author | Volker Lendecke <vl@samba.org> | 2009-11-19 17:20:47 +0100 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2009-11-26 11:41:02 +0100 |
commit | 6994daa2e4e79f2fd99475ca3d1cfba1a969c61b (patch) | |
tree | 5abc778946f093ebaefa2adc5e87304c74bd4ac3 | |
parent | 4cd1a74c2b38af77553f59867f1ec32212d7101e (diff) | |
download | samba-6994daa2e4e79f2fd99475ca3d1cfba1a969c61b.tar.gz |
s3: Protect against flooding the DC with pwchange requests
When there is a temporary problem changing passwords we flooded the DC with
pwchange requests. This gives the DC a 60-second break to recover.
(cherry picked from commit a7f742c754e9e658908d113a77241463d8e15d17)
-rw-r--r-- | source3/winbindd/winbindd_dual.c | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 904d3e4ed3d..ae8f236cb49 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -1117,21 +1117,31 @@ static void machine_password_change_handler(struct event_context *ctx,
 "trust_pw_find_change_and_store_it returned %s\n",
 nt_errstr(result)));
 
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
+ DEBUG(3,("machine_password_change_handler: password set returned "
+ "ACCESS_DENIED. Maybe the trust account "
+ "password was changed and we didn't know it. "
+ "Killing connections to domain %s\n",
+ child->domain->name));
+ TALLOC_FREE(child->domain->conn.netlogon_pipe);
+ }
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+ &next_change)) {
+ DEBUG(10, ("calculate_next_machine_pwd_change failed\n"));
+ return;
+ }
+
+ DEBUG(10, ("calculate_next_machine_pwd_change returned %s\n",
+ timeval_string(talloc_tos(), &next_change, false)));
+
 if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("machine_password_change_handler: "
- "failed to change machine password: %s\n",
- nt_errstr(result)));
- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
- DEBUG(3,("machine_password_change_handler: password set returned "
- "ACCESS_DENIED. Maybe the trust account "
- "password was changed and we didn't know it. "
- "Killing connections to domain %s\n",
- child->domain->name));
- TALLOC_FREE(child->domain->conn.netlogon_pipe);
- }
- } else {
- DEBUG(10,("machine_password_change_handler: "
- "successfully changed machine password\n"));
+ struct timeval tmp;
+ /*
+ * In case of failure, give the DC a minute to recover
+ */
+ tmp = timeval_current_ofs(60, 0);
+ next_change = timeval_max(&next_change, &tmp);
 }
 
 done: |
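Review bot: The early `return` taken when `calculate_next_machine_pwd_change` fails bypasses `done:` and leaves only a level-10 debug line behind. If the code after `done:` (outside this hunk) is what re-arms the timed event, machine password rotation for this domain would stop silently until the child is restarted. I would log that path at a level operators actually see, e.g. `DEBUG(1, ("calculate_next_machine_pwd_change failed, machine password change not rescheduled\n"));`, or reach `done:` with an explicit fallback interval instead of returning. Separately, the 60-second floor in the `!NT_STATUS_IS_OK(result)` branch is a bare literal applied identically on every failure, so a persistent error such as the ACCESS_DENIED case would presumably retry once a minute indefinitely and drop the netlogon pipe each time. A named constant with a growing delay would be easier to tune and audit. The function starts and ends outside the hunk.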