summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2005-09-16 16:20:23 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:03:40 -0500
commitbc9c617b16b1996812d6e698d74aef27c5f4e8d7 (patch)
tree55a4dcca7e2d116954bc8d34a771920aa7bdbd84
parent3368280b9402dea06d905c27f9b381556017aafe (diff)
downloadsamba-bc9c617b16b1996812d6e698d74aef27c5f4e8d7.tar.gz
samba-bc9c617b16b1996812d6e698d74aef27c5f4e8d7.tar.bz2
samba-bc9c617b16b1996812d6e698d74aef27c5f4e8d7.zip
r10268: Fix for bug #3095 - winbindd checking credentials.
Jeremy. (This used to be commit e58d8ee0555a5de0a25757b26cc22e02b9aace31)
-rw-r--r--source3/nsswitch/winbindd_pam.c30
1 files changed, 18 insertions, 12 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 64969a6cf4..a0712144ee 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -404,12 +404,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
} while ( (attempts < 2) && retry );
- if (NT_STATUS_IS_OK(result) &&
- (!clnt_deal_with_creds(session_key, credentials,
- &ret_creds))) {
- DEBUG(3, ("DC %s sent wrong credentials\n",
- pipe_cli->cli->srv_name_slash));
- result = NT_STATUS_ACCESS_DENIED;
+ /* Only check creds if we got a connection. */
+ if (contact_domain->conn.cli &&
+ !(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
+ if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) {
+ DEBUG(3, ("DC %s sent wrong credentials\n",
+ pipe_cli->cli->srv_name_slash));
+ result = NT_STATUS_ACCESS_DENIED;
+ }
}
if (NT_STATUS_IS_OK(result)) {
@@ -709,12 +712,15 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
} while ( (attempts < 2) && retry );
- if (NT_STATUS_IS_OK(result) &&
- (!clnt_deal_with_creds(session_key, credentials,
- &ret_creds))) {
- DEBUG(3, ("DC %s sent wrong credentials\n",
- pipe_cli->cli->srv_name_slash));
- result = NT_STATUS_ACCESS_DENIED;
+ /* Only check creds if we got a connection. */
+ if (contact_domain->conn.cli &&
+ !(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+ (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+ if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) {
+ DEBUG(3, ("DC %s sent wrong credentials\n",
+ pipe_cli->cli->srv_name_slash));
+ result = NT_STATUS_ACCESS_DENIED;
+ }
}
if (NT_STATUS_IS_OK(result)) {