summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2004-01-03And yet another constVolker Lendecke1-1/+1
Volker (This used to be commit dafa4d202b65382c365f10365208d9de4eef5586)
2004-01-02Under certain error conditions (a talloc() failure above) this would causeAndrew Bartlett1-2/+0
a double-free(), and the resultant malloc heap corruption. This may be one of our lurking winbind segfaults. Andrew Bartlett (This used to be commit 903263a1bdb755f86dac3a9a92a4af39c8b102c4)
2004-01-02Having no members of a group is a perfectly valid (if unusual) situation.Andrew Bartlett1-0/+7
Andrew Bartlett (This used to be commit 3f6d0cd3a83bc75922cb125ffe2b0127c8aa417b)
2004-01-01After talking with abartlet remove the fix for bug 707 again.Volker Lendecke1-48/+21
Volker (This used to be commit 0c8ee04c78543b1da3b675df4cf85ee5496c3fbf)
2004-01-01Fix for bug 707, getent group for huge ads groups (>1500 members)Volker Lendecke1-21/+48
This introduces range retrieval of ADS attributes. I've rewritten most of Günther's patch, partly to remove code duplication and partly to get the retrieval of members in one rush, not interrupted by the lookups for the DN. Andrew, you told me that you would like to see a check whether the AD sequence number is the same before and after the retrieval to achieve atomicity. This would be trivial to add, but I'm not sure that we want this, as this adds two roundtrips to every membership query. We can not know before the first query whether we get additional range values, and at that point it's too late to ask for the USN. Tested with a group of 4000 members along with lots of small groups. Volker (This used to be commit 9d8235bf413f931e40bca0c27a25ed62b4f3d226)
2003-12-31Changes to our PAM code to cope with the fact that we can't handle someAndrew Bartlett2-16/+36
domains (in particular, the domain of the current machine, if it is not a PDC) By changing the error codes, we now return values that PAM can correctly use for better stacking of PAM modules - in particular of the password change module. This allows pam_winbind to co-exist with other pam modules for password changes. Andrew Bartlett (This used to be commit 6a8cc7f0122ac4dd5b10ff1160735ef1a177d448)
2003-12-31Forgot to commit this for the 'get our primary domain' change.Andrew Bartlett1-0/+1
(This used to be commit 6f3cd9e2af7f1b4bdd7cb0e487987de159bb0dd8)
2003-12-31Jerry rightly complained that we can't assume that the first domain isAndrew Bartlett1-3/+21
our primary domain - new domains are added to the front of the list. :-( Use a much more reliable 'flag test' instead. (note: changes winbind structures, make clean). Andrew Bartlett (This used to be commit cc050e01370633a985c9878bdce297f9175fdbf7)
2003-12-31auth/auth_util.c:Andrew Bartlett1-14/+46
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-30Get the DOMAIN\username around the right way (I had username\domain...)Andrew Bartlett1-3/+3
Push the unix username into utf8 for it's trip across the socket. Andrew Bartlett (This used to be commit 3225f262b18bdcf326d3bfd031dac169bd9347c9)
2003-12-30Try to gain a bit more consistancy in the output of usernames from ntlm_auth:Andrew Bartlett2-0/+27
Instead of returning a name in DOMAIN\user format, we now return it in the same way that nsswtich does - following the rules of 'winbind use default domain', in the correct case and with the correct seperator. This should help sites who are using Squid or the new SASL code I'm working on, to match back to their unix usernames. Andrew Bartlett (This used to be commit 7a3a5a63612b2698a39f784859496c395505a79b)
2003-12-23Fix typo.John Terpstra1-1/+1
(This used to be commit 46b2fb4db5c7e273a9b43c59340a0a47ade5bd5e)
2003-12-11fixed bad formal parameter type in get_static(); patch Andy PolyakovGerald Carter1-1/+1
(This used to be commit 9c70e4b44e0dda8f2af4172b928437bd9d3e8b7c)
2003-12-04fix debug messageGerald Carter1-2/+2
(This used to be commit 550b309a65d138364502c720894e2099de6b5076)
2003-11-27Correct freebsd 5.1 support for winbind contributed by Aaron Collins.Tim Potter1-0/+81
Let the build farm chew on it for a bit. (This used to be commit 41e4b036dff0af7be69bf95ea3d64dfccd3a4b8e)
2003-11-27use samr_dispinfo(level == 1) for enumerating domain users so we can include ↵Gerald Carter1-17/+34
the full name in gecos field; bug 587 (This used to be commit 329065d7cddb52c52667c93e0a0218c0e89938be)
2003-11-25Add a comment, and a useful debug message.Andrew Bartlett2-0/+3
(This used to be commit df14b0af31863680218b06ae9de2f010a38fba6e)
2003-11-22Changes all over the shop, but all towards:Andrew Bartlett2-5/+10
