path: root/source3/nsswitch
Age | Commit message | Author | Files | Lines
2004-03-04 | BUG 848: don't create winbind local users/groups that already exist in the tdb | Gerald Carter | 1 | -3/+16
(This used to be commit 00c998c5030560d096d7f3c0f9d89ce18e2d006b)
2004-03-02 | This adds winbind-generated groups showing up in 'getent group'. It is not | Volker Lendecke | 3 | -0/+141
very efficient though, it only does one group at a time. Needs improving, but the structures are not particularly easy to set up, so check in the basically working part for others to review. I'm close to saying that I would like to remove aliases from general group mapping. These can not be reflected correctly in /etc/group, winbind could do a better job here. And having aliases only on machines with nss_winbind at least for me is not a too severe limitation. Comments? Volker (This used to be commit 6cad5bcc280c2964473346cc467423a44cc6a5c2)
2004-03-02 | Expand aliases for winbind-generated groups. | Volker Lendecke | 1 | -0/+154
Do:
  wbinfo -C alias
  net groupmap set alias alias -L
  net rpc group addmem alias DOMAIN\\group -S localhost -Uroot%secret
  getent group alias
And hopefully the members of domain\\group show up :-) Still have to get them to show up in 'getent group'. Volker (This used to be commit 18e48190838907a29347d471e81945257f540aa7)
2004-03-01 | Add aliases to winbindd_getgroups(). | Volker Lendecke | 1 | -29/+29
su - WINDOWS\\vl now includes the locally defined aliases I'm member of. Next will be getent group. Volker (This used to be commit 52dae45684317ac8ac529017607bb5787dda7c50)
2004-02-10 | fix more compiler warning after the latest static rampage | Gerald Carter | 1 | -28/+28
(This used to be commit 98d9278c81ede2a931a2c2c8371c0499601a1457)
2004-02-08 | (merge from 3.0) | Andrew Bartlett | 1 | -2/+2
Add more static... Andrew Bartlett (This used to be commit 6391e2cc8e5b224c002b57ce615b9b8052eeb346)
2004-02-08 | (merge from 3.0) | Andrew Bartlett | 1 | -1/+1
nsswitch/winbindd_util.c: add static smbd/uid.c: remove unused function Andrew Bartlett (This used to be commit 4822a3f73610f6e468c447f1282246f13a378cde)
2004-02-08 | (merge from 3.0) | Andrew Bartlett | 1 | -1/+1
Make more functions static, and remove duplication in the use of functions in lib/smbpasswd.c that were exact duplicates of functions in passdb/passdb.c (These should perhaps be pulled back out to smbpasswd.c, but that can occur later). This also includes some >14 character password changes, and the start of a move away from using 'admin user' to determine if the user is root (as root can login without setting 'admin user'). Andrew Bartlett (This used to be commit be0704abb919152c359a735023283acbf9be3076)
2004-02-02 | Merge from 3.0. | Jeremy Allison | 1 | -3/+3
Jeremy. (This used to be commit 5c5545bd44cdaf4a0b75b0c1c22dd74bb278a6a5)
2004-02-02 | (merge from 3.0) | Andrew Bartlett | 1 | -2/+0
Remove duplicate comment. Andrew Bartlett (This used to be commit 841766bcbddbbe5e18d1b7989e54c85ab97715f5)
2004-02-02 | janitor duty (merges from 3.0) and cleanup compiler warning on SuSE 9 in the end mapper code | Gerald Carter | 2 | -2/+140
(This used to be commit 902d4a647a88d1def09d5b1eacb06ab1561f3dec)
2004-01-29 | updated the head branch as well | Andrew Tridgell | 1 | -148/+778
(This used to be commit 467a58af346b30291b69b5d8da7f1b21d518fc1d)
2004-01-29 | Remove an unused parameter in winbindd (reload_services_file) | Richard Sharpe | 1 | -4/+3
(This used to be commit 9a81094a0f0ca5c209f640c48b77522e5f81d28e)
2004-01-26 | (merge from 3.0) | Andrew Bartlett | 1 | -8/+2
This adds client-side support for the unicode/SAMR password change scheme. As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 8063b8b6c2eb30cb116988e265fb289109d7c348)
2004-01-23 | Fix typo | Volker Lendecke | 1 | -2/+1
(This used to be commit f83606a058b934309bf1b2075747f504eb38575d)
2004-01-15 | BUG 936: fix bind credentials for schannel binds in smbd (and add a comment to winbindd_cm about this | Gerald Carter | 1 | -3/+3
(This used to be commit c1174cf57b1b6fad03de23f6a4ff952671dc87d7)
2004-01-14 | Fix initgroups() call nss_winbind on solaris; patch from John Klinger <john.klinger@lmco.com> | Gerald Carter | 1 | -0/+16
(This used to be commit c4d58ec5d5c2b8947824d78639a7e9e615e2a400)
2004-01-14 | * Revert to using rpc for mixed mode AD domains. | Gerald Carter | 1 | -3/+9
The reasons for this are:
(a) the set_dc_type_and_flags() cannot tell the difference between connecting to an NT4 domain and an NT4 BDC of a mixed mode domain.
