summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
authorGerald Carter <jerry@samba.org>2003-07-03 16:23:11 +0000
committerGerald Carter <jerry@samba.org>2003-07-03 16:23:11 +0000
commit62370b093a336dc78e1e41e444f13baa11ffb140 (patch)
tree36025799a50024839350e1da050bb907f93e64f8 /source3/nsswitch
parent6dc3885999b6b69bf9960fda012bece214e27ad5 (diff)
downloadsamba-62370b093a336dc78e1e41e444f13baa11ffb140.tar.gz
samba-62370b093a336dc78e1e41e444f13baa11ffb140.tar.bz2
samba-62370b093a336dc78e1e41e444f13baa11ffb140.zip
fix for bug #200. flush connections if the machine trsut account
changed underneath us. (This used to be commit 6a1ad1ded1d619394ed4ca9e05fdffaa3b902b3b)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_pam.c32
1 files changed, 31 insertions, 1 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 3099944301..75e10eb405 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -188,7 +188,19 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
lm_resp, nt_resp,
&info3);
attempts += 1;
-
+
+ /* if we get access denied, a possible cuase was that we had and open
+ connection to the DC, but someone changed our machine accoutn password
+ out from underneath us using 'net rpc changetrustpw' */
+
+ if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
+ DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account "
+ "password was changed and we didn't know it. Killing connections to domain %s\n",
+ name_domain));
+ winbindd_cm_flush();
+ cli->fd = -1;
+ }
+
/* We have to try a second time as cm_get_netlogon_cli
might not yet have noticed that the DC has killed
our connection. */
@@ -197,6 +209,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds);
+
+ if (NT_STATUS_IS_OK(result)) {
+ netsamlogon_cache_store( cli->mem_ctx, &info3 );
+ wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
+ }
+
done:
@@ -334,6 +352,18 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
attempts += 1;
+ /* if we get access denied, a possible cuase was that we had and open
+ connection to the DC, but someone changed our machine accoutn password
+ out from underneath us using 'net rpc changetrustpw' */
+
+ if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
+ DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account "
+ "password was changed and we didn't know it. Killing connections to domain %s\n",
+ domain));
+ winbindd_cm_flush();
+ cli->fd = -1;
+ }
+
/* We have to try a second time as cm_get_netlogon_cli
might not yet have noticed that the DC has killed
our connection. */