summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r14698: Make sure we expand our own local groups and notGerald Carter1-1/+13
just the BUILTIN group when calling winbindd_getgroups. $ id foo uid=502(foo) gid=100(users) groups=100(users),10007(RHEL4\staff), 10001(BUILTIN\users) (This used to be commit 603b4b501a759510d2ec66cbe5ab1e9f5dc5dbc1)
2007-10-10r14675: Protect against null sids and rids in the cached credentials functions.Günther Deschner1-2/+28
Guenther (This used to be commit e162253a32119a31dd652b00f942d4c1a16fab83)
2007-10-10r14674: Further cleanup for cached logins, only dump hashes with DEBUG_PASSWORD.Günther Deschner3-1/+9
Guenther (This used to be commit 24afdda2ae7626b8c0b378d158ede391924d1274)
2007-10-10r14618: add --no-process-group to all server programmsStefan Metzmacher1-2/+4
to make the following possible: timelimit 20000 bin/nmbd -F -S --no-process-group timelimit 20000 bin/smbd -F -S --no-process-group this is needed to 'make test' working without losing child processes metze (This used to be commit c3a9f30e2a12cc852c9fa3a7d161f5c6ee0694ce)
2007-10-10r14611: Fix init_creds_opts issue jerry discovered when using MIT krb5 1.3:Günther Deschner1-1/+1
We were using a far too short renewable_time in the request; newer MIT releases take care interally that the renewable time is never shorter then the default ticket lifetime. Guenther (This used to be commit bde4a4018e26bc9aab4b928ec9811c05b21574f3)
2007-10-10r14597: Merge DCERPC_FAULT constants from Samba 4.Günther Deschner1-1/+1
Guenther (This used to be commit 3f195f8248c88ec8bf8ceb195575ce6bb49d7fc4)
2007-10-10r14585: Tighten argument list of kerberos_kinit_password again,Günther Deschner2-16/+16
kerberos_kinit_password_ext provides access to more options. Guenther (This used to be commit afc519530f94b420b305fc28f83c16db671d0d7f)
2007-10-10r14514: Fixing last commit. Thanks Volker.Günther Deschner1-1/+1
Guenther (This used to be commit 345d2ab5d399a99f271148cf308271cb7fc2c0ca)
2007-10-10r14513: Fix winbindd_chauthtok: only fallback when the chgpasswd3 call is notGünther Deschner1-2/+5
supported. Is there a better way to check for the 0x1c010002 status code? Guenther (This used to be commit c7268dc9ac304e1b6dac80762087a57484906103)
2007-10-10r14509: Attempt to fix the build on "sun1"Volker Lendecke1-1/+3
(This used to be commit 6704859950eb93d86906d4916cf6842d9a970d2f)
2007-10-10r14508: Return PAM_SUCCESS in pam_sm_close_session when there is no KRB5CCNAMEGünther Deschner1-1/+1
environment. Guenther (This used to be commit 1f1402e45db8d80a7c19208fae934e1b0f3da134)
2007-10-10r14507: Re-disable accidentially re-enabled paranoia check. This should makeGünther Deschner1-1/+4
offline logons work again with NT4 and older Samba3 DCs. Guenther (This used to be commit 0892077fcec913ef76b017b5bfe058d20a322915)
2007-10-10r14505: Rename the timed_event to lockout_policy_event.Günther Deschner2-9/+9
Guenther (This used to be commit 3e607aa69ae2d43fb6ec170d03221a6b22d3f35d)
2007-10-10r14496: Add WBFLAG_PAM_GET_PWD_POLICY bit to only callout for domain passwordGünther Deschner3-5/+9
policies when requested. No panic, the flags is uint32 so we are not running out of WBFLAG bits. Guenther (This used to be commit 2155bb0535656f294bd054d6a0a7d16a9a71c31b)
2007-10-10r14493: There is no point in falling back to a samlogon when a krb5login hasGünther Deschner1-0/+17
failed with a clear error indication. This prevents the bad logon count beeing increased on the DC. Guenther (This used to be commit 5fdddffba5cf05ccac23a64fbe404a34e73fa73c)
2007-10-10r14480: Kill one boolean flag passed down :-)Volker Lendecke2-9/+7
(This used to be commit d9b85e3b287c24d2a3e2076da331fe06192b0eef)
2007-10-10r14474: Also flush the nscd caches before entering the main winbindd loop.Günther Deschner3-16/+25
Guenther (This used to be commit c81eb71834dc827db63c8adb3f816bbbe916473c)
2007-10-10r14468: Better fix to avoid winbind panic when we have an inproper configurationGünther Deschner2-4/+13
and want to just shutdown and exit. Guenther (This used to be commit 0aa6328ed6ba6d0d24169ffdff0099405c9bfb00)
2007-10-10r14467: Reverting 13660. This needs to be fixed differently.Günther Deschner2-12/+5
Guenther (This used to be commit 4157bfe9cfe79ff78e7e527a50058cf9103cab61)
2007-10-10r14421: This does two thingsGerald Carter3-9/+37
* Automatically creates the BUILTIN\Users group similar to how BUILTIN\Administrators is done. This code does need to be cleaned up considerably. I'll continue to work on this. * The important fix is for getusergroups() when dealing with a local user and nested groups. Now I can run the following successfully: $ su - jerry -c groups users BUILTIN\users (This used to be commit f54d911e686ffd68ddc6dbc073987b9d8eb2fa5b)
