path: root/source3/nsswitch
Age  Commit message  [Author; Files, Lines]
2007-10-10 r17837: Split out the storing of memory cached credentials [Jeremy Allison; 4 files, -201/+422]
from the krb5 ticket renewal code. This allows cached credentials to be stored for single sign-on via ntlm_auth for machines in a domain still using NTLM. Also (hopefully) fixes the reference counting problem with pam_logon/logoff so multiple logons/logoffs won't lose cached credentials. This compiles, but I'm intending to test it over the weekend so don't complain too much :-). I also want it in the tree so Coverity can scan it for errors. Guenther, check this over please - I ran through the architecture with Jerry and he's ok with it, but this is modifying your code a lot. Jeremy. (This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
2007-10-10 r17723: * BUG 3969: Fix unsigned time comparison with expiration policy from [Gerald Carter; 4 files, -47/+27]
AD DC * Merge patches from SLES10 to make sure we talk to the correct winbindd process when performing pam_auth (and pull the password policy info). (This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
2007-10-10 r17630: Looks like getpeerid() is a system function on [Jeremy Allison; 1 file, -1/+1]
FreeBSD. Change to sys_getpeerid(). Thanks to vl for pointing this out. Jeremy. (This used to be commit dd0069cfcabb25dc7dc0d336696a5f2580abb5a1)
2007-10-10 r17618: Not using a cache version number (yet). We really should... [Jeremy Allison; 1 file, -1/+0]
Jeremy (This used to be commit b711587f6e33bc5781b15da7bc49b31db4653073)
2007-10-10 r17617: Take Andrew Bartlett's excellent advice and don't store [Jeremy Allison; 3 files, -10/+63]
the nt hash directly in the winbindd cache, store a salted version (MD5 of salt + nt_hash). This is what we do in the LDAP password history code. We store this salted cache entry under the same name as an old entry (CRED/<sid>) but detect it on read by checking if there are 17 bytes of data after the first stored hash (1 byte len, 16 bytes hash). GD PLEASE CHECK. Jeremy. (This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
2007-10-10 r17616: Add the lm and nt hashes to the cached credentials [Jeremy Allison; 3 files, -28/+52]
stored - only store the password if we're going to be doing a krb5 refresh. GD please review this change ! Now to add code to reference count the cached creds (to allow multiple pam_logon/pam_logoffs to keep the creds around), ensure that the cred cache is called on all successful pam_logons (if we have winbindd cache pam credentials = true, set this by default) and finally ensure the creds cache is changed on successful password change. GD - you *really* need to review this :-). Jeremy. (This used to be commit 017e7e14958d29246a1b221e33755bb91e96b08f)
2007-10-10 r17610: Added the ability for firefox to drive the winbindd [Jeremy Allison; 5 files, -4/+310]
ntlm_auth module to allow it to use winbindd cached credentials. The credentials are currently only stored in a krb5 MIT environment - we need to add an option to winbindd to allow passwords to be stored even in an NTLM-only environment. Patch from Robert O'Callahan, modified with some fixes by me. Jeremy. (This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
2007-10-10 r17605: Some C++ warnings [Volker Lendecke; 9 files, -28/+48]
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
2007-10-10 r17584: Some C++ Warnings [Volker Lendecke; 1 file, -1/+1]
(This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497)
2007-10-10 r17571: Change the return code of cli_session_setup from BOOL to NTSTATUS [Volker Lendecke; 1 file, -8/+10]
Volker (This used to be commit 94817a8ef53589011bc4ead4e17807a101acf5c9)
2007-10-10 r17469: remove unused variable [Simo Sorce; 1 file, -1/+0]
(This used to be commit c7d115a7d08ecebe2ba70b3f0efae39a1fd8e42a)
2007-10-10 r17464: Ensure we use a hash16 data type, not a string, [Jeremy Allison; 1 file, -3/+45]
for storing offline hashes. Jeremy. (This used to be commit c8e6f7e41c9db436b34dd127d77940d7b43bf13b)
2007-10-10 r17462: Fix a cut&paste bug that caused us to return a null SID on some [Simo Sorce; 1 file, -0/+6]
error conditions (This used to be commit 954593bd41ff2475df5d37eae18be08ffa3002eb)
2007-10-10 r17461: Ensure we never save a NULL SID mapping. || should be &&. [Jeremy Allison; 1 file, -1/+1]
Found by Whitfield school. Jeremy. (This used to be commit f8584a475853bd8937fb0cf1b304c98f96fbd872)
