From bc9c617b16b1996812d6e698d74aef27c5f4e8d7 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 16 Sep 2005 16:20:23 +0000
Subject: r10268: Fix for bug #3095 - winbindd checking credentials. Jeremy.
 (This used to be commit e58d8ee0555a5de0a25757b26cc22e02b9aace31)

---
 source3/nsswitch/winbindd_pam.c | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)

(limited to 'source3/nsswitch')

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 64969a6cf4..a0712144ee 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -404,12 +404,15 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 		
 	} while ( (attempts < 2) && retry );
 
-	if (NT_STATUS_IS_OK(result) &&
-	    (!clnt_deal_with_creds(session_key, credentials,
-				  &ret_creds))) {
-		DEBUG(3, ("DC %s sent wrong credentials\n",
-			  pipe_cli->cli->srv_name_slash));
-		result = NT_STATUS_ACCESS_DENIED;
+	/* Only check creds if we got a connection. */
+	if (contact_domain->conn.cli &&
+			!(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+				NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL))) {
+		if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) {
+			DEBUG(3, ("DC %s sent wrong credentials\n",
+				pipe_cli->cli->srv_name_slash));
+			result = NT_STATUS_ACCESS_DENIED;
+		}
 	}
 
 	if (NT_STATUS_IS_OK(result)) {
@@ -709,12 +712,15 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 
 	} while ( (attempts < 2) && retry );
 
-	if (NT_STATUS_IS_OK(result) &&
-	    (!clnt_deal_with_creds(session_key, credentials,
-				  &ret_creds))) {
-		DEBUG(3, ("DC %s sent wrong credentials\n",
-			  pipe_cli->cli->srv_name_slash));
-		result = NT_STATUS_ACCESS_DENIED;
+	/* Only check creds if we got a connection. */
+	if (contact_domain->conn.cli &&
+			!(NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ||
+					(NT_STATUS_EQUAL(result, NT_STATUS_UNSUCCESSFUL)))) {
+		if (!clnt_deal_with_creds(session_key, credentials, &ret_creds)) {
+			DEBUG(3, ("DC %s sent wrong credentials\n",
+				pipe_cli->cli->srv_name_slash));
+			result = NT_STATUS_ACCESS_DENIED;
+		}
 	}
 
 	if (NT_STATUS_IS_OK(result)) {
-- 
cgit