path: root/source3/nsswitch
Age | Commit message | Author | Files | Lines
2007-10-10 | r18271: Big change: | Gerald Carter | 14 | -77/+77
* autogenerate lsa ndr code
* rename 'enum SID_NAME_USE' to 'enum lsa_SidType'
* merge a lot more security descriptor functions from gen_ndr/ndr_security.c in SAMBA_4_0
The most embarrassing thing is the "#define strlen_m strlen" We need a real implementation in SAMBA_3_0 which I'll work on after this code is in. (This used to be commit 3da9f80c28b1e75ef6d46d38fbb81ade6b9fa951)
2007-10-10 | r18259: Fix the non-krb5 builds. | Günther Deschner | 1 | -1/+2
Guenther (This used to be commit 576488933b8e04ddd6cb45a7992374efe174a404)
2007-10-10 | r18239: THIS IS GUENTHER'S WORK !!! He's allowing me to merge | Jeremy Allison | 3 | -51/+219
this at the moment as I'm working on this area. Thanks a lot Guenther. Add the capability to get krb5 tickets even if we log on in the offline state and have to cache the credentials. Once we go online we should start getting krb5 tickets again. Currently this code waits until lp_winbind_cache_time() seconds (5 minutes by default) before getting tickets. This is correct in the DC down case, but not in the global offline -> online case. I'll later add a trigger to force an immediate refresh on the offline -> online state transition. Jeremy. (This used to be commit 04fe034f4a222c83a8d788040f7edc370afe9fa6)
2007-10-10 | r18224: Paranoia - ensure the oplock event handler is | Jeremy Allison | 1 | -1/+10
removed immediately in the handler. Extra debug info tracking down winbindd DC selection. Jeremy. (This used to be commit 7ba9b6ce588f716589e9f88ed146fad36c4b3758)
2007-10-10 | r18199: Allow winbindd to delete a saf_ entry if it knows | Jeremy Allison | 1 | -0/+4
it can't talk to it. Jeremy. (This used to be commit 7385a076f8fd351472d37d9363304948e88f9f99)
2007-10-10 | r18196: Fix debug message (this should be online not offline). | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 9c943dfe2d23e2d01df53ac81625278d4f870aa3)
2007-10-10 | r18192: Fix the build. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit aa62bb6b4ccb46a58bbe8f46d552a062ca06c238)
2007-10-10 | r18191: Fix the online/offline state handling of winbindd. | Jeremy Allison | 5 | -24/+145
Instead of trying to do this in the winbindd_cache entries, add a timed event handler to probe every 5 mins when disconnected. Fix events to run all pending events, rather than only one. Jeremy. (This used to be commit 7bfbe1b4fb9a91c6678035f220bbf0b4f5afdcac)
2007-10-10 | r18189: When tearing down a connection we can be harsher | Jeremy Allison | 1 | -5/+29
with timeouts. Also, wait for 5 seconds not 10 on connecting to a DC. Jeremy. (This used to be commit 6792460ba6a198646404abae10979489ca03ca5c)
2007-10-10 | r18188: merge 3.0-libndr branch | Jelmer Vernooij | 3 | -14/+14
(This used to be commit 1115745caed3093c25d6be01ffee21819fb0a675)
2007-10-10 | r18167: Adding DEBUG() to winbinds refresh seqnum to track down a failure. | Günther Deschner | 1 | -0/+1
Guenther (This used to be commit 8bf197ee1658616448dcb752f51743365070901a)
2007-10-10 | r18158: Stop winbindd from accumulating memory creds infinitely when doing | Günther Deschner | 2 | -16/+25
pam offline logons. Guenther (This used to be commit 95788cb291b89b431972e29e148b412992cc32a5)
2007-10-10 | r18128: Don't forget to set the ref count to 1 on a reference | Jeremy Allison | 1 | -0/+1
counted struct. Doh ! Jeremy. (This used to be commit 8c78386e8da72108551cff72a6cc9da89264ddee)
2007-10-10 | r18107: Only do a SAF realm store if the logon was krb5. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 131682461c87973ac9ce0e2d097ad4d7b7afb23c)
2007-10-10 | r18063: When we get a successful connection using ADS, | Jeremy Allison | 1 | -0/+3
cache the SAF name under both the domain name and the realm name, as we could be looking up under both. Jerry please check. Jeremy. (This used to be commit 9d954d2deb46698b3834c7caf5ee0cfe628086b5)
2007-10-10 | r18062: Fix to ensure the name used by pam matches the | Jeremy Allison | 2 | -8/+60
name that will be returned by winbindd. This (should) fix the bug where the user logs in with DOMAIN\user but winbindd returns only "user" for the username due to 'winbind use default domain' being set. Jeremy. (This used to be commit 1b2aa17354d50740902010f4a1e0217c8b1f7bdd)
2007-10-10 | r18047: More C++ stuff | Volker Lendecke | 1 | -4/+7
(This used to be commit 86f4ca84f2df2aa8977eb24828e3aa840dda7201)
2007-10-10 | r18028: Fix warnings on non-krb5 systems | Volker Lendecke | 2 | -13/+21