(b) the connection management for the rpc backend only provides one named pipe per cli_state. So it is possible to connect to an NT4 BDC for netlogon and an AD mixed mode DC for lsarpc. RPC is the lowest common denominator here.
(c) Issue with the sequence number value between the highestCommittedUSN LDAP attribute and the seq_num returned via RPC. We will revisit this later, but the changes needed to make this work right now are too broad and risky. (This used to be commit 86f24908c395cc832ae87b04c9da3d32449acad3)
2004-01-13 | sync HEAD with recent changes in 3.0 | Gerald Carter | 15 | -128/+298
(This used to be commit c98399e3c9d74e19b7c9d806ca8028b48866931e)
2004-01-11 | update copyright to -2004 | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit fcb3c9c61ecd787b8d3e5a53ee8f9e04daae76fe)
2004-01-09 | fix some warnings from the Sun compiler; also merge some of abartlet's error code changes from 3.0 | Gerald Carter | 1 | -1/+1
(This used to be commit 2279e98cb81faaf8a4e971fec339955f14c23858)
2004-01-08 | fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() reply | Gerald Carter | 1 | -3/+2
(This used to be commit 36d985a75faa5ebda1c8c7de1e3ab5d7a51a9c10)
2004-01-06 | remove unused seek_file(); don't hardcode '\' when printing the auth-user | Gerald Carter | 1 | -1/+1
(This used to be commit 175c5c9faa8c1cb3577eb96598434e6097d408c7)
2004-01-06 | Merge winbind from Samba 3.0 onto HEAD. | Andrew Bartlett | 18 | -14/+309
Changes include:
 - header changes for better pre-compiled headers (tridge)
 - get a list of sids for a given user (tridge)
 - fix function prototype and a few other minor things
Andrew Bartlett (This used to be commit 60107efdc61247034424d008c6f1eb4d46a19881)
2004-01-06 | (merge from 3.0) | Andrew Bartlett | 1 | -2/+2
Ensure that for wbinfo --set-auth-user, we actually use the domain. Andrew Bartlett (This used to be commit 8a63bed29315acb3fe9cc2973426ef8392987c8c)
2004-01-06 | (merge from 3.0) | Andrew Bartlett | 3 | -13/+22
Try to keep vl happy - shorten some of these lines.
--
Grumble... grumble... fix the build...
--
Show the sid type in name->sid translations in a way that can be easily understood by humans.
