summaryrefslogtreecommitdiff
path: root/source3/nsswitch
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21387: Another important fix for non-AD domains:Günther Deschner2-7/+3
Avoid assigning 0 as primary group id for users in NSS calls. Jerry, please check. Guenther (This used to be commit 03f5f7d0140c99411c137e7e2eac7e2d0c08202e)
2007-10-10r21382: Important fix for winbind when using non-AD domains.Günther Deschner1-1/+7
Jeremy, I'm afraid you removed the "domain->initialized" from the set_dc_types_and_flags() call when the connect to PI_LSARPC_DS failed (with rev. 19148). This causes now that init_dc_connection_network is called again and again which in turn rescans the DC each time (which of course fails each time with NT_STATUS_BUFFER_TOO_SMALL). Just continue with the non-PI_LSARPC_DS scan so that the domain is initialized properly. Guenther (This used to be commit c6f63a08f55a4121cbe5aac537d2ef983dc25a97)
2007-10-10r21358: Some more debugging for _nss_winbind_initgroups_dyn() on Linux.Günther Deschner1-0/+12
Guenther (This used to be commit 639b7989b3ad1438a443a33dc41115bcc90f72d2)
2007-10-10r21357: Fix typo.Günther Deschner1-1/+1
Guenther (This used to be commit e3c32583795631212dc0d5cd01981b27cde2a489)
2007-10-10r21353: In the turn of tracking down nss_winbind related bugs on Linux:Günther Deschner1-19/+100
print NSS_STATUS code with DEBUG_NSS when leaving a function. Guenther (This used to be commit 53ecd63d94fd0a502ef5cdeb512c8e38795698e1)
2007-10-10r21336: Fix indent (as pointed out by Volker).Günther Deschner1-6/+6
Guenther (This used to be commit dcbf7a1250aa5c6293ffba6a930ee23537ec9484)
2007-10-10r21318: Fix Bug #4225.Günther Deschner2-11/+69
Cached logon with pam_winbind should work now also for NT4 and samba3 domains. Guenther (This used to be commit b2f91154820219959b8008b15802c70e1d76d158)
2007-10-10r21310: Fix invalid printfs in pam_winbind.Günther Deschner1-12/+20
Guenther (This used to be commit 5a7b2fccb3cdc6a849aedcd256eea86faec1d54c)
2007-10-10r21309: Add PRINTF_ATTRIBUTE checks for log statements.Günther Deschner1-0/+3
Guenther (This used to be commit 968dfcc8218cacdd97c2c66929e95f5062ff464a)
2007-10-10r21308: Fix some typos and ensure to null terminate the correct strings.Günther Deschner3-6/+6
Guenther (This used to be commit 16c90f30b93f32c4f8fed00a6cc154c596e4244d)
2007-10-10r21284: Fix some unitilized variable warnings pointed out by Volker.Gerald Carter1-4/+6
(This used to be commit 5c3edad86098c5271cb141b8f7885ca7f5b48072)
2007-10-10r21240: Fix longstanding Bug #4009.Günther Deschner3-15/+33
For the winbind cached ADS LDAP connection handling (ads_cached_connection()) we were (incorrectly) assuming that the service ticket lifetime equaled the tgt lifetime. For setups where the service ticket just lives 10 minutes, we were leaving hundreds of LDAP connections in CLOSE_WAIT state, until we fail to service entirely with "Too many open files". Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP connection after the ads_do_search_retry() has failed to submit the search request (although the bind succeeded (returning an expired service ticket that we cannot delete from the memory cred cache - this will get fixed later)). Guenther (This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
2007-10-10r21231: get rid of unused defines that cause a redefined warningHerb Lewis1-2/+0
(This used to be commit 509ae5ffa17be340c41fecaaace75816c18316c6)
2007-10-10r21228: Fix for fd leak on error path. Thanks toJeremy Allison1-1/+3
dleonard@vintela.com for this fix ! Jeremy. (This used to be commit 70b5db7d8c6aa324ad98436fe3fafe715c04c5a8)
2007-10-10r21182: * Refactor the code to obtain the LDAP connection credentialsGerald Carter2-123/+125
from both idmap_ldap_{alloc,db}_init() * Fix the backwards compat support in idmap_ldap.c * Fix a spelling error in the idmap_fetch_secret() function name (This used to be commit 615a10435618abb89852910a0d36c1d9ff35647f)
2007-10-10r21180: fix backwards compatible idmap backends parameter parsingGerald Carter1-6/+17
(This used to be commit 01af19cc9d8e282ffd6ff6b52699ed2d0369ff69)
2007-10-10r21161: Another fix for pam_winbind: Move the entire pwd expiry handling intoGünther Deschner1-14/+14
the PAM_SUCCESS block. Guenther (This used to be commit f4a704745cb0bd2c5dc2a9b16619d8ee30fd7ba1)
2007-10-10r21160: Some more pam_winbind fixes:Günther Deschner1-32/+79
