[PATCHES] Retry ping-dc when session expires

Christof Schmitt cs at samba.org
Mon Jan 5 16:05:30 MST 2015


On Mon, Jan 05, 2015 at 12:42:15PM -0800, Jeremy Allison wrote:
> On Mon, Dec 22, 2014 at 03:10:06PM -0800, Jeremy Allison wrote:
> > On Fri, Dec 19, 2014 at 03:16:32PM -0700, Christof Schmitt wrote:
> > > The call to wbinfo --ping-dc can return an error when the underlying SMB
> > > connection expires. Since the goal of --ping-dc is to test whether the
> > > DC is available, temporary session status changes should not be returned
> > > to the caller.
> > 
> > > From c2d1e53f0f14f7c738d765d1add8ec3418f024f9 Mon Sep 17 00:00:00 2001
> > > From: Christof Schmitt <cs at samba.org>
> > > Date: Fri, 19 Dec 2014 12:24:53 -0700
> > > Subject: [PATCH 1/2] winbind: Retry after SESSION_EXPIRED error in ping-dc
> > > 
> > > Trying to establish a netlogon connection when the service ticket
> > > expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The
> > > underlying client code already marks the session as invalid, so retry
> > > the netlogon connect in this case.
> > > 
> > > Signed-off-by: Christof Schmit <cs at samba.org>
> > > ---
> > >  source3/winbindd/winbindd_dual_srv.c |    8 ++++++++
> > >  1 files changed, 8 insertions(+), 0 deletions(-)
> > > 
> > > diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
> > > index 108b201..769d8d5 100644
> > > --- a/source3/winbindd/winbindd_dual_srv.c
> > > +++ b/source3/winbindd/winbindd_dual_srv.c
> > > @@ -675,6 +675,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
> > >  	}
> > >  
> > >  	status = cm_connect_netlogon(domain, &netlogon_pipe);
> > > +
> > > +	if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
> > > +		/*
> > > +		 * Retry to open new connection with new kerberos ticket.
> > > +		 */
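Review bot: The comment in the added `if` block, "Retry to open new connection with new kerberos ticket.", says what the retry does but not why it can succeed. The commit message gives the reason (the client code has already marked the session as invalid), and the comment should carry it. The blank `+` line between cm_connect_netlogon() and the status check can also be dropped so the check sits directly under the call it tests.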
> > 
> > invalidate_cm_connection(domain)
> > 
> > is an idempotent call here. For safety's sake I'd prefer
> > this patch to call invalidate_cm_connection(domain) before
> > re-calling cm_connect_netlogon(). There are code paths out
> > of cm_connect_netlogon() that don't shut down the connection.
> > 
> > Especially as you're calling invalidate_cm_connection(domain)
> > below in the same situation.
> 
> Ping! Christof, can you add the invalidate_cm_connection()
> call and re-submit this one? I pushed the second patch
> already.

Yes, here is the updated patch, sorry for the delay. This would also be
an important fix for the currently active 4.x branches; I will open a
bug for the backport of the patches.

Christof
-------------- next part --------------
From 8fe2c392a0faeb35c0e9026999ff3f299920de36 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs at samba.org>
Date: Fri, 19 Dec 2014 12:24:53 -0700
Subject: [PATCH] winbind: Retry after SESSION_EXPIRED error in ping-dc

Trying to establish a netlogon connection when the service ticket
expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The
underlying client code already marks the session as invalid, so retry
the netlogon connect in this case.

Signed-off-by: Christof Schmit <cs at samba.org>
---
 source3/winbindd/winbindd_dual_srv.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 22e709f..061de72 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -677,6 +677,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r)
 
 reconnect:
 	status = cm_connect_netlogon(domain, &netlogon_pipe);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
+		/*
+		 * Retry to open new connection with new kerberos ticket.
+		 */
+		invalidate_cm_connection(domain);
+		status = cm_connect_netlogon(domain, &netlogon_pipe);
+	}
+
 	reset_cm_connection_on_error(domain, status);
         if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n",
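Review bot: The retry added after `reconnect:` runs once and leaves no log trace. If the second cm_connect_netlogon() also returns NT_STATUS_NETWORK_SESSION_EXPIRED, that status falls through to reset_cm_connection_on_error() and the existing error handling, and a retry that succeeds is invisible in the logs. A DEBUG line inside the `if` block would make session-expiry reconnects diagnosable. The commit message also still says only that the client code marks the session as invalid; it should mention the invalidate_cm_connection(domain) call now made before the retry.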
-- 
1.7.1
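The reasoning in Jeremy's review (invalidate before retrying, because invalidation is idempotent and some error paths leave the connection in place), as an added example that is not part of the original thread or of Samba's code. `struct dom_conn`, `invalidate_conn`, `connect_netlogon` and `ping_dc` are a hypothetical model, and the model assumes an error path that returns the expired status while the stale connection stays cached.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for NTSTATUS values; not Samba's definitions. */
typedef enum { ST_OK, ST_SESSION_EXPIRED } status_t;

/* Hypothetical model of a cached DC connection. */
struct dom_conn {
	bool cached;       /* a connection object is held in the cache */
	bool ticket_fresh; /* the session behind it is still valid */
	int teardowns;     /* number of real teardowns performed */
};

/* Idempotent: dropping an already-dropped connection is a no-op. */
static void invalidate_conn(struct dom_conn *c)
{
	if (!c->cached) return;
	c->cached = false;
	c->teardowns++;
}

/* Assumed behaviour: a cached connection is reused, and the expired
 * path returns without shutting that connection down. */
static status_t connect_netlogon(struct dom_conn *c)
{
	if (c->cached)
		return c->ticket_fresh ? ST_OK : ST_SESSION_EXPIRED;
	c->cached = true;       /* a fresh connect gets a fresh session */
	c->ticket_fresh = true;
	return ST_OK;
}

/* One retry on expiry; invalidate_first toggles the reviewed change. */
static status_t ping_dc(struct dom_conn *c, bool invalidate_first)
{
	status_t st = connect_netlogon(c);
	if (st == ST_SESSION_EXPIRED) {
		if (invalidate_first) invalidate_conn(c);
		st = connect_netlogon(c);
	}
	return st;
}

int main(void)
{
	struct dom_conn a = { true, false, 0 }, b = { true, false, 0 };
	printf("retry only: %d\n", ping_dc(&a, false));
	printf("invalidate, then retry: %d\n", ping_dc(&b, true));
	return 0;
}
```

In this model the plain retry hits the same stale cached connection and fails again, while the invalidate-then-retry path reconnects; calling `invalidate_conn` again afterwards costs nothing when no connection is cached.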


