The branch, v3-5-test has been updated
       via  2a9accd85e992798ee36cb1ea74ed06f5379be3d (commit)
       via  d76c914adc17e4374c9e21b6733514fd7ad9bdac (commit)
      from  2fa98946d9eb3d0b6973dfaeadc55c8112ec30e1 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 2a9accd85e992798ee36cb1ea74ed06f5379be3d
Author: Günther Deschner <g...@samba.org>
Date:   Mon Oct 5 17:05:38 2009 +0200

    s3-winbindd: make sure to reset connections when machine account password 
change chain was broken.
    
    Guenther
    (cherry picked from commit c344bf0184be484fff8bb5ed93b5c2ca6de58611)

commit d76c914adc17e4374c9e21b6733514fd7ad9bdac
Author: Günther Deschner <g...@samba.org>
Date:   Mon Oct 5 17:04:52 2009 +0200

    s3-netlogon: setup NETLOGON credential chain in 
rpccli_netlogon_set_trust_password() only when needed.
    
    Guenther
    (cherry picked from commit 0c2fc9eedf241746067d1625f643c894bfa11394)

-----------------------------------------------------------------------

Summary of changes:
 source3/rpc_client/cli_netlogon.c |   27 ++++++++++++++-------------
 source3/winbindd/winbindd_dual.c  |    8 ++++++++
 2 files changed, 22 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/rpc_client/cli_netlogon.c 
b/source3/rpc_client/cli_netlogon.c
index 911a50f..6caffd7 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -518,19 +518,20 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct 
rpc_pipe_client *cli,
        uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
        struct netr_Authenticator clnt_creds, srv_cred;
 
-       result = rpccli_netlogon_setup_creds(cli,
-                                            cli->desthost, /* server name */
-                                            lp_workgroup(), /* domain */
-                                            global_myname(), /* client name */
-                                            global_myname(), /* machine 
account name */
-                                            orig_trust_passwd_hash,
-                                            sec_channel_type,
-                                            &neg_flags);
-
-       if (!NT_STATUS_IS_OK(result)) {
-               DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup 
creds (%s)!\n",
-                        nt_errstr(result)));
-               return result;
+       if (!cli->dc) {
+               result = rpccli_netlogon_setup_creds(cli,
+                                                    cli->desthost, /* server 
name */
+                                                    lp_workgroup(), /* domain 
*/
+                                                    global_myname(), /* client 
name */
+                                                    global_myname(), /* 
machine account name */
+                                                    orig_trust_passwd_hash,
+                                                    sec_channel_type,
+                                                    &neg_flags);
+               if (!NT_STATUS_IS_OK(result)) {
+                       DEBUG(3,("rpccli_netlogon_set_trust_password: unable to 
setup creds (%s)!\n",
+                                nt_errstr(result)));
+                       return result;
+               }
        }
 
        netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
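Review bot: When `cli->dc` is already set, the new `if (!cli->dc)` guard skips `rpccli_netlogon_setup_creds()`, so `neg_flags` keeps its initializer `NETLOGON_NEG_AUTH2_ADS_FLAGS` instead of the flags negotiated for the chain being reused. If the rest of the function (outside this hunk) branches on `neg_flags` to decide how the password is set, that decision may not match what the server agreed to for the existing session. In the reuse case the flags should come from the existing credential state. The reuse also assumes the cached chain is still in step with the DC, which deserves a comment above the guard, e.g. `/* Reuse an established NETLOGON credential chain; negotiate a new one only when none exists. */`.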
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index edf784c..a832451 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -1100,6 +1100,14 @@ static void machine_password_change_handler(struct 
event_context *ctx,
                DEBUG(10,("machine_password_change_handler: "
                        "failed to change machine password: %s\n",
                         nt_errstr(result)));
+               if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
+                       DEBUG(3,("machine_password_change_handler: password set 
returned "
+                               "ACCESS_DENIED.  Maybe the trust account "
+                               "password was changed and we didn't know it. "
+                               "Killing connections to domain %s\n",
+                               child->domain->name));
+                       invalidate_cm_connection(&child->domain->conn);
+               }
        } else {
                DEBUG(10,("machine_password_change_handler: "
                        "successfully changed machine password\n"));
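Review bot: The connection is reset only for `NT_STATUS_ACCESS_DENIED`, but any failure after the client authenticator has been stepped can presumably leave the cached credential chain out of step with the DC. Because `rpccli_netlogon_set_trust_password()` in this changeset now reuses an existing `cli->dc`, a stale chain would be picked up again on the next attempt. Consider calling `invalidate_cm_connection(&child->domain->conn);` for every failed result, or add a comment explaining why only ACCESS_DENIED qualifies. A possibly broken machine trust is something an operator would want to see, and `DEBUG(3, ...)` may sit below the configured log level on many hosts, so a lower level could be considered. The handler's body starts and ends outside this hunk.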


-- 
Samba Shared Repository
