Age | Commit message | Author | Files | Lines |
|
* make debug_state also configurable from the config file
* minor code cleanup
Guenther
(This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
|
|
Guenther
(This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
|
|
Jeremy, we really can't do that. There are setups with hundred and more
trusted domains out there, I have one customer who tells me it takes
more than half an hour for him after winbind is up and running. That
request registers the check_domain_online_handler which in turn forks
off the child immediately. Also discussed with Volker.
Guenther
(This used to be commit ccd4812c0b436a12b809668d09c5681111125f3d)
|
|
Jerry, the switch statement must ignore the PAM_SILENT flag.
Guenther
(This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
|
|
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
|
|
(This used to be commit af5a2fa9eccf753106cd944be31f38845363ace6)
|
|
* Remove another check for PAM_SILENT that prevents logging to syslog
* Add missing check for TRY_FIRST_PASS when using authtok (missed
from previous merge)
(This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
|
|
Details: Improve PAM logging
- The improved logging is for tracking down PAM-related bugs
- PAM_SILENT was being mis-used to suppress syslog output instead of
suppressing user output. This lets PAM_SILENT still log to syslog.
- Allow logging of item & data state via debug_state config file option.
- Logging tracks the pam handle used.
(This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
|
|
Details: Reset the "new password prompt required" state whenever
we do a new auth. In more detail, in pam_sm_authenticate, if not
setting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially
present PAM_WINBIND_NEW_AUTHTOK_REQD.
(This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
|
|
Patch details:
Support most options in pam_winbind.conf; support comma-separated names in
require-membership-of. Details below:
1) Provides support for almost all config options in pam_winbind.conf
(all except for use_first_pass, use_authtok, and unknown_ok).
- That allows us to work well when invoked via call_modules from
pam_unix2.conf as well as allowing use of spaces in names used
w/require_membership_of.
2) Support for comma-separated list of names or SID strings in
require_membership_of/require-membership-of.
- Increased require_membership_of field in winbind request from fstring
(256) to pstring (1024).
- In PAM side, parse out multiple names or SID strings and convert
all of them to SID strings.
- In Winbind side, support membership check against multiple SID strings.
(This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)
|
|
problems in the nss_info interface when HAVE_LDAP is undefined.
* Revert previous ifdef HAVE_ADS brackets
* Remove an unused init function wrapper.
(This used to be commit 2ba353848b6d8d36520e7fd82576653a39c602cd)
|
|
(This used to be commit 8052a18f29d32f37c52868b17143af8d76bf5e6e)
|
|
(This used to be commit 8c23158f053b181421cb6206db7c8030ddcc2cea)
|
|
(This used to be commit 7011a1b5abc7d56da5beba904e3328014f315f0d)
|
|
This allows a provider to supply the homedirectory, etc...
attributes for a user without requiring support in core
winbindd code. The idmap_ad.c module has been modified
to provide the idmap 'ad' library as well as the rfc2307 and sfu
"winbind nss info" support.
The SID/id mapping is working in idmap_ad but the nss_info
still has a few quirks that I'm in the process of resolving.
(This used to be commit aaec0115e2c96935499052d9a637a20c6445986e)
|
|
domain SID lookups through the struct winbindd_domain *domain_list
by searching by name.
Refactor the order lookup when searching for the correct idmap_domain
to a single function and remove the requirement that the default
domain be listed first in the config file.
I would still like to make the idmap_domain array a linked list and
remove the existing code which makes use of indexes into the list.
Basic testing with tdb pans out ok.
(This used to be commit e6c300829ff08dd354f6e9460d396261681e4809)
|
|
Jeremy.
(This used to be commit 018d7805b5ecb17e21e1a55b6cc65efaab4b3f63)
|
|
Jeremy.
(This used to be commit a2222a565c658fe5154d9321edab69a95ddeed15)
|
|
(This used to be commit e635bad00ecf083c34da339e3616c945a140e478)
|
|
change fails due to policy settings whereas 2003 (the chgpasswd3()
request) fails with NT_STATUS_PASSWORD_RESTRICTION. Thunk down
to the same return code so we correctly retrieve the password policy
in both cases.
(This used to be commit 262bb80e9cf7fb6dbf93144ae0b939c84ec0ea04)
|
|
the stored client sitename with the sitename from each successful CLDAP
connection.
Guenther
(This used to be commit 6a13e878b5d299cb3b3d7cb33ee0d51089d9228d)
|
|
ask for the list of DCs twice.
Guenther
(This used to be commit a9baf27e1348dd6dadd7a2fafdf9c269087b80ac)
|
|
site support in a network where many DC's are down.
I heard via Volker there is still a bug w.r.t the
wrong site being chosen with trusted domains but
we'll have to layer that fix on top of this.
Gd - complain if this doesn't work for you.
Jeremy.
(This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
|
|
Guenther
(This used to be commit fb730e1e7bb83d7dcf8a78302268e384fb9676ee)
|
|
This adds a struct event_context and infrastructure for fd events to smbd. This
is step zero to import lib/events.
Jeremy, I rely on you to watch the change in receive_message_or_smb()
closely. For the normal code path this should be the only relevant change. The
rest is either not yet used or is cosmetic.
Volker
(This used to be commit cd07f93a8aecb24c056e33b1ad3447a41959810f)
|
|
so that
in the next step we can store them in LDAP to be replicated across DCs.