(This used to be commit 30df6cb65f2dcc1829ea362ea0bc2a5e10f9819a)
2007-10-10 | r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore. | Volker Lendecke | 1 | -11/+11
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10 | r18015: Try and detect network failures immediately in | Jeremy Allison | 1 | -5/+12
set_dc_type_and_flags(). Fix problem when DC is down in ads_connect, where we fall back to NetBIOS and try exactly the same IP addresses we just put in the negative connection cache.... We can never succeed, so don't try lookups a second time. Jeremy. (This used to be commit 2d28f3e94a1a87bc9e9ed6630ef48b1ce17022e8)
2007-10-10 | r18010: Ensure we don't timeout twice to the same | Jeremy Allison | 1 | -8/+11
server in winbindd when it's down and listed in the -ve connection cache. Fix memory leak, reduce timeout for cldap calls - minimum 3 secs. Jeremy. (This used to be commit 10b32cb6de234fa17fdd691bb294864d4d40f782)
2007-10-10 | r17997: Ensure lockdir exists for winbindd. Store tmp | Jeremy Allison | 1 | -0/+4
krb5.conf files under lockdir, not privatedir. Jeremy. (This used to be commit c59eff3e53f5bfae3a9fb136e8566628339863ad)
2007-10-10 | r17994: Add debugs that showed me why my site code wasn't | Jeremy Allison | 1 | -0/+1
working right. Don't update the server site when we have a client one... Jeremy. (This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
2007-10-10 | r17947: Remove extra const. | Jeremy Allison | 1 | -1/+1
Jeremy. (This used to be commit 86bfac33e35ee636581b88eb2ff55800c48b9a7b)
2007-10-10 | r17945: Store the server and client sitenames in the ADS | Jeremy Allison | 1 | -1/+1
struct so we can see when they match - only create the ugly krb5 hack when they do. Jeremy. (This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
2007-10-10 | r17943: The horror, the horror. Add KDC site support by | Jeremy Allison | 1 | -26/+37
writing out a custom krb5.conf file containing the KDC I need. This may suck.... Needs some testing :-). Jeremy. (This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
2007-10-10 | r17937: Move the saf_ cache into the tcp ad connection code. | Jeremy Allison | 1 | -2/+16
Cause winbindd to set site support before doing the generic AD server lookup. Jeremy. (This used to be commit a9833941715472ece747bce69ef53ba8ad98d7a5)
2007-10-10 | r17897: Store the uid in the memory creds. Don't request the | Jeremy Allison | 4 | -11/+27
krb5 refresh creds when doing cached NTLM auth, request the memory creds instead. Jeremy. (This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
2007-10-10 | r17881: Another microstep towards better error reporting: Make | Volker Lendecke | 1 | -1/+2
get_sorted_dc_list return NTSTATUS. If we want to differentiate different name resolution problems we might want to introduce yet another error class for Samba-internal errors. Things like no route to host to the WINS server, a DNS server explicitly said host not found etc might be worth passing up. Because we can not stash everything into the existing NT_STATUS codes, what about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP? Volker (This used to be commit 60a166f0347170dff38554bed46193ce1226c8c1)
2007-10-10 | r17837: Split out the storing of memory cached credentials | Jeremy Allison | 4 | -201/+422
from the krb5 ticket renewal code. This allows cached credentials to be stored for single sign-on via ntlm_auth for machines in a domain still using NTLM. Also (hopefully) fixes the reference counting problem with pam_logon/logoff so multiple logons/logoffs won't lose cached credentials. This compiles, but I'm intending to test it over the weekend so don't complain too much :-). I also want it in the tree so Coverity can scan it for errors. Guenther, check this over please - I ran through the architecture with Jerry and he's ok with it, but this is modifying your code a lot. Jeremy. (This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
2007-10-10 | r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from | Gerald Carter | 4 | -47/+27
AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
2007-10-10 | r17630: Looks like getpeerid() is a system function on | Jeremy Allison | 1 | -1/+1
FreeBSD. Change to sys_getpeerid(). Thanks to vl for pointing this out. Jeremy. (This used to be commit dd0069cfcabb25dc7dc0d336696a5f2580abb5a1)
2007-10-10 | r17618: Not using a cache version number (yet). We really should... | Jeremy Allison | 1 | -1/+0
Jeremy (This used to be commit b711587f6e33bc5781b15da7bc49b31db4653073)
