mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
r22720: Fixes for offline auth when using krb5_auth = yes in pam_winbind.
Assume that "NO_DOMAIN_CONTROLLERS_FOUND" means that the domain
is offline.
(This used to be commit 30f9cc52bf
)
This commit is contained in:
parent
cf4f314fb3
commit
215e033e82
@ -1390,7 +1390,8 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
|
||||
NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
|
||||
NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
|
||||
DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
|
||||
domain->online = False;
|
||||
set_domain_offline( domain );
|
||||
goto cached_logon;
|
||||
}
|
||||
|
||||
/* there are quite some NT_STATUS errors where there is no
|
||||
@ -1430,14 +1431,24 @@ sam_logon:
|
||||
info3->user_flgs |= LOGON_KRB5_FAIL_CLOCK_SKEW;
|
||||
}
|
||||
goto process_result;
|
||||
} else {
|
||||
DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n", nt_errstr(result)));
|
||||
}
|
||||
|
||||
DEBUG(10,("winbindd_dual_pam_auth_samlogon failed: %s\n",
|
||||
nt_errstr(result)));
|
||||
|
||||
if (NT_STATUS_EQUAL(result, NT_STATUS_NO_LOGON_SERVERS) ||
|
||||
NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
|
||||
NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND))
|
||||
{
|
||||
DEBUG(10,("winbindd_dual_pam_auth_samlogon setting domain to offline\n"));
|
||||
set_domain_offline( domain );
|
||||
goto cached_logon;
|
||||
}
|
||||
|
||||
if (domain->online) {
|
||||
/* We're still online - fail. */
|
||||
goto done;
|
||||
}
|
||||
/* Else drop through and see if we can check offline.... */
|
||||
}
|
||||
}
|
||||
|
||||
cached_logon:
|
||||
@ -1472,9 +1483,16 @@ process_result:
|
||||
netsamlogon_cache_store(name_user, info3);
|
||||
wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
|
||||
|
||||
/* save name_to_sid info as early as possible */
|
||||
sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
|
||||
cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
|
||||
/* save name_to_sid info as early as possible (only if
|
||||
this is our primary domain so we don't invalidate
|
||||
the cache entry by storing the seq_num for the wrong
|
||||
domain). */
|
||||
if ( domain->primary ) {
|
||||
sid_compose(&user_sid, &info3->dom_sid.sid,
|
||||
info3->user_rid);
|
||||
cache_name2sid(domain, name_domain, name_user,
|
||||
SID_NAME_USER, &user_sid);
|
||||
}
|
||||
|
||||
/* Check if the user is in the right group */
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user