path: root/source3/winbindd/winbindd_pam.c
Commit message | Author | Age | Files | Lines
* s3-winbindd: Implement SamLogon IRPC call | Andrew Bartlett | 2014-06-11 | 1 | -48/+81
  We do this by lifting parts of the winbindd_dual_pam_auth_crap() code into a new helper function winbind_dual_SamLogon(). This allows us to implement the semantics we need for IRPC, without the artifacts of the winbindd pipe protocol.
  Change-Id: Idb169217e6d68d387c99765d0af7ed394cb5b93a
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jun 11 12:43:58 CEST 2014 on sn-devel-104
* auth: Provide a way to use the auth stack for winbindd authentication | Andrew Bartlett | 2014-06-11 | 1 | -3/+42
  This adds in flags that allow winbindd to request authentication without directly calling into the auth_sam module. That in turn will allow winbindd to call auth_samba4 and so permit winbindd operation in the AD DC.
  Andrew Bartlett
  Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:lib/afs move afs.c to common lib dir | Christian Ambach | 2014-06-04 | 1 | -0/+1
  some of the code in afs.c is needed by wbinfo that lives in the toplevel nsswitch directory, so move the afs.c file to a new top-level lib/afs directory. Use the name afs_funcs to avoid collisions with the afs.h header from OpenAFS
  Signed-off-by: Christian Ambach <ambi@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-auth: Finally change make_user_info_*() use a parent talloc context | Andrew Bartlett | 2014-04-02 | 1 | -3/+6
  Change-Id: Iedf516e8c24e0d18064aeedd8e287ed692d3c5b4
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3-kerberos: let kerberos_return_pac() return a PAC container. | Günther Deschner | 2014-03-12 | 1 | -1/+7
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-kerberos: return a full PAC in kerberos_return_pac(). | Günther Deschner | 2014-03-12 | 1 | -1/+21
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3-libads: pass down local_service to kerberos_return_pac(). | Günther Deschner | 2014-03-12 | 1 | -0/+9
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s3:winbindd: make use of rpccli_netlogon_network_logon() | Stefan Metzmacher | 2014-01-07 | 1 | -13/+15
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3:rpc_client: make use of the new netlogon_creds_cli_context | Stefan Metzmacher | 2014-01-07 | 1 | -110/+26
  This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds and lets the secure channel session state be stored in node local database.
  This is the proper fix for a large number of bugs:
  https://bugzilla.samba.org/show_bug.cgi?id=6563
  https://bugzilla.samba.org/show_bug.cgi?id=7944
  https://bugzilla.samba.org/show_bug.cgi?id=7945
  https://bugzilla.samba.org/show_bug.cgi?id=7568
  https://bugzilla.samba.org/show_bug.cgi?id=8599
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbind: Add support for the kernel krb5 keyring buffer. | Andreas Schneider | 2013-09-10 | 1 | -0/+4
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-winbind: Don't set a default directory for DIR. | Andreas Schneider | 2013-09-10 | 1 | -4/+0
  There is no default so you should always have to specify a directory in the config file.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* s3-winbindd: support the DIR pragma for raw kerberos user pam authentication. | Günther Deschner | 2013-07-23 | 1 | -0/+23
  It is currently only available in MIT. In addition, allow to define custom filepaths for FILE, WRFILE and DIR pragmas and substitute one occurrence of the %u pattern.
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s3-winbind: Do not delete an existing valid credential cache. | Andreas Schneider | 2013-07-15 | 1 | -0/+8
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=9994
  Thanks to David Woodhouse <dwmw2@infradead.org>.
  Reviewed-by: Günther Deschner <gd@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Mon Jul 15 12:48:46 CEST 2013 on sn-devel-104
* winbind: Correctly use names in the domain struct. | Andreas Schneider | 2013-03-05 | 1 | -3/+19
  Reviewed-by: David Disseldorp <ddiss@samba.org>
* s3:winbind: BUG 9386: Failover if netlogon pipe is not available. | Andreas Schneider | 2012-11-12 | 1 | -13/+39
  Samba continues to query a broken DC while the DC did not finish to rebuild Sysvol (after a Windows crash, for example). It causes end users to receive strange codes while trying to authenticate, even if there is a secondary DC available.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Mon Nov 12 18:57:18 CET 2012 on sn-devel-104
* winbind: Extend wbcAuthenticateUserEx to provide PAC | Christof Schmitt | 2012-09-20 | 1 | -6/+122
  With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PAC is also added to the netsamlogon_cache.
