NT4 domain, NETLOGON failure detection

[boyang]

thanks for your help. I dived into samba about 3 months ago, so I am newbie.

Andrew Bartlett wrote:


> On Mon, 2007-07-09 at 10:59 +0800, boyang wrote:
>   
>> catch netlogon failure upon user login or session setup(when access
>> samba shares):
>> 1. in pam_winbind.c, when return err code is related to netlogon, 
>> resend request expecting to find one fully functional domain controller,
>> which is used for netlogon failure detection when user login.
>>
>> 2. in wb_common.c, retry several times expecting to find one fully
>> operational domain controller, which is used for netlogon failure
>> detection when user access samba shares
>>     
>
> Why can't the winbind server side do this?  I don't think this belongs
> in the client lib.
>   
yes. I tried to catch netlogon failure in winbind server(winbind_pam.c),
but it was somewhat frustrating that the first attemp to login will
failure if netlogon pipe is broken.
And then, subsequent login finished successfully. Because first login is
used to trigger the detection of
netlogon failure and then recover from that. So, I fall back on client
side to send duplicate request to gain the
impression of smooth login.

I will dig into it to finish it on winbind server side.


>   
>> 3. in winbindd_pam.c, detect netlogon failure when try to connect to
>> netlogon pipe, and force winbind to find another fully operational
>> domain controller
>> 4. In case of winbindd is not available, ntdomain authentication method
>> is used, thus add netlogon failure detection in auth_ntdomain.c too.
>>     
>
> Given how critical winbind is to getting this right, I think it's more
> important to just use winbind all the time.  Perhaps we should document
> that more?
>   
nop. In samba session setup, if winbind is
unavailable(NSS_STATUS_UNAVAIL), authentication will fall
back on ntdomain authentication methods. Therefore, I have to catch
netlogon failure
here too.


> Andrew Bartlett
>
>   

best
       regards
Boyang