summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21941: Attempt to fix bug 4460Volker Lendecke1-1/+1
(This used to be commit d1b8f00c122414e532cdb3da78f84d55698cbc10)
2007-10-10r21940: Sorry Volker, I have to revert your revert in r21935.Gerald Carter3-10/+46
We can talk about this later if you still feel that strongly but I need to fix the build for now. (This used to be commit c7df0cad8257333c6a8dfd98818269a783ba7a26)
2007-10-10r21935: Revert obviously not sufficiently tested code -- sorry for the pain. ↵Volker Lendecke3-46/+10
I am afraid I was basically off the net for the day (This used to be commit 08c29abc03267b0dfb41cec3734653a536027a10)
2007-10-10r21933: Change the write_sock() call in pam_winbind_request()Gerald Carter1-1/+1
to not request a privileged pipe operation for everything as this cannot be done from a process running under the context of a user (e.g. screensaver). Thanks to Danilo Almeida <dalmeida@centeris.com> for the help in pointing out the change to write_sock(). (This used to be commit 80790f935abc8905542338b08f54d61ebacf2ff1)
2007-10-10r21927: Removed unused variable.Jeremy Allison1-1/+0
Jeremy. (This used to be commit 2d951c91a5ac9779dcb124190e3e7f86cee9efdf)
2007-10-10r21919: now that the local passdb abd BUILTIN have been blacklisted and they ↵Simo Sorce1-15/+0
always point to the passdb module, remove this comment and move the explanation in the dimap_ad man page. Simo. (This used to be commit 58d2ec00d241f0ea8f9e165518b29bd35d2dc199)
2007-10-10r21918: Reverting this change as it is now causing aborts() inGerald Carter1-6/+1
find_builtin_domain(). This all needs more testing before anyone starts changing these lookup routines again. (This used to be commit add225e1c8fef1d3ddb7fd43c1744858df45ecfd)
2007-10-10r21913: fix one bug in build 717: correctly check the return from ↵Gerald Carter1-1/+1
sid_peek_check_rid() when trying to find a matching domain (This used to be commit c63bc300376e5be10585366013449a359b0778c1)
2007-10-10r21905: RenameGerald Carter1-3/+3
idmap expire time -> idmap cache time idmap negative time -> idmap negative cache time (This used to be commit aac2d0af5e870190e99317e8e88b22a9562485b4)
2007-10-10r21887: Fix annoying bug where in a pam_close_session (or a pam_setcred with theGünther Deschner1-1/+29
PAM_DELETE_CREDS flag set) any user could delete krb5 credential caches. Make sure that only root can do this. Jerry, Jeremy, please check. Guenther (This used to be commit 947a59a849e9132631ec56b7ade09137e508d5d6)
2007-10-10r21884: * Blacklist BUILTIN and MACHINE domains from theGerald Carter1-13/+26
idmap domains as these should only be handled by the winbindd_passdb.c backend * Allow the alloc init to fail for backwards compatible configurations like idmap backend = ad idmap uid = 1000-100000 .... * Remove the deprecated flags from idmap backend, et. al. These are mutually exclusive with the new configuration options (idmap domains). Logging annoying messages about deprecated parameters is confusing. So we'll try this apprpach for now. (This used to be commit 5e30807b4e9c0211c9e2c02deee94543e8f0d855)
2007-10-10r21881: Make sure we are very specific when testing whether a backand can ↵James Peach1-1/+7
handle a particular SID. Make sure that the passdb backend will accept the same set range of local SIDs that the idmap system sends it. Simo, Jerry - this is a 3_0_25 candidate. Can you please review? (This used to be commit 86a70adb6a2d277f235857451bbee7d530d15310)
2007-10-10r21878: Fix a bug with smbd serving a windows terminal server: If winbind ↵Volker Lendecke4-11/+47
decides smbd to be idle it might happen that smbd needs to do a winbind operation (for example sid2name) as non-root. This then fails to get the privileged pipe. When later on on the same connection another authentication request comes in, we try to do the CRAP auth via the non-privileged pipe. This adds a winbindd_priv_request_response() request that kills the existing winbind pipe connection if it's not privileged. Volker (This used to be commit e5741e27c4c22702c9f8b07877641fecc7eef39c)
