Bug 3095 - winbindd gives NT_STATUS_INVALID_HANDLE after unsuccessfull auth
winbindd gives NT_STATUS_INVALID_HANDLE after unsuccessfull auth
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.20
x86 Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-14 04:30 UTC by Radek Bohunsky
Modified: 2005-09-16 10:01 UTC (History)
0 users

See Also:


Attachments
Steps to reproduce (1.12 KB, text/plain)
2005-09-14 04:32 UTC, Radek Bohunsky
no flags Details
winbind debug (154.14 KB, text/plain)
2005-09-14 04:33 UTC, Radek Bohunsky
no flags Details
Possible fix (1.01 KB, patch)
2005-09-15 09:26 UTC, Volker Lendecke
no flags Details
Patch for HEAD. (1.47 KB, patch)
2005-09-15 10:26 UTC, Jeremy Allison
no flags Details
Patch I've applied to 3.0 (1.65 KB, patch)
2005-09-16 09:18 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Radek Bohunsky 2005-09-14 04:30:09 UTC
After one failed authentication, winbind refuses all next authentication
attempts with NT_STATUS_INVALID_HANDLE message. The same with 3.0.14a was
without problems. Problem is reproduceable anytimes, for example with wbinfo -a
command.
winbindd_v1.patch only gives more info, the problem outlasts.
Expected results are obtained form wbinfo -t, wbinfo -u, etc. anytime, only
wbinfo -m gives nothing (already before failed auth).
PDC is samba-3.0.14a.
I tried some smb.conf changes (caching, schannel, signing, spnego), but without
any effect.
Comment 1 Radek Bohunsky 2005-09-14 04:32:11 UTC
Created attachment 1443 [details]
Steps to reproduce

Steps to reproduce with winbind responses
Comment 2 Radek Bohunsky 2005-09-14 04:33:05 UTC
Created attachment 1444 [details]
winbind debug

winbindd -Find 10 output form wbinfo attempts from previous attachement
Comment 3 Volker Lendecke 2005-09-15 08:15:37 UTC
Just a quick info: Got it reproduced. The credential chain check fails on the
3.0.14a PDC. Strange....

Volker
Comment 4 Volker Lendecke 2005-09-15 09:26:32 UTC
Created attachment 1446 [details]
Possible fix

Could you try the attached patch? This fixes it for me.

This is *very* weird, I tested the original and this version against NT4, W2k3
and Samba3.0.14a. Only Samba3.0.14a complained, the others seemed a lot more
liberal.

Jerry, Jeremy: Could you take a look at the patch?

Thanks,

Volker
Comment 5 Jeremy Allison 2005-09-15 10:26:00 UTC
Volker can you pull jcmd and maybe jpjanoski into this as I believe this may be
related to a change they made here (from svn blame on 3.0) :

 9112       jmcd       /* moved from right after deal_with_creds above, since we
weren't
  9112       jmcd          supposed to update unless logon was successful */
  9112       jmcd
  9112       jmcd       reseed_client_creds(&p->dc.clnt_cred,
&q_u->sam_id.client.cred);
  9112       jmcd       memcpy(&p->dc.srv_cred, &p->dc.clnt_cred,
sizeof(p->dc.clnt_cred));

I've changed this for HEAD and I think I need to check this more carefully to
ensure I've got this right.
Jeremy.
Comment 6 Jeremy Allison 2005-09-15 10:26:52 UTC
Created attachment 1447 [details]
Patch for HEAD.

Here's an attachment showing how I've fixed this in HEAD. I think this is
correct (although it's hard to check right now as I'm out of the office).
Jeremy.
Comment 7 Radek Bohunsky 2005-09-16 08:40:22 UTC
Attached patch (1446) fixed problem for me too. Thanks.
Only problem with "wbinfo -m" (no output) remains (only cosmetic problem :-). Do
you have this problem too, or it's only some my misconfiguration?
Comment 8 Jeremy Allison 2005-09-16 09:18:12 UTC
Created attachment 1451 [details]
Patch I've applied to 3.0

Ok, here's how I've fixed this in SVN.
Jeremy.
Comment 9 Jeremy Allison 2005-09-16 10:01:00 UTC
Fixed by svn patch I think.
Jeremy.