winbindd: force netlogon reauth for certain errors in reset_cm_connection_on_error()
author Ralph Boehme <slow@samba.org>
Mon, 12 Mar 2018 12:39:59 +0000 (13:39 +0100)
committer Ralph Boehme <slow@samba.org>
Thu, 15 Mar 2018 14:46:09 +0000 (15:46 +0100)
NT_STATUS_RPC_SEC_PKG_ERROR is returned by the server if the server
doesn't know the server-side netlogon credentials anymore, e.g. after a
reboot. If this happens we must force a full netlogon reauth.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13332

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/winbindd/winbindd_dual_srv.c

index 861451c0fc926952e3b92deea58c8d5b72217809..10345fb81d24b63ca0d939ec82ccc9749a774427 100644 (file)
@@ -44,6 +44,14 @@ void _wbint_Ping(struct pipes_struct *p, struct wbint_Ping *r)
 bool reset_cm_connection_on_error(struct winbindd_domain *domain,
                                  NTSTATUS status)
 {
+       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+           NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+           NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+               invalidate_cm_connection(domain);
+               domain->conn.netlogon_force_reauth = true;
+               return true;
+       }
+
        if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
            NT_STATUS_EQUAL(status, NT_STATUS_IO_DEVICE_ERROR))
        {
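Review bot: The new condition at the top of reset_cm_connection_on_error() forces a netlogon reauth for three status codes, but the commit message only gives a reason for NT_STATUS_RPC_SEC_PKG_ERROR, and the code carries no comment at all. NT_STATUS_ACCESS_DENIED and NT_STATUS_NETWORK_ACCESS_DENIED can also be returned for reasons unrelated to stale netlogon credentials, so please add a comment above the `if` stating why each of the three codes is treated as "server lost our credentials", and why setting `domain->conn.netlogon_force_reauth = true` is safe when the denial was a genuine authorization failure rather than a lost session. Minor style point: the added block puts the opening brace on the same line as the condition, while the existing NT_STATUS_IO_TIMEOUT block directly below puts it on its own line; one of the two should be made consistent.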