Bug 200 - net rpc changetrustpw interferes with winbinds connection-management
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0preX
Hardware: Other other
Importance: P2 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
Blocks: 382
Reported: 2003-07-03 03:04 UTC by Guenther Deschner
Modified: 2005-08-24 10:22 UTC

Description Guenther Deschner 2003-07-03 03:04:29 UTC
at one site where we use samba3beta2, a nightly machine-password-change rendered
winbind unusable (always returning ACCESS_DENIED).

once the password has been changed via rpc, winbind has no active NETLOGON-pipe
to our dc and is not trying to reestablish one. if you simply check for the
validity of your new machine password, the pipe seems to be reestablished.

[2003/07/03 11:43:23, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(38)
  [ 4398]: check machine account
[2003/07/03 11:43:23, 3] nsswitch/winbindd_cm.c:connection_ok(202)
  Connection to MYDC4 for domain MYDOMAIN (pipe \PIPE\NETLOGON) has NULL conn->cli!


very easy to reproduce:

mthelena:/home/gd # wbinfo -a MYDOMAIN\\SuSEAG%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

mthelena:/home/gd # net rpc changetrustpw -S mydc4

mthelena:/home/gd # wbinfo -a MYDOMAIN\\SuSEAG%secret
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user MYDOMAIN\SuSEAG%secret with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user MYDOMAIN\SuSEAG with challenge/response

mthelena:/home/gd # wbinfo -t
checking the trust secret via RPC calls succeeded

mthelena:/home/gd # wbinfo -a MYDOMAIN\\SuSEAG%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded
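
Added example, not part of the original report or of Samba's code: a small Python parser for the winbindd log format quoted in the description that flags connection_ok() entries reporting a NULL conn->cli on the NETLOGON pipe. The function names and the lsarpc log entry in the sample are constructed for illustration.

```python
import re
from datetime import datetime

# Samba debug logs use a header line followed by indented message lines.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\] "
    r"(?P<file>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
# Message emitted by connection_ok() as quoted in the report above.
DEAD_PIPE = re.compile(
    r"Connection to (?P<dc>\S+) for domain (?P<domain>\S+) "
    r"\(pipe (?P<pipe>\S+)\) has NULL conn->cli!")

def parse_entries(text):
    """Yield (timestamp, function, message) for each log entry."""
    entry = None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            if entry:
                yield entry[0], entry[1], " ".join(entry[2])
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            entry = (ts, m["func"], [])
        elif entry and raw[:1].isspace() and raw.strip():
            entry[2].append(raw.strip())  # continuation of the current entry
    if entry:
        yield entry[0], entry[1], " ".join(entry[2])

def find_dead_netlogon_pipes(text):
    """Return one finding per connection_ok() entry with a NULL cli on NETLOGON."""
    findings = []
    for ts, func, msg in parse_entries(text):
        m = DEAD_PIPE.search(msg)
        if func == "connection_ok" and m and m["pipe"].upper().endswith("NETLOGON"):
            findings.append({"time": ts, "dc": m["dc"], "domain": m["domain"]})
    return findings

# Constructed sample: the two entries quoted in the report plus a made-up lsarpc entry.
SAMPLE_LOG = r"""[2003/07/03 11:43:23, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(38)
  [ 4398]: check machine account
[2003/07/03 11:43:23, 3] nsswitch/winbindd_cm.c:connection_ok(202)
  Connection to MYDC4 for domain MYDOMAIN (pipe \PIPE\NETLOGON) has NULL conn->cli!
[2003/07/03 11:44:01, 3] nsswitch/winbindd_cm.c:connection_ok(202)
  Connection to MYDC4 for domain MYDOMAIN (pipe \PIPE\lsarpc) has NULL conn->cli!
"""

if __name__ == "__main__":
    for f in find_dead_netlogon_pipes(SAMPLE_LOG):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} NETLOGON pipe to {f['dc']} "
              f"({f['domain']}) has no client connection")
```

Run against a winbindd log captured after a scheduled trust password change, a finding here corresponds to the state in which the report saw NT_STATUS_ACCESS_DENIED until `wbinfo -t` was run.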

Comment 1 Gerald (Jerry) Carter (dead mail address) 2003-07-03 06:52:07 UTC
I can't reproduce this using beta2 + the wins-srv-is-dead.patch
against a Samba PDC.  Will try again using an NT4 PDC.

Comment 2 Guenther Deschner 2003-07-03 07:38:39 UTC
sorry. i forgot to mention: 

this was against a native win2k dc.

and yes, indeed. wins was marked dead in "net cache list". so i have put the dc
in "password server = mydc4".

Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-07-03 08:06:18 UTC
ok.  Reproduced.  Working on a fix.

Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-07-03 09:25:06 UTC
fixed.  Check out nsswitch/winbindd_pam.c from CVS and retest

Comment 5 Gerald (Jerry) Carter (dead mail address) 2005-02-07 08:39:09 UTC
originally reported against 3.0.0beta1.  Cleaning out 
non-production release versions.

Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:22:50 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.