From 98cfbd3ccfb3d2255a65289410e5e358ff3d1a64 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sun, 3 Sep 2006 03:46:07 +0000 Subject: r18015: Try and detect network failures immediately in set_dc_type_and_flags(). Fix problem when DC is down in ads_connect, where we fall back to NetBIOS and try exactly the same IP addresses we just put in the negative connection cache.... We can never succeed, so don't try lookups a second time. Jeremy. (This used to be commit 2d28f3e94a1a87bc9e9ed6630ef48b1ce17022e8) --- source3/libads/ldap.c | 20 ++++++++++++++++++++ source3/nsswitch/winbindd_cm.c | 17 ++++++++++++----- 2 files changed, 32 insertions(+), 5 deletions(-) (limited to 'source3') diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c index b23bc277e8..a02f954360 100644 --- a/source3/libads/ldap.c +++ b/source3/libads/ldap.c @@ -286,6 +286,26 @@ again: if ( !NT_STATUS_IS_OK(check_negative_conn_cache(realm, server)) ) continue; + + if (!got_realm) { + /* realm in this case is a workgroup name. We need + to ignore any IP addresses in the negative connection + cache that match ip addresses returned in the ad realm + case. It sucks that I have to reproduce the logic above... */ + c_realm = ads->server.realm; + if ( !c_realm || !*c_realm ) { + if ( !ads->server.workgroup || !*ads->server.workgroup ) { + c_realm = lp_realm(); + } + } + if (c_realm && *c_realm && + !NT_STATUS_IS_OK(check_negative_conn_cache(c_realm, server))) { + /* Ensure we add the workgroup name for this + IP address as negative too. */ + add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL ); + continue; + } + } if ( ads_try_connect(ads, server) ) { SAFE_FREE(ip_list); diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c index b6a3b3ac05..ce4e3cae18 100644 --- a/source3/nsswitch/winbindd_cm.c +++ b/source3/nsswitch/winbindd_cm.c 
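Review bot: The added `add_failed_connection_entry( realm, server, NT_STATUS_UNSUCCESSFUL );` in the `!got_realm` branch records a generic status under the workgroup name, discarding whatever `check_negative_conn_cache(c_realm, server)` just returned. Keeping that return value in a local and passing it on, e.g. `add_failed_connection_entry(realm, server, cached_status);`, would preserve the original failure reason for anyone reading the negative-cache debug output during a DC outage. The `c_realm` selection (`ads->server.realm`, falling back to `lp_realm()` only when no workgroup is set) is, by the comment's own admission, a copy of logic earlier in this function, outside the hunk. A small static helper used at both sites would stop the two from drifting, since a mismatch would make this check silently look up the wrong cache key.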
@@ -594,7 +594,7 @@ static BOOL dcip_to_name( const char *domainname, const char *realm, /* For active directory servers, try to get the ldap server name. None of these failures should be considered critical for now */ - if ( lp_security() == SEC_ADS ) { + if (lp_security() == SEC_ADS) { ADS_STRUCT *ads; ads = ads_init(realm, domainname, NULL); @@ -976,10 +976,11 @@ void set_dc_type_and_flags( struct winbindd_domain *domain ) TALLOC_CTX *mem_ctx = NULL; struct rpc_pipe_client *cli; POLICY_HND pol; - + char *domain_name = NULL; char *dns_name = NULL; DOM_SID *dom_sid = NULL; + int try_count = 0; ZERO_STRUCT( ctr ); @@ -991,8 +992,10 @@ void set_dc_type_and_flags( struct winbindd_domain *domain ) return; } + try_again: + result = init_dc_connection(domain); - if (!NT_STATUS_IS_OK(result)) { + if (!NT_STATUS_IS_OK(result) || try_count > 2) { DEBUG(5, ("set_dc_type_and_flags: Could not open a connection " "to %s: (%s)\n", domain->name, nt_errstr(result))); domain->initialized = True; @@ -1007,7 +1010,9 @@ void set_dc_type_and_flags( struct winbindd_domain *domain ) "PI_LSARPC_DS on domain %s: (%s)\n", domain->name, nt_errstr(result))); domain->initialized = True; - return; + /* We want to detect network failures asap to try another dc. */ + try_count++; + goto try_again; } result = rpccli_ds_getprimarydominfo(cli, cli->cli->mem_ctx, @@ -1028,7 +1033,9 @@ void set_dc_type_and_flags( struct winbindd_domain *domain ) if (cli == NULL) { domain->initialized = True; - return; + /* We want to detect network failures asap to try another dc. */ + try_count++; + goto try_again; } mem_ctx = talloc_init("set_dc_type_and_flags on domain %s\n", -- cgit
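Review bot: In the `@@ -991` hunk the new exit test `!NT_STATUS_IS_OK(result) || try_count > 2` runs only after `init_dc_connection(domain)` has been called again, so once the retries are used up a fourth connection is opened just to be abandoned. If that connect succeeded, the function then logs "Could not open a connection to %s: (%s)" with `nt_errstr(result)` describing success, which is misleading. Testing the counter at the two retry sites instead (the `@@ -1007` and `@@ -1028` hunks), as `if (++try_count > 2) return;` followed by `goto try_again;`, keeps the same three pipe attempts without the extra connect or the false log line; a named constant for the bound would also help. Nothing visible in these hunks tears down the existing connection before jumping back, so whether a retry actually reaches "another dc" depends on `init_dc_connection` and the pipe-open helpers outside the diff; that is worth confirming and stating in the comment.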