author | Volker Lendecke <vl@samba.org> | 2009-11-19 17:20:47 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2009-11-19 19:04:39 +0100 |
commit | 882350b0abe87ca7b3542996acfabc6d4bff5509 (patch) | |
tree | d71ab3ac858de86b3125303da2aedab5b919a918 | |
parent | 4d0ebc90dce05a66736c070d97d01c4167265a9a (diff) | |
s3: Protect against flooding the DC with pwchange requests
When there is a temporary problem changing passwords we flooded the DC with
pwchange requests. This gives the DC a 60-second break to recover.
-rw-r--r-- | source3/winbindd/winbindd_dual.c | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 904d3e4ed3..ae8f236cb4 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -1117,21 +1117,31 @@ static void machine_password_change_handler(struct event_context *ctx,
 "trust_pw_find_change_and_store_it returned %s\n",
 nt_errstr(result)));
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
+ DEBUG(3,("machine_password_change_handler: password set returned "
+ "ACCESS_DENIED. Maybe the trust account "
+ "password was changed and we didn't know it. "
+ "Killing connections to domain %s\n",
+ child->domain->name));
+ TALLOC_FREE(child->domain->conn.netlogon_pipe);
+ }
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
+ return;
+ }
+
+ DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
+ timeval_string(talloc_tos(), &next_change, false)));
+
 if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("machine_password_change_handler: "
- "failed to change machine password: %s\n",
- nt_errstr(result)));
- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
- DEBUG(3,("machine_password_change_handler: password set returned "
- "ACCESS_DENIED. Maybe the trust account "
- "password was changed and we didn't know it. "
- "Killing connections to domain %s\n",
- child->domain->name));
- TALLOC_FREE(child->domain->conn.netlogon_pipe);
- }
- } else {
- DEBUG(10,("machine_password_change_handler: "
- "successfully changed machine password\n"));
+ struct timeval tmp;
+ /*
+ * In case of failure, give the DC a minute to recover
+ */
+ tmp = timeval_current_ofs(60, 0);
+ next_change = timeval_max(&next_change, &tmp);
 }
 done: |
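Review bot: The `return` added on the `calculate_next_machine_pwd_change` failure path leaves the handler without reaching the `done:` label. If the code after `done:` is what re-arms the timer (it lies outside the hunk, as does the start of the function, so this is inferred), machine password rotation would stop silently from that point on. The only trace is a level-10 message, so consider raising it, e.g. `DEBUG(1, ("calculate_next_machine_pwd_change failed, machine password change not rescheduled\n"));`, or falling back to `next_change = timeval_current_ofs(60, 0);` and continuing to `done:`. Separately, the retry delay is a bare `60` with no backoff, so a persistent ACCESS_DENIED would still cause one change attempt and one netlogon pipe teardown per minute. A named constant and a growing delay would make that behaviour easier to tune and to notice in logs.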