author | Gerald Carter <jerry@samba.org> | 2003-07-03 16:23:11 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2003-07-03 16:23:11 +0000 |
commit | 62370b093a336dc78e1e41e444f13baa11ffb140 (patch) | |
tree | 36025799a50024839350e1da050bb907f93e64f8 /source3 | |
parent | 6dc3885999b6b69bf9960fda012bece214e27ad5 (diff) | |
fix for bug #200. flush connections if the machine trust account
changed underneath us.
(This used to be commit 6a1ad1ded1d619394ed4ca9e05fdffaa3b902b3b)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 32 |
1 files changed, 31 insertions, 1 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 3099944301..75e10eb405 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -188,7 +188,19 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) lm_resp, nt_resp, &info3); attempts += 1; - + + /* if we get access denied, a possible cuase was that we had and open + connection to the DC, but someone changed our machine accoutn password + out from underneath us using 'net rpc changetrustpw' */ + + if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) { + DEBUG(3,("winbindd_pam_auth: sam_logon returned ACCESS_DENIED. Maybe the trust account " + "password was changed and we didn't know it. Killing connections to domain %s\n", + name_domain)); + winbindd_cm_flush(); + cli->fd = -1; + } + /* We have to try a second time as cm_get_netlogon_cli might not yet have noticed that the DC has killed our connection. */ @@ -197,6 +209,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) clnt_deal_with_creds(cli->sess_key, &(cli->clnt_cred), &ret_creds); + + if (NT_STATUS_IS_OK(result)) { + netsamlogon_cache_store( cli->mem_ctx, &info3 ); + wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3); + } + done: 
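Review bot: In the first hunk (winbindd_pam_auth), the added `cli->fd = -1;` writes through `cli` right after `winbindd_cm_flush()`; the flush body is not visible here, but if it frees or recycles the cached connection structures, that write and the later `cli->sess_key` use touch stale memory, so the ownership of `cli` across the flush should be confirmed or `cli` re-fetched first. The flush also takes no domain argument although the DEBUG text says "connections to domain %s", so it presumably drops every cached DC connection; a burst of ACCESS_DENIED results would then force repeated full reconnects, and scoping the flush to `name_domain` or rate-limiting it would bound that cost. The same block is pasted into the winbindd_pam_auth_crap hunk with the same concerns, and one static helper taking the function name and domain would keep the two copies from drifting. The retry loop this code sits in starts and ends outside the hunk, so whether ACCESS_DENIED actually triggers a second attempt cannot be checked from here.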
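Review bot: In the second hunk, the result of `find_domain_from_name(name_domain)` goes straight into `wcache_invalidate_samlogon()` with no NULL check; unless the callee is known to tolerate NULL (not visible here), I would guard it: `struct winbindd_domain *d = find_domain_from_name(name_domain); if (d) wcache_invalidate_samlogon(d, &info3);`. The outcome of `netsamlogon_cache_store()` is also discarded, so if it can report failure, a missed cache write passes silently while later lookups may keep serving older group membership for this user; a DEBUG line on failure would make that diagnosable. Only the winbindd_pam_auth path gains this cache update in the diff, so it is worth confirming that winbindd_pam_auth_crap already does the equivalent on success.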
@@ -334,6 +352,18 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state) attempts += 1; + /* if we get access denied, a possible cuase was that we had and open + connection to the DC, but someone changed our machine accoutn password + out from underneath us using 'net rpc changetrustpw' */ + + if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) { + DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account " + "password was changed and we didn't know it. Killing connections to domain %s\n", + domain)); + winbindd_cm_flush(); + cli->fd = -1; + } + /* We have to try a second time as cm_get_netlogon_cli might not yet have noticed that the DC has killed our connection. */ |