- NTLM2 support in the server - KEY_EXCH support in the server - variable length session keys. In detail: - NTLM2 is an extension of NTLMv1, that is compatible with existing domain controllers (unlike NTLMv2, which requires a DC upgrade). * This is known as 'NTLMv2 session security' * (This is not yet implemented on the RPC pipes however, so there may well still be issues for PDC setups, particuarly around password changes. We do not fully understand the sign/seal implications of NTLM2 on RPC pipes.) This requires modifications to our authentication subsystem, as we must handle the 'challege' input into the challenge-response algorithm being changed. This also needs to be turned off for 'security=server', which does not support this. - KEY_EXCH is another 'security' mechanism, whereby the session key actually used by the server is sent by the client, rather than being the shared-secret directly or indirectly. - As both these methods change the session key, the auth subsystem needed to be changed, to 'override' session keys provided by the backend. - There has also been a major overhaul of the NTLMSSP subsystem, to merge the 'client' and 'server' functions, so they both operate on a single structure. This should help the SPNEGO implementation. - The 'names blob' in NTLMSSP is always in unicode - never in ascii. Don't make an ascii version ever. - The other big change is to allow variable length session keys. We have always assumed that session keys are 16 bytes long - and padded to this length if shorter. However, Kerberos session keys are 8 bytes long, when the krb5 login uses DES. * This fix allows SMB signging on machines not yet running MIT KRB5 1.3.1. * - Add better DEBUG() messages to ntlm_auth, warning administrators of misconfigurations that prevent access to the privileged pipe. This should help reduce some of the 'it just doesn't work' issues. - Fix data_blob_talloc() to behave the same way data_blob() does when passed a NULL data pointer. (just allocate) REMEMBER to make clean after this commit - I have changed plenty of data structures... (This used to be commit f3bbc87b0dac63426cda6fac7a295d3aad810ecc)
2003-11-19as discussed on irc, this is a small patch that allows a few moreAndrew Tridgell6-7/+292
winbind functions to be accessed via NSS. This provides a much cleaner way for applications that need (for example) to provide name->sid mappings to do this via NSS rather than having to know the winbindd pipe protocol (as this might change). This patch also adds a varient of the winbindd_getgroups() call called winbindd_getusersids() that provides direct SID->SIDs listing of a users supplementary groups. This is enough to allow non-Samba applications to do ACL checking. A test program for the new functionality will be committed shortly. I also added the 'wbinfo --user-sids' option to expose the new function in wbinfo. (This used to be commit 702b35da0ac7c73aa5a6603f871d865565bbe278)
2003-11-12a small include file rearrangement that doesn't affect normalAndrew Tridgell15-1/+14
compilation, but that allows Samba3 to take advantage of pre-compiled headers in gcc if available. (This used to be commit b3e024ce1da7c7e24fcacd8a2964dd2e4562ba39)
2003-11-07fix for bug 680 (heads up). This gist is to map theGerald Carter1-25/+215
UNIX entity foo to DOMAIN\foo instead of SERVER\foo on members of a Samba domain when all UNIX accounts are shared via NIS, et. al. * allow winbindd to match local accounts to domain SID when 'winbind trusted domains only = yes' * remove code in idmap_ldap that searches the user suffix and group suffix. It's not needed and provides inconsistent functionality from the tdb backend. This has been tested. I'm still waiting on some more feedback but This needs to be in 3.0.1pre2 for widespread use. (This used to be commit ee272414e9965d7d550ba91d4e83997134dd51e6)
2003-11-06Final round of printf warnings fixes for the moment.Tim Potter1-3/+3
(This used to be commit 0519a7022b4979c0e8ddd4907f4b858a59299c06)
2003-11-04Use a static string instead of malloced one in winbind_{off,on}() utilityTim Potter1-29/+8
functions. (This used to be commit 7710232ba21305a1e3c9523ace82a5a419526b50)
2003-11-03Fix for winbindd on HPUX from albert chin (china@thewrittenword.com)Jeremy Allison1-4/+2
Jeremy. (This used to be commit 119a89246bf84cb98b76cf3777c039fa8eb644f2)
2003-11-02Use putenv() instead of setenv() in the winbind_{off,on}() functions. SomeTim Potter1-3/+30
platforms don't have setenv(). (This used to be commit a8b487c4cb5d181e59755f49063512b2729bccb5)
2003-10-31prompt for password when invoking --set-auth-user and no pwGerald Carter1-2/+7
is given (patch from Tom Dickson) (This used to be commit ca18ec0f901330c14a68c8a44d2a88a42bb7d92c)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison2-5/+5
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-21fixed a number of bugs and memory leaks in the AIX winbind shimAndrew Tridgell1-249/+231
