If winbindd connects to a domain controller it doesn't establish the lsa connection over ncacn_ip_tcp directly. This happens only on demand. If someone does a 'net rpc testjoin' and then a wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in-memory copy of the schannel session key is invalidated. The long-term fix is to store the schannel client state in a tdb, but for now it's enough to catch the error and invalidate all the connections to the dc and reestablish the schannel session key. The fix for bug 7568 makes this worse, as it assumes winbindd's in-memory session key is always the current one.
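The failure and the interim workaround described in this report, modelled as an added example (not Samba code and not the attached patch). Every struct and function name is hypothetical, and the toy DC that accepts only the most recently negotiated key per machine account is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model, not Samba code: all names here are hypothetical. */
enum status { ST_OK, ST_ACCESS_DENIED, ST_SEC_PKG_ERROR };
struct dc { uint32_t current_key, counter; };   /* one key per machine account */
struct client { uint32_t cached_key; bool have_key; int negotiations; };

/* A new schannel negotiation replaces the key the model DC accepts. */
static void negotiate(struct dc *dc, struct client *c) {
    dc->current_key = ++dc->counter;
    c->cached_key = dc->current_key;
    c->have_key = true;
    c->negotiations++;
}

/* The model DC faults any call made with a superseded key. */
static enum status dc_call(const struct dc *dc, uint32_t key) {
    return key == dc->current_key ? ST_OK : ST_SEC_PKG_ERROR;
}

/* Before: trusts the in-memory key for as long as one is cached. */
static enum status lookup_naive(struct dc *dc, struct client *c) {
    if (!c->have_key) negotiate(dc, c);
    return dc_call(dc, c->cached_key);
}

/* Workaround: on the fault, drop cached state, renegotiate, retry once. */
static enum status lookup_retry(struct dc *dc, struct client *c) {
    enum status st = lookup_naive(dc, c);
    if (st == ST_ACCESS_DENIED || st == ST_SEC_PKG_ERROR) {
        c->have_key = false;        /* invalidate the cached session key */
        st = lookup_naive(dc, c);   /* a single retry bounds the recovery */
    }
    return st;
}

/* winbindd caches a key, a second tool renegotiates, winbindd looks up a name. */
enum status scenario(bool with_retry, int *winbindd_negotiations) {
    struct dc dc = {0, 0};
    struct client winbindd = {0, false, 0}, testjoin = {0, false, 0};
    lookup_naive(&dc, &winbindd);   /* winbindd establishes its key */
    negotiate(&dc, &testjoin);      /* stands in for 'net rpc testjoin' */
    enum status st = with_retry ? lookup_retry(&dc, &winbindd)
                                : lookup_naive(&dc, &winbindd);
    *winbindd_negotiations = winbindd.negotiations;
    return st;
}

int main(void) { int n; return scenario(true, &n) == ST_OK ? 0 : 1; }
```

The retry is limited to one attempt so that a fault with a different cause surfaces to the caller instead of triggering repeated renegotiation.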
Created attachment 6244: Patch for v3-5
Comment on attachment 6244 (Patch for v3-5): looks good
Karolin, please pick for 3.5
Pushed to v3-5-test. Closing out bug report. Thanks!