diff --git a/.gitignore b/.gitignore
index 91c17a7..7de4232 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/samba-4.1.1.tar.xz
+SOURCES/samba-4.1.12.tar.xz
diff --git a/.samba.metadata b/.samba.metadata
index e66477a..21b6607 100644
--- a/.samba.metadata
+++ b/.samba.metadata
@@ -1 +1 @@
-7858cf2570eb436e7b50ddfc4acf23844cf83179 SOURCES/samba-4.1.1.tar.xz
+f3d5fafd51b016355328609f70dc4007a750177e SOURCES/samba-4.1.12.tar.xz
diff --git a/SOURCES/samba-4.1.0-upn.patch b/SOURCES/samba-4.1.0-upn.patch
deleted file mode 100644
index b5caa31..0000000
--- a/SOURCES/samba-4.1.0-upn.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From d161c173088ce82ea11a914ce62c5b77af9f4f9f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 6 Nov 2013 18:21:32 +0100
-Subject: [PATCH] s3-libnetjoin: use upper-case realm when composing default
- upn.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case we are about to generate a keytab during the join make sure the default
-upn we create is usable with kinit -k.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
----
- source3/libnet/libnet_join.c | 17 ++++++++++++++++-
- 1 file changed, 16 insertions(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 2dcb920..b84fcd6 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -449,10 +449,25 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
- }
-
- if (!r->in.upn) {
-+ char *realm = r->out.dns_domain_name;
-+
-+ /* in case we are about to generate a keytab during the join
-+ * make sure the default upn we create is usable with kinit -k.
-+ * gd */
-+
-+ if (USE_KERBEROS_KEYTAB) {
-+ realm = talloc_strdup_upper(mem_ctx,
-+ r->out.dns_domain_name);
-+ }
-+
-+ if (!realm) {
-+ return ADS_ERROR(LDAP_NO_MEMORY);
-+ }
-+
- r->in.upn = talloc_asprintf(mem_ctx,
- "host/%s@%s",
- r->in.machine_name,
-- r->out.dns_domain_name);
-+ realm);
- if (!r->in.upn) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
---
-1.8.3.1
-
diff --git a/SOURCES/samba-4.1.1-Fix-memset-in-ntdb.patch b/SOURCES/samba-4.1.1-Fix-memset-in-ntdb.patch
deleted file mode 100644
index 85362d1..0000000
--- a/SOURCES/samba-4.1.1-Fix-memset-in-ntdb.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-commit 45a1cbb7514f9db5fe2d7c2207d7723092aa164d
-Author: Volker Lendecke <vl@samba.org>
-AuthorDate: Thu Jul 11 14:57:53 2013 +0200
-Commit: Karolin Seeger <kseeger@samba.org>
-CommitDate: Mon Oct 14 10:11:48 2013 +0200
-
- ccan: Fix calling memset with zero length parameter
-
- Signed-off-by: Volker Lendecke <vl@samba.org>
- Reviewed-by: Andreas Schneider <asn@samba.org>
-
- Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
- Autobuild-Date(master): Thu Jul 11 16:55:49 CEST 2013 on sn-devel-104
-
- Signed-off-by: Andreas Schneider <asn@samba.org>
-
- Fix bug #10190 - Fix memset used with constant zero length parameter.
----
- lib/ccan/tally/tally.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/ccan/tally/tally.c b/lib/ccan/tally/tally.c
-index 774373c..29f0555 100644
---- a/lib/ccan/tally/tally.c
-+++ b/lib/ccan/tally/tally.c
-@@ -506,11 +506,11 @@ char *tally_histogram(const struct tally *tally,
-
- if (count > covered) {
- count -= covered;
-+ memset(p, '*', count);
- } else {
- count = 0;
- }
-
-- memset(p, '*', count);
- p += count;
- *p = '\n';
- p++;
diff --git a/SOURCES/samba-4.1.13-Add_precreated_spns_from_AD_during_keytab_generation.patch b/SOURCES/samba-4.1.13-Add_precreated_spns_from_AD_during_keytab_generation.patch
new file mode 100644
index 0000000..2174e15
--- /dev/null
+++ b/SOURCES/samba-4.1.13-Add_precreated_spns_from_AD_during_keytab_generation.patch
@@ -0,0 +1,159 @@
+From 3516236ec6eb42f29eda42542b109fa10217e68c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 24 Sep 2014 10:51:33 +0200
+Subject: [PATCH] s3-libads: Add all machine account principals to the keytab.