(This used to be commit f0a0771c02404c91cd64961f85622022a4e56b2f)
2003-10-21Merge of spelling fix from HEAD.Tim Potter1-1/+1
(This used to be commit 1482933089bd1e6114ad29d77ce229482f2d161b)
2003-10-14Undo previous commit because it breaks the build.Tim Potter1-2/+0
DEBUG() should not be called in winbind client code as it's actually dynamically linked by glibc into programs that use the nsswitch database functions. (This used to be commit 90380a684af244175d216344101e734c85220a7b)
2003-10-13Add a better error message to wb_common.c when unable to connect to a pipeRichard Sharpe2-0/+9
socket and add a comment to winbindd.c to explain the fancy calculation of buffer offset. (This used to be commit 7c7ef9680b7378e12ffdd0bf95ee7ad673bea2f5)
2003-10-13make sure to use the escaped DN; patch from Guenther Deschner; bug 592Gerald Carter1-1/+1
(This used to be commit 5eca81c66096a01eda1731892d044c09d4c18556)
2003-10-03don't call ads_destroy() twice; fixes segfault in winbindd when DC goes ↵Gerald Carter1-4/+11
down; bug 437 (This used to be commit 1cfbd92404270e0c67a3b295fc9cf461b29d3503)
2003-09-24fixing a bug in the retry loop for winbindd_pam_auth[_crap]()Gerald Carter1-15/+25
(This used to be commit a83266a927b81a9f7a62b211793faaf8d401767c)
2003-09-22fix some warnings found by the Sun C compilerGerald Carter1-1/+0
(This used to be commit e1fac713e25692a5790c3261ba323732930f5249)
2003-09-17Obviously correct typo bugfix from Lin Li <linl@xandros.com>.Jeremy Allison1-1/+1
Jeremy. (This used to be commit a43ca66290ac1df9b00e3e43e32d8117b3d1b873)
2003-09-08fix valgrind errors; don't access cli_state pointer after it has been shutdownGerald Carter1-17/+13
(This used to be commit 02ae82fb3f70dc37e815d8e88bfd31a8c3ff43db)
2003-09-08Fix for bug #299.Tim Potter1-30/+80
There was some confusion over dynamically allocated lists of pointers (i.e you have to make space for the list of pointers and what they are pointing too) in the memory buffer passed in from libc. Valgrind is much happer now and as a bonus there is no segfault. (This used to be commit 7907c44414acb841a9001e82285790eece73d032)
2003-09-06finish off bug 282. AAdd extra checks for pointers afterGerald Carter1-7/+7
ads_search_XXX() calls. (This used to be commit 74c02e5fbc411d6fd1b13a1e21599da030897efe)
2003-09-06fix bug 382: make sure to free and reset the cli_state pointer after ↵Gerald Carter1-0/+6
flushing connections in winbindd_pam_auth[_crap]() (This used to be commit 60c8796edd84249db5419329a0fea4bbc7f9bb98)
2003-09-06revert retry loops in winbindd_ads as abartket points out, weGerald Carter1-312/+151
already have ads_search_retry() for this. However, neither domain_sid() nor sequence_nunber() used this function. So modify them to us ads_do_search_retry() so we can specify the base search DN and scope. (This used to be commit 89f6adf830187d020bf4b35d1a4b2b48c7a075d0)
2003-09-05fixes for ads domain membership when only the realm is defined inGerald Carter4-15/+54
smb.conf Fixes to ensure we work with disable netbios = yes (This used to be commit 3913e43724870c62a0d77ec3e73cbe9480cb6247)
2003-09-05Fix for bug 282 that didn't get checked in.Tim Potter1-1/+1
(This used to be commit e3f5afb83142f44369dcd341d6e66ed2fe51248f)
2003-09-05should fix bug 364 & 311: Retry patch based on suggestion fromGerald Carter1-142/+316
Ken Cross. Sometimes ads conenction get stale but we don't know they are dead until we try them. This patch may need some optimization after people bang on it for a while. (This used to be commit 7021cf63a4501c90620cf6a5f117eef345bbd291)
2003-09-04Check in Andrew's fix for bug #305 (always use lp_realm() )Gerald Carter1-13/+2
Also make sure thet ads_startup uses lp_realm instead of just relying on the workgroup name. Fixes bug in net ads join when the workgroup defaults to "WORKGROUP" and we ignore the realm name. (This used to be commit b1763ace4e85f41574894e3807cabb5196fec661)
2003-09-04More FreeBSD PAM compile fixes. Don't redefine PAM_AUTHTOK_RECOVER_ERRTim Potter1-0/+3
if it already exists. FreeBSD 4.8 doesn't need the redefinition, 5.0 does. (This used to be commit 4a3727b03b0488fa82687014cb476b1971a78be8)
2003-09-02Fix for bug 261. Create a configure #define for FreeBSD and a check inTim Potter1-1/+1
nsswitch/pam_winbind.h so we can compile properly on this platform. (This used to be commit 75411005fcab7ecf31940c5f7b87fd407166f98a)
2003-08-27Typo fix.Rafal Szczesniak1-1/+1
(This used to be commit 934fb418a3a3628ee4cde699df872bc1035fc769)
2003-08-27Update last scan time in rescan_trusted_domains().Tim Potter1-0/+2
Fix from Ken Cross. (This used to be commit 45775b48a0d91390aa698b750d59cda0150cfbd0)
2003-08-25make sure we keep the trusted domain cache up to dateGerald Carter2-10/+33
(This used to be commit 3324adcaceb9191b5d4d671ac9b51c85c6714598)