* Consolidate all pam_winbind password expiry warnings in the one _pam_send_password_expiry_message() call. * Also convert some more NTSTATUS codes to error messages. * Add paranoia check to only do all the post-processing after PAM_SUCCESS. Guenther (This used to be commit 02713f314b65a14e659e801f7eebea453756ac44)
2007-10-10r21159: Cleanup pam_sm_chauthtok() in pam_winbind:Günther Deschner2-31/+44
Set info3 strings, krb5ccname and returned username after we changed a password and sucessfully re-authenticated afterwards. In that case we ended up without this information. Guenther (This used to be commit 034d42ba7236e67303a8221b7a613799d1a61b83)
2007-10-10r21158: Add _pam_setup_krb5_env() and _pam_warn_logon_type() functions forGünther Deschner1-31/+70
pam_winbind. Guenther (This used to be commit 1feb961577475dceb97948cd2fdb987005890498)
2007-10-10r21155: Forgot one _PAM_LOG_STATE_DATA_STRING call (only in 3_0).Günther Deschner1-0/+1
Guenther (This used to be commit 86b34cd5d6675c8f0a0becdcded36de4a815c898)
2007-10-10r21154: Add PAM_WINBIND_LOGONSERVER, also merge the various pam_set_data calls.Günther Deschner2-36/+69
Guenther (This used to be commit 97a0b1b79499af10930500ce857c93ffbacfdb6e)
2007-10-10r21152: Correctly omit pam conversations when PAM_SILENT has been set by theGünther Deschner2-57/+61
calling application. Guenther (This used to be commit ebfae9a671d2c960178228ba7fdcd07cb2f49a05)
2007-10-10r21151: applying patches for CVE-2007-045[34]Gerald Carter1-2/+4
(This used to be commit 1d46b2ae3447b3521987b2ab1064a6ea314cfa07)
2007-10-10r21149: Only say we are a groupmember for the optimized (rid 513) membershipGünther Deschner1-1/+4
lookup when we actually are. Although the Linux nss winbind backend protects against num_mem != 0 && buf == NULL. Guenther (This used to be commit a9ac4630b46242f88bd7a4e92511b55cc82e9940)
2007-10-10r21146: Fix debug typos.Günther Deschner2-2/+2
Guenther (This used to be commit cdef1d00b89abd632281d428f1e1a6b322559af4)
2007-10-10r21145: Convert some int to BOOL in pam_winbind (only in 3_0).Günther Deschner1-13/+13
Guenther (This used to be commit 1b82c5fa0e363942947453a8e1b74aa2b95d8733)
2007-10-10r21144: Create more accurate warning message when the pam_winbind chauthtok hasGünther Deschner1-12/+76
received NT_STATUS_PASSWORD_RESTRICTION. Guenther (This used to be commit 2ac9cb3bbd1980df54f1b6cc2cfb823be43f3230)
2007-10-10r21143: Fix wrong check for pam error codes for getpwnam and lookup winbindGünther Deschner1-13/+26
requests in pam_winbind (Bug #4094). Inspired by fix from Lars Heete. Guenther (This used to be commit 88e2185d2913e835e074dc3cc4ab1c631c3296a5)
2007-10-10r21130: Don't mix SAFE_FREE() and TALLOC_FREE().Gerald Carter1-1/+1
(This used to be commit 5c36d67d272a52f58532daa3c3c09b8f8b6a34e0)
2007-10-10r21122: Simplify code in pam_winbind a bit.Günther Deschner1-23/+20
Guenther (This used to be commit 08ca5ea6f1b09506055b2508aa79704f39b3bbd7)
2007-10-10r21112: fix const compile warningGerald Carter1-2/+2
(This used to be commit 6b754f7c96400d5d1f14e807aac0aa925c45eefb)
2007-10-10r21106: We neither need a account lockout policy handler nor a check domainGünther Deschner1-1/+2
online handler for internal (local SAM, BUILTIN) childs. Jeremy, please check. Guenther (This used to be commit 7d0e2e70684a7e3d377f56ed0244ed136b0b1a99)
2007-10-10r21101: Remove "unused" warning from Jerry's code. We stillJeremy Allison1-1/+0
have a build failure in 3.0.24 in event_add_timed ? Jeremy (This used to be commit ede30a8b4b705808d9c46ae848f5cbd89a808cdc)
2007-10-10r21098: When get_dc_name_via_netlogon() in get_dcs() fails to find a trusted DCGünther Deschner1-2/+2
we may not just assume that we look for our own realm's dcs next. Guenther (This used to be commit bf0c4ce7b1194e18cc16a044b042d0066463cf87)
2007-10-10r21070: * Add the new boolean 'winbind normalize names' option as discussedGerald Carter4-2/+49
on the samba-technical ml. The replacement character is hardcoded as a '_' for now. (This used to be commit bd8238417b8d692ed381a870901ff1ee4cfa80f6)
2007-10-10r21064: The core of this patch isVolker Lendecke3-21/+35
void message_register(int msg_type, void (*fn)(int msg_type, struct process_id pid, - void *buf, size_t len)) + void *buf, size_t len, + void *private_data), + void *private_data) { struct dispatch_fns *dfn; So this adds a (so far unused) private pointer that is passed from message_register to the message handler. A prerequisite to implement a tiny samba4-API compatible wrapper around our messaging system. That itself is necessary for the Samba4 notify system. Yes, I know, I could import the whole Samba4 messaging system, but I want to do it step by step and I think getting notify in is more important in this step. Volker (This used to be commit c8ae60ed65dcce9660ee39c75488f2838cf9a28b)
