r14493: There is no point in falling back to a samlogon when a krb5login has
authorGünther Deschner <gd@samba.org>
Thu, 16 Mar 2006 22:17:03 +0000 (22:17 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:15:34 +0000 (11:15 -0500)
failed with a clear error indication. This prevents the bad logon count
beeing increased on the DC.

Guenther
(This used to be commit 5fdddffba5cf05ccac23a64fbe404a34e73fa73c)

source3/nsswitch/winbindd_pam.c

index d460c1476991ff9479e3cc24501d6ae0654207fd..9cd2dd9c0ccedac3574a0c6103fc4c0621e02524 100644 (file)
@@ -1088,6 +1088,23 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
                        DEBUG(10,("winbindd_dual_pam_auth_kerberos setting domain to offline\n"));
                        domain->online = False;
                }
+
+               /* there are quite some NT_STATUS errors where there is no
+                * point in retrying with a samlogon, we explictly have to take
+                * care not to increase the bad logon counter on the DC */
+
+               if (NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_DISABLED) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_EXPIRED) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_ACCOUNT_LOCKED_OUT) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_INVALID_LOGON_HOURS) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_INVALID_WORKSTATION) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_LOGON_FAILURE) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_USER) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_EXPIRED) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_PASSWORD_MUST_CHANGE) ||
+                   NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)) {
+                       goto process_result;
+               }
                
                if (state->request.flags & WBFLAG_PAM_FALLBACK_AFTER_KRB5) {
                        DEBUG(3,("falling back to samlogon\n"));