[PATCHES] Retry ping-dc when session expires
Jeremy Allison
jra at samba.org
Mon Dec 22 16:10:06 MST 2014
On Fri, Dec 19, 2014 at 03:16:32PM -0700, Christof Schmitt wrote:
> The call to wbinfo --ping-dc can return an error when the underlying SMB
> connection expires. Since the goal of --ping-dc is to test whether the
> DC is available, temporary session status changes should not be returned
> to the caller.
> From c2d1e53f0f14f7c738d765d1add8ec3418f024f9 Mon Sep 17 00:00:00 2001
> From: Christof Schmitt <cs at samba.org>
> Date: Fri, 19 Dec 2014 12:24:53 -0700
> Subject: [PATCH 1/2] winbind: Retry after SESSION_EXPIRED error in ping-dc
>
> Trying to establish a netlogon connection when the service ticket
> expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The
> underlying client code already marks the session as invalid, so retry
> the netlogon connect in this case.
>
> Signed-off-by: Christof Schmit <cs at samba.org>
> ---
> source3/winbindd/winbindd_dual_srv.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> index 108b201..769d8d5 100644
> --- a/source3/winbindd/winbindd_dual_srv.c
> +++ b/source3/winbindd/winbindd_dual_srv.c
> @@ -675,6 +675,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
> }
>
> status = cm_connect_netlogon(domain, &netlogon_pipe);
> +
> + if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
> + /*
> + * Retry to open new connection with new kerberos ticket.
> + */
invalidate_cm_connection(domain)
is an idempotent call here. For safety's sake I'd prefer
this patch to call invalidate_cm_connection(domain) before
re-calling cm_connect_netlogon(). There are code paths out
of cm_connect_netlogon() that don't shut down the connection.
Especially as you're calling invalidate_cm_connection(domain)
below in the same situation.
Jeremy.
> + status = cm_connect_netlogon(domain, &netlogon_pipe);
> + }
> +
> reset_cm_connection_on_error(domain, status);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
> --
> 1.7.1
>
>
> From 427a19e56038d3f0fad9f0ebd0a7a47a367f0c1f Mon Sep 17 00:00:00 2001
> From: Christof Schmitt <cs at samba.org>
> Date: Fri, 19 Dec 2014 13:43:33 -0700
> Subject: [PATCH 2/2] winbind: Retry LogonControl RPC in ping-dc after session expiration
>
> When the underlying session expires, the LogonControl RPC call used in
> ping-dc returns NT_STATUS_IO_DEVICE_ERROR. Retry once in this case,
> instead of returning the error to the caller.
>
> Signed-off-by: Christof Schmitt <cs at samba.org>
> ---
> source3/winbindd/winbindd_dual_srv.c | 10 ++++++++++
> 1 files changed, 10 insertions(+), 0 deletions(-)
>
> diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> index 769d8d5..1152836 100644
> --- a/source3/winbindd/winbindd_dual_srv.c
> +++ b/source3/winbindd/winbindd_dual_srv.c
> @@ -668,12 +668,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
> WERROR werr;
> fstring logon_server;
> struct dcerpc_binding_handle *b;
> + bool retry = false;
>
> domain = wb_child_domain();
> if (domain == NULL) {
> return NT_STATUS_REQUEST_NOT_ACCEPTED;
> }
>
> +reconnect:
> status = cm_connect_netlogon(domain, &netlogon_pipe);
>
> if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
> @@ -709,6 +711,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
> logon_server, NETLOGON_CONTROL_QUERY,
> 2, &info, &werr);
>
> + if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) {
> + DEBUG(10, ("Session might have expired. "
> + "Reconnect and retry once.\n"));
> + invalidate_cm_connection(domain);
> + retry = true;
> + goto reconnect;
> + }
> +
> reset_cm_connection_on_error(domain, status);
> if (!NT_STATUS_IS_OK(status)) {
> DEBUG(2, ("dcerpc_netr_LogonControl failed: %s\n",
> --
> 1.7.1
>
More information about the samba-technical
mailing list