From 215e033e82ec8f02b4a73ead19640220610e8ece Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Sun, 6 May 2007 21:26:01 +0000 Subject: r22720: Fixes for offline auth when using krb5_auth = yes in pam_winbind. Assume that "NO_DOMAIN_CONTROLLERS_FOUND" means that the domain is offline. (This used to be commit 30f9cc52bf8270652624c79691d147e05e476583) --- source3/nsswitch/winbindd_pam.c | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 6eb587f0ee..3fcb094198 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -1390,7 +1390,8 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) || NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) { DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n")); - domain->online = False; + set_domain_offline( domain ); + goto cached_logon; } /* there are quite some NT_STATUS errors where there is no @@ -1430,14 +1431,24 @@ sam_logon: info3->user_flgs |= LOGON_KRB5_FAIL_CLOCK_SKEW; } goto process_result; - } else { - DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", nt_errstr(result))); + } + + DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", + nt_errstr(result))); + + if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) || + NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) || + NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) + { + DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n")); + set_domain_offline( domain ); + goto cached_logon; + } + if (domain->online) { /* We're still online - fail. */ goto done; } - /* Else drop through and see if we can check offline.... */ - } } cached_logon: @@ -1472,9 +1483,16 @@ process_result: netsamlogon_cache_store(name_user, info3); wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3); - /* save name_to_sid info as early as possible */ - sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid); - cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid); + /* save name_to_sid info as early as possible (only if + this is our primary domain so we don't invalidate + the cache entry by storing the seq_num for the wrong + domain). */ + if ( domain->primary ) { + sid_compose(&user_sid, &info3->dom_sid.sid, + info3->user_rid); + cache_name2sid(domain, name_domain, name_user, + SID_NAME_USER, &user_sid); + } /* Check if the user is in the right group */ -- cgit