2024-12-23 17:34:34 +03:00 · 2023-07-04 14:12:03 +02:00 · 2023-07-04 14:12:03 +02:00 · 50e771c12f
commit 50e771c12f
parent b317b10dff
1 changed files with 22 additions and 0 deletions
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@ -1637,6 +1637,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 	int attempts = 0;
 	int netr_attempts = 0;
 	bool retry = false;
+	bool valid_result = false;
 	NTSTATUS result;
 	enum netr_LogonInfoClass logon_type_i;
 	enum netr_LogonInfoClass logon_type_n;
@ -1817,6 +1818,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 			continue;
 		}

+		valid_result = true;
+
 		if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
 			/*
 			 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
@ -1843,6 +1846,25 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,

 	} while ( (attempts < 3) && retry );

+	if (!valid_result) {
+		/*
+		 * This matches what windows does. In a chain of transitive
+		 * trusts the ACCESS_DENIED/authoritative=0 is not propagated
+		 * instead of NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
+		 * passed along the chain if there's no other DC is available.
+		 */
+		DBG_WARNING("Mapping %s/authoritative=%u to "
+			    "NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for"
+			    "USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s] \n",
+			    nt_errstr(result),
+			    *authoritative,
+			    username,
+			    domainname,
+			    domain->name);
+		*authoritative = 1;
+		return NT_STATUS_NO_LOGON_SERVERS;
+	}
+
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
 	}