+
+This adds all SPNs defined in the DC for the computer account to the
+keytab using 'net ads keytab create -P'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=9985
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 5d58b92f8fcbc509f4fe2bd3617bcaeada1806b6)
+---
+ source3/libads/kerberos_keytab.c | 74 ++++++++++++++++++++++++++++------------
+ 1 file changed, 52 insertions(+), 22 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 83df088..d13625b 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -507,20 +507,57 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ krb5_kt_cursor cursor;
+ krb5_keytab_entry kt_entry;
+ krb5_kvno kvno;
+- int i, found = 0;
++ size_t found = 0;
+ char *sam_account_name, *upn;
+ char **oldEntries = NULL, *princ_s[26];
+- TALLOC_CTX *tmpctx = NULL;
++ TALLOC_CTX *frame;
+ char *machine_name;
++ char **spn_array;
++ size_t num_spns;
++ size_t i;
++ ADS_STATUS status;
+
+- /* these are the main ones we need */
+- ret = ads_keytab_add_entry(ads, "host");
+- if (ret != 0) {
+- DEBUG(1, (__location__ ": ads_keytab_add_entry failed while "
+- "adding 'host' principal.\n"));
+- return ret;
++ frame = talloc_stackframe();
++ if (frame == NULL) {
++ ret = -1;
++ goto done;
++ }
++
++ status = ads_get_service_principal_names(frame,
++ ads,
++ lp_netbios_name(),
++ &spn_array,
++ &num_spns);
++ if (!ADS_ERR_OK(status)) {
++ ret = -1;
++ goto done;
+ }
+
++ for (i = 0; i < num_spns; i++) {
++ char *srv_princ;
++ char *p;
++
++ srv_princ = strlower_talloc(frame, spn_array[i]);
++ if (srv_princ == NULL) {
++ ret = -1;
++ goto done;
++ }
++
++ p = strchr_m(srv_princ, '/');
++ if (p == NULL) {
++ continue;
++ }
++ p[0] = '\0';
++
++ /* Add the SPNs found on the DC */
++ ret = ads_keytab_add_entry(ads, srv_princ);
++ if (ret != 0) {
++ DEBUG(1, ("ads_keytab_add_entry failed while "
++ "adding '%s' principal.\n",
++ spn_array[i]));
++ goto done;
++ }
++ }
+
+ #if 0 /* don't create the CIFS/... keytab entries since no one except smbd
+ really needs them and we will fall back to verifying against
+@@ -543,24 +580,17 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ if (ret) {
+ DEBUG(1, (__location__ ": could not krb5_init_context: %s\n",
+ error_message(ret)));
+- return ret;
+- }
+-
+- tmpctx = talloc_init(__location__);
+- if (!tmpctx) {
+- DEBUG(0, (__location__ ": talloc_init() failed!\n"));
+- ret = -1;
+ goto done;
+ }
+
+- machine_name = talloc_strdup(tmpctx, lp_netbios_name());
++ machine_name = talloc_strdup(frame, lp_netbios_name());
+ if (!machine_name) {
+ ret = -1;
+ goto done;
+ }
+
+ /* now add the userPrincipalName and sAMAccountName entries */
+- sam_account_name = ads_get_samaccountname(ads, tmpctx, machine_name);
++ sam_account_name = ads_get_samaccountname(ads, frame, machine_name);
+ if (!sam_account_name) {
+ DEBUG(0, (__location__ ": unable to determine machine "
+ "account's name in AD!\n"));
+@@ -584,7 +614,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ }
+
+ /* remember that not every machine account will have a upn */
+- upn = ads_get_upn(ads, tmpctx, machine_name);
++ upn = ads_get_upn(ads, frame, machine_name);
+ if (upn) {
+ ret = ads_keytab_add_entry(ads, upn);
+ if (ret != 0) {
+@@ -596,7 +626,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+
+ /* Now loop through the keytab and update any other existing entries */
+ kvno = (krb5_kvno)ads_get_machine_kvno(ads, machine_name);
+- if (kvno == -1) {
++ if (kvno == (krb5_kvno)-1) {
+ DEBUG(1, (__location__ ": ads_get_machine_kvno() failed to "
+ "determine the system's kvno.\n"));
+ goto done;
+@@ -629,12 +659,12 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ * have a race condition where someone else could add entries after
+ * we've counted them. Re-open asap to minimise the race. JRA.
