Bug 200 - net rpc changetrustpw interferes with winbinds connection-management
net rpc changetrustpw interferes with winbinds connection-management
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0preX
Other other
: P2 major
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks: 382
  Show dependency treegraph
 
Reported: 2003-07-03 03:04 UTC by Guenther Deschner
Modified: 2005-08-24 10:22 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Guenther Deschner 2003-07-03 03:04:29 UTC
one site where we use samba3beta2 a nightly machine-password-change rendered
winbind unusable (always returning ACCESS_DENIED).

once the password has been changed via rpc, winbind has no active NETLOGON-pipe
to our dc and is not trying to reestablish one. if you simply check for the
validity of your new machine password, the pipe seems to be reestablished.

[2003/07/03 11:43:23, 3] nsswitch/winbindd_misc.c:winbindd_check_machine_acct(38)
  [ 4398]: check machine account
[2003/07/03 11:43:23, 3] nsswitch/winbindd_cm.c:connection_ok(202)
  Connection to MYDC4 for domain MYDOMAIN (pipe \PIPE\NETLOGON) has NULL conn->cli!


very easy to reproduce:

mthelena:/home/gd # wbinfo -a MYDOMAIN\\SuSEAG%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

mthelena:/home/gd # net rpc changetrustpw -S mydc4

mthelena:/home/gd # wbinfo -a MYDOMAIN\\SuSEAG%secret
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user MYDOMAIN\SuSEAG%secret with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user MYDOMAIN\SuSEAG with challenge/response

mthelena:/home/gd # wbinfo -t
checking the trust secret via RPC calls succeeded

mthelena:/home/gd # wbinfo -a MYDOMAIN\\SuSEAG%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded
Comment 1 Gerald (Jerry) Carter 2003-07-03 06:52:07 UTC
I can't reproduce this using beta2 + the wins-srv-is-dead.patch
against a Samba PDC.  Will try again using an NT4 PDC.
Comment 2 Guenther Deschner 2003-07-03 07:38:39 UTC
sorry. i forgot to mention: 

this was against a native win2k dc.

and yes, indeed. wins was marked dead in "net cache list". so i have put the dc
in "password server = mydc4".
Comment 3 Gerald (Jerry) Carter 2003-07-03 08:06:18 UTC
ok.  Reproduced.  Working on a fix.
Comment 4 Gerald (Jerry) Carter 2003-07-03 09:25:06 UTC
fixed.  Checkout nsswitch/winbindd_pam.c from CVS and retest
Comment 5 Gerald (Jerry) Carter 2005-02-07 08:39:09 UTC
originally reported against 3.0.0beta1.  CLeaning out 
non-production release versions.
Comment 6 Gerald (Jerry) Carter 2005-08-24 10:22:50 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.