[Patch] winbind_lookup_names() fails because of NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Tue Jul 23 17:05:43 MDT 2013

On Tue, Jul 23, 2013 at 11:14:19PM +0200, Florian Riehm wrote:
> Hi,
> 
> please have a look to the attached patch.
> It fixes a probable regression introduced by
> commit c64473ab88ca36462e7976bf0006bc092386894c
> (Bug 9439 - ncacn_ip_tcp reconnection code for lsa lookups still broken)
> in samba-3.6.10.
> 
> Before samba 3.6.10 after a failed cm_connect_lsa_tcp(),
> domain->can_do_ncacn_ip_tcp was set to false and cm_connect_lsat()
> was called to try lookup again. Now after a failed cm_connect_lsat it just
> returns without changing domain->can_do_ncacn_ip_tcp.
> 
> A few weeks ago I have reported the problem as bug 9899 but I haven't seen
> any reaction yet. I would be glad if somebody here could have a look to my
> patch.
> 
> Thanks in advance!
> 
> Regards,
> 
> Florian.
> 
> 
> 
> diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
> index b14a4f8..318d2e0 100644
> --- a/source3/winbindd/winbindd_msrpc.c
> +++ b/source3/winbindd/winbindd_msrpc.c
> @@ -1163,6 +1163,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
>   connect:
>  	status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
>  	if (!NT_STATUS_IS_OK(status)) {
> +		domain->can_do_ncacn_ip_tcp = false;
>  		return status;
>  	}

I'm not sure it's right (but I can be convinced
otherwise :-).

cm_connect_lsat() checks if domain->can_do_ncacn_ip_tcp
is set and then tries cm_connect_lsa_tcp(), otherwise it
calls cm_connect_lsa() (the non-TCP version).

domain->can_do_ncacn_ip_tcp is set to true from the
bool domain->active_directory, which is set to true
when we call dcerpc_netr_DsrEnumerateDomainTrusts()
and the domain->domain_type == NETR_TRUST_TYPE_UPLEVEL
on return.

domain->active_directory (and domain->can_do_ncacn_ip_tcp)
are also set to true when dcerpc_lsa_QueryInfoPolicy2()
returns success (from the comments) :

               /* This particular query is exactly what Win2k clients use 
                   to determine that the DC is active directory */

Under what circumstances should we have 'domain->active_directory = true'
but 'domain->can_do_ncacn_ip_tcp = false' ?

Yeah, I know they're two separate variables which means
they have the potential to be different, but I still
want to know *when* does this actually happen.

What are the conditions where you're getting a failed
TCP connection to an AD controller where a named pipe
connection subsequently succeeds ?

Jeremy.