summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2003-03-23Convert to popt.Jelmer Vernooij1-58/+26
(This used to be commit 18d52ce914715d188966be95f9e4466666a04f74)
2003-03-23NTLM Authentication:Andrew Bartlett7-33/+131
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory under lockdir, that the admin can change the group access for. - This mode is now required to access with 'CRAP' authentication feature. - This *will* break the current SQUID helper, so I've fixed up our ntlm_auth replacement: - Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a challenge. - Use this to make our ntlm_auth utility suitable for use in current Squid 2.5 servers. - Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates are needed. - Now uses fgets(), not x_fgets() to cope with Squid environment (I think somthing to do with non-blocking stdin). - Add much more robust connection code to wb_common.c - it will not connect to a server of a different protocol version, and it will automatically try and reconnect to the 'privileged' pipe if possible. - This could help with 'privileged' idmap operations etc in future. - Add a generic HEX encode routine to util_str.c, - fix a small line of dodgy C in StrnCpy_fn() - Correctly pull our 'session key' out of the info3 from th the DC. This is used in both the auth code, and in for export over the winbind pipe to ntlm_auth. - Given the user's challenge/response and access to the privileged pipe, allow external access to the 'session key'. To be used for MSCHAPv2 integration. Andrew Bartlett (This used to be commit dcdc75ebd89f504a0f6e3a3bc5b43298858d276b)
2003-03-19Fix debug message not to use an uninitialized variable.Volker Lendecke1-2/+1
Volker (This used to be commit 80bfa7efd65af02108e3ef1e2b2952cda6dc5999)
2003-03-17Some cosmetic changes to make the popt --usage output look nicer.Tim Potter1-5/+5
(This used to be commit 39124b9a62e1ba0f8089c36b27d6c79352a27973)
2003-03-15If it's an fstring, use fstrcpy().Andrew Bartlett1-8/+8
Andrew Bartlett (This used to be commit bf5e0698eed72d7fc005be08feb36ef82ada716c)
2003-03-11This patch attemptes to clean up winbindd's mutex locking.Andrew Bartlett1-41/+37
The current locking scheme in winbind is a complete mess - indeed, the next step should be to push the locking into cli_full_connection(), but I'll leave it for now. This patch works on the noted behaviour that 2 parts of the connection process need protection - and independent protection. Tim Potter did some work on this a little while back, verifying the second case. The two cases are: - between connect() and first session setup - during the auth2 phase of the netlogon pipe setup. I've removed the counter on the lock, as I fail to see what it gains us. This patch also adds 'anonymous fallback' to our winbindd -> DC connection. If the authenticated connection fails (wbinfo -A specifed) - say that account isn't trusted by a trusted DC - then we try an anonymous. Both tpot and mbp like the patch. Andrew Bartlett (This used to be commit 0620320002082298a15cbba72bd79aecfc607947)
2003-03-11Remove obsolete file.Tim Potter1-13/+0
(This used to be commit c5c1a7979385778c08d6dd7796cfe8be1815992f)
2003-03-08Make sure that the 'remote' machine name can only be set once. For some weirdAndrew Bartlett1-9/+2
reason, during a Win2003 installation, when you select 'domain join' it sends one machine name in the name exchange, and litraly 'machinename' during the NTLMSSP login. Also fix up winbindd's logfile handling, so that it matches smbd and nmbd. (This helps me, by seperating the logs by pid). Andrew Bartlett (This used to be commit afe5a3832f79131fb74461577f1db0e5e8bf4b6d)
2003-03-03Fix "might be used uninitialised" warnings.Jeremy Allison1-2/+2
Jeremy. (This used to be commit a670b57c563b220c2ede1dac4ce1e9c71c866498)
2003-02-28fixed a crash bug in the new winbindd 'sids rule!' codeAndrew Tridgell1-1/+1
(This used to be commit 7dfd59963dba921907893b9d1bffe797e9d8b4ad)
2003-02-28*Excellent* patch from Michael Steffens <michael_steffens@hp.com> to limitJeremy Allison2-15/+59
the unix domain sockets used by winbindd (also solves FD_SETSIZE problem in winbindd to boot !). Adds a "last_access" field to winbindd connections, and will close the oldest idle connection once the number of open connections goes over WINBINDD_MAX_SIMULTANEOUS_CLIENTS (defined in local.h as 200 currently). Jeremy. (This used to be commit a82caefda49396641e8650db8a7ef51752ba6c41)
2003-02-27Fix possible memory leak on failure.Andrew Bartlett1-0/+1
(This used to be commit 052ebc44cde8d31571ed1edb602794349825be11)
