Bug 10006 - Primary domain is not marked as offline if NETLOGON connection fails during trusted domains query on startup
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2013-07-10 12:21 UTC by Daniel Gan-Levi (dead mail address)
Modified: 2013-07-15 07:46 UTC (History)
Description Daniel Gan-Levi (dead mail address) 2013-07-10 12:21:06 UTC
The immediate consequence of this is that the trusted domain list remains empty indefinitely, causing login failures for all users of those domains.
There is an obvious bug in the code that causes it (although I'm not sure what the solution should be):
In winbind_cache.c, function trusted_domains(), under the do_query label there is a call to the trusted_domains() method of the domain's backend. If this backend is ADS, trusted_domains() in winbindd_ads.c gets called. It calls cm_connect_netlogon() and if it fails, returns NT_STATUS_UNSUCCESSFUL. Now back in winbind_cache.c, this status is _not_ among the statuses that cause set_domain_offline() to get called, therefore the domain stays marked as online and the timer is not set to retry.

The problem seems to be the same as described in bug #3798, from 2006(!).
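The state the report describes (primary domain reported online by winbindd, trusted-domain list empty, no retry timer armed) can be spotted from the outside without reading winbindd's logs. The following diagnostic is an added example, not part of the bug report or of Samba: classify_winbind_state() takes the output of `wbinfo --online-status` and `wbinfo -m` and reports whether the running winbindd is in that state. The line formats it parses ("NAME : online|offline" per domain, one short name per line) are assumed from wbinfo's usual output and should be checked against the build in use; the sample output at the bottom is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added diagnostic for Samba bug 10006; not part of the bug report or of Samba.
# Detects the symptom described above: winbindd reports the primary domain
# "online", yet its trusted-domain list is empty, so no retry timer will
# ever refill it.
#
# Assumed output formats (verify against your wbinfo build):
#   wbinfo --online-status  ->  one "NAME : online|offline" line per domain
#   wbinfo -m               ->  one domain short name per line

# classify_winbind_state PRIMARY STATUS_OUTPUT TRUST_OUTPUT
# Prints one of: ok | symptom | offline | unknown
classify_winbind_state() {
    primary=$1
    status_out=$2
    trust_out=$3

    # State of the primary domain as winbindd sees it.
    primary_state=$(printf '%s\n' "$status_out" |
        awk -v d="$primary" '$1 == d && $2 == ":" { print $3; exit }')

    # Trusted domains other than BUILTIN and the primary domain itself.
    trust_count=$(printf '%s\n' "$trust_out" |
        awk -v d="$primary" 'NF && $1 != "BUILTIN" && $1 != d { n++ } END { print n + 0 }')

    case "$primary_state" in
        online)
            # Online but nothing trusted: the failure mode in this bug.
            if [ "$trust_count" -eq 0 ]; then echo symptom; else echo ok; fi ;;
        offline)
            # Marked offline; winbindd's retry timer should reconnect it.
            echo offline ;;
        *)
            # Primary domain not listed at all (wrong name, or winbindd down).
            echo unknown ;;
    esac
}

# Live check against the running winbindd (needs wbinfo and a running winbindd).
check_live() {
    primary=$(wbinfo --own-domain) || return 2
    classify_winbind_state "$primary" "$(wbinfo --online-status)" "$(wbinfo -m)"
}

# Constructed sample output, not captured from a real system.
SAMPLE_STATUS='BUILTIN : online
MYDOM : online'
SAMPLE_TRUSTS_OK='BUILTIN
MYDOM
PARTNER
VENDOR'

# Stand-alone demonstration on the constructed samples.
classify_winbind_state MYDOM "$SAMPLE_STATUS" "$SAMPLE_TRUSTS_OK"   # -> ok
classify_winbind_state MYDOM "$SAMPLE_STATUS" ""                    # -> symptom
```

Run check_live on a host showing the login failures: "symptom" is the state this report describes, and `smbcontrol winbindd online` asks winbindd to re-establish its domain connections, which is the manual equivalent of the retry the unarmed timer would have triggered. "offline" means the domain was marked correctly and winbindd is already retrying on its own.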
Comment 1 Andrew Bartlett 2013-07-15 07:37:43 UTC
Have you created a patch to test your theory?
Comment 2 Daniel Gan-Levi (dead mail address) 2013-07-15 07:46:33 UTC
(In reply to comment #1)
> Have you created a patch to test your theory?

As I have mentioned, I am not sure what the solution should be. I have added NT_STATUS_UNSUCCESSFUL to the list of the statuses that are checked against in trusted_domains() [winbind_cache.c], and yes, I saw the domain marked again as online after 10 seconds and the trusted domain list now gets populated. But that would be too broad a catch, wouldn't it?