+ */
+- DEBUG(3, (__location__ ": Found %d entries in the keytab.\n", found));
++ DEBUG(3, (__location__ ": Found %zd entries in the keytab.\n", found));
+ if (!found) {
+ goto done;
+ }
+
+- oldEntries = talloc_array(tmpctx, char *, found);
++ oldEntries = talloc_array(frame, char *, found);
+ if (!oldEntries) {
+ DEBUG(1, (__location__ ": Failed to allocate space to store "
+ "the old keytab entries (talloc failed?).\n"));
+@@ -708,7 +738,7 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+
+ done:
+ TALLOC_FREE(oldEntries);
+- TALLOC_FREE(tmpctx);
++ TALLOC_FREE(frame);
+
+ {
+ krb5_keytab_entry zero_kt_entry;
+--
+2.1.0
+
diff --git a/SOURCES/samba-4.1.13-Fix_aes_enctypes.patch b/SOURCES/samba-4.1.13-Fix_aes_enctypes.patch
new file mode 100644
index 0000000..a939e70
--- /dev/null
+++ b/SOURCES/samba-4.1.13-Fix_aes_enctypes.patch
@@ -0,0 +1,988 @@
+From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 24 Sep 2014 22:16:20 +0200
+Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}".
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 308 insertions(+)
+
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 8b8e719..5f18bf4 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv)
+ return net_run_function(c, argc, argv, "net ads kerberos", func);
+ }
+
++static int net_ads_enctype_lookup_account(struct net_context *c,
++ ADS_STRUCT *ads,
++ const char *account,
++ LDAPMessage **res,
++ const char **enctype_str)
++{
++ const char *filter;
++ const char *attrs[] = {
++ "msDS-SupportedEncryptionTypes",
++ NULL
++ };
++ int count;
++ int ret = -1;
++ ADS_STATUS status;
++
++ filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))",
++ account);
++ if (filter == NULL) {
++ goto done;
++ }
++
++ status = ads_search(ads, res, filter, attrs);
++ if (!ADS_ERR_OK(status)) {
++ d_printf(_("no account found with filter: %s\n"), filter);
++ goto done;
++ }
++
++ count = ads_count_replies(ads, *res);
++ switch (count) {
++ case 1:
++ break;
++ case 0:
++ d_printf(_("no account found with filter: %s\n"), filter);
++ goto done;
++ default:
++ d_printf(_("multiple accounts found with filter: %s\n"), filter);
++ goto done;
++ }
++
++ if (enctype_str) {
++ *enctype_str = ads_pull_string(ads, c, *res,
++ "msDS-SupportedEncryptionTypes");
++ if (*enctype_str == NULL) {
++ d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n"));
++ goto done;
++ }
++ }
++
++ ret = 0;
++ done:
++ return ret;
++}
++
++static void net_ads_enctype_dump_enctypes(const char *username,
++ const char *enctype_str)
++{
++ int enctypes;
++
++ d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username);
++
++ enctypes = atoi(enctype_str);
++
++ printf("[%s] 0x%08x DES-CBC-CRC\n",
++ enctypes & ENC_CRC32 ? "X" : " ",
++ ENC_CRC32);
++ printf("[%s] 0x%08x DES-CBC-MD5\n",
++ enctypes & ENC_RSA_MD5 ? "X" : " ",
++ ENC_RSA_MD5);
++ printf("[%s] 0x%08x RC4-HMAC\n",
++ enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ",
++ ENC_RC4_HMAC_MD5);
++ printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n",
++ enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ",
++ ENC_HMAC_SHA1_96_AES128);
++ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
++ enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
++ ENC_HMAC_SHA1_96_AES256);
++}
++
++static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
++{
++ int ret = -1;
++ ADS_STATUS status;
++ ADS_STRUCT *ads = NULL;
++ LDAPMessage *res = NULL;
++ const char *str = NULL;
++
++ if (c->display_usage || (argc < 1)) {
++ d_printf( "%s\n"
++ "net ads enctypes list\n"
++ " %s\n",
++ _("Usage:"),
++ _("List supported enctypes"));
++ return 0;
++ }
++
++ status = ads_startup(c, false, &ads);
++ if (!ADS_ERR_OK(status)) {
++ printf("startup failed\n");
