s3: Avoid races to change the machine password in winbind

The machine password handler has code to deal with every node in the cluster
trying to change the machine password at the same time. However, it is not very
nice to the DC if everyone tries this simultaneously. This adds a random 0-255
second offset to our timed event. When this fires a bit later than strictly
calculated, someone else might have stepped in and have already changed it. The
timed event handler will handle this gracefully, it won't even try to do it
again.

1 files changed, 18 insertions, 0 deletions

diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index ae8f236cb49..376d7c73090 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -1051,6 +1051,24 @@ static bool calculate_next_machine_pwd_change(const char *domain,
 		DEBUG(10,("machine password still valid until: %s\n",
 			http_timestring(talloc_tos(), next_change)));
 		*t = timeval_set(next_change, 0);
+
+		if (lp_clustering()) {
+			uint8_t randbuf;
+			/*
+			 * When having a cluster, we have several
+			 * winbinds racing for the password change. In
+			 * the machine_password_change_handler()
+			 * function we check if someone else was
+			 * faster when the event triggers. We add a
+			 * 255-second random delay here, so that we
+			 * don't run to change the password at the
+			 * exact same moment.
+			 */
+			generate_random_buffer(&randbuf, sizeof(randbuf));
+			DEBUG(10, ("adding %d seconds randomness\n",
+				   (int)randbuf));
+			t->tv_sec += randbuf;
+		}
 		return true;
 	}