Attachment 6244 Details for Bug 7944 – Patch for v3-5

[patch] Patch for v3-5

tmp.diff (text/plain), 5.35 KB, created by Stefan Metzmacher on 2011-02-02 22:09:51 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2011-02-02 22:09:51 UTC

Size: 5.35 KB

patch

obsolete

>From 7b68576af5f8e6a41e029691dd9580c922ec1758 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Sun, 30 Jan 2011 17:34:11 +0100
>Subject: [PATCH 1/4] dcerpc.idl: add DCERPC_FAULT_SEC_PKG_ERROR
>
>metze
>(cherry picked from commit 8d07deaeaacbd376f9824ac350c01510e05a76ca)
>(cherry picked from commit 85358c0534472fde71e304ddada678b61637ba40)
>---
> librpc/idl/dcerpc.idl |    1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
>diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
>index 3ec416d..2aeb7eb 100644
>--- a/librpc/idl/dcerpc.idl
>+++ b/librpc/idl/dcerpc.idl
>@@ -105,6 +105,7 @@ interface dcerpc
> 	const int DCERPC_FAULT_OTHER              = 0x00000001;
> 	const int DCERPC_FAULT_ACCESS_DENIED      = 0x00000005;
> 	const int DCERPC_FAULT_CANT_PERFORM       = 0x000006d8;
>+	const int DCERPC_FAULT_SEC_PKG_ERROR      = 0x00000721;
> 
> 	/* we return this fault when we haven't yet run the test
> 	   to see what fault w2k3 returns in this case */
>-- 
>1.7.0.4
>
>
>From 7761e0f0fb48c0c33e26e17489e8c6e52931e68d Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 2 Feb 2011 14:20:58 +0100
>Subject: [PATCH 2/4] rerun 'make samba3-idl'
>
>metze
>---
> librpc/gen_ndr/dcerpc.h |    1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
>diff --git a/librpc/gen_ndr/dcerpc.h b/librpc/gen_ndr/dcerpc.h
>index 5408cf4..f64f7ae 100644
>--- a/librpc/gen_ndr/dcerpc.h
>+++ b/librpc/gen_ndr/dcerpc.h
>@@ -22,6 +22,7 @@
> #define DCERPC_FAULT_OTHER	( 0x00000001 )
> #define DCERPC_FAULT_ACCESS_DENIED	( 0x00000005 )
> #define DCERPC_FAULT_CANT_PERFORM	( 0x000006d8 )
>+#define DCERPC_FAULT_SEC_PKG_ERROR	( 0x00000721 )
> #define DCERPC_FAULT_TODO	( 0x00000042 )
> #define DCERPC_AUTH_LEVEL_DEFAULT	( DCERPC_AUTH_LEVEL_CONNECT )
> #define DCERPC_AUTH_TRAILER_LENGTH	( 8 )
>-- 
>1.7.0.4
>
>
>From 32b8bdf1ce91e73f604ae6ba6ed767e4a2158788 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Wed, 2 Feb 2011 14:18:33 +0100
>Subject: [PATCH 3/4] librpc/rpc: display DCERPC_FAULT_SEC_PKG_ERROR nicely in dcerpc_errstr()
>
>metze
>---
> librpc/rpc/dcerpc_error.c |    1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
>diff --git a/librpc/rpc/dcerpc_error.c b/librpc/rpc/dcerpc_error.c
>index dbab783..51112b4 100644
>--- a/librpc/rpc/dcerpc_error.c
>+++ b/librpc/rpc/dcerpc_error.c
>@@ -36,6 +36,7 @@ static const struct dcerpc_fault_table dcerpc_faults[] =
> 	{ "DCERPC_FAULT_CONTEXT_MISMATCH",	DCERPC_FAULT_CONTEXT_MISMATCH },
> 	{ "DCERPC_FAULT_OTHER",			DCERPC_FAULT_OTHER },
> 	{ "DCERPC_FAULT_ACCESS_DENIED",		DCERPC_FAULT_ACCESS_DENIED },
>+	{ "DCERPC_FAULT_SEC_PKG_ERROR",		DCERPC_FAULT_SEC_PKG_ERROR },
> 
> 	{ NULL,					0}
> };
>-- 
>1.7.0.4
>
>
>From 2044f84408bbe7d5ac23f7e7bb142fd700f5c374 Mon Sep 17 00:00:00 2001
>From: Stefan Metzmacher <metze@samba.org>
>Date: Tue, 1 Feb 2011 18:46:57 +0100
>Subject: [PATCH 4/4] s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)
>
>If winbindd connects to a domain controller it doesn't establish the lsa
>connection over ncacn_ip_tcp direct. This happens only on demand.
>
>If someone does a 'net rpc testjoin' and then a
>wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with
>ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy
>of the schannel session key is invalidated.
>
>This problem can also happen on other calls, but the
>lookup_names/sids calls on thet lsa ncacn_ip_tcp connection
>are the most important ones.
>
>The long term fix is to store the schannel client state in a
>tdb, but for now it's enough to catch the error and invalidate
>the all connections to the dc and reestablish the schannel
>session key.
>
>The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a)
>made this worse, as it assumes winbindd's in memory session key is
>always the current one.
>
>metze
>(cherry picked from commit 255f2e06991aa543cd2c6f4d0123664b2a76c99d)
>(cherry picked from commit a699ac50f7c9a5eeb57215879e17631c9a1f534f)
>---
> source3/winbindd/winbindd_rpc.c |   24 ++++++++++++++++++++++++
> 1 files changed, 24 insertions(+), 0 deletions(-)
>
>diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
>index b65b126..59d3457 100644
>--- a/source3/winbindd/winbindd_rpc.c
>+++ b/source3/winbindd/winbindd_rpc.c
>@@ -1237,6 +1237,18 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
> 	/* And restore our original timeout. */
> 	rpccli_set_timeout(cli, orig_timeout);
> 
>+	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
>+	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
>+		/*
>+		 * This can happen if the schannel key is not
>+		 * valid anymore, we need to invalidate the
>+		 * all connections to the dc and reestablish
>+		 * a netlogon connection first.
>+		 */
>+		invalidate_cm_connection(&domain->conn);
>+		status = NT_STATUS_ACCESS_DENIED;
>+	}
>+
> 	if (!NT_STATUS_IS_OK(status)) {
> 		return status;
> 	}
>@@ -1304,6 +1316,18 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
> 	/* And restore our original timeout. */
> 	rpccli_set_timeout(cli, orig_timeout);
> 
>+	if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
>+	    NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
>+		/*
>+		 * This can happen if the schannel key is not
>+		 * valid anymore, we need to invalidate the
>+		 * all connections to the dc and reestablish
>+		 * a netlogon connection first.
>+		 */
>+		invalidate_cm_connection(&domain->conn);
>+		status = NT_STATUS_ACCESS_DENIED;
>+	}
>+
> 	if (!NT_STATUS_IS_OK(status)) {
> 		return status;
> 	}
>-- 
>1.7.0.4
>

Flags:

gd: review+

Actions: View

Attachments on bug 7944: 6244