2003-02-26Kill RID-only and domain+RID madness from winbind.Andrew Bartlett9-440/+377
Now we deal with SIDs in almost all of winbind (a couple of limited exceptions remain, but I'm looking into them - they use non-winbind structs ATM). This has particular benifits in returning out-of-domain SIDs for group membership (Need to look into this a bit more) as well as general code quality. This also removes much of the complexity from the idmap interface, which now only deals with mapping IDs, not with SID->domain translations. Breifly tested, but needs more. Fixes some valgrind-found bugs from my previous commit. Winbind cache chagned to using SID strings in some places, as I could not follow exactly how to save and restore multiple packed sids properly. Andrew Bartlett (This used to be commit 9247cf08c40f016a924d600ac906cfc6a7016777)
2003-02-26Merge from appliance:Tim Potter1-34/+23
>Another hopeful fix for CR#1168. Change the RPC used in querying >domain users from QueryDispInfo to EnumDomainUsers. Hopefully this >will fix the random dropouts that keep occuring when listing large >domains. > >My thought is that since QueryDispInfo is only used in the NT user >manager it may have a bug with large domains. A more commonly used >RPC may not have such problems. (This used to be commit 0501b7d0b12fa8063ffe6a9d4ecc3391d0c2f45d)
2003-02-25After some comments from tridge, clean the new usergroups code into a helperAndrew Bartlett1-71/+94
function. Andrew Bartlett (This used to be commit 212a52b3d2ca39fcea2990f9293754b08e9b68e4)
2003-02-25Fix a really nasty bug where some users in AD domains (particularly childAndrew Bartlett1-14/+90
domains) would not have the tokenGroups or memberOf attributes filled in. This would cause a user to have no supplementary group membership. Detect this by the fact that the primaryGid must be present in the tokenGroups, and if it isn't (ie, if there is no tokenGroups at all), do a server-side search on all groups using the 'member' attribute and the user's DN. Andrew Bartlett (This used to be commit a074f74e627e1d947a76bcf3a39e3c5df4d4ffe5)
2003-02-22Fix a DEBUG() formatting, add some more debug to our SID pulling code andAndrew Bartlett1-1/+1
inline the call to prs_copy_all_data_out() so that we can know we are not overrunning our buffer. Also check more return values. Andrew Bartlett (This used to be commit e3b73d5d658584428c81c9ef3ccf024687a56e2f)
2003-02-21rename 'winbind backend' to 'idmap backend'. Put paramter in security ↵Jim McDonough1-23/+23
section...does this make sense? (This used to be commit 822083f73e8ba4e096c53ff0f7578f47bc21b7b5)
2003-02-21Fix another compiler warning.Tim Potter1-1/+0
(This used to be commit 1ea27d7987d2c0f67977371a99efec3ded13c872)
2003-02-20From aliguori@us.ibm.com:Jim McDonough3-438/+731
This patch adds the architecture for an IDMAP backend system including a new smb.conf parameter "winbind backend". Right now, the only valid value is "tdb" but I'm currently working on an LDAP backend. (This used to be commit 35e4448dcb2deb0d5d34d9e974a49f2fb31f1356)
2003-02-20for some (very weird) reason, the domain I was testing aginst would notAndrew Bartlett1-0/+4
return a DN for the user. Make sure we don't segfault. Andrew Bartlett (This used to be commit 9fdedeff6a3a9f8e8d048e6afd7001ad676c4e91)
2003-02-19Missed one use of SETENV. (Compat macro no longer needed, as we have aAndrew Bartlett1-1/+1
replace.c function). (This used to be commit adad4c66fcfe756277de8c325ac9f8010f9d6f9c)
2003-02-19Move to a in-memory ccache for winbind, and replace setenv() properly.Andrew Bartlett2-17/+1
(According to the manpages, you cannot put a stack variable into putenv()). Yes, this leaks memory. Andrew Bartlett (This used to be commit 50bced1e26434ecc7474964062746e2831e5f433)
2003-02-18Add -V option (to print out version) to utilities where possibleJelmer Vernooij1-0/+1
(pdbedit already has a -V option..) (This used to be commit 5de622968d95c1436dbd34edc8d0a9bbff68916b)
2003-02-18Check return code from string_to_sid.Martin Pool1-3/+6
(This used to be commit fe449328b226a33ad1c64e087fe63e79f90ab4ac)
2003-02-15Patch based on work by Michael Steffens <michael_steffens@hp.com> to wrapJeremy Allison1-65/+107
all cm_get_XX calls and their subsequent requests in a retry loop in case we've temporarily lost connection to the DC. Makes winbindd more reliable. Jeremy. (This used to be commit 81f358b632dbf7043d2a716359b0fcf7c647af0a)
2003-02-14Ensure that only parse_prs.c access internal members of the prs_struct.Jeremy Allison1-1/+2
Needed to move to disk based i/o later. Jeremy. (This used to be commit 4c3ee228fcdb089eaeead95e79532a9cf6cb0de6)
