Bug 7944 - winbindd lsa ncacn_ip_tcp doesn't recover from ACCESS_DENIED/SEC_PKG_ERROR
Summary: winbindd lsa ncacn_ip_tcp doesn't recover from ACCESS_DENIED/SEC_PKG_ERROR
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.5.6
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on: 7568
  Show dependency treegraph
Reported: 2011-02-02 08:19 UTC by Stefan Metzmacher
Modified: 2013-10-13 11:51 UTC (History)
1 user (show)

See Also:

Patch for v3-5 (5.35 KB, patch)
2011-02-02 22:09 UTC, Stefan Metzmacher
gd: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2011-02-02 08:19:13 UTC
If winbindd connects to a domain controller it doesn't establish the lsa connection over ncacn_ip_tcp direct. This happens only on demand.

If someone does a 'net rpc testjoin' and then a
wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with 
ACCESS_DENIED/SEC_PGK_ERROR, because winbindd's in memory copy
of the schannel session key is invalidated.

The long term fix is to store the schannel client state in a
tdb, but for now it's enough to catch the error and invalidate
the all connections to the dc and reestablish the schannel
session key.

The fix for bug 7568 make this worse, as it assumes
winbindd's in memory session key is always the current one.
Comment 1 Stefan Metzmacher 2011-02-02 22:09:51 UTC
Created attachment 6244 [details]
Patch for v3-5
Comment 2 Guenther Deschner 2011-02-03 04:08:39 UTC
Comment on attachment 6244 [details]
Patch for v3-5

looks good
Comment 3 Guenther Deschner 2011-02-03 04:09:06 UTC
Karolin, please pick for 3.5
Comment 4 Karolin Seeger 2011-02-05 11:51:49 UTC
Pushed to v3-5-test.
Closing out bug report.