IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
from the krb5 ticket renewal code. This allows cached
credentials to be stored for single sign-on via ntlm_auth
for machines in a domain still using NTLM. Also (hopefully)
fixes the reference counting problem with pam_logon/logoff
so multiple logons/logoffs won't lose cached credentials.
This compiles, but I'm intending to test it over the weekend
so don't complain too much :-). I also want it in the tree
so Coverity can scan it for errors. Guenther, check this over
please - I ran through the architecture with Jerry and he's
ok with it, but this is modifying your code a lot.
Jeremy.
(This used to be commit 679eeeb911)
* Merge patches from SLES10 to make sure we talk to the correct
winbindd process when performing pam_auth (and pull the password policy info).
(This used to be commit 43bd8c00ab)
the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97)
ntlm_auth module to allow it to use winbindd cached
credentials.The credentials are currently only stored
in a krb5 MIT environment - we need to add an option to
winbindd to allow passwords to be stored even in an NTLM-only
environment.
Patch from Robert O'Callahan, modified with some fixes
by me.
Jeremy.
(This used to be commit ae7cc298a1)
This mode proxies pre-calculated blobs from a remote (probably VPN)
client into the domain. This allows clients to change their password
over a PPTP connection (where they would not be able to connect to
SAMR directly).
The precalculated blobs do not reveal the plaintext password.
Original patch by Alexey Kobozev <cobedump@gmail.com>
(This used to be commit 967292b713)
are set in a winbindd request it might overwrite existing
state->response.extra_data.data values without freeing.
Jeremy.
(This used to be commit 4e7262c81a)
When trying to login using krb5 with a trusted domain account, we
need to make sure that our and the remote domain are AD.
Guenther
(This used to be commit 5853525f11)
prevents a nasty failure condition in winbindd's pam_auth where a tgt
and a service ticket could have been succefully retrieved, but just not
validated.
Guenther
(This used to be commit a75dd80c62)
kerberized pam_winbind and workstation restrictions are in effect.
The krb5 AS-REQ needs to add the host netbios-name in the address-list.
We don't get the clear NT_STATUS_INVALID_WORKSTATION code back yet from
the edata of the KRB_ERROR but the login at least fails when the local
machine is not in the workstation list on the DC.
Guenther
(This used to be commit 8b2ba11508)
cache with a valid TGT in it but we werent able to get or verify the
service ticket for this local host afterwards and therefor didn't get
the PAC, we need to remove that ccache entirely.
Also remove an ugly pair of (not needed) seteuid calls around the ticket
destroy wrapper.
Guenther
(This used to be commit 25a2fb3896)
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes'
* Add a SID domain to the group mapping enumeration passdb call
to fix the checks for local and builtin groups. The SID can be
NULL if you want the old semantics for internal maintenance.
I only updated the tdb group mapping code.
* remove any group mapping from the tdb that have a
gid of -1 for better consistency with pdb_ldap.c.
The fixes the problem with calling add_group_map() in
the tdb code for unmapped groups which might have had
a record present.
* Ensure that we distinguish between groups in the
BUILTIN and local machine domains via getgrnam()
Other wise BUILTIN\Administrators & SERVER\Administrators
would resolve to the same gid.
* Doesn't strip the global_sam_name() from groups in the
local machine's domain (this is required to work with
'winbind default domain' code)
Still todo.
* Fix fallback Administrators membership for root and domain Admins
if nested groups = no or winbindd is not running
* issues with "su - user -c 'groups'" command
* There are a few outstanding issues with BUILTIN\Users that
Windows apparently tends to assume. I worked around this
presently with a manual group mapping but I do not think
this is a good solution. So I'll probably add some similar
as I did for Administrators.
(This used to be commit 612979476a)
can not work for NTLM auth, where we only have a workstation account for our
own domain. For the PAM Kerberos login we need to find a better way to do
this, probably using Dsr_GetDCName and some winbind-crafted krb5.conf.
Volker
(This used to be commit bf7c608147)
* ignore the primary group SID attribute from struct samu*
* generate the primary group SID strictlky from the Unix
primary group when dealing with passdb users
* Fix memory leak in original patch caused by failing to free a
talloc *
* add wrapper around samu_set_unix() to prevent exposing the create
BOOL to callers. Wrappers are samu_set_unix() and samu-allic_rid_unix()
(This used to be commit bcf269e2ec)
Fix parse_domain_user to fail when splitting a full name like "DOM\user"
when "winbind use default domain" and "winbind trusted domains only" are
not enabled.
This allows pam_winbind to behave correctly when more modules are
stacked in the "account" or "password" PAM facility. pam_winbindd calls
WINBINDD_GETPWNAM which can decide whether or not a user is a winbind
user and return correct PAM error codes.
Guenther
(This used to be commit e6d52c1e9d)
talloc_string_sub. Someone with time on his hands could convert all the
callers of all_string_sub to this.
realloc_string_sub is *only* called from within substitute.c, it could be
moved there I think.
Volker
(This used to be commit be6c9012da)
Also remove the mem_ctx from the netsamlogon_cache_store() API.
Guenther, what should we be doing with the other fields in
the PAC_LOGON_INFO?
(This used to be commit 8bead2d282)
around failed query_user calls. This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.
As per comments on samba-technical, I still need to add
(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away
Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b)