2007-10-10 r17459: As by Jerry's word commit this without his review. [Simo Sorce; 6 files, -50/+246]
This patch adds some missing async functions to solve UID/GID -> SID requests not just out of the cache, but down the remote idmap if necessary. This patch solves the problem of servers not showing users/groups names for allocated UID/GIDs when joined to a group of servers that share a prepopulated idmap backend. Also correctly resolve UID/GIDs to SIDs when looking ACLs from the windows security tab on the same situation. Simo. (This used to be commit b8578bfab6a04fcd65a2e65f507067459e326077)
2007-10-10 r17366: Save the logon script path from the info3 in the PAM session allowing [Günther Deschner; 2 files, -4/+19]
other PAM modules to pick it up from there. Guenther (This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5)
2007-10-10 r17365: Fix memleak. [Günther Deschner; 1 file, -1/+4]
Guenther (This used to be commit 62a8e0b08919e71c6a575ce6d89d8a4a09acbd87)
2007-10-10 r17363: Some C++ warnings [Volker Lendecke; 1 file, -7/+13]
(This used to be commit fd82f185a2e0f94bfb75f4eee072556ad94bf27d)
2007-10-10 r17345: Some C++ warnings [Volker Lendecke; 2 files, -2/+2]
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
2007-10-10 r17162: Fix small typos noticed by Paul Green. [Gerald Carter; 1 file, -1/+1]
(This used to be commit 1a5874588686fb4ece9be70059ff75b975ed2bd5)
2007-10-10 r17159: Bug 3920: Restore winbind use default domain behavior for domain groups. [Gerald Carter; 2 files, -18/+25]
This breaks local users and 'winbind nested groups' on domain members. Cannot be helped. My plan is to move the default domain crud to the client code (pam and nss libraries) in 3.0.24. (This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)
2007-10-10 r17123: Fix 32bit/64bit portability issues again. [Gerald Carter; 1 file, -22/+54]
DO NOT change the winbindd response or request structures *unless* you test a 32bit wbinfo against a 64bit winbindd. The structure sizes MUST be the same on 32bit and 64 bit platforms. The way to test is to build a 64bit version of Winbind as normal. Then build a 32bit version using gcc -m32. Now install the 64bit and 32bit versions of libnss_winbindd.so and launch the 64bit winbindd. Make sure that the responses from both 32bit and 64bit versions of wbinfo match. If you don't understand the previous paragraph you don't need to be changing nsswitch/winbindd_nss.h (This used to be commit bc03141429273703c540d6120b0c5ca4d0949266)
2007-10-10 r17102: Fix segfault in libnss_wins [bugzilla #3937]. [Günther Deschner; 1 file, -0/+1]
Guenther (This used to be commit d73d0ec3d074f1acc4fe1c78d218aabd0fe4118a)
2007-10-10 r17021: remove unsupported smbwrapper code [Gerald Carter; 2 files, -2/+9]
(This used to be commit 07c67fbfc0790169ee748c0e62da14c89d3add23)
2007-10-10 r17017: BUG 3916: fix pam config file parsing in pam_winbind. [Gerald Carter; 1 file, -15/+17]
Patch from Dietrich Streifert <dietrich.streifert@visionet.de> (This used to be commit 8d6218825827a54ca69e462c00a3dc9e25ef3ddf)
2007-10-10 r17007: Increment winbind protocol version number. [Andrew Bartlett; 1 file, -1/+1]
Andrew Bartlett (This used to be commit ed51b6293b7577cb2d9e661a8491606abf349406)
2007-10-10 r17005: Add a new helper mode to ntlm_auth: ntlm-change-password-1 [Andrew Bartlett; 4 files, -0/+163]
This mode proxies pre-calculated blobs from a remote (probably VPN) client into the domain. This allows clients to change their password over a PPTP connection (where they would not be able to connect to SAMR directly). The precalculated blobs do not reveal the plaintext password. Original patch by Alexey Kobozev <cobedump@gmail.com> (This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
2007-10-10 r16945: Sync trunk -> 3.0 for 3.0.24 code. Still need [Jeremy Allison; 17 files, -107/+670]
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10 r16941: Fix crash bug when the pam conversation receives an empty token. [Günther Deschner; 1 file, -2/+2]
Thanks to Bjoern Jacke for the report and test-case. Guenther (This used to be commit f2ebc0e3de396f44f49dabbfe42cb3ad1c1a7ec1)
2007-10-10 r16940: libnscd sets errno, use that to display error message. [Günther Deschner; 1 file, -2/+2]
Guenther (This used to be commit df10448e2c6166d1c129c2d9a9a74c5b4a42555f)
2007-10-10 r16939: Still clear the winbind_cache.tdb when offline logons are not enabled. [Günther Deschner; 1 file, -2/+4]
