diff options
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 64969a6cf4..a0712144ee 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -404,12 +404,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, } while ( (attempts < 2) && retry ); - if (NT_STATUS_IS_OK(result) && - (!clnt_deal_with_creds(session_key, credentials, - &ret_creds))) { - DEBUG(3, ("DC %s sent wrong credentials\n", - pipe_cli->cli->srv_name_slash)); - result = NT_STATUS_ACCESS_DENIED; + /* Only check creds if we got a connection. */ + if (contact_domain->conn.cli && + !(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || + NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) { + if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) { + DEBUG(3, ("DC %s sent wrong credentials\n", + pipe_cli->cli->srv_name_slash)); + result = NT_STATUS_ACCESS_DENIED; + } } if (NT_STATUS_IS_OK(result)) { @@ -709,12 +712,15 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, } while ( (attempts < 2) && retry ); - if (NT_STATUS_IS_OK(result) && - (!clnt_deal_with_creds(session_key, credentials, - &ret_creds))) { - DEBUG(3, ("DC %s sent wrong credentials\n", - pipe_cli->cli->srv_name_slash)); - result = NT_STATUS_ACCESS_DENIED; + /* Only check creds if we got a connection. */ + if (contact_domain->conn.cli && + !(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) || + (NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) { + if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) { + DEBUG(3, ("DC %s sent wrong credentials\n", + pipe_cli->cli->srv_name_slash)); + result = NT_STATUS_ACCESS_DENIED; + } } if (NT_STATUS_IS_OK(result)) { |