summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r16196: A bit of defensive programming:Volker Lendecke1-1/+1
Klocwork ID 1773 complained about oldest being dereferenced in line 2275 where it could be NULL. I think you can construct extreme racy conditions where this actually could happen. Volker (This used to be commit b5602cc4f1d77ed48ddca0f7f42b28706160c923)
2007-10-10r16192: Fix timeformats in the winbind response struct.Günther Deschner1-8/+8
(pam_winbind users were forced to change a password inappropriately) Guenther (This used to be commit 65643d31725a4e3fe157d66e9ecad03a65a484e2)
2007-10-10r16187: Fix memleak.Günther Deschner1-9/+12
Guenther (This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
2007-10-10r16154: Fix winbind function table typo.Günther Deschner1-1/+1
Guenther (This used to be commit aeff1f0c47992ce3941e27e63f9b1516c4918963)
2007-10-10r16114: Make winbindd's group enumeration (set|get|endgrent) work again (whenGünther Deschner1-1/+1
enabled). Do not bail out when a group just has 0 members. Jeremy, please check, this has been removed with r13915. Guenther (This used to be commit 3a738a855d335e44e167351e6396bf3fe81a03af)
2007-10-10r16080: Re-add accidentially excluded in-forest domain trusts (fixes bug #3823).Günther Deschner1-1/+1
Guenther (This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
2007-10-10r15985: Adding "own-domain" switch to wbinfo which is handy from time to time.Günther Deschner1-1/+17
Guenther (This used to be commit 3c9416c2bedeec7f075e94d45d08f37ae6dd41d1)
2007-10-10r15984: Correctly handle the case when there is no configuration file forGünther Deschner1-1/+1
pam_winbind. Guenther (This used to be commit 29758ea1c4e1b9b57d27765d539306058299fcd1)
2007-10-10r15983: Honour the krb5 principal name change (of the new ads join code) in theGünther Deschner1-1/+1
kerberized winbind pam_auth. Guenther (This used to be commit 216125fe132fa6b886b99139e38988725beb88f0)
2007-10-10r15982: Fix confusing order of DEBUG statements in winbindds pam_auth.Günther Deschner1-3/+3
Guenther (This used to be commit 3f5a2e49c108bfe8f8b875af9e69d5ad3b0567ee)
2007-10-10r15977: Fillup the password_policy method in winbindd for winbindd_passdb. ThisGünther Deschner1-2/+41
should make pam_winbind work again on a Samba PDC (and fix Bug #3800). Guenther (This used to be commit 4addabd054a2627133d3fff71234db18cf2c822c)
2007-10-10r15976: Set our internal domains to "online" by default in winbindd.Günther Deschner1-1/+1
Guenther (This used to be commit 2678582c6cc7fb100cb3bfd867816878461ae7b4)
2007-10-10r15904: This does two things:Volker Lendecke1-25/+37
Fix more potential segfaults when something on our way to a DC connection fails. We can not continue if dcip_to_name() fails. With 192.168.234.100 nt4pdc 192.168.234.100 windows#1c 192.168.234.100 windows#1b in the lmhosts file when nt4pdc is rebooted, we do find the DC's IP address, we can connect to TCP 139 while it is booting but anything else fails. So we fall back to put the IP address into domain->dcname. When the DC is fully up later on we try to do the auth2 against \\192.168.234.100 which gives INVALID_COMPUTER_NAME. And we never get out of this loop again. Fix this. Jerry, maybe you can take a look. Thanks, Volker (This used to be commit b1244e79068af9e287252b2dfbb8d612e717674a)
2007-10-10r15845: Ok. This was a tough one. If for some reason the tconX fails towards ↵Volker Lendecke1-0/+1
a domain controller the next time we connect this child ran into a segfault because it tried to reference a half-baked connection. Volker (This used to be commit c8a8204c744cf7aa1a1a6992a3433d99b6bb73a1)
