59ecd16f74fbb04ab5ca57b28a757)
2003-06-10- fixed the bug that forced us not to use the winbindd cache when weAndrew Tridgell1-2/+3
have a primary ADS domain and a secondary (trusted) NT4 domain. This caused winbindd to be *really* slow for that setup. - fixed winbindd_getgrgid(), which was calling uid_to_sid instead of gid_to_sid(). When you make changes to winbind *PLEASE* test using nsstest. (This used to be commit cdd9b60a078b63e22f543d4c8d0956ff536f4d89)
2003-06-03* set winbind cache time to 5 minutesGerald Carter1-6/+4
* quit obsessing over the sequence number so much * share the updated sequence number between parent and child winbindd processes in dual mode (This used to be commit 6f99cafa95b2a9dc98d8272fe6a54e9d37098340)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-5/+4
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-04-29remove convert_smbpasswd and addtosmbpass from tree; people can get them ↵Gerald Carter1-2/+3
from 2.2. if they still need them (This used to be commit 237857a760974bb02000e5d3a776240ec73ca6b6)
2003-04-23Merge HEAD's winbind into 3.0.Andrew Bartlett1-7/+33
This includes the 'SIDs Rule' patch, mimir's trusted domains cacheing code, the winbind_idmap abstraction (not idmap proper, but the stuff that held up the winbind LDAP backend in HEAD). Andrew Bartlett (This used to be commit d4d5e6c2ee6383c6cceb5d449aa2ba6c83eb0666)
2003-03-24(merge from HEAD)Andrew Bartlett1-0/+24
NTLM Authentication: - Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit ec071ca3dcbd3881dc08e6a8d7ac2ff0bcd57664)
2003-02-14Mop and bucket for trusted domain enumeration fix.Tim Potter1-6/+7
(This used to be commit 5cfb30551a713caa3d69406450c1eac4541a30fa)
2003-01-15Merge of holding pattern stuff from HEAD.Tim Potter1-21/+5
(This used to be commit bf8bb62023bcd38e5bc53ef1ac2183360d6ff734)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-2/+2
named. Ensure we can query them. Jeremy. (This used to be commit 09a218a9f6fb0bd922940467bf8500eb4f1bcf84)
2002-12-20Formatting syncup.Tim Potter1-2/+4
(This used to be commit 4277262c74ef16971658f53edd403b335542d9f2)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-5/+4
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit f755711df8f74f9b8e8c1a2b0d07d02a931eeb89)
2002-11-07Perform my janitorial duties.Tim Potter1-6/+0
(This used to be commit 3810f13682617d043d3cffaafe8a7cb7125c4ecd)
2002-11-07Keep branches in sync.....Jeremy Allison1-1/+7
Jeremy. (This used to be commit faf92207e71980aaaad8b5487f5c2d6a60f7ddd1)
2002-11-06Merge things that bloody tpot should be doing :-).Jeremy Allison1-2/+14
Jeremy. (This used to be commit 77d534f7fd9ad74ca6d5e74860b29bb8ad54268f)
2002-11-02Some winbindd cleanups I made trying to fix cr1020:Tim Potter1-0/+86
- move winbindd client handling into accessor functions in winbindd_util.c - move some winbindd socket routines into accessor functions in winbindd_utils.c (The deadlock situation mentioned in the appliance branch is probably not applicable since we don't clear the connection cache on SIGHUP. Perhaps we should?) (This used to be commit ee0e3d31a1d1bef70810aadcdafdf9678d21ea8f)
2002-10-08merge from APP_HEAD of winbindd's domain local group fixGerald Carter1-1/+1
(This used to be commit 09c6f6329d6ae9327b7ef06de0ea78d24d805456)
2002-10-04* merge native_mode flag in winbindd_domain struct from app-headGerald Carter1-1/+10
* add some files missing from a previous commit (This used to be commit 29159c97371c75327e377f9d13406dad46095568)
2002-09-25sync'ing up for 3.0alpha20 releaseGerald Carter1-2/+8
(This used to be commit 65e7b5273bb58802bf0c389b77f7fcae0a1f6139)
2002-08-17sync 3.0 branch with headJelmer Vernooij1-41/+77
(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)
2002-07-15updated the 3.0 branch from the head branch - ready for alpha18Andrew Tridgell1-4/+3
(This used to be commit 03ac082dcb375b6f3ca3d810a6a6367542bc23ce)
2002-03-09prevent a segv when a trusted domain is unavailable at startupAndrew Tridgell1-3/+2
(This used to be commit d5b5d3f8400a80c943809db9578a2d7317aa6d2d)
2002-02-27this allows us to support foreign SIDs in winbindd and smbdAndrew Tridgell1-1/+1
this means "xcopy /o" has a chance of working with ACLs that contain ACEs that use SIDs that the Samba server has no knowledge of. It's a bit hackish, Tim, can you look at my uid.c changes? (This used to be commit fe2db3148587937aa7b674c1c99036d42a3776b3)
2002-01-30Removed version number from file header.Tim Potter1-1/+1
Changed "SMB/Netbios" to "SMB/CIFS" in file header. (This used to be commit 6a58c9bd06d0d7502a24bf5ce5a2faf0a146edfa)
2002-01-26Change the winbind interface to use seperate 'domain' and 'username' feilds forAndrew Bartlett1-1/+0
the sid->uid and uid->sid conversions. Remove some duplicate arguments from these funcitons, and update the request/response structures for this and the 'winbind domain name' feature. As such 'winbindd_lookup_name' now takes both a domain and username. (This used to be commit ce1b4d4c309e4a60bec5a53224585bd504264672)
2002-01-20This patch makes the 'winbind use default domain' code interact better withAndrew Bartlett1-22/+5
smbd, and also makes it much cleaner inside winbindd. It is mostly my code, with a few changes and testing performed by Alexander Bokovoy <a.bokovoy@sam-solutions.net>. ab has tested it in security=domain and security=ads, but more testing is always appricatiated. The idea is that we no longer cart around a 'domain\user' string, we keep them seperate until the last moment - when we push that string into a pwent on onto the socket. This removes the need to be constantly parsing that string - the domain prefix is almost always already provided, (only a couple of functions actually changed arguments in all this). Some consequential changes to the RPC client code, to stop it concatonating the two strings (it now passes them both back as params). I havn't changed the cache code, however the usernames will no longer have a double domain prefix in the key string. The actual structures are unchanged - but the meaning of 'username' in the 'rid' will have changed. (The cache is invalidated at startup, so on-disk formats are not an issue here). Andrew Bartlett (This used to be commit e870f0e727952aeb8599cf93ad2650ae56eca033)