s3:winbindd: let winbind_samlogon_retry_loop() fallback to NT_STATUS_NO_LOGON_SERVERS

When we were not able to get a valid response from any DC we should
report NT_STATUS_NO_LOGON_SERVERS with authoritative = 1.

This matches what windows does. In a chain of transitive
trusts the ACCESS_DENIED/authoritative=0 is not propagated,
instead NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
passed along the chain if there's no other DC is available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15413

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index d46abee0aedb5fc0a48be69fb19a02e69d4d6ead..ec643878e4cfdd183437cdfd0f3ca517c6fc0a16 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1637,6 +1637,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
        int attempts = 0;
        int netr_attempts = 0;
        bool retry = false;
+       bool valid_result = false;
        NTSTATUS result;
        enum netr_LogonInfoClass logon_type_i;
        enum netr_LogonInfoClass logon_type_n;
@@ -1817,6 +1818,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
                        continue;
                }
 
+               valid_result = true;
+
                if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
                        /*
                         * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
@@ -1843,6 +1846,25 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
        } while ( (attempts < 3) && retry );
 
+       if (!valid_result) {
+               /*
+                * This matches what windows does. In a chain of transitive
+                * trusts the ACCESS_DENIED/authoritative=0 is not propagated
+                * instead of NT_STATUS_NO_LOGON_SERVERS/authoritative=1 is
+                * passed along the chain if there's no other DC is available.
+                */
+               DBG_WARNING("Mapping %s/authoritative=%u to "
+                           "NT_STATUS_NO_LOGON_SERVERS/authoritative=1 for"
+                           "USERNAME[%s] USERDOMAIN[%s] REMOTE-DOMAIN[%s] \n",
+                           nt_errstr(result),
+                           *authoritative,
+                           username,
+                           domainname,
+                           domain->name);
+               *authoritative = 1;
+               return NT_STATUS_NO_LOGON_SERVERS;
+       }
+
        if (!NT_STATUS_IS_OK(result)) {
                return result;
        }