  The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* Fix bug #9098 - winbind does not refresh kerberos tickets. | Jeremy Allison | 2012-08-21 | 1 | -0/+9
  Based on work from Ian Gordon <ian.gordon@strath.ac.uk>.
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Tue Aug 21 22:01:15 CEST 2012 on sn-devel-104
* Correctly check for errors in strlower_m() returns. | Jeremy Allison | 2012-08-09 | 1 | -1/+3
* Check error returns from strupper_m() (in all reasonable places). | Jeremy Allison | 2012-08-09 | 1 | -2/+6
* s3-winbind: Fix bug #9052 resolving our own "Domain Local" groups. | Andreas Schneider | 2012-07-23 | 1 | -1/+1
  We don't resolve our own "Domain Local" groups since bug #7843 has been fixed. So we need to add the add resource groups to the sid list too. Before bug #7843 the "Domain Local" groups were added with a lookupuseraliases call, but this isn't done anymore for our domain so we need to resolve resource groups here.
  When to use Resource Groups: http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Mon Jul 23 22:12:30 CEST 2012 on sn-devel-104
* source3/winbindd/winbindd_pam.c: fix stackframe leak | Rusty Russell | 2012-07-18 | 1 | -0/+1
  check_info3_in_group() doesn't always free its stackframe.
  Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
* s3: Fix Coverity ID 2727 to 2740 -- UNINIT | Volker Lendecke | 2012-04-19 | 1 | -2/+2
* s3-winbindd Only use SamLogonEx when we can get unencrypted session keys | Andrew Bartlett | 2012-03-19 | 1 | -2/+2
  This ensures that we have some check on the session keys being returned as the RC4 cipher is not checksummed. The check comes from the fact that the credentials chain is tied to the session key, and so if the credentials check passes then the netlogon session key will be correct, and so the user session key will be correctly decrypted.
  Andrew Bartlett
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Mon Mar 19 21:31:46 CET 2012 on sn-devel-104
* s3-winbindd: Close netlogon connection if the status returned by the NetrSamLogonEx call is timeout in the pam_auth_crap path | Matthieu Patou | 2012-02-27 | 1 | -1/+20
  If not the child process would hang for quite a long time up to the moment when the connection is cleaned by the kernel (took ~ 20 minutes) in my tests.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Mon Feb 27 23:10:03 CET 2012 on sn-devel-104
* s3-winbindd: pass logon parameters down to check_sam_security() | Andrew Bartlett | 2012-02-20 | 1 | -2/+6
  This allows ntlm_auth --diagnostics to work against the local DC, just as it works against a member server.
  Andrew Bartlett
* s3-winbind: don't try to do clever thing if the username is not found while authenticating through winbind | Matthieu Patou | 2012-01-30 | 1 | -1/+2
  This could cause that we authenticate a user with a bogus domain to winbind's domain if the password supplied for the PAM_AUTH match.
  The problem was reported by Jeff Venable (jvenable@juniper.net). Patch from Andrew Bartlett (abartlett@samba.org).
  Autobuild-User: Matthieu Patou <mat@samba.org>
  Autobuild-Date: Mon Jan 30 18:58:12 CET 2012 on sn-devel-104
* Fix bug #8548 - winbind_samlogon_retry_loop ignores logon_parameters flags. | Jeremy Allison | 2011-10-28 | 1 | -2/+2
  Fix confirmed by reporter.
  Autobuild-User: Jeremy Allison <jra@samba.org>
  Autobuild-Date: Fri Oct 28 23:04:47 CEST 2011 on sn-devel-104
* idl: Improve MS-PAC IDL | Simo Sorce | 2011-10-24 | 1 | -7/+7
  Change some misleading variable names to reflect the actual function. Add missing field name/types previously marked as unknown.
  Signed-off-by: Günther Deschner <gd@samba.org>
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Mon Oct 24 19:19:28 CEST 2011 on sn-devel-104
* s3-auth: Pass the remote_address down to user_info. | Andreas Schneider | 2011-07-04 | 1 | -2/+13
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s3-winbind: Fix bug 7888 -- deal with buggy 3.0 based PDCs | Günther Deschner | 2011-06-30 | 1 | -7/+19
  Guenther
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Thu Jun 30 00:42:23 CEST 2011 on sn-devel-104
* s3-param Remove special case for global_myname(), rename to lp_netbios_name() | Andrew Bartlett | 2011-06-09 | 1 | -3/+3
  There is no reason this can't be a normal constant string in the loadparm system, now that we have lp_set_cmdline() to handle overrides correctly.
