summaryrefslogtreecommitdiffstats
path: root/source3/nsswitch
Commit message (Collapse)AuthorAgeFilesLines
* r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison2007-10-1017-107/+670
| | | | | | | | to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
* r16941: Fix crash bug when the pam conversation receives an empty token.Günther Deschner2007-10-101-2/+2
| | | | | | | Thanks to Bjoern Jacke for the report and test-case. Guenther (This used to be commit f2ebc0e3de396f44f49dabbfe42cb3ad1c1a7ec1)
* r16940: libnscd sets errno, use that to display error message.Günther Deschner2007-10-101-2/+2
| | | | | Guenther (This used to be commit df10448e2c6166d1c129c2d9a9a74c5b4a42555f)
* r16939: Still clear the winbind_cache.tdb when offline logons are not enabled.Günther Deschner2007-10-101-2/+4
| | | | | Guenther (This used to be commit 4121ccfc3e39001d5b7b8288e3bc27d919f79167)
* r16823: Allow to call wbinfo --domain-info="" or --domain-info="." to get domainGünther Deschner2007-10-101-4/+7
| | | | | | | info for our own domain. Guenther (This used to be commit ebd3c547e508e191d5e1b5bb001797666db7b269)
* r16800: correct a probable cut&paste errorSimo Sorce2007-10-101-1/+1
| | | | (This used to be commit c139a2293bfb66554e1be09c6824d04381de58e1)
* r16790: Fix memleak.Günther Deschner2007-10-101-0/+1
| | | | | Guenther (This used to be commit 48ab7f46814dfbd777f142cdd8f59e6c1962eb15)
* r16755: Hunting warning has some benefits....Volker Lendecke2007-10-101-2/+2
| | | | | | | | Solaris found this one that needs to go into 3.0.23, actually munlock the password memory. Volker (This used to be commit 6fa928f96a70b7b063dd1bdbb08c6a3f5d942229)
* r16687: Fix bugs #3901, #3902, #3903 reported by jason@ncac.gwu.edu.Jeremy Allison2007-10-102-7/+18
| | | | | Jeremy (This used to be commit c4896b17faa6802f18cc1cec7fcc6168bde2eef0)
* r16678: Fix bug #3898 reported by jason@ncac.gwu.edu.Jeremy Allison2007-10-101-1/+1
| | | | | Jeremy. (This used to be commit 5c5ea3152f8dbdfd7717b65e035191ffed3ec548)
* r16644: Fix bug #3887 reported by jason@ncac.gwu.eduJeremy Allison2007-10-101-2/+2
| | | | | | | by converting the lookup_XX functions to correctly return SID_NAME_TYPE enums. Jeremy. (This used to be commit ee2b2d96b60c668e37592c79e86c2fd851e15f69)
* r16610: Subtle one from Klocwork #2076. If multiple flagsJeremy Allison2007-10-101-0/+3
| | | | | | | are set in a winbindd request it might overwrite existing state->response.extra_data.data values without freeing. Jeremy. (This used to be commit 4e7262c81ad2945048cb8d0789af032a05008988)
* r16480: (Ugly) workaround before the set_dc_type_flags & friends cleanup:Günther Deschner2007-10-101-1/+39
| | | | | | | | When trying to login using krb5 with a trusted domain account, we need to make sure that our and the remote domain are AD. Guenther (This used to be commit 5853525f111c0ab6a97b081d5964f778e7c36565)
* r16479: When dcip_to_name failed to get the name of the ip in saf_servername weGünther Deschner2007-10-101-1/+1
| | | | | | | | | | cannot put saf_name in the failed conn cache as it's uninitialized. Store saf_servername (the ip) in that case. Volker, please check. Guenther (This used to be commit 098a87f492f69caeb523478a7ebcd0e3f636497d)
* r16475: destroy talloc ctx when we weren't able to collect onlinestatusGünther Deschner2007-10-101-0/+4
| | | | | | | messages. Guenther (This used to be commit d6b52e818109e6eb5a3df1bbc127c333e819141d)
* r16474: There is no point in figuring out lockout policies if we do not allowGünther Deschner2007-10-101-1/+1
| | | | | | | offline logons at all. Guenther (This used to be commit dfbe555c69b3272bcff1d76a699aae2bdb85bdaf)
* r16473: There is no point in calling set_dc_type_and_flags() before eachGünther Deschner2007-10-101-2/+9
| | | | | | | pam_auth login (when using kerberos). Guenther (This used to be commit 520777f7946e55b1437df138e529fdc053362d16)
* r16422: winbindd_demote_client isn't used and generatesJeremy Allison2007-10-101-8/+0
| | | | | | a Klocwork issue (#1844). Remove it Jeremy. (This used to be commit e83c3e0a65edeb423d964488e219e30d023b13e8)
* r16361: Fix Klocwork ID 1731 1770 1771 1775 1796Volker Lendecke2007-10-104-3/+14
| | | | | Volker (This used to be commit 8a5cebc19e4709399976efe9e3ba3bf29249620a)
* r16358: ALWAYS compile this stuff on a 64-bit box beforeJeremy Allison2007-10-101-1/+3
| | | | | | checking in. size_t != uint32 on a 64-bit machine. Jeremy. (This used to be commit 09c89732869eae0d8c8971ac78235d34e4dcecb9)
* r16349: Another fix to make winbind more robust in large domains:Günther Deschner2007-10-101-11/+52