2007-10-10r21873: This is winbindd_pam.c, not pam_winbind.c :-)Volker Lendecke1-1/+1
(This used to be commit e1fbfbe1c49d3ff1ca71a33e66fae1f2d48fb7a7)
2007-10-10r21872: Fix a debug messageVolker Lendecke1-1/+1
(This used to be commit fcec3d1c46affbf802fb411913c8cc59c02102fa)
2007-10-10r21860: Fixes for "winbind normalize names" functionality:Gerald Carter5-5/+15
* Fix getgroups() call called using a normalized name * Fix some more name mappings that could cause for example a user to be unable to unlock the screen as the username would not match in the PAM authenticate call. (This used to be commit 505fc669a1b2c36e1639924b9639c97988056d8d)
2007-10-10r21784: Replace smb_register_idle_event() with event_add_timed(). This fixes ↵Volker Lendecke1-3/+6
winbind who did not run the idle events to drop ldap connections. Volker (This used to be commit af3308ce5a21220ff4c510de356dbaa6cf9ff997)
2007-10-10r21775: make messages more understandable - don't leave part dangling after ↵Herb Lewis1-2/+2
newline (This used to be commit f57e4f8adaa3b8cfc300ee6625fdbca968bb81d3)
2007-10-10r21704: open sockets immediately in process_loopHerb Lewis1-8/+9
(This used to be commit 51b96ba79c9e7ca7a4cdf777fe160152ab35236e)
2007-10-10r21636: Was almost right before. We have to specify the short domain name ↵Gerald Carter1-1/+1
to get the Krb5 config stuff to work in the server affinity settings. (This used to be commit 518052be38385ad089c0cb092d07ccd210a27ef3)
2007-10-10r21633: First real fix from me found during the bug hunt.Gerald Carter1-0/+8
ads_cached_connection() does not call get_dc_name() before ads_connect() and therefore does not setup the environment to look at krb5.conf.DOMAIN file before sending the TGT request. The failure I'm seeing occurs ni a multi-DC domain where we get back preuath failed after we just joined the domain. (This used to be commit 256f36dce3e3a39798b2ad38fa3123669d670597)
2007-10-10r21632: Remove ununsed variableGerald Carter1-1/+0
(This used to be commit 82dc19f844af65a8815c629e4ec1f354d208a53f)
2007-10-10r21626: Fix memory leak on error path noticed byGerald Carter1-0/+1
SATOH Fumiyasu <fumiya@samba.gr.jp> (This used to be commit d68b2910c8ba97a42b8bccc0af1341fc301a76d0)
2007-10-10r21623: Fix copy/paste errorSimo Sorce1-2/+2
(This used to be commit 0de74724289f2b78719f6675664d7376446650d0)
2007-10-10r21622: Fix bad merge caught by James.Gerald Carter1-7/+0
(This used to be commit 05886edb3559355e8cd3e3eb8999f24b64ddb3eb)
2007-10-10r21616: Delay initialization of idmap and nss_info backends until necessaryGerald Carter6-33/+193
so they can honor the offline logon state. (This used to be commit 15b13dfe81e861b94077c94b80117a85a5ffb999)
2007-10-10r21615: don't wait until the last second to try to renew a Krb5 ticket as it ↵Gerald Carter1-2/+4
is took late (This used to be commit 5575845952171aaeae81cf65fe32be33cc1b45ba)
2007-10-10r21614: The memset() called on aligned memory was causing crashesGerald Carter1-0/+11
on x86_64 Linux boxes. Since it is not needed, just use malloc() on Linux. (This used to be commit 3644bd999621e04b3fae262f172e93ea8fdcd47e)
2007-10-10r21613: perform variable subsitution on home directories and shells provided ↵Gerald Carter1-12/+13
by the nss_info backend (This used to be commit a9028612a3f614579b28f9560cc67aef90b31cf8)
2007-10-10r21612: Make pam_winbind do the same username fixup on AIX as the WINBINDDGerald Carter1-2/+32
LAM module does to work around a system that does not support >8 character usernames. Without the change, pam_winbind tries to authenticate _#uid in the domain. (This used to be commit 7f0ba72e05acbd958fbf768a04d16c29189dc8f7)
2007-10-10r21611: I'm not entirely sure about this patch but it is working.Gerald Carter1-13/+66
su - DOM\user was unable to set the process crendentials without listing the "id" and other attributes in the attrlist[]. More fixes to come, but I didn't want this to get lost. (This used to be commit 4c53d300fa3516a4c5113bc94dfd07413c46b038)
2007-10-10r21609: Fix memory leaks in error code paths (and one in winbindd_group.c).Jeremy Allison2-2/+7
