author | Günther Deschner <gd@samba.org> | 2006-03-16 22:17:03 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:15:34 -0500 |
commit | 88ae0a25bacf381098d19d191bbb31ddd5c2e7c3 (patch) | |
tree | 0d7fb4f414bc827bd6622773c983348bba0d07c7 /source3/nsswitch/winbindd_pam.c | |
parent | 419871306c5e26abe4b63bc2414d726910810873 (diff) | |
r14493: There is no point in falling back to a samlogon when a krb5login has
failed with a clear error indication. This prevents the bad logon count
being increased on the DC.
Guenther
(This used to be commit 5fdddffba5cf05ccac23a64fbe404a34e73fa73c)
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index d460c14769..9cd2dd9c0c 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1088,6 +1088,23 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
 domain->online = False;
 }
+
+ /* there are quite some NT_STATUS errors where there is no
+ * point in retrying with a samlogon, we explictly have to take
+ * care not to increase the bad logon counter on the DC */
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
+ NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
+ goto process_result;
+ }
 
 if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
 DEBUG(3,("falling back to samlogon\n"));
|
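Review bot: The new early exit to `process_result` is silent, so someone reading the winbindd log cannot tell that the samlogon fallback was deliberately skipped or which status caused it; I would add `DEBUG(5,("krb5 login failed with %s, not falling back to samlogon\n", nt_errstr(result)));` just before the `goto`. The list also contains `NT_STATUS_LOGON_FAILURE`, a generic code: if the Kerberos-error-to-NTSTATUS mapping (not visible in this hunk) returns it for failures unrelated to the credentials, the fallback is lost for those cases as well, so that mapping is worth confirming. The added comment has a typo, "explictly". The body of winbindd_dual_pam_auth starts and ends outside the hunk.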