2007-10-10r21056: Moving the set_domain_online_request to fork_domain_child() (formerlyGünther Deschner1-9/+12
lived in trustdom_recv(). Jeremy, this is the better place I think but please check. Guenther (This used to be commit beed8b8b320ae9bd8aef669564a5403e4bb35bfd)
2007-10-10r21036: Fix the ad nss info backend to not abort the search when called ↵Gerald Carter1-16/+10
outside the idmap daemon (This used to be commit 57160e3dd96a7a776389da604393c20a738202ea)
2007-10-10r21033: To make the logs a bit more readable let the winbind dc connect childGünther Deschner1-0/+3
write to a separate logfile. Guenther (This used to be commit 0313edc0d66c26b5acb6250e0f146218a02b42cd)
2007-10-10r21020: Some pam_winbind fixes:Günther Deschner1-14/+13
* make debug_state also configurable from the config file * minor code cleanup Guenther (This used to be commit c562095953df55c91e3dad8f5c29c0b66664b62b)
2007-10-10r21019: Fix typo.Günther Deschner1-1/+1
Guenther (This used to be commit adb40884e04069e7de7580b6531675ebaed5c117)
2007-10-10r21018: Removing the set_domain_online_request again in trustdom_recv().Günther Deschner1-9/+0
Jeremy, we really can't do that. There are setups with hundred and more trusted domains out there, I have one customer who tells me it takes more then half an hour for him after winbind is up and running. That request registers the check_domain_online_handler which in turn forks off the child immediately. Also discussed with Volker. Guenther (This used to be commit ccd4812c0b436a12b809668d09c5681111125f3d)
2007-10-10r21016: Fix pam_sm_setcred again.Günther Deschner1-1/+1
Jerry, the switch statement must ignore the PAM_SILENT flag. Guenther (This used to be commit 46d23c72bf4f3bd04021a9caf8d6b1380352b811)
2007-10-10r21015: fix typo that breaks the buildGerald Carter1-1/+1
(This used to be commit f82a5175304a12b18abb2bc3d9fd9f7023998357)
2007-10-10r21014: move some functionss to winbindd_group.c and make staticGerald Carter2-148/+144
(This used to be commit af5a2fa9eccf753106cd944be31f38845363ace6)
2007-10-10r21013: * Remove "inline" keywordGerald Carter1-5/+5
* Remove anpther check for PAM_SILENT that prevents logging to syslog * Add missing check for TRY_FIRST_PASS when using authtok (missed from previous merge) (This used to be commit ed794f0872b749955f56112507fd3ae7a6c6e6f5)
2007-10-10r21012: Patch from Danilo Almeida @ Centeris (via me):Gerald Carter2-21/+168
Details: Improve PAM logging - The improved logging is far tracking down PAM-related bugs - PAM_SILENT was being mis-used to suppress syslog output instead of suppressing user output. This lets PAM_SILENT still log to syslog. - Allow logging of item & data state via debug_state config file option. - Logging tracks the pam handle used. (This used to be commit cc1a13a9f06e5c15c8df19d0fbb31dbdeb81a9cc)
2007-10-10r21011: Another patch from Danilo Almeida @ Centeris (via me):Gerald Carter1-4/+7
Details: Reset the "new password prompt required" state whenever we do a new auth. In more detail, in pam_sm_authenticate, if not settting PAM_WINBIND_NEW_AUTHTOK_REQD, then clean any potentially present PAM_WINBIND_NEW_AUTHTOK_REQD. (This used to be commit 402e8594759b42c1986f4f8d69273f68ec5160af)
2007-10-10r21009: Patch from Danilo Almeida @ Centeris (via me).Gerald Carter3-49/+236
Patch details: Support most options in pam_winbind.conf; support comma-separated names in require-membership-of. Details below: 1) Provides support for almost all config options in pam_winbind.conf (all except for use_first_pass, use_authtok, and unknown_ok). - That allows us to work well when invoked via call_modules from pam_unix2.conf as well as allowing use of spaces in names used w/require_membership_of. 2) Support for comma-separated list of names or SID strings in require_membership_of/require-membership-of. - Increased require_membership_of field in winbind request from fstring (256) to pstring (1024). - In PAM side, parse out multiple names or SID strings and convert all of them to SID strings. - In Winbind side, support membership check against multiple SID strings. (This used to be commit 4aca9864896b3e0890ffc9a6980d7ef1311138f7)