[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger kseeger at samba.org
Sat Feb 5 10:51:44 MST 2011


The branch, v3-5-test has been updated
       via  b40ce05 s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)
       via  ab49215 librpc/rpc: display DCERPC_FAULT_SEC_PKG_ERROR nicely in dcerpc_errstr()
       via  782726a rerun 'make samba3-idl'
       via  80b95a1 dcerpc.idl: add DCERPC_FAULT_SEC_PKG_ERROR
      from  44a2e73 s3:lib/events: use DLIST_DEMOTE() for fd events

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit b40ce0559c6da04f269cb9ac4d4a215ea8e9f925
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Feb 1 18:46:57 2011 +0100

    s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)
    
    If winbindd connects to a domain controller it doesn't establish the lsa
    connection over ncacn_ip_tcp direct. This happens only on demand.
    
    If someone does a 'net rpc testjoin' and then a
    wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with
    ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy
    of the schannel session key is invalidated.
    
    This problem can also happen on other calls, but the
    lookup_names/sids calls on the lsa ncacn_ip_tcp connection
    are the most important ones.
    
    The long term fix is to store the schannel client state in a
    tdb, but for now it's enough to catch the error, invalidate
    all connections to the dc and reestablish the schannel
    session key.
    
    The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a)
    made this worse, as it assumes winbindd's in memory session key is
    always the current one.
    
    metze
    (cherry picked from commit 255f2e06991aa543cd2c6f4d0123664b2a76c99d)
    (cherry picked from commit a699ac50f7c9a5eeb57215879e17631c9a1f534f)

commit ab492152e86220600429d0bc85a3783463889cee
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 2 14:18:33 2011 +0100

    librpc/rpc: display DCERPC_FAULT_SEC_PKG_ERROR nicely in dcerpc_errstr()
    
    metze

commit 782726a5161da3ad1369dc63e13956a3faad4980
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Feb 2 14:20:58 2011 +0100

    rerun 'make samba3-idl'
    
    metze

commit 80b95a13dd7c0ef57e079b370b80993326bc616d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sun Jan 30 17:34:11 2011 +0100

    dcerpc.idl: add DCERPC_FAULT_SEC_PKG_ERROR
    
    metze
    (cherry picked from commit 8d07deaeaacbd376f9824ac350c01510e05a76ca)
    (cherry picked from commit 85358c0534472fde71e304ddada678b61637ba40)

-----------------------------------------------------------------------

Summary of changes:
 librpc/gen_ndr/dcerpc.h         |    1 +
 librpc/idl/dcerpc.idl           |    1 +
 librpc/rpc/dcerpc_error.c       |    1 +
 source3/winbindd/winbindd_rpc.c |   24 ++++++++++++++++++++++++
 4 files changed, 27 insertions(+), 0 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/gen_ndr/dcerpc.h b/librpc/gen_ndr/dcerpc.h
index 5408cf4..f64f7ae 100644
--- a/librpc/gen_ndr/dcerpc.h
+++ b/librpc/gen_ndr/dcerpc.h
@@ -22,6 +22,7 @@
 #define DCERPC_FAULT_OTHER	( 0x00000001 )
 #define DCERPC_FAULT_ACCESS_DENIED	( 0x00000005 )
 #define DCERPC_FAULT_CANT_PERFORM	( 0x000006d8 )
+#define DCERPC_FAULT_SEC_PKG_ERROR	( 0x00000721 )
 #define DCERPC_FAULT_TODO	( 0x00000042 )
 #define DCERPC_AUTH_LEVEL_DEFAULT	( DCERPC_AUTH_LEVEL_CONNECT )
 #define DCERPC_AUTH_TRAILER_LENGTH	( 8 )
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 3ec416d..2aeb7eb 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -105,6 +105,7 @@ interface dcerpc
 	const int DCERPC_FAULT_OTHER              = 0x00000001;
 	const int DCERPC_FAULT_ACCESS_DENIED      = 0x00000005;
 	const int DCERPC_FAULT_CANT_PERFORM       = 0x000006d8;
+	const int DCERPC_FAULT_SEC_PKG_ERROR      = 0x00000721;
 
 	/* we return this fault when we haven't yet run the test
 	   to see what fault w2k3 returns in this case */
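Review bot: The added constant carries no comment saying where 0x00000721 comes from, unlike the fault codes it is placed next to, which are all Windows RPC status values (0x000006d8 appears to be EPT_S_CANT_PERFORM_OP, 1752). 0x721 is 1825, which appears to be the Win32 RPC_S_SEC_PKG_ERROR value, and recording that makes it easy to check the value against winerror.h later: `const int DCERPC_FAULT_SEC_PKG_ERROR      = 0x00000721; /* RPC_S_SEC_PKG_ERROR (1825) */`. Please confirm the mapping before adding the comment.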
diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c
index dbab783..51112b4 100644
--- a/librpc/rpc/dcerpc_error.c
+++ b/librpc/rpc/dcerpc_error.c
@@ -36,6 +36,7 @@ static const struct dcerpc_fault_table dcerpc_faults[] =
 	{ "DCERPC_FAULT_CONTEXT_MISMATCH",	DCERPC_FAULT_CONTEXT_MISMATCH },
 	{ "DCERPC_FAULT_OTHER",			DCERPC_FAULT_OTHER },
 	{ "DCERPC_FAULT_ACCESS_DENIED",		DCERPC_FAULT_ACCESS_DENIED },
+	{ "DCERPC_FAULT_SEC_PKG_ERROR",		DCERPC_FAULT_SEC_PKG_ERROR },
 
 	{ NULL,					0}
 };
diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index b65b126..59d3457 100644
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -1237,6 +1237,18 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
 	/* And restore our original timeout. */
 	rpccli_set_timeout(cli, orig_timeout);
 
+	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+		/*
+		 * This can happen if the schannel key is not
+		 * valid anymore, we need to invalidate the
+		 * all connections to the dc and reestablish
+		 * a netlogon connection first.
+		 */
+		invalidate_cm_connection(&domain->conn);
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
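Review bot: The new block collapses two distinct peer-reported faults (DCERPC_FAULT_ACCESS_DENIED and DCERPC_FAULT_SEC_PKG_ERROR) into NT_STATUS_ACCESS_DENIED and drops every cached connection to the DC without writing anything to the log, so an operator looking at a failed lookup cannot tell a genuine access denial from the stale-schannel-key case this commit is about, and the original fault code is gone by the time the status is returned. A DEBUG line before the invalidation keeps that information, e.g. `DEBUG(3, ("winbindd_lookup_sids: DCERPC fault 0x%x from DC, invalidating connections\n", NT_STATUS_V(status)));` (using the DEBUG macro the file presumably already uses). Note also that the call which hit the fault is still returned as failed; the reconnect only helps the next call, which is worth stating in the block comment so callers know they must retry. Since any ACCESS_DENIED fault now forces a full reconnect and schannel re-establishment, a DC that legitimately denies a lookup will trigger this on every such call; the comment should say this is accepted until the tdb-based schannel state mentioned in the commit message exists. winbindd_lookup_sids starts and ends outside this hunk.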
@@ -1304,6 +1316,18 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
 	/* And restore our original timeout. */
 	rpccli_set_timeout(cli, orig_timeout);
 
+	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+		/*
+		 * This can happen if the schannel key is not
+		 * valid anymore, we need to invalidate the
+		 * all connections to the dc and reestablish
+		 * a netlogon connection first.
+		 */
+		invalidate_cm_connection(&domain->conn);
+		status = NT_STATUS_ACCESS_DENIED;
+	}
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
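Review bot: The eleven added lines here are byte-for-byte the block added to winbindd_lookup_sids in the previous hunk, and the commit message says the same problem can hit other calls, so this is the third-copy-waiting-to-happen case; a small static helper next to the two functions would let each call site become a single line and give the next caller one place to hook in. The helper below assumes `domain` is the struct winbindd_domain the rest of this file uses (its type is not visible in the hunk) and preserves the current behaviour exactly, including the mapping to NT_STATUS_ACCESS_DENIED. winbindd_lookup_names starts and ends outside this hunk.

```c
/*
 * Map a DCERPC fault that indicates a stale schannel session key
 * (ACCESS_DENIED or SEC_PKG_ERROR from the DC) to NT_STATUS_ACCESS_DENIED
 * and drop all cached connections to the DC, so the next call
 * re-establishes the netlogon/schannel state. Any other status is
 * returned unchanged.
 */
static NTSTATUS winbindd_rpc_handle_schannel_fault(struct winbindd_domain *domain,
						   NTSTATUS status)
{
	if (NT_STATUS_V(status) != DCERPC_FAULT_ACCESS_DENIED &&
	    NT_STATUS_V(status) != DCERPC_FAULT_SEC_PKG_ERROR) {
		return status;
	}

	invalidate_cm_connection(&domain->conn);
	return NT_STATUS_ACCESS_DENIED;
}

/* … unchanged: winbindd_lookup_names up to the timeout restore … */
	rpccli_set_timeout(cli, orig_timeout);

	status = winbindd_rpc_handle_schannel_fault(domain, status);

	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
```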