Thanks to Michael Adam <ma@sernet.de>
Volker
(This used to be commit 3c879745cfc39be6128b63a88ecdbfa3d9ce6c2d)
|
|
This change is needed to make it possible to not expire
caches in disconnected mode.
Jerry, please can you look at this and confirm it is ok?
Simo.
(This used to be commit 9e8715e4e15d9cede8f4aa9652642995392617e6)
|
|
(This used to be commit c16ce9ebaab0175e7f1dc13798d5599388fa35d6)
|
|
(This used to be commit 1ef910f423a9ec69af6abf5a4e2137e8a4e81755)
|
|
In case a user authenticated successfully and his password just expired
while being disconnected, we should allow a user to logon (given a
clear warning). We currently forced the user into a password change
dialogue in that scenario; this did not make much sense while offline.
Guenther
(This used to be commit 668b278653acfc4de7807834988f7af557e608a5)
|
|
We were incorrectly calculating the days until the password expires and
we also need to look at the info3 pass_must_change_time for expiry
calculation.
Guenther
(This used to be commit 22d79237127a064a934928d175182adecc6300de)
|
|
non-existing krb5 credential cache should not generate an error.
Guenther
(This used to be commit 11c6f573af5c1d3387e60f3fc44b00e28cd87813)
|
|
Jeremy.
(This used to be commit 68c4fbcf3397d6c43a3e5809b20a23116b1f8a31)
|
|
(This used to be commit 25c4ebb55f425816e033491138f1216125de6edb)
|
|
the child domain cannot always resolve SIDs in sibling domains.
Windows tries to contact a DC in its own domain and then the root
domain in the forest. This async change makes winbindd's name2sid()
call do the same.
(This used to be commit 7b2bf0e5a6b8d4119657c7a34aa53c9a0c1d5723)
|
|
(This used to be commit f103c301b18f2eeb5203634cb6b50fa79f57a93b)
|
|
after its child died unexpectedly whilst the parent
was waiting for a reply. We need to clean up the request
we're not going to service, plus we still need to call
the continuation function with a "False" flag so it
can clean things up. Still testing this, but I think
I'm right.
Jeremy
(This used to be commit 9b04ac0c8104d626697978697d4d8bae791a7edd)
|
|
the network cable out of the machine *exactly*
after the init_dc_connect() call in cm_connect_sam()
or cm_connect_lsa() call succeeded but before any
of the other calls fail, and they have debug level
10 set in the log, then we'd crash due to dereferencing
a now NULL pointer (conn->cli gets set to NULL when
the init_dc_connect() call called from cm_get_schannel_dcinfo()
fails). Yes, before you ask this *did* happen on a
customer site :-).
Jeremy.
(This used to be commit a0278a0cb062500ba97e237d02f55855b68719ec)
|
|
* fail on invalid credential flags in pam_sm_setcred
* parse config file for pam_sm_acct_mgmt and pam_sm_open_session
Guenther
(This used to be commit 2a428ac814d03880de63656ea97827126ccfec5c)
|
|
only do it for our primary domain.
Jeremy.
(This used to be commit 61d31ce0089fe906d052c971321ce99fede0e240)
|
|
(This used to be commit 4920265c31e073cbc0fdbfbe42dc8e47dbadca54)
|
|
Make sure we route all requests to remote DCs via the main process
so that IDMAP can correctly reuse DC connections and use the
async interface.
This fixes also idmap_nss so that it is able to resolve local
group names (requires patch on the samba dc earlier committed
to SAMBA_3_0 to make it resolve both the mapped and the unmapped
name).
Simo.
(This used to be commit 4297510f22c3fd60afd062e3c5eb142be2122b16)
|
|
(This used to be commit ccea7155bc8c22816f2622e604e0ef76109487f1)
|
|
Jeremy: sidstr formerly could be NULL (when num_aliases was 0), since we
strdup here it needs to exist.
Guenther
(This used to be commit 29396a1bd8ebd6d951f35941b13c9c61593ae6d3)
|
|
still needs to contact the DC's for non async requests
like enumerate users/groups etc. Now that online
DC detection is tied to async events we must enable
the processing of events in the main loop of winbindd.
Finally got rid of the last hard coded domain->initialized = 1
code in init_child_recv() - now all domain->initialized = True
gets done only in the connection manager code when either
we're online and have spoken to the DC or are offline and
we know we can't talk to the DC.
Jeremy.
(This used to be commit b3c98057fbad182f6c05c5daec6cd258dd491064)
|
|
more no previous prototype warnings
(This used to be commit 41be182f78762372ae13759ede5d2bd40a71d7f5)
|
|
clean up a bunch of no previous prototype warnings
(This used to be commit c60687db112405262adf26dbf267804b04074e67)
|
|
This fixes pam password changes in the online case.
Guenther
(This used to be commit 2d2de1ac27180756df095c586211fe2e7694b94e)
|
|
ther way.
(This used to be commit 2048d491507cef1ac87da4fd2fedc458aae5a97d)
|
|
don't have a check online event handler set.
We need to add one once we've been asked to
go back online as this is the only way to actually
go into the online state. Doh ! :-).
Jeremy.
(This used to be commit 5d36c4e0313c2d735242dfdd57343372be59c6e1)
|