| | | | | | | | | | | We may only feed rpc_useraliases with chunks of 1024 entries. This is important as the token generation otherwise fails when a user is member of more then 1024 groups. Volker, please check. Guenther (This used to be commit d8fd94648f965eb043f957b154ce63b245a90328)
* r16285: On a 64-bit box, size_t != uint32. Ensure we useJeremy Allison2007-10-101-2/+4
| | | | | | the right parameter type. Jeremy. (This used to be commit 938545f5352161b4fe195c2a826a26db5236f851)
* r16284: Start fixing up gcc4 -O6 warnings on an x86_64 box. size_t != unsignedJeremy Allison2007-10-102-6/+6
| | | | | | | int in a format string. Jeremy. (This used to be commit face01ef01e1a3c96eae17c56cadf01020d4cb46)
* r16222: Fix DEBUG statements.Günther Deschner2007-10-102-2/+2
| | | | | Guenther (This used to be commit 5ecfaf7d505e6acc23a06dd64d00f5e6fb8efe6f)
* r16221: No need for friednly error messages at log level 10.Günther Deschner2007-10-101-27/+26
| | | | | Guenther (This used to be commit 58a7c0900325065cc969eb4f2f4c85d41e27bc89)
* r16196: A bit of defensive programming:Volker Lendecke2007-10-101-1/+1
| | | | | | | | | Klocwork ID 1773 complained about oldest being dereferenced in line 2275 where it could be NULL. I think you can construct extreme racy conditions where this actually could happen. Volker (This used to be commit b5602cc4f1d77ed48ddca0f7f42b28706160c923)
* r16192: Fix timeformats in the winbind response struct.Günther Deschner2007-10-101-8/+8
| | | | | | | (pam_winbind users were forced to change a password inappropriately) Guenther (This used to be commit 65643d31725a4e3fe157d66e9ecad03a65a484e2)
* r16187: Fix memleak.Günther Deschner2007-10-101-9/+12
| | | | | Guenther (This used to be commit e7d2b84aba2f2f5d844ba6a5fdcce35c3750d0b2)
* r16154: Fix winbind function table typo.Günther Deschner2007-10-101-1/+1
| | | | | Guenther (This used to be commit aeff1f0c47992ce3941e27e63f9b1516c4918963)
* r16114: Make winbindd's group enumeration (set|get|endgrent) work again (whenGünther Deschner2007-10-101-1/+1
| | | | | | | | | | | enabled). Do not bail out when a group just has 0 members. Jeremy, please check, this has been removed with r13915. Guenther (This used to be commit 3a738a855d335e44e167351e6396bf3fe81a03af)
* r16080: Re-add accidentially excluded in-forest domain trusts (fixes bug #3823).Günther Deschner2007-10-101-1/+1
| | | | | Guenther (This used to be commit 8759a00fedfe5d8d789c8b707c924d8116da1102)
* r15985: Adding "own-domain" switch to wbinfo which is handy from time to time.Günther Deschner2007-10-101-1/+17
| | | | | Guenther (This used to be commit 3c9416c2bedeec7f075e94d45d08f37ae6dd41d1)
* r15984: Correctly handle the case when there is no configuration file forGünther Deschner2007-10-101-1/+1
| | | | | | | pam_winbind. Guenther (This used to be commit 29758ea1c4e1b9b57d27765d539306058299fcd1)
* r15983: Honour the krb5 principal name change (of the new ads join code) in theGünther Deschner2007-10-101-1/+1
| | | | | | | kerberized winbind pam_auth. Guenther (This used to be commit 216125fe132fa6b886b99139e38988725beb88f0)
* r15982: Fix confusing order of DEBUG statements in winbindds pam_auth.Günther Deschner2007-10-101-3/+3
| | | | | Guenther (This used to be commit 3f5a2e49c108bfe8f8b875af9e69d5ad3b0567ee)
* r15977: Fillup the password_policy method in winbindd for winbindd_passdb. ThisGünther Deschner2007-10-101-2/+41
| | | | | | | should make pam_winbind work again on a Samba PDC (and fix Bug #3800). Guenther (This used to be commit 4addabd054a2627133d3fff71234db18cf2c822c)
* r15976: Set our internal domains to "online" by default in winbindd.Günther Deschner2007-10-101-1/+1
| | | | | Guenther (This used to be commit 2678582c6cc7fb100cb3bfd867816878461ae7b4)
* r15904: This does two things:Volker Lendecke2007-10-101-25/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | Fix more potential segfaults when something on our way to a DC connection fails. We can not continue if dcip_to_name() fails. With 192.168.234.100 nt4pdc 192.168.234.100 windows#1c 192.168.234.100 windows#1b in the lmhosts file when nt4pdc is rebooted, we do find the DC's IP address, we can connect to TCP 139 while it is booting but anything else fails. So we fall back to put the IP address into domain->dcname. When the DC is fully up later on we try to do the auth2 against \\192.168.234.100 which gives INVALID_COMPUTER_NAME. And we never get out of this loop again. Fix this. Jerry, maybe you can take a look. Thanks, Volker (This used to be commit b1244e79068af9e287252b2dfbb8d612e717674a)
