The Samba-Bugzilla – Attachment 6244 Details for
Bug 7944
winbindd lsa ncacn_ip_tcp doesn't recover from ACCESS_DENIED/SEC_PKG_ERROR
[patch] Patch for v3-5
tmp.diff (text/plain), 5.35 KB, created by Stefan Metzmacher on 2011-02-02 22:09:51 UTC
Description: Patch for v3-5
Filename: tmp.diff
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2011-02-02 22:09:51 UTC
Size: 5.35 KB
Attachment flags: patch, obsolete
>From 7b68576af5f8e6a41e029691dd9580c922ec1758 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Sun, 30 Jan 2011 17:34:11 +0100 >Subject: [PATCH 1/4] dcerpc.idl: add DCERPC_FAULT_SEC_PKG_ERROR > >metze >(cherry picked from commit 8d07deaeaacbd376f9824ac350c01510e05a76ca) >(cherry picked from commit 85358c0534472fde71e304ddada678b61637ba40) >--- > librpc/idl/dcerpc.idl | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > >diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl >index 3ec416d..2aeb7eb 100644 >--- a/librpc/idl/dcerpc.idl >+++ b/librpc/idl/dcerpc.idl >@@ -105,6 +105,7 @@ interface dcerpc > const int DCERPC_FAULT_OTHER = 0x00000001; > const int DCERPC_FAULT_ACCESS_DENIED = 0x00000005; > const int DCERPC_FAULT_CANT_PERFORM = 0x000006d8; >+ const int DCERPC_FAULT_SEC_PKG_ERROR = 0x00000721; > > /* we return this fault when we haven't yet run the test > to see what fault w2k3 returns in this case */ >-- >1.7.0.4 > > >From 7761e0f0fb48c0c33e26e17489e8c6e52931e68d Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 2 Feb 2011 14:20:58 +0100 >Subject: [PATCH 2/4] rerun 'make samba3-idl' > >metze >--- > librpc/gen_ndr/dcerpc.h | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > >diff --git a/librpc/gen_ndr/dcerpc.h b/librpc/gen_ndr/dcerpc.h >index 5408cf4..f64f7ae 100644 >--- a/librpc/gen_ndr/dcerpc.h >+++ b/librpc/gen_ndr/dcerpc.h >@@ -22,6 +22,7 @@ > #define DCERPC_FAULT_OTHER ( 0x00000001 ) > #define DCERPC_FAULT_ACCESS_DENIED ( 0x00000005 ) > #define DCERPC_FAULT_CANT_PERFORM ( 0x000006d8 ) >+#define DCERPC_FAULT_SEC_PKG_ERROR ( 0x00000721 ) > #define DCERPC_FAULT_TODO ( 0x00000042 ) > #define DCERPC_AUTH_LEVEL_DEFAULT ( DCERPC_AUTH_LEVEL_CONNECT ) > #define DCERPC_AUTH_TRAILER_LENGTH ( 8 ) >-- >1.7.0.4 > > >From 32b8bdf1ce91e73f604ae6ba6ed767e4a2158788 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 2 Feb 2011 14:18:33 +0100 >Subject: [PATCH 3/4] librpc/rpc: display DCERPC_FAULT_SEC_PKG_ERROR nicely in dcerpc_errstr() > >metze >--- > librpc/rpc/dcerpc_error.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > >diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c >index dbab783..51112b4 100644 >--- a/librpc/rpc/dcerpc_error.c >+++ b/librpc/rpc/dcerpc_error.c >@@ -36,6 +36,7 @@ static const struct dcerpc_fault_table dcerpc_faults[] = > { "DCERPC_FAULT_CONTEXT_MISMATCH", DCERPC_FAULT_CONTEXT_MISMATCH }, > { "DCERPC_FAULT_OTHER", DCERPC_FAULT_OTHER }, > { "DCERPC_FAULT_ACCESS_DENIED", DCERPC_FAULT_ACCESS_DENIED }, >+ { "DCERPC_FAULT_SEC_PKG_ERROR", DCERPC_FAULT_SEC_PKG_ERROR }, > > { NULL, 0} > }; >-- >1.7.0.4 > > >From 2044f84408bbe7d5ac23f7e7bb142fd700f5c374 Mon Sep 17 00:00:00 2001 
>From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 1 Feb 2011 18:46:57 +0100 >Subject: [PATCH 4/4] s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944) > >If winbindd connects to a domain controller it doesn't establish the lsa >connection over ncacn_ip_tcp direct. This happens only on demand. > >If someone does a 'net rpc testjoin' and then a >wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with >ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy >of the schannel session key is invalidated. > >This problem can also happen on other calls, but the >lookup_names/sids calls on thet lsa ncacn_ip_tcp connection >are the most important ones. > >The long term fix is to store the schannel client state in a >tdb, but for now it's enough to catch the error and invalidate >the all connections to the dc and reestablish the schannel >session key. > >The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a) >made this worse, as it assumes winbindd's in memory session key is >always the current one. > >metze >(cherry picked from commit 255f2e06991aa543cd2c6f4d0123664b2a76c99d) >(cherry picked from commit a699ac50f7c9a5eeb57215879e17631c9a1f534f) >--- > source3/winbindd/winbindd_rpc.c | 24 ++++++++++++++++++++++++ > 1 files changed, 24 insertions(+), 0 deletions(-) > >diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c >index b65b126..59d3457 100644 >--- a/source3/winbindd/winbindd_rpc.c >+++ b/source3/winbindd/winbindd_rpc.c 
>@@ -1237,6 +1237,18 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx, > /* And restore our original timeout. */ > rpccli_set_timeout(cli, orig_timeout); > >+ if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED || >+ NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) { >+ /* >+ * This can happen if the schannel key is not >+ * valid anymore, we need to invalidate the >+ * all connections to the dc and reestablish >+ * a netlogon connection first. >+ */ >+ invalidate_cm_connection(&domain->conn); >+ status = NT_STATUS_ACCESS_DENIED; >+ } >+ > if (!NT_STATUS_IS_OK(status)) { > return status; > } >@@ -1304,6 +1316,18 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx, > /* And restore our original timeout. */ > rpccli_set_timeout(cli, orig_timeout); > >+ if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED || >+ NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) { >+ /* >+ * This can happen if the schannel key is not >+ * valid anymore, we need to invalidate the >+ * all connections to the dc and reestablish >+ * a netlogon connection first. >+ */ >+ invalidate_cm_connection(&domain->conn); >+ status = NT_STATUS_ACCESS_DENIED; >+ } >+ > if (!NT_STATUS_IS_OK(status)) { > return status; > } >-- >1.7.0.4 >
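Review bot: [PATCH 1/4], hunk @@ -105,6 +105,7 @@ of librpc/idl/dcerpc.idl: the new constant DCERPC_FAULT_SEC_PKG_ERROR = 0x00000721 is added without a note on where the value comes from, while the very next lines in this file carry a comment explaining the provenance of the TODO fault. 0x721 is decimal 1825, the Windows RPC_S_SEC_PKG_ERROR code that a DCE/RPC server returns as the nca_s_fault_sec_pkg_error fault, and a one-line comment saying so would help whoever next audits this table against MS-RPCE.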
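Review bot: [PATCH 2/4], hunk @@ -22,6 +22,7 @@ of librpc/gen_ndr/dcerpc.h: the regenerated define carries the same value 0x00000721 as the IDL constant in 1/4, which is the thing to check for a generated header that is committed in tree; keep this commit directly after 1/4 when applying to v3-5 (or squash the two), so that no revision of the branch has dcerpc.idl and the generated dcerpc.h out of step.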
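Review bot: [PATCH 4/4], first hunk (winbindd_lookup_sids, @@ -1237,6 +1237,18 @@): the new branch invalidates the connection but does not retry, so the request that detects the stale schannel key still fails with NT_STATUS_ACCESS_DENIED and the session key is only reestablished on the caller's next request; the comment should say that explicitly, because the commit message reads as if recovery happens inside this call. Two smaller points: the test `NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED` relies on the rpc client surfacing a DCERPC fault as NT_STATUS(fault_code) rather than as a mapped NTSTATUS, which deserves a comment so a later change to the fault mapping does not silently disable this catch; and since both faults are collapsed into one status before returning, logging the original fault code (dcerpc_errstr() knows the new name after 3/4) at DEBUG level before the `status = NT_STATUS_ACCESS_DENIED;` line would let an admin tell ACCESS_DENIED from SEC_PKG_ERROR in the winbindd log when diagnosing bug 7944.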
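Review bot: [PATCH 4/4], second hunk (winbindd_lookup_names, @@ -1304,6 +1316,18 @@): this is a verbatim copy of the twelve lines added to winbindd_lookup_sids in the previous hunk; factor the check into one small static helper that takes the domain and the status and returns the possibly remapped status, so the two catch sites cannot drift apart when the fault handling is revisited for the tdb-based fix the commit message mentions. While touching it, fix the comment grammar in both copies: "invalidate the all connections to the dc" should read "invalidate all connections to the dc".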
Flags: gd: review+