Andrew Bartlett (This used to be commit c5d1e2112baa7d87cd6b9f0855c2fd8b006af01d)
2004-01-06 | (merge from 3.0) | Andrew Bartlett | 6 | -102/+127
Change our Domain controller lookup routines to more carefully separate DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 4c3bd0a99e464198d243da302ff1868189b4dcff)
2004-01-06 | (merge from 3.0) | Andrew Bartlett | 1 | -3/+3
Add const. Andrew Bartlett (This used to be commit b08502a8fb1083cc49fd2976880b7bef3f14a72a)
2004-01-05 | rpc_client/cli_lsarpc.c: | Andrew Bartlett | 3 | -77/+37
rpc_parse/parse_lsa.c:
nsswitch/winbindd_rpc.c:
nsswitch/winbindd.h:
 - Add const
libads/ads_ldap.c:
 - Add ads_sid_to_dn utility function
nsswitch/winbindd_ads.c:
 - Use new utility function ads_sid_to_dn
 - Don't search for 'dn=', rather call the ads_search_retry_dn()
nsswitch/winbindd_ads.c:
include/rpc_ds.h:
rpc_client/cli_ds.c:
 - Fixup braindamage in cli_ds_enum_domain_trusts():
 - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy()
 - Create a new structure that represents this information in a useful way and use talloc.
Andrew Bartlett (This used to be commit 627d33d1667f0d4b1070f988494885b74c4c04dd)
2004-01-05 | (merge from 3.0) | Andrew Bartlett | 1 | -22/+72
Fix for bug 707, getent group for huge ads groups (>1500 members)
This introduces range retrieval of ADS attributes.
VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN.
I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic.
In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be.
Andrew Bartlett (This used to be commit 08e851c7417d52a86e31982fcfce695c8a6360b7)
2004-01-05 | (merge from 3.0) | Andrew Bartlett | 1 | -0/+7
Having no members of a group is a perfectly valid (if unusual) situation. Andrew Bartlett (This used to be commit bc77b586be6992a662422304dbefbd4b833818fb)
2004-01-05 | (merge from 3.0) | Andrew Bartlett | 2 | -16/+36
Changes to our PAM code to cope with the fact that we can't handle some domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 06b4eb4b9f867998c8faf9a91830ba3181cdf605)
2004-01-05 | (merge from 3.0) | Andrew Bartlett | 2 | -15/+66
auth/auth_util.c:
 - Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occur in reality, hence why we missed the typo.
lib/charcnv.c:
lib/smbldap.c:
libads/ldap.c:
libsmb/libsmbclient.c:
printing/nt_printing.c:
 - all the callers to pull_utf8_allocate() pass a char ** as the first parameter, so don't make them all cast it to a void **
nsswitch/winbind_util.c:
 - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns strip the domain portion.
 - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is manipulated inside a procedure that uses its former value. Instead, use the fact that our local domain is always the first in the list.
--
Jerry rightly complained that we can't assume that the first domain is our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean).
--
Forgot to commit this for the 'get our primary domain' change.
Andrew Bartlett (This used to be commit acacd27ba25f7ebfec40bfa66d34ece543569e23)
2004-01-05 | (merge from 3.0) | Andrew Bartlett | 2 | -0/+27
Try to gain a bit more consistency in the output of usernames from ntlm_auth: Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswitch does - following the rules of 'winbind use default domain', in the correct case and with the correct separator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames.
--
Get the DOMAIN\username around the right way (I had username\domain...) Push the unix username into utf8 for its trip across the socket.
