s3: Deal with races for password changes
author Volker Lendecke <vl@samba.org>
Thu, 19 Nov 2009 16:16:54 +0000 (17:16 +0100)
committer Michael Adam <obnox@samba.org>
Wed, 10 Mar 2010 12:22:17 +0000 (13:22 +0100)
When two winbinds (in a cluster) change the password at the same time, the
later one gets an NT_STATUS_ACCESS_DENIED. The netlogon session works fine, but
the next time we retry the pwchange, we again get NT_STATUS_ACCESS_DENIED. This
code deals with this race by dropping just the NETLOGON pipe. The next caller
will re-open it automatically with the changed machine credentials.

With this race in place, we also have to recalculate the timeout for the next
pwchange event.

Signed-off-by: Michael Adam <obnox@samba.org>
source3/winbindd/winbindd_dual.c

index 6295c0adada9a8256c4e55eae39516c84d0349b1..40700db6649b33b3325aefb7f2c9e6fe8b427b19 100644 (file)
@@ -979,6 +979,21 @@ static void machine_password_change_handler(struct event_context *ctx,
                   "trust_pw_find_change_and_store_it returned %s\n",
                   nt_errstr(result)));
 
+       if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
+               DEBUG(10, ("Dropping the NETLOGON connection, someone else "
+                          "changed the machine password simultaneously\n"));
+               TALLOC_FREE(child->domain->conn.netlogon_pipe);
+       }
+
+       if (!calculate_next_machine_pwd_change(child->domain->name,
+                                              &next_change)) {
+               DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
+               return;
+       }
+
+       DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
+                  timeval_string(talloc_tos(), &next_change, false)));
+
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(10,("machine_password_change_handler: "
                        "failed to change machine password: %s\n",
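Review bot: the early `return` taken when `calculate_next_machine_pwd_change()` fails sits above the existing `!NT_STATUS_IS_OK(result)` block, so on that path the "failed to change machine password" message is never logged, and anything further down in the handler that re-arms the change event is skipped as well. It is worth confirming that the timer is still rescheduled in that case, and logging the failure at a lower debug level than 10 so it is visible in normal operation. Separately, the `NT_STATUS_ACCESS_DENIED` branch treats every access-denied result as a simultaneous change by another node, and the DEBUG text states that as fact. Wording it as the likely cause, and including `child->domain->name` in the message, would make a genuine machine-credential problem easier to tell apart from the cluster race when the NETLOGON pipe is dropped.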