summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorVolker Lendecke <vl@samba.org>2009-11-19 17:20:47 +0100
committerVolker Lendecke <vl@samba.org>2009-11-19 19:04:39 +0100
commit882350b0abe87ca7b3542996acfabc6d4bff5509 (patch)
treed71ab3ac858de86b3125303da2aedab5b919a918 /source3
parent4d0ebc90dce05a66736c070d97d01c4167265a9a (diff)
downloadsamba-882350b0abe87ca7b3542996acfabc6d4bff5509.tar.gz
samba-882350b0abe87ca7b3542996acfabc6d4bff5509.tar.bz2
samba-882350b0abe87ca7b3542996acfabc6d4bff5509.zip
s3: Protect against flooding the DC with pwchange requests
When there is a temporary problem changing passwords we flooded the DC with pwchange requests. This gives the DC a 60-second break to recover.
Diffstat (limited to 'source3')
-rw-r--r--source3/winbindd/winbindd_dual.c38
1 files changed, 24 insertions, 14 deletions
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 904d3e4ed3..ae8f236cb4 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -1117,21 +1117,31 @@ static void machine_password_change_handler(struct event_context *ctx,
"trust_pw_find_change_and_store_it returned %s\n",
nt_errstr(result)));
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
+ DEBUG(3,("machine_password_change_handler: password set returned "
+ "ACCESS_DENIED. Maybe the trust account "
+ "password was changed and we didn't know it. "
+ "Killing connections to domain %s\n",
+ child->domain->name));
+ TALLOC_FREE(child->domain->conn.netlogon_pipe);
+ }
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
+ return;
+ }
+
+ DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
+ timeval_string(talloc_tos(), &next_change, false)));
+
if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("machine_password_change_handler: "
- "failed to change machine password: %s\n",
- nt_errstr(result)));
- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
- DEBUG(3,("machine_password_change_handler: password set returned "
- "ACCESS_DENIED. Maybe the trust account "
- "password was changed and we didn't know it. "
- "Killing connections to domain %s\n",
- child->domain->name));
- TALLOC_FREE(child->domain->conn.netlogon_pipe);
- }
- } else {
- DEBUG(10,("machine_password_change_handler: "
- "successfully changed machine password\n"));
+ struct timeval tmp;
+ /*
+ * In case of failure, give the DC a minute to recover
+ */
+ tmp = timeval_current_ofs(60, 0);
+ next_change = timeval_max(&next_change, &tmp);
}
done: