From: Andrew Tridgell Date: Thu, 1 Nov 2012 02:30:47 +0000 (+1100) Subject: s4-librpc: try a 2nd logon for more error cases X-Git-Tag: ldb-1.1.14~83 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5d6ae3498ad77ccdb7a8b3a316d7aa86c2f0c56a;p=thirdparty%2Fsamba.git s4-librpc: try a 2nd logon for more error cases not all servers give LOGON_FAILURE on authentication failures, so we need to do the retry with a new ticket on a wider range of error types Pair-Programmed-With: Andrew Bartlett --- diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 15847efa9df..2a0c40566d7 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -396,7 +396,13 @@ static void continue_auth_auto(struct composite_context *ctx) s->binding); composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c); return; - } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) { + } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE) || + NT_STATUS_EQUAL(c->status, NT_STATUS_UNSUCCESSFUL)) { + /* + try a second time on any error. We don't just do it + on LOGON_FAILURE as some servers will give a + NT_STATUS_UNSUCCESSFUL on a authentication error on RPC + */ const char *principal; principal = gensec_get_target_principal(s->pipe->conn->security_state.generic_state); @@ -408,8 +414,9 @@ static void continue_auth_auto(struct composite_context *ctx) } } - if (cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries) || - cli_credentials_wrong_password(s->credentials)) { + if ((cli_credentials_failed_kerberos_login(s->credentials, principal, &s->logon_retries) || + cli_credentials_wrong_password(s->credentials)) && + s->binding->endpoint != NULL) { /* * Retry SPNEGO with a better password * send a request for secondary rpc connection