summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett6-102/+127
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05Add const.Andrew Bartlett1-3/+3
(This used to be commit aacb817e89d17349003159e1b7c28546babc8559)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett3-77/+37
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05Fix for bug 707, getent group for huge ads groups (>1500 members)Andrew Bartlett1-22/+72
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-05We can't possilby get 'ok' here, as the if statement above just checked for it.Andrew Bartlett1-2/+0
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)
2004-01-04Commit the translation of the realm to the netbios domain name in the kerberosVolker Lendecke4-0/+85
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
2004-01-03And yet another constVolker Lendecke1-1/+1
Volker (This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
2004-01-02Under certain error conditions (a talloc() failure above) this would causeAndrew Bartlett1-2/+0
a double-free(), and the resultant malloc heap corruption. This may be one of our lurking winbind segfaults. Andrew Bartlett (This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
2004-01-02Having no members of a group is a perfectly valid (if unusual) situation.Andrew Bartlett1-0/+7
Andrew Bartlett (This used to be commit 3f6d0cd3a83bc75922cb125ffe2b0127c8aa417b)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-48/+21
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-21/+48
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett2-16/+36
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-31Forgot to commit this for the 'get our primary domain' change.Andrew Bartlett1-0/+1
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
2003-12-31Jerry rightly complained that we can't assume that the first domain isAndrew Bartlett1-3/+21
our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). Andrew Bartlett (This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
2003-12-31auth/auth_util.c:Andrew Bartlett1-14/+46
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-3/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett2-0/+27
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-23Fix typo.John Terpstra1-1/+1
(This used to be commit 46b2fb4db5c7e273a9b43c59340a0a47ade5bd5e)
2003-12-11fixed bad formal parameter type in get_static(); patch Andy PolyakovGerald Carter1-1/+1
(This used to be commit 9c70e4b44e0dda8f2af4172b928437bd9d3e8b7c)
2003-12-04fix debug messageGerald Carter1-2/+2
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)
2003-11-27Correct freebsd 5.1 support for winbind contributed by Aaron Collins.Tim Potter1-0/+81
Let the build farm chew on it for a bit. (This used to be commit 41e4b036dff0af7be69bf95ea3d64dfccd3a4b8e)
2003-11-27use samr_dispinfo(level == 1) for enumerating domain users so we can include ↵Gerald Carter1-17/+34
the full name in gecos field; bug 587 (This used to be commit 329065d7cddb52c52667c93e0a0218c0e89938be)
2003-11-25Add a comment, and a useful debug message.Andrew Bartlett2-0/+3
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett2-5/+10
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-19as discussed on irc, this is a small patch that allows a few moreAndrew Tridgell6-7/+292
winbind functions to be accessed via NSS. This provides a much cleaner way for applications that need (for example) to provide name->sid mappings to do this via NSS rather than having to know the winbindd pipe protocol (as this might change). This patch also adds a varient of the winbindd_getgroups() call called winbindd_getusersids() that provides direct SID->SIDs listing of a users supplementary groups. This is enough to allow non-Samba applications to do ACL checking. A test program for the new functionality will be committed shortly. I also added the 'wbinfo --user-sids' option to expose the new function in wbinfo. (This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell15-1/+14
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-11-07fix for bug 680 (heads up). This gist is to map theGerald Carter1-25/+215
UNIX entity foo to DOMAIN\foo instead of SERVER\foo on members of a Samba domain when all UNIX accounts are shared via NIS, et. al. * allow winbindd to match local accounts to domain SID when 'winbind trusted domains only = yes' * remove code in idmap_ldap that searches the user suffix and group suffix. It's not needed and provides inconsistent functionality from the tdb backend. This has been tested. I'm still waiting on some more feedback but This needs to be in 3.0.1pre2 for widespread use. (This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
