sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code

s3:winbindd: make use of reset_cm_connection_on_error() in winbind_samlogon_retry_loop()

Browse Source 
Note this is more than a simple invalidate_cm_connection() as it may set
domain->conn.netlogon_force_reauth = true, which is important in order
to recover from NT_STATUS_RPC_SEC_PKG_ERROR errors.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
This commit is contained in:
Stefan Metzmacher 2023-07-04 13:01:24 +02:00
parent 0cb6de4b1d
commit b317b10dff
1 changed files with 15 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
source3/winbindd/winbindd_pam.c
View File

@ -1678,6 +1678,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
"(error: %s, attempts: %d)\n",
nt_errstr(result), netr_attempts));
reset_cm_connection_on_error(domain, NULL, result);
/* After the first retry always close the connection */
if (netr_attempts > 0) {
DEBUG(3, ("This is again a problem for this "
@ -1800,27 +1802,21 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
might not yet have noticed that the DC has killed
our connection. */
if (!rpccli_is_connected(netlogon_pipe)) {
retry = true;
retry = reset_cm_connection_on_error(domain,
netlogon_pipe->binding_handle,
result);
if (retry) {
DBG_PREFIX(attempts > 1 ? DBGLVL_NOTICE : DBGLVL_INFO, (
"This is problem %d for this "
"particular call,"
"DOMAIN[%s] DC[%s] - %s\n",
attempts,
domain->name,
domain->dcname,
nt_errstr(result)));
continue;
}
/* if we get access denied, a possible cause was that we had
an open connection to the DC, but someone changed our
machine account password out from underneath us using 'net
rpc changetrustpw' */
if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
DEBUG(1,("winbind_samlogon_retry_loop: sam_logon returned "
"ACCESS_DENIED. Maybe the DC has Restrict "
"NTLM set or the trust account "
"password was changed and we didn't know it. "
"Killing connections to domain %s\n",
domainname));
invalidate_cm_connection(domain);
retry = true;
}
if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
/*
* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
@ -1845,15 +1841,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
break;
}
} while ( (attempts < 2) && retry );
if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
DEBUG(3,("winbind_samlogon_retry_loop: sam_network_logon(ex) "
"returned NT_STATUS_IO_TIMEOUT after the retry. "
"Killing connections to domain %s\n",
domainname));
invalidate_cm_connection(domain);
}
} while ( (attempts < 3) && retry );
if (!NT_STATUS_IS_OK(result)) {
return result;