* r15845: Ok. This was a tough one. If for some reason the tconX fails towards ↵Volker Lendecke2007-10-101-0/+1
| | | | | | | | | | a domain controller the next time we connect this child ran into a segfault because it tried to reference a half-baked connection. Volker (This used to be commit c8a8204c744cf7aa1a1a6992a3433d99b6bb73a1)
* r15842: patch from volker to instruct winbindd to find a trusted DC on its ↵Gerald Carter2007-10-101-1/+1
| | | | | | own when runing on a Samba DC (since we don't implement the getdcname() call that well (This used to be commit 39f7ff75a7a21b85b54cba954f1c5552e562be5c)
* r15705: Fix bug number 3788. Thanks to Jeff Wright.Volker Lendecke2007-10-101-0/+3
| | | | | Volker (This used to be commit e4a2cb4b9143394a54ae1de91e59722c11a0b2e4)
* r15698: An attempt to make the winbind lookup_usergroups() call in security=adsGünther Deschner2007-10-102-17/+116
| | | | | | | | | | | | | | | | | | | | | | | | | | more scalable: The most efficient way is to use the "tokenGroups" attribute which gives the nested group membership. As this attribute can not always be retrieved when binding with the machine account (the only garanteed way to get the tokenGroups I could find is when the machine account is a member of the "Pre Win2k Access" builtin group). Our current fallback when "tokenGroups" failed is looking for all groups where the userdn was in the "member" attribute. This behaves not very well in very large AD domains. The patch first tries the "memberOf" attribute on the user's dn in that case and directly retrieves the group's sids by using the LDAP Extended DN control from the user's object. The way to pass down the control to the ldap search call is rather painfull and probably will be rearranged later on. Successfully tested on win2k sp0, win2k sp4, wink3 sp1 and win2k3 r2. Guenther (This used to be commit 7d766b5505e4099ef7dd4e88bb000ebe38d71bd0)
* r15697: I take no comments as no objections :)Günther Deschner2007-10-102-13/+37
| | | | | | | | | | | Expand the "winbind nss info" to also take "rfc2307" to support the plain posix attributes LDAP schema from win2k3-r2. This work is based on patches from Howard Wilkinson and Bob Gautier (and closes bug #3345). Guenther (This used to be commit 52423e01dc209ba5abde808a446287714ed11567)
* r15675: Man pages say never look at the fd_set after a selectJeremy Allison2007-10-101-2/+8
| | | | | | | if it returned -1 (treat as undefined). Ensure we obey this. Jeremy. (This used to be commit 256ae3a16bcafe70cc1a00496681c709380e4fc3)
* r15634: Prevent passwords of winbindd's list of credential caches from beeingGünther Deschner2007-10-103-1/+51
| | | | | | | swapped to disc using mlock(). (patch was reviewed by Jeremy). Guenther (This used to be commit 206cdbb8e9a4a0900060d56510e58b85a2b8aec5)
* r15632: Remove length limitation from the winbind cache cleanup traversal.Günther Deschner2007-10-101-7/+2
| | | | | Guenther (This used to be commit 181fa02497e353a36e311f94f5bec2e9cfd1b56e)
* r15562: Attempt to fix Coverity bug # 283Volker Lendecke2007-10-101-0/+8
| | | | (This used to be commit 3762effca5e1e2bbb2d1d9dd8504c502485eca7d)
* r15546: When debugging is enabled be just a little more verbose in logging inGünther Deschner2007-10-101-6/+6
| | | | | | | pam_winbind. Guenther (This used to be commit bf077fb2268b79faffd1fdda04847c37ffead32d)
* r15543: New implementation of 'net ads join' to be more like Windows XP.Gerald Carter2007-10-101-8/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The motivating factor is to not require more privileges for the user account than Windows does when joining a domain. The points of interest are * net_ads_join() uses same rpc mechanisms as net_rpc_join() * Enable CLDAP queries for filling in the majority of the ADS_STRUCT->config information * Remove ldap_initialized() from sam/idmap_ad.c and libads/ldap.c * Remove some unnecessary fields from ADS_STRUCT * Manually set the dNSHostName and servicePrincipalName attribute using the machine account after the join Thanks to Guenther and Simo for the review. Still to do: * Fix the userAccountControl for DES only systems * Set the userPrincipalName in order to support things like 'kinit -k' (although we might be able to just use the sAMAccountName instead) * Re-add support for pre-creating the machine account in a specific OU (This used to be commit 4c4ea7b20f44cd200cef8c7b389d51b72eccc39b)
* r15541: Only ever store a user's password in a WINBINDD_CCACHE_ENTRY struct whenGünther Deschner2007-10-101-1/+1
| | | | | | | we have a reason to do so. Guenther (This used to be commit 4da79bd10c17277171aad26ee0278f8e5b64abdb)