Age | Commit message (Collapse) | Author | Files | Lines |
|
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a log more security descriptor functions from
gen_ndr/ndr_security.c in SAMBA_4_0
The most embarassing thing is the "#define strlen_m strlen"
We need a real implementation in SAMBA_3_0 which I'll work on
after this code is in.
(This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
|
|
Guenther
(This used to be commit 576488933b8e04ddd6cb45a7992374efe174a404)
|
|
this at the moment as I'm working on this area. Thanks
a lot Guenther.
Add the capability to get krb5 tickets even if we
log on in the offline state and have to cache
the credentials. Once we go online we should
start getting krb5 tickets again. Currently
this code waits until lp_winbind_cache_time()
seconds (5 minutes by default) before getting
tickets. This is correct in the DC down case,
but not in the global offline -> online case.
I'll later add a trigger to force an immediate refresh
on the offline -> online state transition.
Jeremy.
(This used to be commit 04fe034f4a222c83a8d788040f7edc370afe9fa6)
|
|
removed immediately in the handler.
Extra debug info tracking down winbindd DC
selection.
Jeremy.
(This used to be commit 7ba9b6ce588f716589e9f88ed146fad36c4b3758)
|
|
it can't talk to it.
Jeremy.
(This used to be commit 7385a076f8fd351472d37d9363304948e88f9f99)
|
|
Jeremy.
(This used to be commit 9c943dfe2d23e2d01df53ac81625278d4f870aa3)
|
|
Jeremy.
(This used to be commit aa62bb6b4ccb46a58bbe8f46d552a062ca06c238)
|
|
Instead of trying to do this in the winbindd_cache
entries, add a timed even handler to probe every
5 mins when disconnected.
Fix events to run all pending events, rather than
only one.
Jeremy.
(This used to be commit 7bfbe1b4fb9a91c6678035f220bbf0b4f5afdcac)
|
|
with timeouts. Also, wait for 5 seconds not 10
on connecting to a DC.
Jeremy.
(This used to be commit 6792460ba6a198646404abae10979489ca03ca5c)
|
|
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
|
|
Guenther
(This used to be commit 8bf197ee1658616448dcb752f51743365070901a)
|
|
pam offline logons.
Guenther
(This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
|
|
counted struct. Doh !
Jeremy.
(This used to be commit 8c78386e8da72108551cff72a6cc9da89264ddee)
|
|
Jeremy.
(This used to be commit 131682461c87973ac9ce0e2d097ad4d7b7afb23c)
|
|
cache the SAF name under both the domain name
and the realm name, as we could be looking up
under both. Jerry please check.
Jeremy.
(This used to be commit 9d954d2deb46698b3834c7caf5ee0cfe628086b5)
|
|
name that will be returned by winbindd. This
(should) fix the bug where the user logs in
with DOMAIN\user but winbindd returns only
"user" for the username due to 'winbind use
default domain' being set.
Jeremy.
(This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
|
|
(This used to be commit 86f4ca84f2df2aa8977eb24828e3aa840dda7201)
|
|
(This used to be commit 30df6cb65f2dcc1829ea362ea0bc2a5e10f9819a)
|
|
Compiled it on systems with and without LDAP, I hope it does not break the
build farm too badly. If it does, I'll fix it tomorrow.
Volker
(This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
|
|
set_dc_type_and_flags().
Fix problem when DC is down in ads_connect, where
we fall back to NetBIOS and try exactly the same
IP addresses we just put in the negative connection
cache.... We can never succeed, so don't try lookups
a second time.
Jeremy.
(This used to be commit 2d28f3e94a1a87bc9e9ed6630ef48b1ce17022e8)
|
|
server in winbindd when it's down and listed
in the -ve connection cache. Fix memory leak,
reduce timeout for cldap calls - minimum 3 secs.
Jeremy.
(This used to be commit 10b32cb6de234fa17fdd691bb294864d4d40f782)
|
|
krb5.conf files under lockdir, not privatedir.
Jeremy.
(This used to be commit c59eff3e53f5bfae3a9fb136e8566628339863ad)
|
|
working right. Don't update the server site when we
have a client one...
