summaryrefslogtreecommitdiff
path: root/source3/winbindd/winbindd_pam.c
AgeCommit message (Collapse)AuthorFilesLines
2012-11-12s3:winbind: BUG 9386: Failover if netlogon pipe is not available.Andreas Schneider1-13/+39
Samba continues to query a broken DC while the DC did not finish to rebuild Sysvol (after a Windows crash, for example). It causes end users to received strange codes while trying to authenticate, even if there is a secondary DC available. Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
2012-09-20winbind: Extend wbcAuthenticateUserEx to provide PACChristof Schmitt1-6/+122
With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2012-08-21Fix bug #9098 - winbind does not refresh kerberos tickets.Jeremy Allison1-0/+9
Based on work from Ian Gordon <ian.gordon@strath.ac.uk>. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
2012-08-09Correctly check for errors in strlower_m() returns.Jeremy Allison1-1/+3
2012-08-09Check error returns from strupper_m() (in all reasonable places).Jeremy Allison1-2/+6
2012-07-23s3-winbind: Fix bug #9052 resolving our own "Domain Local" groups.Andreas Schneider1-1/+1
We don't resolve our own "Domain Local" groups since bug #7843 has been fixed. So we need to add the add resource groups to the sid list too. Before bug #7843 the "Domain Local" groups were added with a lookupuseraliases call, but this isn't done anymore for our domain so we need to resolve resource groups here. When to use Resource Groups: http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Jul 23 22:12:30 CEST 2012 on sn-devel-104
2012-07-18source3/winbindd/winbindd_pam.c: fix stackframe leakRusty Russell1-0/+1
check_info3_in_group() doesn't always free its stackframe. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2012-04-19s3: Fix Coverity ID 2727 to 2740 -- UNINITVolker Lendecke1-2/+2
2012-03-19s3-winbindd Only use SamLogonEx when we can get unencrypted session keysAndrew Bartlett1-2/+2
This ensures that we have some check on the session keys being returned as the RC4 cipher is not checksumed. The check comes from the fact that the credentials chain is tied to the session key, and so if the credentials check passes then the netlogon session key will be correct, and so the user session key will be correctly decrypted. Andrew Bartlett Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104
2012-02-27s3-winbindd: Close netlogon connection if the status returned by the ↵Matthieu Patou1-1/+20
NetrSamLogonEx call is timeout in the pam_auth_crap path If not the child process would hang for quite a long time up to the moment when the connection is cleaned by the kernel (took ~ 20 minutes) in my tests. Signed-off-by: Jeremy Allison <jra@samba.org> Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Mon Feb 27 23:10:03 CET 2012 on sn-devel-104
2012-02-20s3-winbindd: pass logon parmeters down to check_sam_security()Andrew Bartlett1-2/+6
This allows ntlm_auth --diagnostics to work against the local DC, just as it works against a member server. Andrew Bartlett
2012-01-30s3-winbind: don't try to do clever thing if the username is not found while ↵Matthieu Patou1-1/+2
authenticating through winbind This could cause that we authenticate a user with a bogus domain to winbind's domain if the password supplied for the PAM_AUTH match. The problem was reported by Jeff Venable (jvenable@juniper.net). Patch from Andrew Bartlett (abartlett@samba.org). Autobuild-User: Matthieu Patou <mat@samba.org> Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104
2011-10-28Fix bug #8548 - winbind_samlogon_retry_loop ignores logon_parameters flags.Jeremy Allison1-2/+2
Fix confirmed by reporter. Autobuild-User: Jeremy Allison <jra@samba.org> Autobuild-Date: Fri Oct 28 23:04:47 CEST 2011 on sn-devel-104
2011-10-24idl: Improve MS-PAC IDLSimo Sorce1-7/+7
Change some misleading variable names to reflect the actual function. Add missing field name/types previously marked as unkown. Signed-off-by: Günther Deschner <gd@samba.org> Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
2011-07-04s3-auth: Pass the remote_address down to user_info.Andreas Schneider1-2/+13
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2011-06-30s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCsGünther Deschner1-7/+19
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Thu Jun 30 00:42:23 CEST 2011 on sn-devel-104
2011-06-09s3-param Remove special case for global_myname(), rename to lp_netbios_name()Andrew Bartlett1-3/+3
There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly. Andrew Bartlett
2011-05-25s3-winbind: BUG 8166 - Don't lockout users when offline.Jim McDonough1-1/+4
Windows does not track bad password attempts when offline. We were locking users out but not honoring the lockout duration. Autobuild-User: Jim McDonough <jmcd@samba.org> Autobuild-Date: Wed May 25 18:11:10 CEST 2011 on sn-devel-104
