Age | Commit message (Collapse) | Author | Files | Lines |
|
struct so we can see when they match - only create
the ugly krb5 hack when they do.
Jeremy.
(This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
|
|
writing out a custom krb5.conf file containing
the KDC I need. This may suck.... Needs some
testing :-).
Jeremy.
(This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
|
|
Cause winbindd to set site support before doing the
generic AD server lookup.
Jeremy.
(This used to be commit a9833941715472ece747bce69ef53ba8ad98d7a5)
|
|
krb5 refresh creds when doing cached NTLM auth, request
the memory creds instead.
Jeremy.
(This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
|
|
get_sorted_dc_list
return NTSTATUS.
If we want to differentiate different name resolution problems we might want
to introduce yet another error class for Samba-internal errors. Things like no
route to host to the WINS server, a DNS server explicitly said host not found
etc might be worth passing up.
Because we can not stash everything into the existing NT_STATUS codes, what
about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP?
Volker
(This used to be commit 60a166f0347170dff38554bed46193ce1226c8c1)
|
|
from the krb5 ticket renewal code. This allows cached
credentials to be stored for single sign-on via ntlm_auth
for machines in a domain still using NTLM. Also (hopefully)
fixes the reference counting problem with pam_logon/logoff
so multiple logons/logoffs won't lose cached credentials.
This compiles, but I'm intending to test it over the weekend
so don't complain too much :-). I also want it in the tree
so Coverity can scan it for errors. Guenther, check this over
please - I ran through the architecture with Jerry and he's
ok with it, but this is modifying your code a lot.
Jeremy.
(This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b)
|
|
AD DC
* Merge patches from SLES10 to make sure we talk to the correct
winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00abb38eb23a1497a255d194fb1bbffffb)
|
|
FreeBSD. Change to sys_getpeerid(). Thanks to
vl for pointing this out.
Jeremy.
(This used to be commit dd0069cfcabb25dc7dc0d336696a5f2580abb5a1)
|
|
Jeremy
(This used to be commit b711587f6e33bc5781b15da7bc49b31db4653073)
|
|
the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
|
|
stored - only store the password if we're going to
be doing a krb5 refresh. GD please review this change !
Now to add code to reference count the cached creds
(to allow multiple pam_logon/pam_logoffs to keep the
creds around), ensure that the cred cache is called
on all successful pam_logons (if we have winbindd cache
pam credentials = true, set this by default) and finally
ensure the creds cache is changed on successful password
change. GD - you *really* need to review this :-).
Jeremy.
(This used to be commit 017e7e14958d29246a1b221e33755bb91e96b08f)
|
|
ntlm_auth module to allow it to use winbindd cached
credentials.The credentials are currently only stored
in a krb5 MIT environment - we need to add an option to
winbindd to allow passwords to be stored even in an NTLM-only
environment.
Patch from Robert O'Callahan, modified with some fixes
by me.
Jeremy.
(This used to be commit ae7cc298a113d8984557684bd6ad216cbb27cff3)
|
|
(This used to be commit 05268d7a731861b10ce8556fd32a004808383923)
|
|
(This used to be commit f6194cf4b263454bbdf180a7d014ffc3498df497)
|
|
Volker
(This used to be commit 94817a8ef53589011bc4ead4e17807a101acf5c9)
|
|
(This used to be commit c7d115a7d08ecebe2ba70b3f0efae39a1fd8e42a)
|
|
for storing offline hashes.
Jeremy.
(This used to be commit c8e6f7e41c9db436b34dd127d77940d7b43bf13b)
|
|
error conditions
(This used to be commit 954593bd41ff2475df5d37eae18be08ffa3002eb)
|
|
Found by Whitfield school.
Jeremy.
(This used to be commit f8584a475853bd8937fb0cf1b304c98f96fbd872)
|
|
This patch add some missing async functions to
solve UID/GID -> SID requests not just out of the cache,
but down the remote idmap if necessary.
This patch solves the problem of servers not showing users/groups names
for allocated UID/GIDs when joined to a group of servers that share a
prepopulated idmap backend.
Also correctly resolve UID/GIDs to SIDs when looking ACLs from the
windows security tab on teh same situation.
Simo.
(This used to be commit b8578bfab6a04fcd65a2e65f507067459e326077)
|
|
other PAM modules to pick it up from there.
