s3:winbindd: catch lookup_names/sids schannel errors over ncacn_ip_tcp (bug #7944)

If winbindd connects to a domain controller it doesn't establish the lsa
connection over ncacn_ip_tcp direct. This happens only on demand.

If someone does a 'net rpc testjoin' and then a
wbinfo -n DOMAIN\\administrator, we'll get DCERPC faults with
ACCESS_DENIED/SEC_PKG_ERROR, because winbindd's in memory copy
of the schannel session key is invalidated.

This problem can also happen on other calls, but the
lookup_names/sids calls on thet lsa ncacn_ip_tcp connection
are the most important ones.

The long term fix is to store the schannel client state in a
tdb, but for now it's enough to catch the error and invalidate
the all connections to the dc and reestablish the schannel
session key.

The fix for bug 7568 (commit be396411a4e1f3a174f8a44b6c062d834135e70a)
made this worse, as it assumes winbindd's in memory session key is
always the current one.

metze
(cherry picked from commit 255f2e06991aa543cd2c6f4d0123664b2a76c99d)
(cherry picked from commit a699ac50f7c9a5eeb57215879e17631c9a1f534f)
(cherry picked from commit b40ce0559c6da04f269cb9ac4d4a215ea8e9f925)

diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
index b65b126cf03c0c7ecc5b1021d8ce34385a7806b3..59d345746e4aa73a25515e118654e85ad3e645ee 100644 (file)
--- a/source3/winbindd/winbindd_rpc.c
+++ b/source3/winbindd/winbindd_rpc.c
@@ -1237,6 +1237,18 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
        /* And restore our original timeout. */
        rpccli_set_timeout(cli, orig_timeout);
 
+       if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+           NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+               /*
+                * This can happen if the schannel key is not
+                * valid anymore, we need to invalidate the
+                * all connections to the dc and reestablish
+                * a netlogon connection first.
+                */
+               invalidate_cm_connection(&domain->conn);
+               status = NT_STATUS_ACCESS_DENIED;
+       }
+
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -1304,6 +1316,18 @@ NTSTATUS winbindd_lookup_names(TALLOC_CTX *mem_ctx,
        /* And restore our original timeout. */
        rpccli_set_timeout(cli, orig_timeout);
 
+       if (NT_STATUS_V(status) == DCERPC_FAULT_ACCESS_DENIED ||
+           NT_STATUS_V(status) == DCERPC_FAULT_SEC_PKG_ERROR) {
+               /*
+                * This can happen if the schannel key is not
+                * valid anymore, we need to invalidate the
+                * all connections to the dc and reestablish
+                * a netlogon connection first.
+                */
+               invalidate_cm_connection(&domain->conn);
+               status = NT_STATUS_ACCESS_DENIED;
+       }
+
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }