| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
|
|
(This used to be commit 509ae5ffa17be340c41fecaaace75816c18316c6)
|
|
dleonard@vintela.com for this fix !
Jeremy.
(This used to be commit 70b5db7d8c6aa324ad98436fe3fafe715c04c5a8)
|
|
from both idmap_ldap_{alloc,db}_init()
* Fix the backwards compat support in idmap_ldap.c
* Fix a spelling error in the idmap_fetch_secret() function name
(This used to be commit 615a10435618abb89852910a0d36c1d9ff35647f)
|
|
(This used to be commit 01af19cc9d8e282ffd6ff6b52699ed2d0369ff69)
|
|
the PAM_SUCCESS block.
Guenther
(This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)
|
|
* Consolidate all pam_winbind password expiry warnings in the one
_pam_send_password_expiry_message() call.
* Also convert some more NTSTATUS codes to error messages.
* Add paranoia check to only do all the post-processing after PAM_SUCCESS.
Guenther
(This used to be commit 02713f314b65a14e659e801f7eebea453756ac44)
|
|
Set info3 strings, krb5ccname and returned username after we changed a
password and sucessfully re-authenticated afterwards. In that case we
ended up without this information.
Guenther
(This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83)
|
|
pam_winbind.
Guenther
(This used to be commit 1feb961577475dceb97948cd2fdb987005890498)
|
|
Guenther
(This used to be commit 86b34cd5d6675c8f0a0becdcded36de4a815c898)
|
|
Guenther
(This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e)
|
|
calling application.
Guenther
(This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05)
|
|
(This used to be commit 1d46b2ae3447b3521987b2ab1064a6ea314cfa07)
|
|
lookup when we actually are. Although the Linux nss winbind backend
protects against num_mem != 0 && buf == NULL.
Guenther
(This used to be commit a9ac4630b46242f88bd7a4e92511b55cc82e9940)
|
|
Guenther
(This used to be commit cdef1d00b89abd632281d428f1e1a6b322559af4)
|
|
Guenther
(This used to be commit 1b82c5fa0e363942947453a8e1b74aa2b95d8733)
|
|
received NT_STATUS_PASSWORD_RESTRICTION.
Guenther
(This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
|
|
requests in pam_winbind (Bug #4094).
Inspired by fix from Lars Heete.
Guenther
(This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
|
|
(This used to be commit 5c36d67d272a52f58532daa3c3c09b8f8b6a34e0)
|
|
Guenther
(This used to be commit 08ca5ea6f1b09506055b2508aa79704f39b3bbd7)
|
|
(This used to be commit 6b754f7c96400d5d1f14e807aac0aa925c45eefb)
|
|
online handler for internal (local SAM, BUILTIN) childs. Jeremy, please
check.
Guenther
(This used to be commit 7d0e2e70684a7e3d377f56ed0244ed136b0b1a99)
|
|
have a build failure in 3.0.24 in event_add_timed ?
Jeremy
(This used to be commit ede30a8b4b705808d9c46ae848f5cbd89a808cdc)
|
|
we may not just assume that we look for our own realm's dcs next.
Guenther
(This used to be commit bf0c4ce7b1194e18cc16a044b042d0066463cf87)
|
|
on the samba-technical ml. The replacement character is hardcoded
as a '_' for now.
(This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)
|
|
void message_register(int msg_type,
void (*fn)(int msg_type, struct process_id pid,
- void *buf, size_t len))
+ void *buf, size_t len,
+ void *private_data),
+ void *private_data)
{
struct dispatch_fns *dfn;
So this adds a (so far unused) private pointer that is passed from
message_register to the message handler. A prerequisite to implement a tiny
samba4-API compatible wrapper around our messaging system. That itself is
necessary for the Samba4 notify system.
Yes, I know, I could import the whole Samba4 messaging system, but I want to
do it step by step and I think getting notify in is more important in this
step.
Volker
(This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
|
|
lived in trustdom_recv().
Jeremy, this is the better place I think but please check.