  Andrew Bartlett
* s3-winbind: BUG 8166 - Don't lockout users when offline. | Jim McDonough | 2011-05-25 | 1 | -1/+4
  Windows does not track bad password attempts when offline. We were locking users out but not honoring the lockout duration.
  Autobuild-User: Jim McDonough <jmcd@samba.org>
  Autobuild-Date: Wed May 25 18:11:10 CEST 2011 on sn-devel-104
* More simple const fixups. | Jeremy Allison | 2011-05-05 | 1 | -3/+3
* Fix simple uses of safe_strcpy -> strlcpy. Easy ones where we just remove -1. | Jeremy Allison | 2011-05-04 | 1 | -2/+2
* s3: remove various references to server side dcerpc structs (which are not needed). | Günther Deschner | 2011-05-02 | 1 | -1/+0
  Guenther
* s3:rpc_client: map fault codes to NTSTATUS with dcerpc_fault_to_nt_status() | Stefan Metzmacher | 2011-04-24 | 1 | -5/+5
  Most fault codes have a NTSTATUS representation, so use that. This brings the fault handling in common with the source4/librpc/rpc code, which makes it possible to share more highlevel code, between source3 and source4 as the error checking can be the same now.
  metze
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Sun Apr 24 10:44:53 CEST 2011 on sn-devel-104
* s3-includes: only include ntdomain.h where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* s3-auth: use auth.h where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* s3-passdb: use passdb headers where needed. | Günther Deschner | 2011-03-30 | 1 | -0/+1
  Guenther
* s3-rpc_client: Move client pipe functions to own header. | Andreas Schneider | 2011-02-28 | 1 | -0/+1
* s3-winbindd: let winbind try to use samlogon validation level 6. (bug #7945) | Günther Deschner | 2011-02-04 | 1 | -2/+57
  The benefit of this that it makes us more robust to secure channel resets triggered from tools outside the winbind process. Long term we need to have a shared tdb secure channel store though as well.
  Guenther
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User: Stefan Metzmacher <metze@samba.org>
  Autobuild-Date: Fri Feb 4 18:11:04 CET 2011 on sn-devel-104
* s3-winbind: prefer dcerpc_samr_X functions in winbindd/winbindd_pam.c. | Günther Deschner | 2011-02-02 | 1 | -13/+37
  Guenther
* s3: inline get_uid_from_state | Volker Lendecke | 2011-01-28 | 1 | -6/+1
  Autobuild-User: Volker Lendecke <vlendec@samba.org>
  Autobuild-Date: Fri Jan 28 23:38:16 CET 2011 on sn-devel-104
* s3: Lift winbindd_cli_state from fillup_password_policy | Volker Lendecke | 2011-01-28 | 1 | -4/+6
* s3: Do not use state->mem_ctx in fillup_password_policy | Volker Lendecke | 2011-01-28 | 1 | -4/+8
* s3: Lift winbindd_cli_state from winbindd_dual_pam_auth_samlogon | Volker Lendecke | 2011-01-28 | 1 | -21/+27
* s3: Lift winbindd_cli_state from winbindd_raw_kerberos_login | Volker Lendecke | 2011-01-28 | 1 | -18/+26
* s3-winbind: share a common winbind_samlogon_retry_loop(). | Günther Deschner | 2011-01-26 | 1 | -168/+147
  Guenther
  Autobuild-User: Günther Deschner <gd@samba.org>
  Autobuild-Date: Wed Jan 26 12:41:14 CET 2011 on sn-devel-104
* Revert "s3: These assignments are overwritten immediately" | Günther Deschner | 2011-01-26 | 1 | -0/+4
  This reverts commit 18962ea3852d0d0fc7371e99813bebd54fae0a19.
* Revert "s3-winbind: fix winbindd_dual_pam_auth_samlogon() for NT4 domains." | Günther Deschner | 2011-01-26 | 1 | -1/+0
  This reverts commit cea36aeacf8778493463f31e6afc3f58384639e2.