2007-10-10r15842: patch from volker to instruct winbindd to find a trusted DC on its ↵Gerald Carter1-1/+1
own when runing on a Samba DC (since we don't implement the getdcname() call that well (This used to be commit 39f7ff75a7a21b85b54cba954f1c5552e562be5c)
2007-10-10r15705: Fix bug number 3788. Thanks to Jeff Wright.Volker Lendecke1-0/+3
Volker (This used to be commit e4a2cb4b9143394a54ae1de91e59722c11a0b2e4)
2007-10-10r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner2-17/+116
more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
2007-10-10r15697: I take no comments as no objections :)Günther Deschner2-13/+37
Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
2007-10-10r15675: Man pages say never look at the fd_set after a selectJeremy Allison1-2/+8
if it returned -1 (treat as undefined). Ensure we obey this. Jeremy. (This used to be commit 256ae3a16bcafe70cc1a00496681c709380e4fc3)
2007-10-10r15634: Prevent passwords of winbindd's list of credential caches from beeingGünther Deschner3-1/+51
swapped to disc using mlock(). (patch was reviewed by Jeremy). Guenther (This used to be commit 206cdbb8e9a4a0900060d56510e58b85a2b8aec5)
2007-10-10r15632: Remove length limitation from the winbind cache cleanup traversal.Günther Deschner1-7/+2
Guenther (This used to be commit 181fa02497e353a36e311f94f5bec2e9cfd1b56e)
2007-10-10r15562: Attempt to fix Coverity bug # 283Volker Lendecke1-0/+8
(This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)
2007-10-10r15546: When debugging is enabled be just a little more verbose in logging inGünther Deschner1-6/+6
pam_winbind. Guenther (This used to be commit bf077fb2268b79faffd1fdda04847c37ffead32d)
2007-10-10r15543: New implementation of 'net ads join' to be more like Windows XP.Gerald Carter1-8/+1
The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
2007-10-10r15541: Only ever store a user's password in a WINBINDD_CCACHE_ENTRY struct whenGünther Deschner1-1/+1
we have a reason to do so. Guenther (This used to be commit 4da79bd10c17277171aad26ee0278f8e5b64abdb)
2007-10-10r15539: Use portable wrapper functions instead of seteuidJeremy Allison2-7/+7
directly in winbindd. Jeremy. (This used to be commit 2e65fcc9def5f1386a33ca4a76e494838e3a0632)
2007-10-10r15528: Make the existance of the /etc/security/pam_winbind.conf fileGünther Deschner1-3/+5
non-critical and fallback to only parse the argv options in that case. Guenther (This used to be commit 9dac3ab328e9c7ba374e0efc3fe16d940ecc9d3b)
2007-10-10r15526: Avoid double \n.Günther Deschner1-1/+1
Guenther (This used to be commit 3546187bb4a74b14071e2c23561e70e57ad13e86)
2007-10-10r15523: Honour the time_offset also when verifying kerberos tickets. ThisGünther Deschner1-0/+1
prevents a nasty failure condition in winbindd's pam_auth where a tgt and a service ticket could have been succefully retrieved, but just not validated. Guenther (This used to be commit a75dd80c6210d01aff104a86b0a9d39d65f2c348)
2007-10-10r15479: Check in patch from bug # 3746 -- Thanks TimurVolker Lendecke1-0/+1
(This used to be commit ac79bba1a118635ed18d23cf84bdf15923b354c0)
2007-10-10r15478: Likewise for bug # 3763Volker Lendecke1-4/+4
(This used to be commit 7188ec6bd81715c4df17528bca2b2e658173043f)
2007-10-10r15460: Prefer to use the indexed objectCategory attribute (instead ofGünther Deschner1-2/+2
objectClass which is not indexed on AD) in LDAP queries. Guenther (This used to be commit 847882a98328b91a2157959c5dad0a2023223846)