Andrew Bartlett (This used to be commit 4c2e1189ff84d254f19b604999d011fdb17e538d)
2004-01-04 | Commit the translation of the realm to the netbios domain name in the kerberos | Volker Lendecke | 4 | -0/+85
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit d32f47fedcff3fdf46f42926d1cd84433e7ab487)
2004-01-03 | And yet another const | Volker Lendecke | 1 | -1/+1
Volker (This used to be commit 6121a866659c3b81e790a79432b6d89d7865fbd3)
2004-01-01 | After talking with abartlet remove the fix for bug 707 again. | Volker Lendecke | 1 | -48/+21
Volker (This used to be commit a2e384262d0203772a6237b566c294f15bfd8948)
2004-01-01 | Fix for bug 707, getent group for huge ads groups (>1500 members) | Volker Lendecke | 1 | -21/+48
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit a2aa6e41e552abfb6d1056ab3a7c75e8fd0a150c)
2003-12-11 | fixed bad formal parameter type in get_static(); patch Andy Polyakov | Gerald Carter | 1 | -1/+1
(This used to be commit 67d893701f09f29e8af56cd98f04131658b39713)
2003-12-09 | working on packaging; also fixed some path issues in configure.in & Makefile.in | Gerald Carter | 1 | -2/+2
(This used to be commit c16e51bfaf59b2d5b1b800ee272ac45b13b9a9fc)
2003-11-27 | use samr_dispinfo(level == 1) for enumerating domain users so we can include the full name in gecos field; bug 587 | Gerald Carter | 1 | -17/+34
(This used to be commit 5482ff71729b623c4561e42b82467bf2d5d64082)
2003-11-26 | Merge from 3.0: | Andrew Bartlett | 2 | -3/+5
 - NTLM2 fixes, don't force NTLM2
 - Don't use NTLM2 for RPC, it doesn't work yet
 - Add comments to winbindd_pam.c
 - Merge 64 bit fixes and better debug messages in winbindd.c
Andrew Bartlett (This used to be commit ba94e4a1ab6dc3335bbb29686ca6795d0ffad5b0)
2003-11-22 | (merge from 3.0) | Andrew Bartlett | 2 | -5/+10
Changes all over the shop, but all towards:
 - NTLM2 support in the server
 - KEY_EXCH support in the server
 - variable length session keys.
In detail:
 - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade).
   * This is known as 'NTLMv2 session security' *
   (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particularly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.)
   This requires modifications to our authentication subsystem, as we must handle the 'challenge' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this.
 - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly.
 - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend.
 - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation.
 - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever.
 - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES.
   * This fix allows SMB signing on machines not yet running MIT KRB5 1.3.1. *
 - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues.
 - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate)
REMEMBER to make clean after this commit - I have changed plenty of data structures...
Andrew Bartlett (This used to be commit 57a895aaabacc0c9147344d097d333793b77c947)
2003-11-07 | fix for bug 680 (heads up). The gist is to map the | Gerald Carter | 1 | -25/+215
UNIX entity foo to DOMAIN\foo instead of SERVER\foo on members of a Samba domain when all UNIX accounts are shared via NIS, et. al.
 * allow winbindd to match local accounts to domain SID when 'winbind trusted domains only = yes'
 * remove code in idmap_ldap that searches the user suffix and group suffix. It's not needed and provides inconsistent functionality from the tdb backend.
This has been tested. I'm still waiting on some more feedback but this needs to be in 3.0.1pre2 for widespread use. (This used to be commit cac4723e206bd001882011c9e12327064d032268)
2003-11-05 | Merge of setenv->putenv for winbind client. | Tim Potter | 1 | -4/+10
(This used to be commit a26d425f93e43641195d0aaf0f9ce5ef0e69f5e1)
2003-11-03 | Fix for winbindd on HPUX from albert chin (china@thewrittenword.com) | Jeremy Allison | 1 | -4/+2
Jeremy. (This used to be commit c2f38eb66578affb50cb15c73b297fb866be140b)
2003-10-31 | set- set-assword when invoking --set-auth-user and no pw | Gerald Carter | 1 | -2/+7
is given (patch from Tom Dickson) (This used to be commit aa2abd5800856120ddec6937955e961ff0c77c96)
2003-10-22 | Put strcasecmp/strncasecmp on the banned list (except for needed calls | Jeremy Allison | 2 | -5/+5
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit 5c050a735f86927c7ef2a98b6f3a56abe39e4674)
2003-10-21 | Merge tridge's AIX fixes. | Jeremy Allison | 1 | -249/+231
Jeremy. (This used to be commit 96cefb4542debd8902d9bc0cd09bb01c7a41cc69)
2003-10-16 | Remove DEBUG statement from wb_common.c as it should not be there. | Richard Sharpe | 1 | -2/+0
(This used to be commit 51f12170affd87cdff23118ed16f85dd97914f0c)