winbindd_ads: prevent negative GM/ cache entries due to broken connections
authorMichael Adam <obnox@samba.org>
Thu, 20 Nov 2008 22:26:35 +0000 (23:26 +0100)
committerMichael Adam <obnox@samba.org>
Fri, 21 Nov 2008 22:33:33 +0000 (23:33 +0100)
The ads lookup_groupmem() function calls lsa_lookupsids to resolve sids
to names. This is tried only once. So in case the connection was broken,
e.g. closed by the server (without a reset packet), there will be an empty
GM/ cache entry for the requested group, which will prevent access checks
(among other checks) from working properly for the expiry period.

This patch works around this problem by retrying once if the lsa_lookupsids
call fails, re-establishing the dc-connection, as we already do in many other
places (e.g. the winbindd retry methods for the rpc layer).

Michael

source/winbindd/winbindd_ads.c

index bc8902dc807717e8c2245ae45f3215f34569fbed..5906c07200f31ee2d306c01b830c01fabbd0349b 100644 (file)
@@ -1080,6 +1080,29 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
                                                &names_nocache,
                                                &name_types_nocache);
 
+               if (!(NT_STATUS_IS_OK(status) ||
+                     NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED) ||
+                     NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)))
+               {
+                       DEBUG(1, ("lsa_lookupsids call failed with %s "
+                                 "- retrying...\n", nt_errstr(status)));
+
+                       status = cm_connect_lsa(domain, tmp_ctx, &cli,
+                                               &lsa_policy);
+
+                       if (!NT_STATUS_IS_OK(status)) {
+                               goto done;
+                       }
+
+                       status = rpccli_lsa_lookup_sids(cli, tmp_ctx,
+                                                       &lsa_policy,
+                                                       num_nocache,
+                                                       sid_mem_nocache,
+                                                       &domains_nocache,
+                                                       &names_nocache,
+                                                       &name_types_nocache);
+               }
+
                if (NT_STATUS_IS_OK(status) ||
                    NT_STATUS_EQUAL(status, STATUS_SOME_UNMAPPED))
                {
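Review bot: The retry condition in the added `if` fires on every status other than OK, STATUS_SOME_UNMAPPED and NT_STATUS_NONE_MAPPED, so failures unrelated to a dropped connection also cause a reconnect and a second RPC. If that is intended, a comment above the block such as `/* retry once: the cached LSA pipe may have been closed by the DC */` would record why. The hunk does not show the cached connection being invalidated before `cm_connect_lsa()` is called; if that function can hand back the same stale pipe, the second `rpccli_lsa_lookup_sids()` would fail the same way, so this is worth confirming against the connection manager. A failed reconnect jumps to `done`, but a failed second lookup falls through to the status check after the block without its own log line. Whether that path still leaves an empty GM/ entry cannot be told from here, because lookup_groupmem() begins and ends outside the hunk.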