1 files changed, 28 insertions, 0 deletions

diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 7cff38d4e2..98c5e3ad0f 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -1115,6 +1115,22 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 	/* And restore our original timeout. */
 	rpccli_set_timeout(cli, orig_timeout);
 
+	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+		/*
+		 * This can happen if the schannel key is not
+		 * valid anymore, we need to invalidate the
+		 * all connections to the dc and reestablish
+		 * a netlogon connection first.
+		 */
+		invalidate_cm_connection(&domain->conn);
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
 	return status;
 }
 
@@ -1178,6 +1194,18 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 	/* And restore our original timeout. */
 	rpccli_set_timeout(cli, orig_timeout);
 
+	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+		/*
+		 * This can happen if the schannel key is not
+		 * valid anymore, we need to invalidate the
+		 * all connections to the dc and reestablish
+		 * a netlogon connection first.
+		 */
+		invalidate_cm_connection(&domain->conn);
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}