diff -up openchange-openchange-2.3-VULCAN/libmapi/IProfAdmin.c.samba-4.15 openchange-openchange-2.3-VULCAN/libmapi/IProfAdmin.c

--- openchange-openchange-2.3-VULCAN/libmapi/IProfAdmin.c.samba-4.15	2021-07-19 12:26:37.615770488 +0200

+++ openchange-openchange-2.3-VULCAN/libmapi/IProfAdmin.c	2021-07-19 12:26:39.640771957 +0200

@@ -794,7 +794,7 @@ _PUBLIC_ enum MAPISTATUS LoadProfile(str

 		cli_credentials_set_password(profile->credentials, profile->password, CRED_SPECIFIED);

 	}

 	if (use_krb != CRED_USE_KERBEROS_DESIRED) {

-		cli_credentials_set_kerberos_state(profile->credentials, use_krb);

+		cli_credentials_set_kerberos_state(profile->credentials, use_krb, CRED_SPECIFIED);

 	}

 	return MAPI_E_SUCCESS;

diff -up openchange-openchange-2.3-VULCAN/ndr_mapi.c.samba-4.15 openchange-openchange-2.3-VULCAN/ndr_mapi.c

--- openchange-openchange-2.3-VULCAN/ndr_mapi.c.samba-4.15	2021-07-19 12:59:29.801210983 +0200

+++ openchange-openchange-2.3-VULCAN/ndr_mapi.c	2021-07-19 13:07:49.382594567 +0200

@@ -1235,15 +1235,18 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EcDo

 	TALLOC_CTX	*_mem_save_rgbAuxOut_1;

 	if (flags & NDR_IN) {

+		uint32_t array_length = 0, array_size = 0;

 		OC_ZERO_STRUCT(r->out);

 		NDR_CHECK(ndr_pull_array_size(ndr, &r->in.szUserDN));

 		NDR_CHECK(ndr_pull_array_length(ndr, &r->in.szUserDN));

-		if (ndr_get_array_length(ndr, &r->in.szUserDN) > ndr_get_array_size(ndr, &r->in.szUserDN)) {

-			return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->in.szUserDN), ndr_get_array_length(ndr, &r->in.szUserDN));

+		NDR_CHECK(ndr_get_array_length(ndr, &r->in.szUserDN, &array_length));

+		NDR_CHECK(ndr_get_array_size(ndr, &r->in.szUserDN, &array_size));

+		if (array_length > array_size) {

+			return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", array_size, array_length);

 		}

-		NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, &r->in.szUserDN), sizeof(uint8_t)));

-		NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.szUserDN, ndr_get_array_length(ndr, &r->in.szUserDN), sizeof(uint8_t), CH_DOS));

+		NDR_CHECK(ndr_check_string_terminator(ndr, array_length, sizeof(uint8_t)));

+		NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, &r->in.szUserDN, array_length, sizeof(uint8_t), CH_DOS));

 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ulFlags));

 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.ulConMod));

 		NDR_CHECK(ndr_pull_uint32(ndr, NDR_SCALARS, &r->in.cbLimit));

@@ -1317,6 +1320,7 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EcDo

 	}

 	if (flags & NDR_OUT) {

+		uint32_t array_length = 0, array_size = 0;

 		if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {

 			NDR_PULL_ALLOC(ndr, r->out.handle);

 		}

@@ -1366,11 +1370,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EcDo

 			NDR_PULL_SET_MEM_CTX(ndr, *r->out.szDNPrefix, 0);

 			NDR_CHECK(ndr_pull_array_size(ndr, r->out.szDNPrefix));

 			NDR_CHECK(ndr_pull_array_length(ndr, r->out.szDNPrefix));

-			if (ndr_get_array_length(ndr, r->out.szDNPrefix) > ndr_get_array_size(ndr, r->out.szDNPrefix)) {

-				return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.szDNPrefix), ndr_get_array_length(ndr, r->out.szDNPrefix));

+			NDR_CHECK(ndr_get_array_length(ndr, r->out.szDNPrefix, &array_length));

+			NDR_CHECK(ndr_get_array_size(ndr, r->out.szDNPrefix, &array_size));

+			if (array_length > array_size) {

+				return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", array_size, array_length);

