r10268: Fix for bug #3095 - winbindd checking credentials.

Jeremy.
(This used to be commit e58d8ee0555a5de0a25757b26cc22e02b9aace31)

1 files changed, 18 insertions, 12 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 64969a6cf4..a0712144ee 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -404,12 +404,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 		
 	} while ( (attempts < 2) && retry );
 
-	if (NT_STATUS_IS_OK(result) &&
-	    (!clnt_deal_with_creds(session_key, credentials,
-				  &ret_creds))) {
-		DEBUG(3, ("DC %s sent wrong credentials\n",
-			  pipe_cli->cli->srv_name_slash));
-		result = NT_STATUS_ACCESS_DENIED;
+	/* Only check creds if we got a connection. */
+	if (contact_domain->conn.cli &&
+			!(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+				NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
+		if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) {
+			DEBUG(3, ("DC %s sent wrong credentials\n",
+				pipe_cli->cli->srv_name_slash));
+			result = NT_STATUS_ACCESS_DENIED;
+		}
 	}
 
 	if (NT_STATUS_IS_OK(result)) {
@@ -709,12 +712,15 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 
 	} while ( (attempts < 2) && retry );
 
-	if (NT_STATUS_IS_OK(result) &&
-	    (!clnt_deal_with_creds(session_key, credentials,
-				  &ret_creds))) {
-		DEBUG(3, ("DC %s sent wrong credentials\n",
-			  pipe_cli->cli->srv_name_slash));
-		result = NT_STATUS_ACCESS_DENIED;
+	/* Only check creds if we got a connection. */
+	if (contact_domain->conn.cli &&
+			!(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+					(NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+		if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) {
+			DEBUG(3, ("DC %s sent wrong credentials\n",
+				pipe_cli->cli->srv_name_slash));
+			result = NT_STATUS_ACCESS_DENIED;
+		}
 	}
 
 	if (NT_STATUS_IS_OK(result)) {