2007-10-10r14405: Fix the build when nscd_flush_cache is detectedJeremy Allison1-10/+12
(variable definition was missing). Jeremy. (This used to be commit 48594f0270502149069fc883096181a9730d76bf)
2007-10-10r14403: * modifies create_local_nt_token() to create a BUILTIN\AdministratorsGerald Carter6-18/+29
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that have a gid of -1 for better consistency with pdb_ldap.c. The fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam() Other wise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add some similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
2007-10-10r14393: Fix a couple of AIX warnings.Jeremy Allison1-0/+2
Jeremy. (This used to be commit 8444c997bd3e18b1d04ebe85f06c8c6e34d7373f)
2007-10-10r14392: Use KRB5_TGS_NAME.Günther Deschner1-1/+1
Guenther (This used to be commit 4cfd737cc1d8840888f80e360119eeb627acb381)
2007-10-10r14365: As solaris nss includes includes.h, make sure we useJeremy Allison1-3/+3
the correct malloc-macros. Jeremy. (This used to be commit 412dc6f5dbc796126b94f3809fe660afac5d3c2a)
2007-10-10r14329: Fix the build on systems without libcom_err.Günther Deschner1-2/+2
Guenther (This used to be commit 44fcd3113be970edd01f7f076c4b6cad2d03ebcd)
2007-10-10r14321: When we have libnscd and winbindd comes (back) online, try to flush theGünther Deschner2-0/+20
nscd caches so that NSS-calls can deliver accurate information. Guenther (This used to be commit a32a423a0e9e0d4dd21282fd528bcd3247fddbd1)
2007-10-10r14282: Change centry_string to only use talloc. ShouldJeremy Allison1-16/+12
quieten coverity bug #194 (which I think is a false positive). Jeremy. (This used to be commit 07d8b02d3dddf7322e096f3f0a7cc1c8fa709fa3)
2007-10-10r14275: Shut-up coverity false positive (bug #199) by making an assertionJeremy Allison1-0/+7
explicit. Jeremy. (This used to be commit aeae20a8d9f3658acb8edd373eb601bdf7eab98b)
2007-10-10r14270: Fix coverity #203. Ensure we free on error exit.Jeremy Allison1-2/+2
Jeremy. (This used to be commit 9fa2e1bdedb61557b43f86c2898b7bf8762bbb63)
2007-10-10r14259: Fix coverity #42. Ensure contact_domain can't be null derefedJeremy Allison1-4/+6
in error code path. Jeremy. (This used to be commit 9f5fcdd8fb437882568e38e174e2df27bd077ba3)
2007-10-10r14148: Removing the not very well tested krb5 ticket refresh handling activatedGünther Deschner3-15/+1
over --with-kcm. No time to look after it for the moment. Guenther (This used to be commit 7ec2b31a8790db1466ffafeab533c11ab7ea801a)
2007-10-10r14145: Add missing WITH_KCM hunks from my local tree.Günther Deschner1-0/+4
Guenther (This used to be commit 977079a0583497255fbd4a48de52ebd404710b62)
2007-10-10r14076: When the backends trusted_domains call comes back with no trusts theGünther Deschner1-1/+9
NTSTATUS code will be NT_STATUS_NO_MORE_ENTRIES. In that case store NT_STATUS_OK in the centry so that the entry does not automatically deleted upon startup or invalidated upon next query. Guenther (This used to be commit 200d4566619c58951e22d9543420407b3baf878f)
2007-10-10r13984: Fix Coverity bug # 98Volker Lendecke1-1/+3
(This used to be commit 0a2aa3a48bd5fd7e5a9aa06068ddd621b19c1dbe)
2007-10-10r13915: Fixed a very interesting class of realloc() bugs found by Coverity.Jeremy Allison4-46/+24
realloc can return NULL in one of two cases - (1) the realloc failed, (2) realloc succeeded but the new size requested was zero, in which case this is identical to a free() call. The error paths dealing with these two cases should be different, but mostly weren't. Secondly the standard idiom for dealing with realloc when you know the new size is non-zero is the following : tmp = realloc(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } However, there were *many* *many* places in Samba where we were using the old (broken) idiom of : p = realloc(p, size) if (!p) { return error; } which will leak the memory pointed to by p on realloc fail. This commit (hopefully) fixes all these cases by moving to a standard idiom of : p = SMB_REALLOC(p, size) if (!p) { return error; } Where if the realloc returns null due to the realloc failing or size == 0 we *guarentee* that the storage pointed to by p has been freed. This allows me to remove a lot of code that was dealing with the standard (more verbose) method that required a tmp pointer. This is almost always what you want. When a realloc fails you never