++ return ret;
++ }
++
++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
++ if (ret) {
++ goto done;
++ }
++
++ net_ads_enctype_dump_enctypes(argv[0], str);
++
++ ret = 0;
++ done:
++ ads_msgfree(ads, res);
++ ads_destroy(&ads);
++
++ return ret;
++}
++
++static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv)
++{
++ int ret = -1;
++ ADS_STATUS status;
++ ADS_STRUCT *ads;
++ LDAPMessage *res = NULL;
++ const char *etype_list_str;
++ const char *dn;
++ ADS_MODLIST mods;
++ uint32_t etype_list;
++ const char *str;
++
++ if (c->display_usage || argc < 1) {
++ d_printf( "%s\n"
++ "net ads enctypes set <sAMAccountName> [enctypes]\n"
++ " %s\n",
++ _("Usage:"),
++ _("Set supported enctypes"));
++ return 0;
++ }
++
++ status = ads_startup(c, false, &ads);
++ if (!ADS_ERR_OK(status)) {
++ printf("startup failed\n");
++ return ret;
++ }
++
++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
++ if (ret) {
++ goto done;
++ }
++
++ dn = ads_get_dn(ads, c, res);
++ if (dn == NULL) {
++ goto done;
++ }
++
++ etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++ etype_list |= ENC_HMAC_SHA1_96_AES128;
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++ etype_list |= ENC_HMAC_SHA1_96_AES256;
++#endif
++
++ if (argv[1] != NULL) {
++ sscanf(argv[1], "%i", &etype_list);
++ }
++
++ etype_list_str = talloc_asprintf(c, "%d", etype_list);
++ if (!etype_list_str) {
++ goto done;
++ }
++
++ mods = ads_init_mods(c);
++ if (!mods) {
++ goto done;
++ }
++
++ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes",
++ etype_list_str);
++ if (!ADS_ERR_OK(status)) {
++ goto done;
++ }
++
++ status = ads_gen_mod(ads, dn, mods);
++ if (!ADS_ERR_OK(status)) {
++ d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"),
++ ads_errstr(status));
++ goto done;
++ }
++
++ ads_msgfree(ads, res);
++
++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str);
++ if (ret) {
++ goto done;
++ }
++
++ net_ads_enctype_dump_enctypes(argv[0], str);
++
++ ret = 0;
++ done:
++ ads_msgfree(ads, res);
++ ads_destroy(&ads);
++
++ return ret;
++}
++
++static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv)
++{
++ int ret = -1;
++ ADS_STATUS status;
++ ADS_STRUCT *ads;
++ LDAPMessage *res = NULL;
++ const char *dn;
++ ADS_MODLIST mods;
++
++ if (c->display_usage || argc < 1) {
++ d_printf( "%s\n"
++ "net ads enctypes delete <sAMAccountName>\n"
++ " %s\n",
++ _("Usage:"),
++ _("Delete supported enctypes"));
++ return 0;
++ }
++
++ status = ads_startup(c, false, &ads);
++ if (!ADS_ERR_OK(status)) {
++ printf("startup failed\n");
++ return ret;
++ }
++
++ ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL);
++ if (ret) {
++ goto done;
++ }
++
++ dn = ads_get_dn(ads, c, res);
++ if (dn == NULL) {
++ goto done;
++ }
++
++ mods = ads_init_mods(c);
++ if (!mods) {
++ goto done;
++ }
++
++ status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL);
++ if (!ADS_ERR_OK(status)) {
++ goto done;
++ }
++
++ status = ads_gen_mod(ads, dn, mods);
++ if (!ADS_ERR_OK(status)) {
++ d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"),
++ ads_errstr(status));
++ goto done;
++ }
++
++ ret = 0;
++
++ done:
++ ads_msgfree(ads, res);
++ ads_destroy(&ads);
++ return ret;
++}
++
++static int net_ads_enctypes(struct net_context *c, int argc, const char **argv)
++{
++ struct functable func[] = {
++ {
++ "list",
++ net_ads_enctypes_list,
++ NET_TRANSPORT_ADS,
++ N_("List the supported encryption types"),
++ N_("net ads enctypes list\n"
++ " List the supported encryption types")
++ },
++ {
++ "set",
++ net_ads_enctypes_set,
++ NET_TRANSPORT_ADS,
++ N_("Set the supported encryption types"),
++ N_("net ads enctypes set\n"
++ " Set the supported encryption types")
++ },
++ {
++ "delete",
++ net_ads_enctypes_delete,
++ NET_TRANSPORT_ADS,
