From 65f35a5bf327efc1eb7a4968bfb55935872d500b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 4 Jul 2023 14:12:03 +0200
Subject: [PATCH] s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS

When we were not able to get a valid response from any DC we should report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1. This matches what windows does. In a chain of transitive trusts the ACCESS_DENIED/authoritative=0 is not propagated, instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is passed along the chain if there's no other DC is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
Reviewed-by: Volker Lendecke

(cherry picked from commit 50e771c12f84f9268c2e9ddeef0965f79f85de3d)

Autobuild-User(v4-17-test): Jule Anger
Autobuild-Date(v4-17-test): Thu Jul 6 13:29:28 UTC 2023 on sn-devel-184
---
 source3/winbindd/winbindd_pam.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9953ffeb94b..b1acc7efabc 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1637,6 +1637,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 int attempts = 0;
 int netr_attempts = 0;
 bool retry = false;
+ bool valid_result = false;
 NTSTATUS result;
 enum netr_LogonInfoClass logon_type_i;
 enum netr_LogonInfoClass logon_type_n;
@@ -1817,6 +1818,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 continue;
 }
 
+ valid_result = true;
+
 if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
 /*
 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
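Review bot: In the second hunk (`@@ -1817`), `valid_result = true;` is reached for every reply that gets past the `continue` guard above it, including the NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE branch that follows, so the flag means "a DC answered the SamLogon call" rather than "a usable logon result was obtained"; a comment such as `/* a DC answered; result holds its reply, success or failure */` would make that distinction explicit for the mapping done after the loop. The surrounding loop body starts and ends outside the hunk, so whether every no-reply path goes through that `continue` cannot be confirmed from here.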
@@ -1843,6 +1846,25 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 } while ( (attempts < 3) && retry );
 
+ if (!valid_result) {
+ /*
+ * This matches what windows does. In a chain of transitive
+ * trusts the ACCESS_DENIED/authoritative=0 is not propagated
+ * instead of NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
+ * passed along the chain if there's no other DC is available.
+ */
+ DBG_WARNING("Mapping %s/authoritative=%u to "
+ "NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for"
+ "USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s] \n",
+ nt_errstr(result),
+ *authoritative,
+ username,
+ domainname,
+ domain->name);
+ *authoritative = 1;
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
 if (!NT_STATUS_IS_OK(result)) {
 return result;
 }
 
-- 
2.47.2
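Review bot: The DBG_WARNING format string concatenates `"...authoritative=1 for"` directly with `"USERNAME[%s] ..."`, so the emitted log line reads `forUSERNAME[...]`, and it also carries a stray space before `\n`; the fix is `"NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for "` on the second string and `"USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s]\n"` on the third. Since this warning is the only record a defender gets that a non-authoritative DC answer was rewritten into NT_STATUS_NO_LOGON_SERVERS, it is worth having it parse cleanly. The new block comment is also garbled ("is not propagated instead of ... is passed along the chain if there's no other DC is available"); I would reword it to `* trusts ACCESS_DENIED/authoritative=0 is not propagated; instead` / `* NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is passed along the` / `* chain if no other DC is available.` Finally, `nt_errstr(result)` in the `!valid_result` path reads `result`, which the first hunk declares without an initializer; this is only safe if every `continue` before `valid_result = true` has already assigned it, and the loop body lies outside the hunks so I cannot confirm that here.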