usually want the old memory, you want to free it and get into your error processing asap. For the 11 remaining cases where we really do need to keep the old pointer I have invented the new macro SMB_REALLOC_KEEP_OLD_ON_ERROR, which can be used as follows : tmp = SMB_REALLOC_KEEP_OLD_ON_ERROR(p, size); if (!tmp) { SAFE_FREE(p); return error; } else { p = tmp; } SMB_REALLOC_KEEP_OLD_ON_ERROR guarentees never to free the pointer p, even on size == 0 or realloc fail. All this is done by a hidden extra argument to Realloc(), BOOL free_old_on_error which is set appropriately by the SMB_REALLOC and SMB_REALLOC_KEEP_OLD_ON_ERROR macros (and their array counterparts). It remains to be seen what this will do to our Coverity bug count :-). Jeremy. (This used to be commit 1d710d06a214f3f1740e80e0bffd6aab44aac2b0)
2007-10-10r13914: Fix Coverity bug #151.Volker Lendecke1-1/+1
I think this is actually a false warning, but as I've seen it with high gcc warning levels, lets fix it :-) Volker (This used to be commit 3f671033bca7a025f9639728a0a0a0adede6ed35)
2007-10-10r13895: As agreed upon with gd on the phone, remove ↵Volker Lendecke2-15/+3
WBFLAG_PAM_CONTACT_TRUSTDOM. This can not work for NTLM auth, where we only have a workstation account for our own domain. For the PAM Kerberos login we need to find a better way to do this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf. Volker (This used to be commit bf7c608147bcbbedd89b3dcd24a929ea3e601bc8)
2007-10-10r13720: Only lockout Administrator after x bad password attempts in offline-modeGünther Deschner1-8/+37
when we are told to do so by the password_properties. Guenther (This used to be commit 30f2fdef79f89a4bee544bd209cfb86975b33f94)
2007-10-10r13679: Commiting the rm_primary_group.patch posted on samba-technicalGerald Carter2-1/+4
* ignore the primary group SID attribute from struct samu* * generate the primary group SID strictlky from the Unix primary group when dealing with passdb users * Fix memory leak in original patch caused by failing to free a talloc * * add wrapper around samu_set_unix() to prevent exposing the create BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix() (This used to be commit bcf269e2ec6630b78d909010fabd3b69dd6dda84)
2007-10-10r13660: Attempt to better handle the failure that we cannot find our sid uponGünther Deschner2-6/+13
startup; don't panic, shutdown instead. Guenther (This used to be commit f209192e26c12fd48feb6195b724715fbada8b85)
2007-10-10r13657: Let winbindd try to obtain the gecos field from the msSFU30GecosGünther Deschner1-11/+24
attribute when "winbind nss info = sfu" is set. Fixes #3539. Guenther (This used to be commit ffce0461de130828345c44293e564ca03227607d)
2007-10-10r13639: Never overwrite the acct_flags in rpccli_netlogon_sam_network_logon().Günther Deschner1-6/+2
Guenther (This used to be commit c201e51de387d3d49880ed519eb9d825df92f5af)
2007-10-10r13571: Replace all calls to talloc_free() with thye TALLOC_FREE()Gerald Carter5-13/+14
macro which sets the freed pointer to NULL. (This used to be commit b65be8874a2efe5a4b167448960a4fcf6bd995e2)
2007-10-10r13515: Make sure to store the correct domain name in the server affinity cache.Gerald Carter1-1/+1
(This used to be commit a918e4ac2426d4cb3cd526c4fad7480b832e6a12)
2007-10-10r13492: As noone objected on the mailing-list:Günther Deschner5-12/+61
Fix parse_domain_user to fail when splitting a full name like "DOM\user" when "winbind use default domain" and "winbind trusted domains only" are not enabled. This allows pam_winbind to behave correctly when more modules are stacked in the "account" or "password" PAM facility. pam_winbindd calls WINBINDD_GETPWNAM which can decide whether or not a user is a winbind user and return correct PAM error codes. Guenther (This used to be commit e6d52c1e9d8cec7be6d552c2a67a392df21c3ec9)
2007-10-10r13442: Implement samr_chgpasswd_user3 server-side.Günther Deschner1-8/+8
Guenther (This used to be commit f60eddc0a4dfe623e5f115533a62c03810fd5f38)
2007-10-10r13409: No functional changes, just some DEBUG cleanup.Günther Deschner4-7/+5
Guenther (This used to be commit 286f6fc2339cf4ef232c16466b8dffdcddbe343f)
2007-10-10r13391: Only fall into password change when ACB_PWNOEXP is not setGünther Deschner1-2/+2
(got it wrong the first time as administrator has this flag set by default). Guenther (This used to be commit e9ccebf45a5db8964793084950fbb2c23b2469a3)
2007-10-10r13377: Fix from Volker: Make offline authentication work with NT4 as wellGünther Deschner2-2/+20
(handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)