Guenther (This used to be commit 4121ccfc3e39001d5b7b8288e3bc27d919f79167)
2007-10-10 r16823: Allow to call wbinfo --domain-info="" or --domain-info="." to get domain [Günther Deschner; 1 file, -4/+7]
info for our own domain. Guenther (This used to be commit ebd3c547e508e191d5e1b5bb001797666db7b269)
2007-10-10 r16800: correct a probable cut&paste error [Simo Sorce; 1 file, -1/+1]
(This used to be commit c139a2293bfb66554e1be09c6824d04381de58e1)
2007-10-10 r16790: Fix memleak. [Günther Deschner; 1 file, -0/+1]
Guenther (This used to be commit 48ab7f46814dfbd777f142cdd8f59e6c1962eb15)
2007-10-10 r16755: Hunting warning has some benefits.... [Volker Lendecke; 1 file, -2/+2]
Solaris found this one that needs to go into 3.0.23, actually munlock the password memory. Volker (This used to be commit 6fa928f96a70b7b063dd1bdbb08c6a3f5d942229)
2007-10-10 r16687: Fix bugs #3901, #3902, #3903 reported by jason@ncac.gwu.edu. [Jeremy Allison; 2 files, -7/+18]
Jeremy (This used to be commit c4896b17faa6802f18cc1cec7fcc6168bde2eef0)
2007-10-10 r16678: Fix bug #3898 reported by jason@ncac.gwu.edu. [Jeremy Allison; 1 file, -1/+1]
Jeremy. (This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
2007-10-10 r16644: Fix bug #3887 reported by jason@ncac.gwu.edu [Jeremy Allison; 1 file, -2/+2]
by converting the lookup_XX functions to correctly return SID_NAME_TYPE enums. Jeremy. (This used to be commit ee2b2d96b60c668e37592c79e86c2fd851e15f69)
2007-10-10 r16610: Subtle one from Klocwork #2076. If multiple flags [Jeremy Allison; 1 file, -0/+3]
are set in a winbindd request it might overwrite existing state->response.extra_data.data values without freeing. Jeremy. (This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
2007-10-10 r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup: [Günther Deschner; 1 file, -1/+39]
When trying to login using krb5 with a trusted domain account, we need to make sure that our and the remote domain are AD. Guenther (This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
2007-10-10 r16479: When dcip_to_name failed to get the name of the ip in saf_servername we [Günther Deschner; 1 file, -1/+1]
cannot put saf_name in the failed conn cache as it's uninitialized. Store saf_servername (the ip) in that case. Volker, please check. Guenther (This used to be commit 098a87f492f69caeb523478a7ebcd0e3f636497d)
2007-10-10 r16475: destroy talloc ctx when we weren't able to collect onlinestatus [Günther Deschner; 1 file, -0/+4]
messages. Guenther (This used to be commit d6b52e818109e6eb5a3df1bbc127c333e819141d)
2007-10-10 r16474: There is no point in figuring out lockout policies if we do not allow [Günther Deschner; 1 file, -1/+1]
offline logons at all. Guenther (This used to be commit dfbe555c69b3272bcff1d76a699aae2bdb85bdaf)
2007-10-10 r16473: There is no point in calling set_dc_type_and_flags() before each [Günther Deschner; 1 file, -2/+9]
pam_auth login (when using kerberos). Guenther (This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
2007-10-10 r16422: winbindd_demote_client isn't used and generates [Jeremy Allison; 1 file, -8/+0]
a Klocwork issue (#1844). Remove it Jeremy. (This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8)
2007-10-10 r16361: Fix Klocwork ID 1731 1770 1771 1775 1796 [Volker Lendecke; 4 files, -3/+14]
Volker (This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
2007-10-10 r16358: ALWAYS compile this stuff on a 64-bit box before [Jeremy Allison; 1 file, -1/+3]
checking in. size_t != uint32 on a 64-bit machine. Jeremy. (This used to be commit 09c89732869eae0d8c8971ac78235d34e4dcecb9)
2007-10-10 r16349: Another fix to make winbind more robust in large domains: [Günther Deschner; 1 file, -11/+52]
We may only feed rpc_useraliases with chunks of 1024 entries. This is important as the token generation otherwise fails when a user is member of more than 1024 groups. Volker, please check. Guenther (This used to be commit d8fd94648f965eb043f957b154ce63b245a90328)
2007-10-10 r16285: On a 64-bit box, size_t != uint32. Ensure we use [Jeremy Allison; 1 file, -2/+4]
the right parameter type. Jeremy. (This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
2007-10-10 r16284: Start fixing up gcc4 -O6 warnings on an x86_64 box. size_t != unsigned [Jeremy Allison; 2 files, -6/+6]
int in a format string. Jeremy. (This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)