2007-10-10r15428: Add "smbcontrol winbind onlinestatus" for debugging purpose.Günther Deschner3-0/+82
Guenther (This used to be commit 9e15b1659c105b0be846e8f71c27b20eab961bd2)
2007-10-10r15425: Use dynamic buffers in the IRIX nsswithch module to prevent truncationJames Peach1-78/+182
of long group lists. (This used to be commit d348d796c16679297e1f0304b8b2ba0f42010733)
2007-10-10r15417: Don't use cached credentials when changing passwords.Günther Deschner1-1/+5
Guenther (This used to be commit 34b29c30b2f4b5a3c40a65ca8338c87a4c16f3ff)
2007-10-10r15411: Small debug fixes for the PAM module.Günther Deschner1-2/+2
Guenther (This used to be commit 1856dc0f52b2a2ba2e59f1a7a77ccd32c27928c0)
2007-10-10r15399: Fix the build, sorry, Jerry :)Günther Deschner1-2/+2
Guenther (This used to be commit cc800ced60e5e6bbd923a3a0b7d58650c6e14121)
2007-10-10r15398: Attempt to send the correct warning when a password change was attemptedGünther Deschner3-13/+38
too early. Guenther (This used to be commit 7f64a66d25f2a4aa48c2639da8e783c1759c5dd4)
2007-10-10r15396: Cleanup credential caches from winbind's linked list.Günther Deschner2-1/+18
Guenther (This used to be commit 7420b095077689fee4b5c9fb76cdb6533be1d465)
2007-10-10r15307: Ignore builtin groups we're a member of on the DC as those membershipsGünther Deschner1-1/+6
are not valid locally. Guenther (This used to be commit 177da7754b53348d8754d46098dbd11300234bb5)
2007-10-10r15306: Be consistent between rpc and ads winbind backend: let the ads backendGünther Deschner3-20/+60
query the samlogon cache first as well. Guenther (This used to be commit aa52b11dd450ca3ec1f156e17822b1c4971ef915)
2007-10-10r15305: Let winbind search by sid directly (or in windows terms: "bind to aGünther Deschner1-6/+16
sid"); works in all AD versions I tested. Also add "net ads sid" search tool. Guenther (This used to be commit 5557ada6943b817d28a5471c613c7291febe2ad5)
2007-10-10r15244: Fix debug typo.Günther Deschner1-1/+1
Guenther (This used to be commit 01787bd45b4186d3e997f750b08c50df9d3cbbe1)
2007-10-10r15240: Correctly disallow unauthorized access when logging on with theGünther Deschner2-0/+2
kerberized pam_winbind and workstation restrictions are in effect. The krb5 AS-REQ needs to add the host netbios-name in the address-list. We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from the edata of the KRB_ERROR but the login at least fails when the local machine is not in the workstation list on the DC. Guenther (This used to be commit 8b2ba11508e2730aba074d7c095291fac2a62176)
2007-10-10r15229: Save useless roundtrips in pam_auth (fallback to samlogon) when we knowGünther Deschner1-1/+3
that the DC is not available. Guenther (This used to be commit 77407c021997db1b2a86ca26a5d125fa6b782949)
2007-10-10r15228: Fix -n winbind option which has become meaningless with the persistentGünther Deschner1-0/+6
cache. Guenther (This used to be commit e85558f4a457609f3661446dad8134e80f10bbe6)
2007-10-10r15175: Try to get Stratus VOS back to build. Thanks, Paul.Volker Lendecke1-0/+1
Volker (This used to be commit 74511aed221d7f9856fed7532f24c789c49c8175)
2007-10-10r15174: Check in Ronan Waide's wbinfo -i. Thanks :-)Volker Lendecke1-0/+40
Volker (This used to be commit c4cdb8086a3aa8a2e1f724e70616143adfea6e87)
2007-10-10r15160: Fix from William Jojo I thought had already been added (butJeremy Allison1-8/+6
hadn't). Jeremy. (This used to be commit dcbece8254e5de861d04b691d733616fc25cd585)
2007-10-10r15150: Adding winbind debug class to the main daemon.Günther Deschner1-0/+3
Guenther (This used to be commit 37d03695c6fb4aa02522c1739b9783c5dc7bf735)