From 4681838c0d1cc6544fe6ff4e0ee2d70e2bd05bf7 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 22 Jun 2012 14:26:45 +0200 Subject: [PATCH 1/2] s3: Give machine password changes 10 minutes of time This is what we do at domain join time as well, see lib/netapi/joindomain.c:141 Signed-off-by: Stefan Metzmacher (cherry picked from commit b9a15f1bfad30a824f9ec87bc9f7c65adf50dae0) --- source3/rpc_client/cli_netlogon.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c index bd3232d..c69a933 100644 --- a/source3/rpc_client/cli_netlogon.c +++ b/source3/rpc_client/cli_netlogon.c @@ -625,11 +625,14 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) { struct netr_CryptPassword new_password; + uint32_t old_timeout; init_netr_CryptPassword(new_trust_pwd_cleartext, cli->dc->session_key, &new_password); + old_timeout = dcerpc_binding_handle_set_timeout(b, 600000); + status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx, cli->srv_name_slash, cli->dc->account_name, @@ -639,6 +642,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, &srv_cred, &new_password, &result); + + dcerpc_binding_handle_set_timeout(b, old_timeout); + if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n", nt_errstr(status))); @@ -647,9 +653,13 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, } else { struct samr_Password new_password; + uint32_t old_timeout; + memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash)); netlogon_creds_des_encrypt(cli->dc, &new_password); + old_timeout = dcerpc_binding_handle_set_timeout(b, 600000); + status = dcerpc_netr_ServerPasswordSet(b, mem_ctx, cli->srv_name_slash, cli->dc->account_name, @@ -659,6 +669,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli, &srv_cred, &new_password, &result); + + dcerpc_binding_handle_set_timeout(b, old_timeout); + if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n", nt_errstr(status))); -- 1.7.9.5 From 79c7eb69a416665a5e7503bce278d794d9bc11e2 Mon Sep 17 00:00:00 2001 From: Christian Ambach Date: Tue, 5 Mar 2013 11:44:03 +0100 Subject: [PATCH 2/2] s3:libnet increase timeout for machine password change DCs might run password filter modules that can delay the setting of the machine password for a significant amount of time use the same timeout as in the other paths of domain join (e.g. rpccli_netlogon_set_trust_password) Signed-off-by: Christian Ambach Reviewed-by: Volker Lendecke (cherry picked from commit 9755541ed156d71df98607375ee3b925266c3c74) --- source3/libnet/libnet_join.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c index 7bb436b..e84682d 100644 --- a/source3/libnet/libnet_join.c +++ b/source3/libnet/libnet_join.c @@ -850,6 +850,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, struct samr_Ids name_types; union samr_UserInfo user_info; struct dcerpc_binding_handle *b = NULL; + unsigned int old_timeout = 0; struct samr_CryptPassword crypt_pwd; struct samr_CryptPasswordEx crypt_pwd_ex; @@ -1061,6 +1062,12 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, /* Set password on machine account - first try level 26 */ + /* + * increase the timeout as password filter modules on the DC + * might delay the operation for a significant amount of time + */ + old_timeout = rpccli_set_timeout(pipe_hnd, 600000); + init_samr_CryptPasswordEx(r->in.machine_password, &cli->user_session_key, &crypt_pwd_ex); @@ -1092,6 +1099,8 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx, &result); } + old_timeout = rpccli_set_timeout(pipe_hnd, old_timeout); + if (!NT_STATUS_IS_OK(status)) { dcerpc_samr_DeleteUser(b, mem_ctx, -- 1.7.9.5