2011-05-05More simple const fixups.Jeremy Allison1-3/+3
2011-05-04Fix simple uses of safe_strcpy -> strlcpy. Easy ones where we just remove -1.Jeremy Allison1-2/+2
2011-05-02s3: remove various references to server side dcerpc structs (which are not ↵Günther Deschner1-1/+0
needed). Guenther
2011-04-24s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status()Stefan Metzmacher1-5/+5
Most fault codes have a NTSTATUS representation, so use that. This brings the fault handling in common with the source4/librpc/rpc code, which make it possible to share more highlevel code, between source3 and source4 as the error checking can be the same now. metze Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104
2011-03-30s3-includes: only include ntdomain.h where needed.Günther Deschner1-0/+1
Guenther
2011-03-30s3-auth: use auth.h where needed.Günther Deschner1-0/+1
Guenther
2011-03-30s3-passdb: use passdb headers where needed.Günther Deschner1-0/+1
Guenther
2011-02-28s3-rpc_client: Move client pipe functions to own header.Andreas Schneider1-0/+1
2011-02-04s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945)Günther Deschner1-2/+57
The benefit of this that it makes us more robust to secure channel resets triggered from tools outside the winbind process. Long term we need to have a shared tdb secure channel store though as well. Guenther Signed-off-by: Stefan Metzmacher <metze@samba.org> Autobuild-User: Stefan Metzmacher <metze@samba.org> Autobuild-Date: Fri Feb 4 18:11:04 CET 2011 on sn-devel-104
2011-02-02s3-winbind: prefer dcerpc_samr_X functions in winbindd/winbindd_pam.c.Günther Deschner1-13/+37
Guenther
2011-01-28s3: inline get_uid_from_stateVolker Lendecke1-6/+1
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Fri Jan 28 23:38:16 CET 2011 on sn-devel-104
2011-01-28s3: Lift winbindd_cli_state from fillup_password_policyVolker Lendecke1-4/+6
2011-01-28s3: Do not use state->mem_ctx in fillup_password_policyVolker Lendecke1-4/+8
2011-01-28s3: Lift winbindd_cli_state from winbindd_dual_pam_auth_samlogonVolker Lendecke1-21/+27
2011-01-28s3: Lift winbindd_cli_state from winbindd_raw_kerberos_loginVolker Lendecke1-18/+26
2011-01-26s3-winbind: share a common winbind_samlogon_retry_loop().Günther Deschner1-168/+147
Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Wed Jan 26 12:41:14 CET 2011 on sn-devel-104
2011-01-26Revert "s3: These assignments are overwritten immediately"Günther Deschner1-0/+4
This reverts commit 18962ea3852d0d0fc7371e99813bebd54fae0a19.
2011-01-26Revert "s3-winbind: fix winbindd_dual_pam_auth_samlogon() for NT4 domains."Günther Deschner1-1/+0
This reverts commit cea36aeacf8778493463f31e6afc3f58384639e2.
2011-01-24s3-winbind: fix winbindd_dual_pam_auth_samlogon() for NT4 domains.Günther Deschner1-0/+1
After failing the netr_LogonSamLogonEx, we failed to retry with netr_LogonSamLogon. Guenther Autobuild-User: Günther Deschner <gd@samba.org> Autobuild-Date: Mon Jan 24 12:35:42 CET 2011 on sn-devel-104
2010-12-19s3: Use the right uid winbindd_raw_kerberos_login()Volker Lendecke1-1/+1
2010-12-19s3: wcache_invalidate_samlogon only needs the SIDVolker Lendecke1-4/+10
2010-12-10s3-winbind Improve memory handling in NTLMv2-backend plaintext authenticationAndrew Bartlett1-17/+6
Andrew Bartlett
2010-12-10s3-winbind Don't send the LM password to the server, everAndrew Bartlett1-11/+1
This is for the case where we have the plaintext password locally, and can construct the challenge-response values here. We should never ever use the LM password in domain authentication. The last domain controller to only have LM passwords stored was NT 3.5. Andrew Bartlett
2010-11-27s3: Return the correct result from winbindd_dual_auth_passdbVolker Lendecke1-2/+3
2010-11-17s3: Remove a reference to "winbindd_cli_state" from append_auth_dataVolker Lendecke1-13/+14
Autobuild-User: Volker Lendecke <vlendec@samba.org> Autobuild-Date: Wed Nov 17 12:02:34 UTC 2010 on sn-devel-104
2010-11-17s3: Remove a reference to "winbindd_cli_state" from append_info3_as_txtVolker Lendecke1-28/+29
2010-11-17s3: Remove a reference to "winbindd_cli_state" from append_afs_tokenVolker Lendecke1-8/+6
2010-11-17s3: Remove a reference to "winbindd_cli_state" from append_info3_as_ndrVolker Lendecke1-4/+5
2010-11-17s3: Remove a reference to "winbindd_cli_state" from append_unix_usernameVolker Lendecke1-6/+6
2010-11-17s3: Remove a reference to "winbindd_cli_state" from append_auth_dataVolker Lendecke1-11/+11
2010-10-14s3-auth Use security_token_debug() from common codeAndrew Bartlett1-1/+1
This prints the security token including the privileges as strings instead of just a bitmap. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2010-10-12libcli/security Provide a common, top level libcli/security/security.hAndrew Bartlett1-1/+1
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104