2003-11-06Final round of printf warnings fixes for the moment.Tim Potter1-3/+3
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
2003-11-04Use a static string instead of malloced one in winbind_{off,on}() utilityTim Potter1-29/+8
functions. (This used to be commit 7710232ba21305a1e3c9523ace82a5a419526b50)
2003-11-03Fix for winbindd on HPUX from albert chin (china@thewrittenword.com)Jeremy Allison1-4/+2
Jeremy. (This used to be commit 119a89246bf84cb98b76cf3777c039fa8eb644f2)
2003-11-02Use putenv() instead of setenv() in the winbind_{off,on}() functions. SomeTim Potter1-3/+30
platforms don't have setenv(). (This used to be commit a8b487c4cb5d181e59755f49063512b2729bccb5)
2003-10-31prompt for password when invoking --set-auth-user and no pwGerald Carter1-2/+7
is given (patch from Tom Dickson) (This used to be commit ca18ec0f901330c14a68c8a44d2a88a42bb7d92c)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison2-5/+5
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-21fixed a number of bugs and memory leaks in the AIX winbind shimAndrew Tridgell1-249/+231
(This used to be commit f0a0771c02404c91cd64961f85622022a4e56b2f)
2003-10-21Merge of spelling fix from HEAD.Tim Potter1-1/+1
(This used to be commit 1482933089bd1e6114ad29d77ce229482f2d161b)
2003-10-14Undo previous commit because it breaks the build.Tim Potter1-2/+0
DEBUG() should not be called in winbind client code as it's actually dynamically linked by glibc into programs that use the nsswitch database functions. (This used to be commit 90380a684af244175d216344101e734c85220a7b)
2003-10-13Add a better error message to wb_common.c when unable to connect to a pipeRichard Sharpe2-0/+9
socket and add a comment to winbindd.c to explain the fancy calculation of buffer offset. (This used to be commit 7c7ef9680b7378e12ffdd0bf95ee7ad673bea2f5)
2003-10-13make sure to use the escaped DN; patch from Guenther Deschner; bug 592Gerald Carter1-1/+1
(This used to be commit 5eca81c66096a01eda1731892d044c09d4c18556)
2003-10-03don't call ads_destroy() twice; fixes segfault in winbindd when DC goes ↵Gerald Carter1-4/+11
down; bug 437 (This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
2003-09-24fixing a bug in the retry loop for winbindd_pam_auth[_crap]()Gerald Carter1-15/+25
(This used to be commit a83266a927b81a9f7a62b211793faaf8d401767c)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter1-1/+0
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
2003-09-17Obviously correct typo bugfix from Lin Li <linl@xandros.com>.Jeremy Allison1-1/+1
Jeremy. (This used to be commit a43ca66290ac1df9b00e3e43e32d8117b3d1b873)
2003-09-08fix valgrind errors; don't access cli_state pointer after it has been shutdownGerald Carter1-17/+13
(This used to be commit 02ae82fb3f70dc37e815d8e88bfd31a8c3ff43db)
2003-09-08Fix for bug #299.Tim Potter1-30/+80
There was some confusion over dynamically allocated lists of pointers (i.e you have to make space for the list of pointers and what they are pointing too) in the memory buffer passed in from libc. Valgrind is much happer now and as a bonus there is no segfault. (This used to be commit 7907c44414acb841a9001e82285790eece73d032)
2003-09-06finish off bug 282. AAdd extra checks for pointers afterGerald Carter1-7/+7
ads_search_XXX() calls. (This used to be commit 74c02e5fbc411d6fd1b13a1e21599da030897efe)
2003-09-06fix bug 382: make sure to free and reset the cli_state pointer after ↵Gerald Carter1-0/+6
flushing connections in winbindd_pam_auth[_crap]() (This used to be commit 60c8796edd84249db5419329a0fea4bbc7f9bb98)
2003-09-06revert retry loops in winbindd_ads as abartket points out, weGerald Carter1-312/+151
already have ads_search_retry() for this. However, neither domain_sid() nor sequence_nunber() used this function. So modify them to us ads_do_search_retry() so we can specify the base search DN and scope. (This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter4-15/+54
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-09-05Fix for bug 282 that didn't get checked in.Tim Potter1-1/+1
(This used to be commit e3f5afb83142f44369dcd341d6e66ed2fe51248f)
2003-09-05should fix bug 364 & 311: Retry patch based on suggestion fromGerald Carter1-142/+316
Ken Cross. Sometimes ads conenction get stale but we don't know they are dead until we try them. This patch may need some optimization after people bang on it for a while. (This used to be commit 7021cf63a4501c90620cf6a5f117eef345bbd291)