Guenther
(This used to be commit b3ac5a586ba37b1122b0dc941dfee648fc4fa6d5)
|
|
Guenther
(This used to be commit 62a8e0b08919e71c6a575ce6d89d8a4a09acbd87)
|
|
(This used to be commit fd82f185a2e0f94bfb75f4eee072556ad94bf27d)
|
|
(This used to be commit 21c8fa2fc8bfd35d203b089ff61efc7c292b4dc0)
|
|
(This used to be commit 1a5874588686fb4ece9be70059ff75b975ed2bd5)
|
|
This break local users and 'winbind nested groups' on domain members.
Cannot be helped.
My plans is to move the default domain crud to the client code (pam and
nss libraries) in 3.0.24.
(This used to be commit 8ee22eeab5d06008b363f8bb250dc767ddfbb86a)
|
|
NO NOT change the winbindd response or request structures
*unless* you test a 32bit wbinfo against a 64bit winbindd.
The structure sizes MUST be the same on 32bit and 64 bit
platforms.
The way to test is to build a 64bit version of Winbind as normal.
Then build a 32bit version using gcc -m32. Now install the 64bit and
32bit versions of libnss_winbindd.so and launch the 64bit winbindd.
Make sure that the responses from both 32bit and 64bit versions
of wbinfo match.
If you don't understand the previous paragraph you don't need to
be changing nsswitch/winbindd_nss.h
(This used to be commit bc03141429273703c540d6120b0c5ca4d0949266)
|
|
Guenther
(This used to be commit d73d0ec3d074f1acc4fe1c78d218aabd0fe4118a)
|
|
(This used to be commit 07c67fbfc0790169ee748c0e62da14c89d3add23)
|
|
Patch from Dietrich Streifert <dietrich.streifert@visionet.de>
(This used to be commit 8d6218825827a54ca69e462c00a3dc9e25ef3ddf)
|
|
Andrew Bartlett
(This used to be commit ed51b6293b7577cb2d9e661a8491606abf349406)
|
|
This mode proxies pre-calculated blobs from a remote (probably VPN)
client into the domain. This allows clients to change their password
over a PPTP connection (where they would not be able to connect to
SAMR directly).
The precalculated blobs do not reveal the plaintext password.
Original patch by Alexey Kobozev <cobedump@gmail.com>
(This used to be commit 967292b7136c5100c0b9a2783c34b1948b16dad4)
|
|
to do the upper layer directories but this is what
everyone is waiting for....
Jeremy.
(This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
|
|
Thanks to Bjoern Jacke for the report and test-case.
Guenther
(This used to be commit f2ebc0e3de396f44f49dabbfe42cb3ad1c1a7ec1)
|
|
Guenther
(This used to be commit df10448e2c6166d1c129c2d9a9a74c5b4a42555f)
|
|
Guenther
(This used to be commit 4121ccfc3e39001d5b7b8288e3bc27d919f79167)
|
|
info for our own domain.
Guenther
(This used to be commit ebd3c547e508e191d5e1b5bb001797666db7b269)
|
|
(This used to be commit c139a2293bfb66554e1be09c6824d04381de58e1)
|
|
Guenther
(This used to be commit 48ab7f46814dfbd777f142cdd8f59e6c1962eb15)
|
|
Solaris found this one that needs to go into 3.0.23, actually munlock the
password memory.
Volker
(This used to be commit 6fa928f96a70b7b063dd1bdbb08c6a3f5d942229)
|
|
Jeremy
(This used to be commit c4896b17faa6802f18cc1cec7fcc6168bde2eef0)
|
|
Jeremy.
(This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
|
|
by converting the lookup_XX functions to correctly
return SID_NAME_TYPE enums.
Jeremy.
(This used to be commit ee2b2d96b60c668e37592c79e86c2fd851e15f69)
|
|
are set in a winbindd request it might overwrite existing
state->response.extra_data.data values without freeing.
Jeremy.
(This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
|
|
When trying to login using krb5 with a trusted domain account, we
need to make sure that our and the remote domain are AD.
Guenther
(This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
|
|
cannot put saf_name in the failed conn cache as it's uninitialized.
Store saf_servername (the ip) in that case.
Volker, please check.
Guenther
(This used to be commit 098a87f492f69caeb523478a7ebcd0e3f636497d)
|
|
messages.
Guenther
(This used to be commit d6b52e818109e6eb5a3df1bbc127c333e819141d)
|
|
offline logons at all.
Guenther
(This used to be commit dfbe555c69b3272bcff1d76a699aae2bdb85bdaf)
|
|
pam_auth login (when using kerberos).
Guenther
(This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
|
|
a Klocwork issue (#1844). Remove it
Jeremy.
(This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8)
|