[Patch] winbind_lookup_names() fails because of NT_STATUS_CANT_ACCESS_DOMAIN_INFO

Florian Riehm mail at friehm.de
Wed Jul 24 03:08:54 MDT 2013


On 07/24/13 01:05, Jeremy Allison wrote:
> On Tue, Jul 23, 2013 at 11:14:19PM +0200, Florian Riehm wrote:
>> Hi,
>>
>> please have a look at the attached patch.
>> It fixes a probable regression introduced by
>> commit c64473ab88ca36462e7976bf0006bc092386894c
>> (Bug 9439 - ncacn_ip_tcp reconnection code for lsa lookups still broken)
>> in samba-3.6.10.
>>
>> Before samba 3.6.10 after a failed cm_connect_lsa_tcp(),
>> domain->can_do_ncacn_ip_tcp was set to false and cm_connect_lsat()
>> was called to try lookup again. Now after a failed cm_connect_lsat it just
>> returns without changing domain->can_do_ncacn_ip_tcp.
>>
>> A few weeks ago I reported the problem as bug 9899 but I haven't seen
>> any reaction yet. I would be glad if somebody here could have a look at my
>> patch.
>>
>> Thanks in advance!
>>
>> Regards,
>>
>> Florian.
>>
>>
>>
>> diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
>> index b14a4f8..318d2e0 100644
>> --- a/source3/winbindd/winbindd_msrpc.c
>> +++ b/source3/winbindd/winbindd_msrpc.c
>> @@ -1163,6 +1163,7 @@ static NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
>>   connect:
>>  	status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
>>  	if (!NT_STATUS_IS_OK(status)) {
>> +		domain->can_do_ncacn_ip_tcp = false;
>>  		return status;
>>  	}
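Review bot: In the `if (!NT_STATUS_IS_OK(status))` branch after `cm_connect_lsat()`, the added line clears `domain->can_do_ncacn_ip_tcp` for every failure status and the branch still ends in `return status;`, so the lookup in progress fails anyway and only a later call can take a different transport. The flag is also written when it was already false, and nothing in the visible lines sets it back. Consider clearing it only when it was true on entry and then jumping back to the existing `connect:` label for a single retry, so the current request gets the fallback the message describes, and add a short comment saying which failure the downgrade is meant to cover.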
> 
> I'm not sure it's right (but I can be convinced
> otherwise :-).
> 
> cm_connect_lsat() checks if domain->can_do_ncacn_ip_tcp
> is set and then tries cm_connect_lsa_tcp(), otherwise it
> calls cm_connect_lsa() (the non-TCP version).
> 
> domain->can_do_ncacn_ip_tcp is set to true from the
> bool domain->active_directory, which is set to true
> when we call dcerpc_netr_DsrEnumerateDomainTrusts()
> and the domain->domain_type == NETR_TRUST_TYPE_UPLEVEL
> on return.
> 
> domain->active_directory (and domain->can_do_ncacn_ip_tcp)
> are also set to true when dcerpc_lsa_QueryInfoPolicy2()
> returns success (from the comments) :
> 
>                /* This particular query is exactly what Win2k clients use 
>                    to determine that the DC is active directory */
> 
> Under what circumstances should we have 'domain->active_directory = true'
> but 'domain->can_do_ncacn_ip_tcp = false' ?
> 
> Yeah, I know they're two separate variables which means
> they have the potential to be different, but I still
> want to know *when* does this actually happen.
> 
> What are the conditions where you're getting a failed
> TCP connection to an AD controller where a named pipe
> connection subsequently succeeds ?
> 
> Jeremy.
> 

Hi Jeremy,

thank you for the fast reply.
I was wondering about the different values of domain->active_directory
and domain->can_do_ncacn_ip_tcp too, but I could not figure out why this
occurs.

I'll try to describe my network, so maybe you have an idea.

My DC is a Windows Server 2008 standard, SP 2, 64 bit.
Afaik there is no special config on it. Let me know if you need further
information about the DC.

I'm using samba on OpenBSD for ntlm authentication with squid.

Here is my smb.conf:
[global]
netbios name = TST1
server string = tst1
workgroup = TEST
security = DOMAIN
encrypt passwords = yes
password server = 192.168.1.1
preferred master = no
local master = no
domain master = no
dns proxy = no
ldap ssl = no
winbind separator = +
;winbind uid = 10000-20000
;winbind gid = 10000-20000
idmap config * : range = 10000-20000
client schannel = no
server schannel = no
winbind use default domain = yes
winbind cache time = 10
winbind enum users = yes
log file = /var/log/%m.log
log level = 5
client ntlmv2 auth = yes

With Samba 3.6.6 everything works fine even if domain->active_directory and
domain->can_do_ncacn_ip_tcp are different:

# wbinfo -n inetuser1
S-1-5-21-1262556113-2025608247-2761087495-1108 SID_USER (1)

With Samba >=3.6.10 it doesn't work anymore:
Samba 3.6.12:
# wbinfo -n inetuser1
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name inetuser1

In my environment domain->active_directory and
domain->can_do_ncacn_ip_tcp have always been different, but Samba < 3.6.10
has handled the problem in the same way as my patch. Is there a config option
that influences the value of domain->active_directory? Could it be a mistake
in my config? Is there a special reason why the behavior changed in samba
3.6.10?

Thanks

Florian.


