Problem description: With a samba 3.0.20 additional server in a Samba domain, when an invalid user connects to the additional server, the communications between the Samba domain controller and the additional server "get out of whack" and no new connections are then allowed on the samba additional server. To reproduce: Setup a samba domain. Samba DC should be any recent release. Setup an additional server w/ 3.0.20rc1 or latest from svn Connect to the additional server from windows w/ an invalid userid. C:\temp>net use \\as1lnx1\ipc$ /user:junk System error 1311 has occurred. There are currently no logon servers available to service the logon request. -- Then ALL attempts are rejected: C:\temp>net use k: \\as1lnx1\bmarsh System error 1311 has occurred. There are currently no logon servers available to service the logon request. You will see things like this in the log.wb-DOMAIN logs [2005/08/03 08:54:07, 2] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(795) 635816800: NTLM CRAP authentication for user [DOMAIN]\[wit6] returned NT_STATUS_NO_SUCH_USER (PAM: 10) JMCD states - Basically, the credentials chain involves each side computing the next credential from the previous one, and what happens is that a samba DC (yes, it's your DC that is broken, 3.0.20 is simply what made it show up) assumes that it should go to the next step, but that's not correct in certain cases (like NO_SUCH_USER). The winbindd client correctly assumes that it will pickup where it left off, which works against windows. I'm assuming that winbind just used to close connections more often. Also, the existence of the user was checked first, so a samlogon wasn't done in this case...we already knew from the normal nsswitch call that the user didn't exist.
I'll take this one. I've got a hack that patches it, but I'll clean it up.
Fixed by only updating credentials after we logon the user. r9112
updating version for future searches
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.