2007-10-10 | r17617: Take Andrew Bartlett's excellent advice and don't store | Jeremy Allison | 3 | -10/+63
the nt hash directly in the winbindd cache, store a salted version (MD5 of salt + nt_hash). This is what we do in the LDAP password history code. We store this salted cache entry under the same name as an old entry (CRED/<sid>) but detect it on read by checking if there are 17 bytes of data after the first stored hash (1 byte len, 16 bytes hash). GD PLEASE CHECK. Jeremy. (This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
2007-10-10 | r17616: Add the lm and nt hashes to the cached credentials | Jeremy Allison | 3 | -28/+52
stored - only store the password if we're going to be doing a krb5 refresh. GD please review this change ! Now to add code to reference count the cached creds (to allow multiple pam_logon/pam_logoffs to keep the creds around), ensure that the cred cache is called on all successful pam_logons (if we have winbindd cache pam credentials = true, set this by default) and finally ensure the creds cache is changed on successful password change. GD - you *really* need to review this :-). Jeremy. (This used to be commit 017e7e14958d29246a1b221e33755bb91e96b08f)
2007-10-10 | r17610: Added the ability for firefox to drive the winbindd | Jeremy Allison | 5 | -4/+310
ntlm_auth module to allow it to use winbindd cached credentials. The credentials are currently only stored in a krb5 MIT environment - we need to add an option to winbindd to allow passwords to be stored even in an NTLM-only environment. Patch from Robert O'Callahan, modified with some fixes by me. Jeremy. (This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
2007-10-10 | r17605: Some C++ warnings | Volker Lendecke | 9 | -28/+48
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10 | r17584: Some C++ Warnings | Volker Lendecke | 1 | -1/+1
(This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497)
2007-10-10 | r17571: Change the return code of cli_session_setup from BOOL to NTSTATUS | Volker Lendecke | 1 | -8/+10
Volker (This used to be commit 94817a8ef53589011bc4ead4e17807a101acf5c9)
2007-10-10 | r17469: remove unused variable | Simo Sorce | 1 | -1/+0
(This used to be commit c7d115a7d08ecebe2ba70b3f0efae39a1fd8e42a)
2007-10-10 | r17464: Ensure we use a hash16 data type, not a string, | Jeremy Allison | 1 | -3/+45
for storing offline hashes. Jeremy. (This used to be commit c8e6f7e41c9db436b34dd127d77940d7b43bf13b)
2007-10-10 | r17462: Fix a cut&paste bug that caused us to return a null SID on some | Simo Sorce | 1 | -0/+6
error conditions (This used to be commit 954593bd41ff2475df5d37eae18be08ffa3002eb)
2007-10-10 | r17461: Ensure we never save a NULL SID mapping. || should be &&. | Jeremy Allison | 1 | -1/+1
Found by Whitfield school. Jeremy. (This used to be commit f8584a475853bd8937fb0cf1b304c98f96fbd872)
2007-10-10 | r17459: As by Jerry's word commit this without his review. | Simo Sorce | 6 | -50/+246
This patch adds some missing async functions to solve UID/GID -> SID requests not just out of the cache, but down the remote idmap if necessary. This patch solves the problem of servers not showing users/groups names for allocated UID/GIDs when joined to a group of servers that share a prepopulated idmap backend. Also correctly resolve UID/GIDs to SIDs when looking ACLs from the windows security tab on the same situation. Simo. (This used to be commit b8578bfab6a04fcd65a2e65f507067459e326077)
2007-10-10 | r17366: Save the logon script path from the info3 in the PAM session allowing | Günther Deschner | 2 | -4/+19
other PAM modules to pick it up from there. Guenther (This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5)
2007-10-10 | r17365: Fix memleak. | Günther Deschner | 1 | -1/+4
Guenther (This used to be commit 62a8e0b08919e71c6a575ce6d89d8a4a09acbd87)
2007-10-10 | r17363: Some C++ warnings | Volker Lendecke | 1 | -7/+13
(This used to be commit fd82f185a2e0f94bfb75f4eee072556ad94bf27d)
2007-10-10 | r17345: Some C++ warnings | Volker Lendecke | 2 | -2/+2
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
2007-10-10 | r17162: Fix typo small typos noticed by Paul Green. | Gerald Carter | 1 | -1/+1
(This used to be commit 1a5874588686fb4ece9be70059ff75b975ed2bd5)
2007-10-10 | r17159: Bug 3920: Restore winbind use default domain behavior for domain groups. | Gerald Carter | 2 | -18/+25
This breaks local users and 'winbind nested groups' on domain members. Cannot be helped. My plan is to move the default domain crud to the client code (pam and nss libraries) in 3.0.24. (This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)