Patch from Zack Kirsch <zack.kirsch@isilon.com>. Jeremy. (This used to be commit df07a662e32367a52c1e8473475423db2ff5bc51)
2007-10-10r21606: Implement escaping function for ldap RDN valuesSimo Sorce1-9/+1
Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-10-10r21566: If we're going to be broken, at least be *consistently*Jeremy Allison1-1/+9
broken :-). This will do until Simo fixes the escape calls properly. Jeremy. (This used to be commit b7d91ec1b20f8d58903a3283f7789a30041461be)
2007-10-10r21548: prevent segv (reference to -1 element of array)Herb Lewis1-1/+2
(This used to be commit b5fd72282da85f50a040fd949752bc71023ff055)
2007-10-10r21537: Avoid to trigger the confusing "cached entry differs." warning whenGünther Deschner2-2/+20
there is just no cache around for a user. Guenther (This used to be commit a6c249b59228c6891cde624f72fff23879dbd19f)
2007-10-10r21530: Don't code with jet-lag and Volker looking over yourJeremy Allison1-1/+1
shoulder.... Correct fix for warning :-) Jeremy. (This used to be commit 773001870d22ef4ff7ec00f73661b59a63cade42)
2007-10-10r21529: Fix warning from bad cast.Jeremy Allison1-1/+1
Jeremy. (This used to be commit 34675624e2be886188337a883a6c4a57ef7e3fe3)
2007-10-10r21525: Go ahead and checkin the mlock() & memalign() fixes soGerald Carter2-22/+10
others don't get stuck with the winbindd hang. Still waiting on additional confirmation from Guenther that this fixes thes issues he was observing as well. But it's been running in my local tree for a day without problems. (This used to be commit 0d2b80c6c4a744b05a0efdec352cddccc430e0c4)
2007-10-10r21508: Fix memleak in new idmap_tdb, thanks Herb.Simo Sorce1-12/+4
Jerry please check. Simo. (This used to be commit a5354aa9a0bd860500356f45d09fce3d01649c60)
2007-10-10r21505: make sure mlock()'d memory is aligned on a page boundaryGerald Carter2-7/+26
(This used to be commit 52e6a2ceab794875781575ed17ec86808f6e26da)
2007-10-10r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a userGünther Deschner3-6/+68
changed a password via pam_chauthtok. Only do this if a) a user logs on using an expired password (or a password that needs to be changed immediately) or b) the user itself changes his password. Also make sure to delete the in-memory krb5 credential cache (when a user did not request a FILE based cred cache). Finally honor the krb5 settings in the first pam authentication in the chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when NTLM samlogon authentication is still possible with the old password after the password has been already changed (on w2k3 sp1 dcs). Guenther (This used to be commit c3005c48cd86bc1dd17fab80da05c2d34071b872)
2007-10-10r21474: Ensure trustdom_cache_shutdown() gets calledJeremy Allison1-4/+4
on terminate. Pointed out by Herb. Jeremy. (This used to be commit 08998b74a51acd55eb6cbe095e682e2a79334736)
2007-10-10r21454: Fix debug typo.Günther Deschner1-1/+1
Guenther (This used to be commit 5c4a58ff3ab261e32789f39f2cf478367b727318)
2007-10-10r21450: No need to TALLOC_FREE twice here.Günther Deschner1-2/+0
Guenther (This used to be commit ad063d9a944e923777e538c2cb050d47f9f8bea0)
2007-10-10r21399: need to zero the request and response structuresHerb Lewis1-0/+3
(This used to be commit aa8f306fa545af653d8288919fa5a3b80f447bec)
2007-10-10r21397: revert accidential commitHerb Lewis1-1/+1
(This used to be commit 9fe5f7885771e68b11c7794653d0e4771eeac403)
2007-10-10r21396: fix wbinfo --lookup-rids commandHerb Lewis2-4/+19
allow detection of libbiconv if all others fail - need for FreeBSD (This used to be commit 7acc9421b0643cb04bff1f1d98ecb899f9b09601)
2007-10-10r21394: Prevent nscd crash due to potential NULL pointer dereference inGünther Deschner1-0/+4
_nss_winbind_initgroups_dyn() on an empty group list. Guenther (This used to be commit 155b9e7c74d1a623e018fc2f8ca2e32e4aa3f213)
2007-10-10r21387: Another important fix for non-AD domains:Günther Deschner2-7/+3
Avoid assigning 0 as primary group id for users in NSS calls. Jerry, please check. Guenther (This used to be commit 03f5f7d0140c99411c137e7e2eac7e2d0c08202e)