summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2004-01-29completely rewrote the AIX UESS backend (UESS is the AIX equivalent ofAndrew Tridgell1-148/+778
NSS). This time I think I've actually got it right. I wrote a fairly good test suite for UESS modules (similar to nsstest.c) that allowed me to explore how the modules supplied with AIX actually work. This new module also incorporates authentication features, so you don't need a PAM module at all. Just install this UESS module and authentication will "just work". It also handles password change, so /usr/bin/passwd can be used to change windows password. (This used to be commit d62cb9454e310d2baeea0077dad4ba9382ba06cd)
2004-01-29Remove an unused parameter from reload_services_file.Richard Sharpe1-4/+3
(This used to be commit 0032c3f46aaef065e95d987dc0506016aabbe644)
2004-01-26This adds client-side support for the unicode/SAMR password change scheme.Andrew Bartlett1-8/+2
As well as avoiding DOS charset issues, this scheme returns useful error codes, that we can map back via the pam interface. This patch also cleans up the interfaces used for password buffers, to avoid duplication of code. Andrew Bartlett (This used to be commit 2a2b1f0c872d154fbcce71a250e23dfad085ba1e)
2004-01-23Fix typoVolker Lendecke1-2/+1
(This used to be commit 09a30014233f111fe978effb12ecb2f88b710cb5)
2004-01-16Commit sid<->[ug]id extensions to libnss_winbind.so on Linux, as well as aVolker Lendecke1-0/+138
factored-out nss_winbind.[ch]. I took tridge's public domain license comment for the nss_winbind.[ch]. This is probably not the last word on that extension, but as it is quite non-intrusive to the main samba code, I would like to give it a start. Volker (This used to be commit da5944129fad39010544b82649dfe5531a504ecf)
2004-01-15And another memory corruption in winbind. Arg 3 of safe_strcpy does notVolker Lendecke1-1/+1
include the terminating 0. Volker (This used to be commit 945c7807641e82500c84e833f03f381497f0a2d0)
2004-01-15Fix a segfault in winbindd. Calling getusersids with a SID that results in 0Volker Lendecke1-1/+1
groups winbind ended up freeing an uninitialised pointer. Volker (This used to be commit cd89288e21ba13a9e97c548eccc15cef21a98d07)
2004-01-15BUG 936: fix bind credentials for schannel binds in smbd (and add a comment ↵Gerald Carter1-3/+3
to winbindd_cm about this (This used to be commit 5134c6bcbc5180431e95a30559c453f3744fd427)
2004-01-14Fix initgroups() call nss_winbind on solaris; patch from John Klinger ↵Gerald Carter1-0/+16
<john.klinger@lmco.com> (This used to be commit 40b7d863dc246ea23ff3d9cdc167f1fb96166e1d)
2004-01-14* Revert to using rpc for mixed mode AD domains.Gerald Carter1-3/+9
The reason for this are: (a) the set_dc_type_and_flags() cannot tell the different between connecting to an NT4 domain and an NT4 BDC of a mixed mode domain. (b) the connection management for the rpc backend only provides on named pipe per cli_state. So it is possible to connect to an NT4 BDC for netlogon and an AD mixed mode DC for lsarpc. RPC is the lowest common demonimator here. (c) Issue with the sequence number value between the highestCommittedUSN LDAP attribute and the seq_num returned via RPC. We will revisit this later, but the changes need to make this work right now are too broad and risky. (This used to be commit 1ed2e521536108229d153c2996f4757d89461166)
2004-01-14Remove duplicate comment.Andrew Bartlett1-2/+0
Andrew Bartlett (This used to be commit b0b2010461d8554334b033c4f07d78c308e73e7f)
2004-01-12fixing compile problems due to my recent ads.h changesGerald Carter1-1/+1
(This used to be commit d7b6298b9e4e7f83deaa2c6f3d711c390ff9cefd)
2004-01-11update copyright to -2004Stefan Metzmacher1-1/+1
metze (This used to be commit 12d6bc3bd0684646e990c2fc6485fe1a92ac98fb)
2004-01-08Use StrCaseCmp, not strcasecmp. Should fix winbind build on IRIXJelmer Vernooij1-2/+2
(This used to be commit 65b01f67d5725bc54e6bc19b6e84beef38e372f8)
2004-01-08fix segfault when sid_ptr == 0 in DsEnumDomainTrusts() replyGerald Carter1-3/+2
(This used to be commit ba9dc0d9fd3e30a7ddf97b6a4df753db7ba12cc1)
