Bug 7944 - winbindd lsa ncacn_ip_tcp doesn't recover from ACCESS_DENIED/SEC_PKG_ERROR
Summary: winbindd lsa ncacn_ip_tcp doesn't recover from ACCESS_DENIED/SEC_PKG_ERROR
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.5.6
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 7568
Blocks:
  Show dependency treegraph
 
Reported: 2011-02-02 08:19 UTC by Stefan Metzmacher
Modified: 2013-10-13 11:51 UTC (History)
1 user (show)

See Also:

Attachments
Patch for v3-5 (5.35 KB, patch)
2011-02-02 22:09 UTC, Stefan Metzmacher 		gd: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2011-02-02 08:19:13 UTC 
If winbindd connects to a domain controller it doesn't establish the lsa connection over ncacn_ip_tcp direct. This happens only on demand.

If someone does a 'net rpc testjoin' and then a
wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with 
ACCESS_DENIED/SEC_PGK_ERROR, because winbindd's in memory copy
of the schannel session key is invalidated.

The long term fix is to store the schannel client state in a
tdb, but for now it's enough to catch the error and invalidate
the all connections to the dc and reestablish the schannel
session key.

The fix for bug 7568 make this worse, as it assumes
winbindd's in memory session key is always the current one.
Comment 1 Stefan Metzmacher 2011-02-02 22:09:51 UTC 
Created attachment 6244 [details]
Patch for v3-5
Comment 2 Guenther Deschner 2011-02-03 04:08:39 UTC 
Comment on attachment 6244 [details]
Patch for v3-5

looks good
Comment 3 Guenther Deschner 2011-02-03 04:09:06 UTC 
Karolin, please pick for 3.5
Comment 4 Karolin Seeger 2011-02-05 11:51:49 UTC 
Pushed to v3-5-test.
Closing out bug report.

Thanks!