s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS
authorStefan Metzmacher <metze@samba.org>
Tue, 4 Jul 2023 12:12:03 +0000 (14:12 +0200)
committerJule Anger <janger@samba.org>
Thu, 6 Jul 2023 13:29:28 +0000 (13:29 +0000)
When we were not able to get a valid response from any DC we should
report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1.

This matches what windows does. In a chain of transitive
trusts the ACCESS_DENIED/authoritative=0 is not propagated,
instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
passed along the chain if no other DC is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 50e771c12f84f9268c2e9ddeef0965f79f85de3d)

Autobuild-User(v4-17-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-17-test): Thu Jul  6 13:29:28 UTC 2023 on sn-devel-184

source3/winbindd/winbindd_pam.c

index 9953ffeb94b175a9ace9acc854df71bd3c982c64..b1acc7efabcaf3b532c670870773ee05ea34e031 100644 (file)
@@ -1637,6 +1637,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
        int attempts = 0;
        int netr_attempts = 0;
        bool retry = false;
+       bool valid_result = false;
        NTSTATUS result;
        enum netr_LogonInfoClass logon_type_i;
        enum netr_LogonInfoClass logon_type_n;
@@ -1817,6 +1818,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
                        continue;
                }
 
+               valid_result = true;
+
                if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
                        /*
                         * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
@@ -1843,6 +1846,25 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
        } while ( (attempts < 3) && retry );
 
+       if (!valid_result) {
+               /*
+                * This matches what windows does. In a chain of transitive
+                * trusts the ACCESS_DENIED/authoritative=0 is not propagated
+                * instead of NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
+                * passed along the chain if there's no other DC is available.
+                */
+               DBG_WARNING("Mapping %s/authoritative=%u to "
+                           "NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for"
+                           "USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s] \n",
+                           nt_errstr(result),
+                           *authoritative,
+                           username,
+                           domainname,
+                           domain->name);
+               *authoritative = 1;
+               return NT_STATUS_NO_LOGON_SERVERS;
+       }
+
        if (!NT_STATUS_IS_OK(result)) {
                return result;
        }
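Review bot: The two string-literal pieces of the DBG_WARNING format in the new `if (!valid_result)` block are concatenated without a separator, so the message is logged as `...authoritative=1 forUSERNAME[...]`, and it also carries a stray space before the `\n`; change the second literal to `"NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for "` and end the third with `"REMOTE-DOMAIN[%s]\n"`. The comment above it reads oddly ("is not propagated instead of ... is passed along the chain if there's no other DC is available"); suggest `* trusts ACCESS_DENIED/authoritative=0 is not propagated; instead` / `* NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is passed along the chain` / `* when no other DC is available.`. `nt_errstr(result)` here reads `result`, which the first hunk shows declared without an initializer; if every path to the `continue` at the top of the second hunk assigns it first this is fine, otherwise the fallback logs an indeterminate value and initialising it in the declaration, e.g. `NTSTATUS result = NT_STATUS_UNSUCCESSFUL;`, would be the safer shape (the loop body between the hunks is not visible here). winbind_samlogon_retry_loop() begins before and continues after this hunk.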