2004-01-08fix a seg fault caused by abartlet's last checkin; there's no way this could ↵Gerald Carter1-1/+1
have been tested against an NT4 DC (This used to be commit 8e8a351cabb502f1a93b219fec064fb4eb094856)
2004-01-08use SAFE_FREE(), not free().Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 595dee660742f8bd5770a5f7aaf3a5d1987dbcfa)
2004-01-08This merges in my 'always use ADS' patch. Tested on a mix of NT and ADSAndrew Bartlett9-36/+146
domains, this patch ensures that we always use the ADS backend when security=ADS, and the remote server is capable. The routines used for this behaviour have been upgraded to modern Samba codeing standards. This is a change in behaviour for mixed mode domains, and if the trusted domain cannot be reached with our current krb5.conf file, we will show that domain as disconnected. This is in line with existing behaviour for native mode domains, and for our primary domain. As a consequence of testing this patch, I found that our kerberos error handling was well below par - we would often throw away useful error values. These changes move more routines to ADS_STATUS to return kerberos errors. Also found when valgrinding the setup, fix a few memory leaks. While sniffing the resultant connections, I noticed we would query our list of trusted domains twice - so I have reworked some of the code to avoid that. Andrew Bartlett (This used to be commit 7c34de8096b86d2869e7177420fe129bd0c7541d)
2004-01-08Move more of winbind to use 'find_our_domain()' rather than the dangerousAndrew Bartlett5-48/+38
find_domain_from_name(lp_workgroup()). (as find_domain_from_name() can change the data in lp_workgroup()) Andrew Bartlett (This used to be commit 2e6eaad9ce6a0ad6923b5952ef6cf1c3688b7cfa)
2004-01-08The correct test for 'is our primary domain' is domain->primaryAndrew Bartlett1-1/+1
(This used to be commit 703f101136b8e9bbc16f57a37cd9d9d739606a84)
2004-01-07Machines are people too!Andrew Bartlett4-34/+23
While machine accounts cannot use an NTLM login (NT4 style), they are otherwise full and valid members of the domain, and expect to be able to use kerberos to connect to CIFS servers. This means that the LocalSystem account, used by various services, can perform things like backups, without the admin needing to enter further passwords. This particular issue (bug 722) has started to come up a lot on the lists. I have only enabled it for winbindd-based systems, as the macros use use to call the 'add user script' will strip the $ from the username for security reasons. Andrew Bartlett (This used to be commit 6a9bbd1da3bb961d24e74348fa0b68574022855f)
2004-01-07Don't duplicate pulling the 'IPC' username from secrets.tdb, insteadAndrew Bartlett1-6/+6
just use one function for both places. Andrew Bartlett (This used to be commit 85da181e8a0ade839f6d595fabdf4cea606f82e1)
2004-01-06remove unused seek_file(); don't hardcode '\' when printing the auth-userGerald Carter1-1/+1
(This used to be commit fac5e05ca1b56cb6e3ab6537d0848fa373c00831)
2004-01-06Ensure that for wbinfo --set-auth-user, we actually use the domain.Andrew Bartlett1-2/+2
Andrew Bartlett (This used to be commit 93a5d8079a0291be14517e437f8f0c964c21e91d)
2004-01-05Fix warningVolker Lendecke1-1/+1
Volker (This used to be commit 541e6998a06ac523ad794b10f4e7a46951a06726)
2004-01-05shorten some more lines.Andrew Bartlett1-7/+14
(This used to be commit 7e5855dfd27ed9ec1fa924986f1ba02632a0d5a0)
2004-01-05Grumble... grumble... fix the build...Andrew Bartlett1-5/+7
(This used to be commit 687aececa66c2c1ba8e5bc3127d8ca79a97436d1)
2004-01-05Show the sid type in name->sid translatons in a way that can be easilyAndrew Bartlett1-1/+1
understood by humans. Andrew Bartlett (This used to be commit 3d91b0a0060f18d49b2fdd9f93ef310e2ea7779d)
2004-01-05Change our Domain controller lookup routines to more carefully seperateAndrew Bartlett6-102/+127
DNS names (realms) from NetBIOS domain names. Until now, we would experience delays as we broadcast lookups for DNS names onto the local network segments. Now if DNS comes back negative, we fall straight back to looking up the short name. Andrew Bartlett (This used to be commit 32397c8b01f1dec7b05140d210bb32f836a80ca6)
