From 9cf3ce5981a65d55fc0f4e59aea5406d1164719b Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Mon, 22 Dec 2014 15:19:47 -0800 Subject: [PATCH 1/2] winbind: Retry LogonControl RPC in ping-dc after session expiration When the underlying session expires, the LogonControl RPC call used in ping-dc returns NT_STATUS_IO_DEVICE_ERROR. Retry once in this case, instead of returning the error to the caller. Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Dec 23 02:46:34 CET 2014 on sn-devel-104 (cherry picked from commit 2fdc55160309cec89aeb88243cb18d058c67e918) BUG: https://bugzilla.samba.org/show_bug.cgi?id=11034 --- source3/winbindd/winbindd_dual_srv.c | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index 5e33787..bf66fa1 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c @@ -668,12 +668,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r) WERROR werr; fstring logon_server; struct dcerpc_binding_handle *b; + bool retry = false; domain = wb_child_domain(); if (domain == NULL) { return NT_STATUS_REQUEST_NOT_ACCEPTED; } +reconnect: status = cm_connect_netlogon(domain, &netlogon_pipe); reset_cm_connection_on_error(domain, status); if (!NT_STATUS_IS_OK(status)) { @@ -701,6 +703,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r) logon_server, NETLOGON_CONTROL_QUERY, 2, &info, &werr); + if (NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR) && !retry) { + DEBUG(10, ("Session might have expired. " + "Reconnect and retry once.\n")); + invalidate_cm_connection(&domain->conn); + retry = true; + goto reconnect; + } + reset_cm_connection_on_error(domain, status); if (!NT_STATUS_IS_OK(status)) { DEBUG(2, ("dcerpc_netr_LogonControl failed: %s\n", -- 1.7.1 
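Review bot: The retry branch added after the `dcerpc_netr_LogonControl` call treats the generic `NT_STATUS_IO_DEVICE_ERROR` as an expired session, but the reason is recorded only in the commit message; a comment above the `if`, such as `/* LogonControl returns NT_STATUS_IO_DEVICE_ERROR when the underlying session has expired; reconnect and retry once. */`, would keep that rationale with the code. The reconnect is logged only at level 10 and without naming the domain, so repeated forced reconnects to a DC are hard to spot or correlate in logs; consider `DEBUG(5, ("Session to domain %s might have expired. Reconnect and retry once.\n", domain->name));`. The `!retry` guard does limit the jump back to `reconnect:` (first hunk) to one pass. The statements between the label and the RPC call lie outside both hunks, so it should be confirmed that they are safe to execute a second time.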
From 5bd2a8c0e27539527b6f4b9ddde37ef62674c9bf Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 19 Dec 2014 12:24:53 -0700 Subject: [PATCH 2/2] winbind: Retry after SESSION_EXPIRED error in ping-dc Trying to establish a netlogon connection when the service ticket expires might fail with NT_STATUS_NETWORK_SESSION_EXPIRED. The underlying client code already marks the session as invalid, so retry the netlogon connect in this case. Signed-off-by: Christof Schmit Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Tue Jan 6 02:58:57 CET 2015 on sn-devel-104 (cherry picked from commit a2670f15dea27c10e3827216adf572f9c3894f85) BUG: https://bugzilla.samba.org/show_bug.cgi?id=11034 --- source3/winbindd/winbindd_dual_srv.c | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index bf66fa1..c19179d 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c @@ -677,6 +677,14 @@ NTSTATUS _wbint_PingDc(struct pipes_struct *p, struct wbint_PingDc *r) reconnect: status = cm_connect_netlogon(domain, &netlogon_pipe); + if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) { + /* + * Retry to open new connection with new kerberos ticket. + */ + invalidate_cm_connection(&domain->conn); + status = cm_connect_netlogon(domain, &netlogon_pipe); + } + reset_cm_connection_on_error(domain, status); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("could not open handle to NETLOGON pipe: %s\n", -- 1.7.1
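Review bot: The `NT_STATUS_NETWORK_SESSION_EXPIRED` branch reconnects without logging anything, whereas the LogonControl retry from patch 1/2 in the same function emits a DEBUG line; adding `DEBUG(10, ("Session expired. Reconnect with new ticket and retry once.\n"));` before `invalidate_cm_connection()` would make ticket-expiry reconnects visible when diagnosing authentication problems. The branch sits below `reconnect:` and is not gated by the `retry` flag from patch 1/2, so a single ping can make up to four `cm_connect_netlogon()` calls; that is bounded, but worth stating in the comment. The description says the client code already marks the session invalid, so the comment could also say why the explicit `invalidate_cm_connection(&domain->conn)` is still needed. The rest of `_wbint_PingDc` is outside the hunk.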