1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

1447 Commits

Author SHA1 Message Date
Günther Deschner
a6c249b592 r21537: Avoid to trigger the confusing "cached entry differs." warning when
there is just no cache around for a user.

Guenther
2007-10-10 12:18:11 -05:00
Jeremy Allison
773001870d r21530: Don't code with jet-lag and Volker looking over your
shoulder.... Correct fix for warning :-)
Jeremy.
2007-10-10 12:18:10 -05:00
Jeremy Allison
34675624e2 r21529: Fix warning from bad cast.
Jeremy.
2007-10-10 12:18:10 -05:00
Gerald Carter
0d2b80c6c4 r21525: Go ahead and checkin the mlock() & memalign() fixes so
others don't get stuck with the winbindd hang.
Still waiting on additional confirmation from Guenther
that this fixes thes issues he was observing as well.
But it's been running in my local tree for a day without
problems.
2007-10-10 12:18:10 -05:00
Simo Sorce
a5354aa9a0 r21508: Fix memleak in new idmap_tdb, thanks Herb.
Jerry please check.

Simo.
2007-10-10 12:18:09 -05:00
Gerald Carter
52e6a2ceab r21505: make sure mlock()'d memory is aligned on a page boundary 2007-10-10 12:18:08 -05:00
Günther Deschner
c3005c48cd r21500: Fix inappropriate creation of a krb5 ticket refreshing event when a user
changed a password via pam_chauthtok. Only do this if

a) a user logs on using an expired password (or a password that needs to
be changed immediately) or

b) the user itself changes his password.

Also make sure to delete the in-memory krb5 credential cache (when a
user did not request a FILE based cred cache).

Finally honor the krb5 settings in the first pam authentication in the
chauthtok block (PAM_PRELIM_CHECK). This circumvents confusion when
NTLM samlogon authentication is still possible with the old password after
the password has been already changed (on w2k3 sp1 dcs).

Guenther
2007-10-10 12:18:08 -05:00
Jeremy Allison
08998b74a5 r21474: Ensure trustdom_cache_shutdown() gets called
on terminate. Pointed out by Herb.
Jeremy.
2007-10-10 12:18:07 -05:00
Günther Deschner
5c4a58ff3a r21454: Fix debug typo.
Guenther
2007-10-10 12:18:05 -05:00
Günther Deschner
ad063d9a94 r21450: No need to TALLOC_FREE twice here.
Guenther
2007-10-10 12:18:04 -05:00
Herb Lewis
aa8f306fa5 r21399: need to zero the request and response structures 2007-10-10 12:18:02 -05:00
Herb Lewis
9fe5f78857 r21397: revert accidential commit 2007-10-10 12:18:02 -05:00
Herb Lewis
7acc9421b0 r21396: fix wbinfo --lookup-rids command
allow detection of libbiconv if all others fail - need for FreeBSD
2007-10-10 12:18:02 -05:00
Günther Deschner
155b9e7c74 r21394: Prevent nscd crash due to potential NULL pointer dereference in
_nss_winbind_initgroups_dyn() on an empty group list.

Guenther
2007-10-10 12:18:01 -05:00
Günther Deschner
03f5f7d014 r21387: Another important fix for non-AD domains:
Avoid assigning 0 as primary group id for users in NSS calls.
Jerry, please check.

Guenther
2007-10-10 12:18:01 -05:00
Günther Deschner
c6f63a08f5 r21382: Important fix for winbind when using non-AD domains.
Jeremy, I'm afraid you removed the "domain->initialized" from the
set_dc_types_and_flags() call when the connect to PI_LSARPC_DS failed
(with rev. 19148).

This causes now that init_dc_connection_network is called again and
again which in turn rescans the DC each time (which of course fails each
time with NT_STATUS_BUFFER_TOO_SMALL). Just continue with the
non-PI_LSARPC_DS scan so that the domain is initialized properly.

Guenther
2007-10-10 12:17:59 -05:00
Günther Deschner
639b7989b3 r21358: Some more debugging for _nss_winbind_initgroups_dyn() on Linux.
Guenther
2007-10-10 12:17:58 -05:00
Günther Deschner
e3c3258379 r21357: Fix typo.
Guenther
2007-10-10 12:17:58 -05:00
Günther Deschner
53ecd63d94 r21353: In the turn of tracking down nss_winbind related bugs on Linux:
print NSS_STATUS code with DEBUG_NSS when leaving a function.

Guenther
2007-10-10 12:17:58 -05:00
Günther Deschner
dcbf7a1250 r21336: Fix indent (as pointed out by Volker).
Guenther
2007-10-10 12:17:56 -05:00
Günther Deschner
b2f9115482 r21318: Fix Bug #4225.
Cached logon with pam_winbind should work now also for NT4 and samba3
domains.

Guenther
2007-10-10 12:17:56 -05:00
Günther Deschner
5a7b2fccb3 r21310: Fix invalid printfs in pam_winbind.
Guenther
2007-10-10 12:17:55 -05:00
Günther Deschner
968dfcc821 r21309: Add PRINTF_ATTRIBUTE checks for log statements.
Guenther
2007-10-10 12:17:55 -05:00
Günther Deschner
16c90f30b9 r21308: Fix some typos and ensure to null terminate the correct strings.
Guenther
2007-10-10 12:17:54 -05:00
Gerald Carter
5c3edad860 r21284: Fix some unitilized variable warnings pointed out by Volker. 2007-10-10 12:17:54 -05:00
Günther Deschner
7e1a84b722 r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".

Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).

Guenther
2007-10-10 12:17:50 -05:00
Herb Lewis
509ae5ffa1 r21231: get rid of unused defines that cause a redefined warning 2007-10-10 12:17:49 -05:00
Jeremy Allison
70b5db7d8c r21228: Fix for fd leak on error path. Thanks to
dleonard@vintela.com for this fix !
Jeremy.
2007-10-10 12:17:49 -05:00
Gerald Carter
615a104356 r21182: * Refactor the code to obtain the LDAP connection credentials
from both idmap_ldap_{alloc,db}_init()
* Fix the backwards compat support in idmap_ldap.c
* Fix a spelling error in the idmap_fetch_secret() function name
2007-10-10 12:17:46 -05:00
Gerald Carter
01af19cc9d r21180: fix backwards compatible idmap backends parameter parsing 2007-10-10 12:17:46 -05:00
Günther Deschner
f4a704745c r21161: Another fix for pam_winbind: Move the entire pwd expiry handling into
the PAM_SUCCESS block.

Guenther
2007-10-10 12:17:44 -05:00
Günther Deschner
02713f314b r21160: Some more pam_winbind fixes:
* Consolidate all pam_winbind password expiry warnings in the one
_pam_send_password_expiry_message() call.
* Also convert some more NTSTATUS codes to error messages.
* Add paranoia check to only do all the post-processing after PAM_SUCCESS.

Guenther
2007-10-10 12:17:44 -05:00
Günther Deschner
034d42ba72 r21159: Cleanup pam_sm_chauthtok() in pam_winbind:
Set info3 strings, krb5ccname and returned username after we changed a
password and sucessfully re-authenticated afterwards. In that case we
ended up without this information.

Guenther
2007-10-10 12:17:44 -05:00
Günther Deschner
1feb961577 r21158: Add _pam_setup_krb5_env() and _pam_warn_logon_type() functions for
pam_winbind.

Guenther
2007-10-10 12:17:44 -05:00
Günther Deschner
86b34cd5d6 r21155: Forgot one _PAM_LOG_STATE_DATA_STRING call (only in 3_0).
Guenther
2007-10-10 12:17:44 -05:00
Günther Deschner
97a0b1b794 r21154: Add PAM_WINBIND_LOGONSERVER, also merge the various pam_set_data calls.
Guenther
2007-10-10 12:17:43 -05:00
Günther Deschner
ebfae9a671 r21152: Correctly omit pam conversations when PAM_SILENT has been set by the
calling application.

Guenther
2007-10-10 12:17:43 -05:00
Gerald Carter
1d46b2ae34 r21151: applying patches for CVE-2007-045[34] 2007-10-10 12:17:43 -05:00
Günther Deschner
a9ac4630b4 r21149: Only say we are a groupmember for the optimized (rid 513) membership
lookup when we actually are. Although the Linux nss winbind backend
protects against num_mem != 0 && buf == NULL.

Guenther
2007-10-10 12:17:43 -05:00
Günther Deschner
cdef1d00b8 r21146: Fix debug typos.
Guenther
2007-10-10 12:17:43 -05:00
Günther Deschner
1b82c5fa0e r21145: Convert some int to BOOL in pam_winbind (only in 3_0).
Guenther
2007-10-10 12:17:42 -05:00
Günther Deschner
2ac9cb3bbd r21144: Create more accurate warning message when the pam_winbind chauthtok has
received NT_STATUS_PASSWORD_RESTRICTION.

Guenther
2007-10-10 12:17:42 -05:00
Günther Deschner
88e2185d29 r21143: Fix wrong check for pam error codes for getpwnam and lookup winbind
requests in pam_winbind (Bug #4094).

Inspired by fix from Lars Heete.

Guenther
2007-10-10 12:17:42 -05:00
Gerald Carter
5c36d67d27 r21130: Don't mix SAFE_FREE() and TALLOC_FREE(). 2007-10-10 12:17:41 -05:00
Günther Deschner
08ca5ea6f1 r21122: Simplify code in pam_winbind a bit.
Guenther
2007-10-10 12:17:40 -05:00
Gerald Carter
6b754f7c96 r21112: fix const compile warning 2007-10-10 12:17:39 -05:00
Günther Deschner
7d0e2e7068 r21106: We neither need a account lockout policy handler nor a check domain
online handler for internal (local SAM, BUILTIN) childs. Jeremy, please
check.

Guenther
2007-10-10 12:17:38 -05:00
Jeremy Allison
ede30a8b4b r21101: Remove "unused" warning from Jerry's code. We still
have a build failure in 3.0.24 in event_add_timed ?
Jeremy
2007-10-10 12:17:37 -05:00
Günther Deschner
bf0c4ce7b1 r21098: When get_dc_name_via_netlogon() in get_dcs() fails to find a trusted DC
we may not just assume that we look for our own realm's dcs next.

Guenther
2007-10-10 12:17:37 -05:00
Gerald Carter
bd8238417b r21070: * Add the new boolean 'winbind normalize names' option as discussed
on the samba-technical ml.  The replacement character is hardcoded
  as a '_' for now.
2007-10-10 12:17:32 -05:00