2004-01-05Add const.Andrew Bartlett1-3/+3
(This used to be commit aacb817e89d17349003159e1b7c28546babc8559)
2004-01-05rpc_client/cli_lsarpc.c:Andrew Bartlett3-77/+37
rpc_parse/parse_lsa.c: nsswitch/winbindd_rpc.c: nsswitch/winbindd.h: - Add const libads/ads_ldap.c: - Cleanup function for use nsswitch/winbindd_ads.c: - Use new utility function ads_sid_to_dn - Don't search for 'dn=', rather call the ads_search_retry_dn() nsswitch/winbindd_ads.c: include/rpc_ds.h: rpc_client/cli_ds.c: - Fixup braindamage in cli_ds_enum_domain_trusts(): - This function was returning a UNISTR2 up to the caller, and was doing nasty (invalid, per valgrind) things with memcpy() - Create a new structure that represents this informaiton in a useful way and use talloc. Andrew Bartlett (This used to be commit 06c3f15aa166bb567d8be0a8bc4b095b167ab371)
2004-01-05Fix for bug 707, getent group for huge ads groups (>1500 members)Andrew Bartlett1-22/+72
This introduces range retrieval of ADS attributes. VL rewrote most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. I rewrote that patch, to ensure that we can keep an eye on the USN (sequence number) of the entry - this allows us to ensure the read was atomic. In particular, the range retrieval is now generic, for strings. It could easily be made generic for any attribute type, if need be. Andrew Bartlett (This used to be commit 131bb928f19c7b1f582c4ad9ac42e5f3d9dfb622)
2004-01-05We can't possilby get 'ok' here, as the if statement above just checked for it.Andrew Bartlett1-2/+0
(This used to be commit cf4454969434d3026c57ac11c0528dc4cea9c77a)
2004-01-04Commit the translation of the realm to the netbios domain name in the kerberosVolker Lendecke4-0/+85
session setup. After talking to jht and abartlet I made this unconditional, no additional parameter. Jerry: This is a change in behaviour, but I think it is necessary. Volker (This used to be commit 3ce6c9f27368cfb278007fe660a0e44a84d67f8f)
2004-01-03And yet another constVolker Lendecke1-1/+1
Volker (This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
2004-01-02Under certain error conditions (a talloc() failure above) this would causeAndrew Bartlett1-2/+0
a double-free(), and the resultant malloc heap corruption. This may be one of our lurking winbind segfaults. Andrew Bartlett (This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
2004-01-02Having no members of a group is a perfectly valid (if unusual) situation.Andrew Bartlett1-0/+7
Andrew Bartlett (This used to be commit 3f6d0cd3a83bc75922cb125ffe2b0127c8aa417b)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-48/+21
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-21/+48
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett2-16/+36
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-31Forgot to commit this for the 'get our primary domain' change.Andrew Bartlett1-0/+1
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
2003-12-31Jerry rightly complained that we can't assume that the first domain isAndrew Bartlett1-3/+21
our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). Andrew Bartlett (This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
2003-12-31auth/auth_util.c:Andrew Bartlett1-14/+46
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-3/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett2-0/+27
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-23Fix typo.John Terpstra1-1/+1
(This used to be commit 46b2fb4db5c7e273a9b43c59340a0a47ade5bd5e)
2003-12-11fixed bad formal parameter type in get_static(); patch Andy PolyakovGerald Carter1-1/+1
(This used to be commit 9c70e4b44e0dda8f2af4172b928437bd9d3e8b7c)
2003-12-04fix debug messageGerald Carter1-2/+2
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)
2003-11-27Correct freebsd 5.1 support for winbind contributed by Aaron Collins.Tim Potter1-0/+81
Let the build farm chew on it for a bit. (This used to be commit 41e4b036dff0af7be69bf95ea3d64dfccd3a4b8e)
2003-11-27use samr_dispinfo(level == 1) for enumerating domain users so we can include ↵Gerald Carter1-17/+34
the full name in gecos field; bug 587 (This used to be commit 329065d7cddb52c52667c93e0a0218c0e89938be)