Jeremy.
(This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
|
|
Jeremy.
(This used to be commit 86bfac33e35ee636581b88eb2ff55800c48b9a7b)
|
|
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
|
|
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
|
|
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a9833941715472ece747bce69ef53ba8ad98d7a5)
|
|
krb5 refresh creds when doing cached NTLM auth, request
the memory creds instead.
Jeremy.
(This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
|
|
get_sorted_dc_list
return NTSTATUS.
If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.
Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?
Volker
(This used to be commit 60a166f0347170dff38554bed46193ce1226c8c1)
|
|
from the krb5 ticket renewal code. This allows cached
credentials to be stored for single sign-on via ntlm_auth
for machines in a domain still using NTLM. Also (hopefully)
fixes the reference counting problem with pam_logon/logoff
so multiple logons/logoffs won't lose cached credentials.
This compiles, but I'm intending to test it over the weekend
so don't complain too much :-). I also want it in the tree
so Coverity can scan it for errors. Guenther, check this over
please - I ran through the architecture with Jerry and he's
ok with it, but this is modifying your code a lot.
Jeremy.
(This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
|
|
AD DC
* Merge patches from SLES10 to make sure we talk to the correct
winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
|
|
FreeBSD. Change to sys_getpeerid(). Thanks to
vl for pointing this out.
Jeremy.
(This used to be commit dd0069cfcabb25dc7dc0d336696a5f2580abb5a1)
|
|
Jeremy
(This used to be commit b711587f6e33bc5781b15da7bc49b31db4653073)
|
|
the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
|
|
stored - only store the password if we're going to
be doing a krb5 refresh. GD please review this change !
Now to add code to reference count the cached creds
(to allow multiple pam_logon/pam_logoffs to keep the
creds around), ensure that the cred cache is called
on all successful pam_logons (if we have winbindd cache
pam credentials = true, set this by default) and finally
ensure the creds cache is changed on successful password
change. GD - you *really* need to review this :-).
Jeremy.
(This used to be commit 017e7e14958d29246a1b221e33755bb91e96b08f)
|
|
ntlm_auth module to allow it to use winbindd cached
credentials.The credentials are currently only stored
in a krb5 MIT environment - we need to add an option to
winbindd to allow passwords to be stored even in an NTLM-only
environment.
Patch from Robert O'Callahan, modified with some fixes
by me.
Jeremy.
(This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
|
|
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
|
|
(This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497)
|
|
Volker
(This used to be commit 94817a8ef53589011bc4ead4e17807a101acf5c9)
|
|
(This used to be commit c7d115a7d08ecebe2ba70b3f0efae39a1fd8e42a)
|
|
for storing offline hashes.
Jeremy.
(This used to be commit c8e6f7e41c9db436b34dd127d77940d7b43bf13b)
|
|
error conditions
(This used to be commit 954593bd41ff2475df5d37eae18be08ffa3002eb)
|
|
Found by Whitfield school.
Jeremy.
(This used to be commit f8584a475853bd8937fb0cf1b304c98f96fbd872)
|
|
This patch add some missing async functions to
solve UID/GID -> SID requests not just out of the cache,
but down the remote idmap if necessary.
This patch solves the problem of servers not showing users/groups names
for allocated UID/GIDs when joined to a group of servers that share a
prepopulated idmap backend.
Also correctly resolve UID/GIDs to SIDs when looking ACLs from the
windows security tab on teh same situation.
Simo.
(This used to be commit b8578bfab6a04fcd65a2e65f507067459e326077)
|
|
other PAM modules to pick it up from there.
Guenther
(This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5)
|
|
Guenther
(This used to be commit 62a8e0b08919e71c6a575ce6d89d8a4a09acbd87)
|
|
(This used to be commit fd82f185a2e0f94bfb75f4eee072556ad94bf27d)
|
|
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
|
|
(This used to be commit 1a5874588686fb4ece9be70059ff75b975ed2bd5)
|
|
This break local users and 'winbind nested groups' on domain members.
Cannot be helped.
My plans is to move the default domain crud to the client code (pam and
nss libraries) in 3.0.24.
(This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)
|