authorStefan Metzmacher <metze@samba.org>2011-02-01 18:46:57 +0100
committerStefan Metzmacher <metze@samba.org>2011-02-02 15:45:19 +0100
commit255f2e06991aa543cd2c6f4d0123664b2a76c99d (patch)
treebe0f8ef26eb84f1b8739a2201c9d3065bdcfbf42
parent50be0b2c1e7e0573245e21df886ab491a0738226 (diff)
downloadsamba-255f2e06991aa543cd2c6f4d0123664b2a76c99d.tar.gz
samba-255f2e06991aa543cd2c6f4d0123664b2a76c99d.tar.bz2
samba-255f2e06991aa543cd2c6f4d0123664b2a76c99d.zip
s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)
If winbindd connects to a domain controller it doesn't establish the lsa connection over ncacn_ip_tcp directly. This happens only on demand. If someone does a 'net rpc testjoin' and then a wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in-memory copy of the schannel session key is invalidated. This problem can also happen on other calls, but the lookup_names/sids calls on the lsa ncacn_ip_tcp connection are the most important ones. The long term fix is to store the schannel client state in a tdb, but for now it's enough to catch the error, invalidate all the connections to the dc and reestablish the schannel session key. The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a) made this worse, as it assumes winbindd's in-memory session key is always the current one. metze
-rw-r--r--source3/winbindd/winbindd_msrpc.c28
1 files changed, 28 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 7cff38d4e2..98c5e3ad0f 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -1115,6 +1115,22 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
/* And restore our original timeout. */
rpccli_set_timeout(cli, orig_timeout);
+ if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+ NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+ /*
+ * This can happen if the schannel key is not
+ * valid anymore, we need to invalidate the
+ * all connections to the dc and reestablish
+ * a netlogon connection first.
+ */
+ invalidate_cm_connection(&domain->conn);
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
return status;
}
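Review bot: The added `if (!NT_STATUS_IS_OK(status)) { return status; }` immediately before the existing `return status;` is dead code: both paths return the same value, so those four added lines can be dropped (they appear to be copied from winbindd_lookup_names, where that guard already existed). Separately, after `invalidate_cm_connection(&domain->conn)` the function returns NT_STATUS_ACCESS_DENIED without retrying, so the lookup that first hits the stale schannel key still fails and only later calls benefit from the rebuilt connection; if that one-shot behaviour is intended, the comment should say so, e.g. `* The caller sees ACCESS_DENIED for this request; the next call rebuilds the connection.`. winbindd_lookup_sids begins before the hunk.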
@@ -1178,6 +1194,18 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
/* And restore our original timeout. */
rpccli_set_timeout(cli, orig_timeout);
+ if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+ NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+ /*
+ * This can happen if the schannel key is not
+ * valid anymore, we need to invalidate the
+ * all connections to the dc and reestablish
+ * a netlogon connection first.
+ */
+ invalidate_cm_connection(&domain->conn);
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
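Review bot: This fault-mapping block is an exact copy of the one added to winbindd_lookup_sids in the previous hunk; a small static helper holding the DCERPC_FAULT_ACCESS_DENIED / DCERPC_FAULT_SEC_PKG_ERROR test, the invalidate_cm_connection() call and the mapping to NT_STATUS_ACCESS_DENIED would keep the two sites from drifting and let the explanatory comment live in one place, reducing each call site to `status = winbindd_msrpc_check_schannel_fault(domain, status);` right after `rpccli_set_timeout(cli, orig_timeout);`. Folding SEC_PKG_ERROR into NT_STATUS_ACCESS_DENIED also hides which fault the DC actually returned, so a debug message naming the original fault before the mapping would help when diagnosing bug #7944-style failures in the field. winbindd_lookup_names begins before the hunk.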