s3-winbindd: rework reconnect logic in winbindd_lookup_sids().

[kai/samba.git] / source3 / winbindd / winbindd_msrpc.c

diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index f77242838354c42b0411264403927335bc3b5a7a..03b919f35ac0c64b2836eca307624d5c9d9065b8 100644 (file)
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -1079,24 +1079,20 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
        struct policy_handle lsa_policy;
        unsigned int orig_timeout;
        bool use_lookupsids3 = false;
+       bool retried = false;
 
-       if (domain->can_do_ncacn_ip_tcp) {
-               status = cm_connect_lsa_tcp(domain, mem_ctx, &cli);
-               if (NT_STATUS_IS_OK(status)) {
-                       use_lookupsids3 = true;
-                       goto lookup;
-               }
-               domain->can_do_ncacn_ip_tcp = false;
-       }
-       status = cm_connect_lsa(domain, mem_ctx, &cli, &lsa_policy);
-
+ connect:
+       status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
- lookup:
        b = cli->binding_handle;
 
+       if (cli->transport->transport == NCACN_IP_TCP) {
+               use_lookupsids3 = true;
+       }
+
        /*
         * This call can take a long time
         * allow the server to time out.
@@ -1119,7 +1115,8 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
        dcerpc_binding_handle_set_timeout(b, orig_timeout);
 
        if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
-           NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
+           NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR) ||
+           NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
                /*
                 * This can happen if the schannel key is not
                 * valid anymore, we need to invalidate the
@@ -1127,6 +1124,11 @@ NTSTATUS winbindd_lookup_sids(TALLOC_CTX *mem_ctx,
                 * a netlogon connection first.
                 */
                invalidate_cm_connection(&domain->conn);
+               domain->can_do_ncacn_ip_tcp = domain->active_directory;
+               if (!retried) {
+                       retried = true;
+                       goto connect;
+               }
                status = NT_STATUS_ACCESS_DENIED;
        }