In order to get more protection against external schannel session resets, we should try netr_Validation level 6 if the server supports it and fall back to level 3 if not. This is related to https://bugzilla.samba.org/show_bug.cgi?id=7568 and https://bugzilla.samba.org/show_bug.cgi?id=7944. The long-term fix is to store the schannel client state in a tdb, but for now it's enough to catch the error, invalidate all the connections to the DC and re-establish the schannel session key.
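As an added illustration (not the patch attached to this bug and not Samba's own code), a self-contained C mock of the client logic the description calls for: request validation level 6, fall back to level 3 when the DC rejects the level, and on a schannel failure drop the cached connection state and re-authenticate once before retrying. The mock DC, the session keys and the choice of NTSTATUS code that signals an unsupported level are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Assumed NTSTATUS codes for the two failure cases (the values are genuine NTSTATUS codes;
 * which one a DC returns for an unsupported validation level is an assumption here). */
typedef uint32_t NTSTATUS;
#define NT_STATUS_OK                 0x00000000u
#define NT_STATUS_INVALID_INFO_CLASS 0xC0000003u  /* DC rejects validation level 6 */
#define NT_STATUS_ACCESS_DENIED      0xC0000022u  /* DC's schannel state no longer matches ours */
struct mock_dc { uint8_t session_key[16]; bool supports_level6; }; /* constructed stand-in DC */
struct dc_conn { uint8_t session_key[16]; bool valid; };           /* client-side schannel state */
static int reauth_count;                                            /* re-authentications in last run */
/* Mock NetrLogonSamLogon: the DC cannot verify our credential when the keys differ. */
static NTSTATUS mock_sam_logon(const struct mock_dc *dc, const struct dc_conn *c, int level) {
    if (memcmp(dc->session_key, c->session_key, sizeof c->session_key) != 0) return NT_STATUS_ACCESS_DENIED;
    if (level == 6 && !dc->supports_level6) return NT_STATUS_INVALID_INFO_CLASS;
    return NT_STATUS_OK;
}
/* Mock of a fresh ServerAuthenticate3 exchange: adopt the DC's current session key. */
static void reestablish_schannel(const struct mock_dc *dc, struct dc_conn *c) {
    memcpy(c->session_key, dc->session_key, sizeof c->session_key);
    c->valid = true;
    reauth_count++;
}
/* Try level 6 and fall back to 3; on a schannel failure invalidate the cached state and
 * re-authenticate once before retrying. Returns the level that succeeded, or -1. */
int sam_logon_with_fallback(const struct mock_dc *dc, struct dc_conn *c) {
    int level = 6, reauths = 0;
    for (;;) {
        if (!c->valid) reestablish_schannel(dc, c);
        NTSTATUS s = mock_sam_logon(dc, c, level);
        if (s == NT_STATUS_OK) return level;
        if (s == NT_STATUS_INVALID_INFO_CLASS && level == 6) { level = 3; continue; }
        if (s == NT_STATUS_ACCESS_DENIED && reauths++ == 0) { c->valid = false; continue; }
        return -1;
    }
}
/* Constructed scenario: 0xAA is the DC's current key; a stale 0xBB key models an external reset. */
int run_scenario(bool supports_level6, bool stale_key) {
    struct mock_dc dc = { {0}, supports_level6 };
    struct dc_conn c = { {0}, true };
    memset(dc.session_key, 0xAA, sizeof dc.session_key);
    memset(c.session_key, stale_key ? 0xBB : 0xAA, sizeof c.session_key);
    reauth_count = 0;
    return sam_logon_with_fallback(&dc, &c);
}
int reauths_in_last_run(void) { return reauth_count; }
```

A stale key on a level-6-capable DC costs exactly one re-authentication and then succeeds at level 6; on an older DC the same run re-authenticates once and then lands on level 3.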
Created attachment 6245: Backport Patch for v3-5-test

GD: Please also test the RPC bind stuff with "net rpc testjoin" to make sure that the user session key is correct. Kai: if you have a chance, please also test it.
I'll test winbind with the applied test. Looks good for now. I've let them try this until this Friday and will give another comment then. Björn
Comment on attachment 6245 (Backport Patch for v3-5-test): tested with w2k and w2k8r2 DCs, looks good.
Karolin, please add to 3.5
Pushed to v3-5-test. Closing out bug report. Thanks!