2003-02-14Fix for trusted domains scan not working inspired by Ken Cross.Tim Potter2-7/+8
(Sorry - I should have checked this in yesterday but forgot) (This used to be commit 7420ddcda8e7189cedacb2c60f5ea265b8c35bda)
2003-02-12setup the %U substitution in winbindd for the homedir templateAndrew Tridgell1-0/+1
(This used to be commit 6186c10ceb2e61cd684968b56d3f32d9916538f8)
2003-02-01Always escape ldap filter strings. Escaping code was from pam_ldap, but I'm toAndrew Bartlett1-1/+8
blame for the realloc() stuff. Plus a couple of minor updates to libads. Andrew Bartlett (This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170)
2003-01-31Ensure Luke Howard's (C) is added.Jeremy Allison1-1/+21
Jeremy. (This used to be commit 6624fa59d749b0c0d6aacc35b9b6ba2b567d6eb4)
2003-01-29Use new interface for cli_samr_query_dispinfo().Tim Potter1-5/+10
(This used to be commit d3962da61a5717dda7e99996bbeb4735d4373041)
2003-01-16Fixed up mutex protection around winbindd logon code. Sync with APP-HEAD.Jeremy Allison1-28/+41
Jeremy. (This used to be commit 3d04872499332ef2d8e7479b924afc8fc1ac29d7)
2003-01-16Updates to the NTLMSSP code again - moving the base64 decode fuctionality outAndrew Bartlett3-1/+16
of the SWAT code, and adding a base64 encoder. The main purpose of this patch is to add NTLMSSP support to 'ntlm_auth', for use with Squid. Unfortunetly the squid side doesn't quite support what we need yet. Changes to winbind to get us the info we need, and a couple of consequential changes/cleanups in the rest of the code. Andrew Bartlett (This used to be commit fe50ca8f54ded2e119bde08831785fbe0db2ee99)
2003-01-16Add mutex protection around auth calls.Jeremy Allison1-41/+37
Jeremy. (This used to be commit af8a5d79682410482646eea075dff2d344d60e31)
2003-01-15small merges from SAMBA_3_0; mostly typos, renames, etc...Gerald Carter1-3/+3
(This used to be commit 9ac196dad4893b0ceef13281a140be5d85391e6c)
2003-01-14Remove wrapper function _get_trust_account_password() as it doesn'tTim Potter1-15/+2
seem to do anything useful anymore other than call secrets_fetch_trust_account_password(). (This used to be commit 7b0c03cbf1376f82b0bb5f4cf86e2db3b0bc1dec)
2003-01-14Added a comment in case anyone is thinking of doing a SMB_ASSERT in winbindd.Tim Potter1-0/+2
(This used to be commit c64e2308bae31d48171685b3b67b8cace1b003b5)
2003-01-13Merge of remove "winbindd holding pattern" from appliance. It's a bitTim Potter3-28/+10
simpler as the rescanning of trusted domains helps us out a bit. (This used to be commit 089729c02cb2088e85f0e7f8ec79afb58fe98be7)
2003-01-11Return the 'freindly' NT error message if at all possible.Andrew Bartlett2-2/+3
Andrew Bartlett (This used to be commit 90d05176534cfd97ed3827bddfeb3a0cb7f22683)
2003-01-09Correct misleading comment: winbindd_lookupname gets the SID for aMartin Pool1-1/+3
name, not vice versa. (This used to be commit be835d01e10a75aecfb1b166bc6e0ea796c60cce)
2003-01-07cannot make assignments to const values.Herb Lewis1-1/+1
(This used to be commit e3b1e64d9f23347a5ecefeb15329b6ec8971a55e)
2003-01-06Fix from "Ken Cross" <kcross@nssolutions.com> for enumeratingJeremy Allison1-1/+3
groups. Jeremy. (This used to be commit cde517cedf3521b815faf2bdaf7940a611a28650)
2003-01-03patch to include support for daemontools from Michael HandlerGerald Carter1-3/+21
(This used to be commit 4c48c475a28450ad4fd8dcc8263e841c0c39a80e)
2003-01-02Becouse these functions return a size_t, they can't return negitive numbers.Andrew Bartlett1-3/+3
So a < 0 check is pointless, instead check against -1, which will be cast to unsigned. Andrew Bartlett (This used to be commit c7e5797a95804d5779cdfc93795adcdf2fe82a59)
2003-01-02BIG patch...Andrew Bartlett2-2/+2
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison7-18/+38
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-12-12merge of get_dc_name()-like code from APP_HEAD; better support password ↵Gerald Carter1-49/+1
server = DC1 * (This used to be commit 6b18ca9511ddcf1718f222af3f61491d1e5f3b60)
2002-12-01Remove extra headers, and ensure that we correctly bail out of winbindd if weAndrew Bartlett2-2/+7
can't create the socket. Andrew Bartlett (This used to be commit 13b9af53bff8e42126a38f93c3bdd5b4d9b20aba)
2002-11-26After consultation with tpot, remove the 'winbind_domain' environmentAndrew Bartlett5-47/+3
variable hack, the feild on the pipe, and the server-side. It only controlled some enum operations in any case. This is to try and have less 'magic' environment variables. Andrew Bartlett (This used to be commit e4be82e4e2c7cdf15f3e20f73fe9f281f6384423)