Primary domain's status in winbindd child process is not consistent with the parent winbindd process.

Tue Jun 3 03:20:55 GMT 2008

>>> Jeremy Allison <jra at samba.org> 06/03/08 8:25 AM >>>
On Mon, Jun 02, 2008 at 01:54:55PM -0700, Jeremy Allison wrote:
> On Mon, Jun 02, 2008 at 02:15:15AM -0600, Bo Yang wrote:
> > Hi, All:
> > 
> >     Assume winbindd parent process is Pp, and domain A(primary domain) trusts domain B, child process for domain A and B is Pa and Pb respectively.
> > 
> >    cached logon is enabled and kerberos login is disabled.
> > 
> >    Pa, Pb will both be forked, and the primary domain's status in the two process is initialized and offline.
> > 
> >   Some time later, Domain A(primary domain) and domain B both go online. Thus the status of primary domain is updated in Pp and Pa, but not in Pb. 
> >   So the status of primary domain in Pb is still offline and initialized. But domain B's status is online. And when PAM_AUTH request arrived, cached logon is not performed because domain B is online, Samlogon is performed. And Pb tries to connect to DC of primary domain(domain A) for pass through authentication. But domain A's status in Pb is always offline and initialized(never being updated), thus PAM_AUTH will always returns DOMAIN_CONTROLLER_NOT_FOUND error............
> > 
> >    We should keep track of the status of primary domain in child winbindd process, I think.
> > 
> >   Patch for 3-0-test and v3-2-test in the attachment.
> > 
> >   Please review it.
> 
> Ok, I'm trying to review and follow the logic.
> 
> There's a question I have however.
> 
> The pam auth request comes in for the use B\fred,
> ie. user fred in the trusted domain. So the
> auth request gets passed down to Pb. But domain
> B is online - when does Pb need to contact domain
> controller for domain A.
> 
> Give me a better description of the usage scenario
> please.

Ok, I looked very closely at the code. I don't think
this patch is correct for 3.0.x. I can't see any case
where Pb contacts Domain A in 3.0.x.

It will. function call stack is showed below:

winbindd_dual_pam_auth() ----> winbindd_dual_pam_auth_samlogon() [because domain B(Pb, trusted domain) is online] ---->

because we are domain member, not DC, contact_domain = find_our_domain(); and then result = cm_connect_netlogon(contact_domain, &netlogon_pipe);

ie, cm_connect_netlogon() is called to contact the primary domain(domain A) ------> init_dc_connection(), here is the problem. If the status of primary domain is not 
updated in Pb, the status is always initialized and offline. Please have a look at 

        if (domain->initialized && !domain->online) {
                /* We check for online status elsewhere. */
                return NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
        }
in init_dc_connection(), which always returns NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND.

Please keep in touch if there is anything I was wrong or I didn't explain clearly.

Thanks!

In 3.2 however I think you're correct. The function
set_dc_type_and_flags_trustinfo() does cause Pb to
attempt to contact Domain A, so the fix is good there.

I'll commit it in the 3.2 and 3.3 branches (with
added comments) - thanks a *lot* for catching this.
Good work !

Jeremy.