[Patch] winbind_lookup_names() fails because of NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Jeremy Allison
jra at samba.org
Tue Jul 23 17:05:43 MDT 2013
On Tue, Jul 23, 2013 at 11:14:19PM +0200, Florian Riehm wrote:
> Hi,
>
> Please have a look at the attached patch.
> It fixes a probable regression introduced by
> commit c64473ab88ca36462e7976bf0006bc092386894c
> (Bug 9439 - ncacn_ip_tcp reconnection code for lsa lookups still broken)
> in samba-3.6.10.
>
> Before samba 3.6.10 after a failed cm_connect_lsa_tcp(),
> domain->can_do_ncacn_ip_tcp was set to false and cm_connect_lsat()
> was called to try lookup again. Now after a failed cm_connect_lsat it just
> returns without changing domain->can_do_ncacn_ip_tcp.
>
> A few weeks ago I reported the problem as bug 9899 but I haven't seen
> any reaction yet. I would be glad if somebody here could have a look at my
> patch.
>
> Thanks in advance!
>
> Regards,
>
> Florian.
>
>
>
> diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
> index b14a4f8..318d2e0 100644
> --- a/source3/winbindd/winbindd_msrpc.c
> +++ b/source3/winbindd/winbindd_msrpc.c
> @@ -1163,6 +1163,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
> connect:
> status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
> if (!NT_STATUS_IS_OK(status)) {
> + domain->can_do_ncacn_ip_tcp = false;
> return status;
> }
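
Review bot: The added `domain->can_do_ncacn_ip_tcp = false;` in the `!NT_STATUS_IS_OK(status)` branch runs for every failure status that cm_connect_lsat() can return, and the branch still does `return status;` right after it, so this hunk only changes state for a later call and does not retry the lookup in this one. Consider clearing the flag only for the specific status that indicates the transport failed, and either jumping back to the `connect:` label once after clearing it or adding a comment that the caller is expected to retry. A one-line comment above the assignment explaining why a connect failure here disables ncacn_ip_tcp for the domain would also help.
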
I'm not sure it's right (but I can be convinced
otherwise :-).

cm_connect_lsat() checks if domain->can_do_ncacn_ip_tcp
is set and then tries cm_connect_lsa_tcp(), otherwise it
calls cm_connect_lsa() (the non-TCP version).

domain->can_do_ncacn_ip_tcp is set to true from the
bool domain->active_directory, which is set to true
when we call dcerpc_netr_DsrEnumerateDomainTrusts()
and the domain->domain_type == NETR_TRUST_TYPE_UPLEVEL
on return.

domain->active_directory (and domain->can_do_ncacn_ip_tcp)
are also set to true when dcerpc_lsa_QueryInfoPolicy2()
returns success (from the comments):

    /* This particular query is exactly what Win2k clients use
       to determine that the DC is active directory */

Under what circumstances should we have 'domain->active_directory = true'
but 'domain->can_do_ncacn_ip_tcp = false'?

Yeah, I know they're two separate variables which means
they have the potential to be different, but I still
want to know *when* does this actually happen.

What are the conditions where you're getting a failed
TCP connection to an AD controller where a named pipe
connection subsequently succeeds?

Jeremy.