Bug 3095 - winbindd gives NT_STATUS_INVALID_HANDLE after unsuccessfull auth
Summary: winbindd gives NT_STATUS_INVALID_HANDLE after unsuccessfull auth
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-14 04:30 UTC by Radek Bohunsky
Modified: 2005-09-16 10:01 UTC (History)
0 users

See Also:

Attachments
Steps to reproduce (1.12 KB, text/plain)
2005-09-14 04:32 UTC, Radek Bohunsky 		no flags Details
winbind debug (154.14 KB, text/plain)
2005-09-14 04:33 UTC, Radek Bohunsky 		no flags Details
Possible fix (1.01 KB, patch)
2005-09-15 09:26 UTC, Volker Lendecke 		no flags Details
Patch for HEAD. (1.47 KB, patch)
2005-09-15 10:26 UTC, Jeremy Allison 		no flags Details
Patch I've applied to 3.0 (1.65 KB, patch)
2005-09-16 09:18 UTC, Jeremy Allison 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Radek Bohunsky 2005-09-14 04:30:09 UTC 
After one failed authentication, winbind refuses all next authentication
attempts with NT_STATUS_INVALID_HANDLE message. The same with 3.0.14a was
without problems. Problem is reproduceable anytimes, for example with wbinfo -a
command.
winbindd_v1.patch only gives more info, the problem outlasts.
Expected results are obtained form wbinfo -t, wbinfo -u, etc. anytime, only
wbinfo -m gives nothing (already before failed auth).
PDC is samba-3.0.14a.
I tried some smb.conf changes (caching, schannel, signing, spnego), but without
any effect.
Comment 1 Radek Bohunsky 2005-09-14 04:32:11 UTC 
Created attachment 1443 [details]
Steps to reproduce

Steps to reproduce with winbind responses
Comment 2 Radek Bohunsky 2005-09-14 04:33:05 UTC 
Created attachment 1444 [details]
winbind debug

winbindd -Find 10 output form wbinfo attempts from previous attachement
Comment 3 Volker Lendecke 2005-09-15 08:15:37 UTC 
Just a quick info: Got it reproduced. The credential chain check fails on the
3.0.14a PDC. Strange....

Volker
Comment 4 Volker Lendecke 2005-09-15 09:26:32 UTC 
Created attachment 1446 [details]
Possible fix

Could you try the attached patch? This fixes it for me.

This is *very* weird, I tested the original and this version against NT4, W2k3
and Samba3.0.14a. Only Samba3.0.14a complained, the others seemed a lot more
liberal.

Jerry, Jeremy: Could you take a look at the patch?

Thanks,

Volker
Comment 5 Jeremy Allison 2005-09-15 10:26:00 UTC 
Volker can you pull jcmd and maybe jpjanoski into this as I believe this may be
related to a change they made here (from svn blame on 3.0) :

 9112       jmcd       /* moved from right after deal_with_creds above, since we
weren't
  9112       jmcd          supposed to update unless logon was successful */
  9112       jmcd
  9112       jmcd       reseed_client_creds(&p->dc.clnt_cred,
&q_u->sam_id.client.cred);
  9112       jmcd       memcpy(&p->dc.srv_cred, &p->dc.clnt_cred,
sizeof(p->dc.clnt_cred));

I've changed this for HEAD and I think I need to check this more carefully to
ensure I've got this right.
Jeremy.
Comment 6 Jeremy Allison 2005-09-15 10:26:52 UTC 
Created attachment 1447 [details]
Patch for HEAD.

Here's an attachment showing how I've fixed this in HEAD. I think this is
correct (although it's hard to check right now as I'm out of the office).
Jeremy.
Comment 7 Radek Bohunsky 2005-09-16 08:40:22 UTC 
Attached patch (1446) fixed problem for me too. Thanks.
Only problem with "wbinfo -m" (no output) remains (only cosmetic problem :-). Do
you have this problem too, or it's only some my misconfiguration?
Comment 8 Jeremy Allison 2005-09-16 09:18:12 UTC 
Created attachment 1451 [details]
Patch I've applied to 3.0

Ok, here's how I've fixed this in SVN.
Jeremy.
Comment 9 Jeremy Allison 2005-09-16 10:01:00 UTC 
Fixed by svn patch I think.
Jeremy.