From 026c43f6f0f5778b1b4d440550437dc4450596d6 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Sat, 5 Mar 2011 16:44:58 +0100
Subject: [PATCH] s3: Fix bug 7888 -- deal with buggy 3.0 based PDCs

---
 source3/winbindd/winbindd_pam.c |   52 ++++++++++++++++++++++++++++----------
 1 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index e958a7e..3407cc6 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1345,13 +1345,25 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
 				  &my_info3);
 		attempts += 1;
 
-		if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
-		    && contact_domain->can_do_samlogon_ex) {
-			DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
-				  "retrying with NetSamLogon\n"));
-			contact_domain->can_do_samlogon_ex = false;
-			retry = true;
-			continue;
+		if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
+
+			if (contact_domain->can_do_samlogon_ex) {
+				DEBUG(3, ("Got a DC that can not do "
+					  "NetSamLogonEx, retrying with "
+					  "NetSamLogon\n"));
+				contact_domain->can_do_samlogon_ex = false;
+				retry = true;
+				continue;
+			}
+
+			/*
+			 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
+			 * (no Ex). This happens against old Samba
+			 * DCs. Drop the connection.
+			 */
+			invalidate_cm_connection(&contact_domain->conn);
+			result = NT_STATUS_LOGON_FAILURE;
+			break;
 		}
 
 		/* We have to try a second time as cm_connect_netlogon
@@ -1918,13 +1930,25 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				  nt_resp,
 				  &info3);
 
-		if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
-		    && contact_domain->can_do_samlogon_ex) {
-			DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
-				  "retrying with NetSamLogon\n"));
-			contact_domain->can_do_samlogon_ex = false;
-			retry = true;
-			continue;
+		if (NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR) {
+
+			if (contact_domain->can_do_samlogon_ex) {
+				DEBUG(3, ("Got a DC that can not do "
+					  "NetSamLogonEx, retrying with "
+					  "NetSamLogon\n"));
+				contact_domain->can_do_samlogon_ex = false;
+				retry = true;
+				continue;
+			}
+
+			/*
+			 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
+			 * (no Ex). This happens against old Samba
+			 * DCs. Drop the connection.
+			 */
+			invalidate_cm_connection(&contact_domain->conn);
+			result = NT_STATUS_LOGON_FAILURE;
+			break;
 		}
 
 		attempts += 1;
-- 
1.5.6.5