authorAndrew Tridgell <tridge@samba.org>2012-11-01 13:30:47 +1100
committerAndrew Tridgell <tridge@samba.org>2012-11-01 15:40:41 +1100
commit5d6ae3498ad77ccdb7a8b3a316d7aa86c2f0c56a (patch)
tree0f9888e30ebecfbbd5883348678f25651e38c231
parent30ffdda45bd3ae602b453c9c1bbdb77ea3de8a8d (diff)
s4-librpc: try a 2nd logon for more error cases
Not all servers give LOGON_FAILURE on authentication failures, so we need to do the retry with a new ticket on a wider range of error types.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/librpc/rpc/dcerpc_util.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 15847efa9d..2a0c40566d 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -396,7 +396,13 @@ static void continue_auth_auto(struct composite_context *ctx)
s->binding);
composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
return;
- } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
+ } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE) ||
+ NT_STATUS_EQUAL(c->status, NT_STATUS_UNSUCCESSFUL)) {
+ /*
+ try a second time on any error. We don't just do it
+ on LOGON_FAILURE as some servers will give a
+ NT_STATUS_UNSUCCESSFUL on a authentication error on RPC
+ */
const char *principal;
principal = gensec_get_target_principal(s->pipe->conn->security_state.generic_state);
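Review bot: The comment added under the widened `else if` says the retry happens "on any error", but the condition only adds `NT_STATUS_UNSUCCESSFUL` to `NT_STATUS_LOGON_FAILURE`; it should name those two codes so a later reader does not take it as licence to widen the retry further. Suggested wording: `/* Retry on LOGON_FAILURE and UNSUCCESSFUL only: some servers return NT_STATUS_UNSUCCESSFUL for an authentication error on RPC. */`. Because `NT_STATUS_UNSUCCESSFUL` is a generic failure code, this branch can now treat a non-authentication fault as a bad credential and reach the `cli_credentials_failed_kerberos_login` / `cli_credentials_wrong_password` handling in the next hunk, which presumably invalidates the ticket or asks for a new password. It is worth confirming, and stating in the comment, that `s->logon_retries` bounds the number of second attempts. The body of `continue_auth_auto` starts and ends outside this hunk.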
@@ -408,8 +414,9 @@ static void continue_auth_auto(struct composite_context *ctx)
}
}
- if (cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries) ||
- cli_credentials_wrong_password(s->credentials)) {
+ if ((cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries) ||
+ cli_credentials_wrong_password(s->credentials)) &&
+ s->binding->endpoint != NULL) {
/*
* Retry SPNEGO with a better password
* send a request for secondary rpc connection