 			}

-			NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.szDNPrefix), sizeof(uint8_t)));

-			NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.szDNPrefix, ndr_get_array_length(ndr, r->out.szDNPrefix), sizeof(uint8_t), CH_DOS));

+			NDR_CHECK(ndr_check_string_terminator(ndr, array_length, sizeof(uint8_t)));

+			NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.szDNPrefix, array_length, sizeof(uint8_t), CH_DOS));

 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_szDNPrefix_1, 0);

 		}

 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_szDNPrefix_0, LIBNDR_FLAG_REF_ALLOC);

@@ -1391,11 +1397,13 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EcDo

 			NDR_PULL_SET_MEM_CTX(ndr, *r->out.szDisplayName, 0);

 			NDR_CHECK(ndr_pull_array_size(ndr, r->out.szDisplayName));

 			NDR_CHECK(ndr_pull_array_length(ndr, r->out.szDisplayName));

-			if (ndr_get_array_length(ndr, r->out.szDisplayName) > ndr_get_array_size(ndr, r->out.szDisplayName)) {

-				return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, r->out.szDisplayName), ndr_get_array_length(ndr, r->out.szDisplayName));

+			NDR_CHECK(ndr_get_array_length(ndr, r->out.szDisplayName, &array_length));

+			NDR_CHECK(ndr_get_array_size(ndr, r->out.szDisplayName, &array_size));

+			if (array_length > array_size) {

+				return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", array_size, array_length);

 			}

-			NDR_CHECK(ndr_check_string_terminator(ndr, ndr_get_array_length(ndr, r->out.szDisplayName), sizeof(uint8_t)));

-			NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.szDisplayName, ndr_get_array_length(ndr, r->out.szDisplayName), sizeof(uint8_t), CH_DOS));

+			NDR_CHECK(ndr_check_string_terminator(ndr, array_length, sizeof(uint8_t)));

+			NDR_CHECK(ndr_pull_charset(ndr, NDR_SCALARS, r->out.szDisplayName, array_length, sizeof(uint8_t), CH_DOS));

 			NDR_PULL_SET_MEM_CTX(ndr, _mem_save_szDisplayName_1, 0);

 		}

 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_szDisplayName_0, LIBNDR_FLAG_REF_ALLOC);

@@ -1415,14 +1423,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_EcDo

 		NDR_PULL_SET_MEM_CTX(ndr, _mem_save_pulTimeStamp_0, LIBNDR_FLAG_REF_ALLOC);

 		NDR_CHECK(ndr_pull_array_size(ndr, &r->out.rgbAuxOut));

 		NDR_CHECK(ndr_pull_array_length(ndr, &r->out.rgbAuxOut));

-		if (ndr_get_array_length(ndr, &r->out.rgbAuxOut) > ndr_get_array_size(ndr, &r->out.rgbAuxOut)) {

-			return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", ndr_get_array_size(ndr, &r->out.rgbAuxOut), ndr_get_array_length(ndr, &r->out.rgbAuxOut));

+		NDR_CHECK(ndr_get_array_length(ndr, &r->out.rgbAuxOut, &array_length));

+		NDR_CHECK(ndr_get_array_size(ndr, &r->out.rgbAuxOut, &array_size));

+		if (array_length > array_size) {

+			return ndr_pull_error(ndr, NDR_ERR_ARRAY_SIZE, "Bad array size %u should exceed array length %u", array_size, array_length);

 		}

 		if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {

-			NDR_PULL_ALLOC_N(ndr, r->out.rgbAuxOut, ndr_get_array_size(ndr, &r->out.rgbAuxOut));

+			NDR_PULL_ALLOC_N(ndr, r->out.rgbAuxOut, array_size);

 		}

 		/* Only try to pull rgbAuxOut if the fake array size is > 0 */

-		if (ndr_get_array_size(ndr, &r->out.rgbAuxOut)) {

+		if (array_size) {

 			_mem_save_rgbAuxOut_1 = NDR_PULL_GET_MEM_CTX(ndr);

 			NDR_PULL_SET_MEM_CTX(ndr, r->out.rgbAuxOut, 0);

 			NDR_CHECK(ndr_pull_mapi2k7_AuxInfo(ndr, NDR_SCALARS, r->out.rgbAuxOut));