From bfd3a6f13aa935950142a24bf331feb98f987bde Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@sernet.de>
Date: Thu, 24 Sep 2009 21:35:38 +0200
Subject: s3:winbindd_cm: don't invalidate the whole connection when just samr
 gave ACCCESS_DENIED

metze
---
 source3/winbindd/winbindd_cm.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

(limited to 'source3/winbindd')

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 05df19fd0c..9a788397a9 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2165,7 +2165,18 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 
  done:
 
-	if (!NT_STATUS_IS_OK(result)) {
+	if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
+		/*
+		 * if we got access denied, we might just have no access rights
+		 * to talk to the remote samr server server (e.g. when we are a
+		 * PDC and we are connecting a w2k8 pdc via an interdomain
+		 * trust). In that case do not invalidate the whole connection
+		 * stack
+		 */
+		TALLOC_FREE(conn->samr_pipe);
+		ZERO_STRUCT(conn->sam_domain_handle);
+		return result;
+	} else if (!NT_STATUS_IS_OK(result)) {
 		invalidate_cm_connection(conn);
 		return result;
 	}
-- 
cgit