Guenther
(This used to be commit beed8b8b320ae9bd8aef669564a5403e4bb35bfd)
|
|
outside the idmap daemon
(This used to be commit 57160e3dd96a7a776389da604393c20a738202ea)
|
|
write to a separate logfile.
Guenther
(This used to be commit 0313edc0d66c26b5acb6250e0f146218a02b42cd)
|
|
* make debug_state also configurable from the config file
* minor code cleanup
Guenther
(This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
|
|
Guenther
(This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
|
|
Jeremy, we really can't do that. There are setups with hundred and more
trusted domains out there, I have one customer who tells me it takes
more then half an hour for him after winbind is up and running. That
request registers the check_domain_online_handler which in turn forks
off the child immediately. Also discussed with Volker.
Guenther
(This used to be commit ccd4812c0b436a12b809668d09c5681111125f3d)
|
|
Jerry, the switch statement must ignore the PAM_SILENT flag.
Guenther
(This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
|
|
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
|
|
(This used to be commit af5a2fa9eccf753106cd944be31f38845363ace6)
|
|
* Remove anpther check for PAM_SILENT that prevents logging to syslog
* Add missing check for TRY_FIRST_PASS when using authtok (missed
from previous merge)
(This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
|
|
Details: Improve PAM logging
- The improved logging is far tracking down PAM-related bugs
- PAM_SILENT was being mis-used to suppress syslog output instead of
suppressing user output. This lets PAM_SILENT still log to syslog.
- Allow logging of item & data state via debug_state config file option.
- Logging tracks the pam handle used.
(This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
|
|
Details: Reset the "new password prompt required" state whenever
we do a new auth. In more detail, in pam_sm_authenticate, if not
settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially
present PAM_WINBIND_NEW_AUTHTOK_REQD.
(This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
|
|
Patch details:
Support most options in pam_winbind.conf; support comma-separated names in
require-membership-of. Details below:
1) Provides support for almost all config options in pam_winbind.conf
(all except for use_first_pass, use_authtok, and unknown_ok).
- That allows us to work well when invoked via call_modules from
pam_unix2.conf as well as allowing use of spaces in names used
w/require_membership_of.
2) Support for comma-separated list of names or SID strings in
require_membership_of/require-membership-of.
- Increased require_membership_of field in winbind request from fstring
(256) to pstring (1024).
- In PAM side, parse out multiple names or SID strings and convert
all of them to SID strings.
- In Winbind side, support membership check against multiple SID strings.
(This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
|
|
problems in the nss_info interface when HAVE_LDAP is undefined.
* Revert previous ifdef HAVE_ADS brakets
* Remove an unused init function wrapper.
(This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
|
|
(This used to be commit 8052a18f29d32f37c52868b17143af8d76bf5e6e)
|
|
(This used to be commit 8c23158f053b181421cb6206db7c8030ddcc2cea)
|
|
(This used to be commit 7011a1b5abc7d56da5beba904e3328014f315f0d)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
domain SID lookups through the struct winbindd_domain *domain_list
by searching by name.
Refactor the order lookup when searching for the correct idmap_domain
to a single function and remove the requirement that the default
domain be listed first in the config file.
I would still like to make the idmap_domain array a linked list and
remove the existing code which makes use of indexes into the list.
Basic testing with tdb pans out ok.
(This used to be commit e6c300829ff08dd354f6e9460d396261681e4809)
|
|
Jeremy.
(This used to be commit 018d7805b5ecb17e21e1a55b6cc65efaab4b3f63)
|
|
Jeremy.
(This used to be commit a2222a565c658fe5154d9321edab69a95ddeed15)
|
|
(This used to be commit e635bad00ecf083c34da339e3616c945a140e478)
|
|
chnage fails due to policy settings where as 2003 (the chgpasswd3()
request) fails with NT_STATUS_PASSWORD_RESTRICTION. Thunk down
to the same return code so we correctly retreive the password policy
in both cases.
(This used to be commit 262bb80e9cf7fb6dbf93144ae0b939c84ec0ea04)
|
|
the stored client sitename with the sitename from each sucessfull CLDAP
connection.
Guenther
(This used to be commit 6a13e878b5d299cb3b3d7cb33ee0d51089d9228d)
|