++ N_("Delete the supported encryption types"),
++ N_("net ads enctypes delete\n"
++ " Delete the supported encryption types")
++ },
++
++ {NULL, NULL, 0, NULL, NULL}
++ };
++
++ return net_run_function(c, argc, argv, "net ads enctypes", func);
++}
++
++
+ int net_ads(struct net_context *c, int argc, const char **argv)
+ {
+ struct functable func[] = {
+@@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv)
+ N_("net ads kerberos\n"
+ " Manage kerberos keytab")
+ },
++ {
++ "enctypes",
++ net_ads_enctypes,
++ NET_TRANSPORT_ADS,
++ N_("List/modify supported encryption types"),
++ N_("net ads enctypes\n"
++ " List/modify enctypes")
++ },
+ {NULL, NULL, 0, NULL, NULL}
+ };
+
+--
+1.9.3
+
+
+From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 24 Sep 2014 23:36:19 +0200
+Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes".
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
+index f39b420..9e982e3 100644
+--- a/docs-xml/manpages/net.8.xml
++++ b/docs-xml/manpages/net.8.xml
+@@ -1339,6 +1339,59 @@ to show in the result.
+ </refsect2>
+
+ <refsect2>
++ <title>ADS ENCTYPES</title>
++
++<para>
++ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
++</para>
++
++<para>
++ This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
++</para>
++
++<para>0x00000001 DES-CBC-CRC</para>
++<para>0x00000002 DES-CBC-MD5</para>
++<para>0x00000004 RC4-HMAC</para>
++<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
++<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
++
++</refsect2>
++
++<refsect2>
++ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
++
++<para>
++ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
++</para>
++
++<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
++
++</refsect2>
++
++<refsect2>
++ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
++
++<para>
++ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types.
++</para>
++
++<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
++
++</refsect2>
++
++<refsect2>
++ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
++
++<para>
++ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
++</para>
++
++<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
++
++</refsect2>
++
++
++<refsect2>
+ <title>SAM CREATEBUILTINGROUP <NAME></title>
+
+ <para>
+--
+1.9.3
+
+
+From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 23 Nov 2012 12:34:27 +0100
+Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in
+ AD >= 2008.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 65 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 381a59c..e70e11a 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx,
+ /****************************************************************
+ ****************************************************************/
+
++static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx,
++ struct libnet_JoinCtx *r)
++{
++ ADS_STATUS status;
++ ADS_MODLIST mods;
++ uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
++ const char *etype_list_str;
++
++#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
++ etype_list |= ENC_HMAC_SHA1_96_AES128;
++#endif
++#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
++ etype_list |= ENC_HMAC_SHA1_96_AES256;
++#endif
++
++ etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list);
++ if (!etype_list_str) {
++ return ADS_ERROR(LDAP_NO_MEMORY);
++ }
++
++ /* Find our DN */
++
++ status = libnet_join_find_machine_acct(mem_ctx, r);
++ if (!ADS_ERR_OK(status)) {
++ return status;
++ }
++
++ /* now do the mods */
++
++ mods = ads_init_mods(mem_ctx);
++ if (!mods) {
++ return ADS_ERROR(LDAP_NO_MEMORY);
++ }
++
++ status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes",
++ etype_list_str);
++ if (!ADS_ERR_OK(status)) {
++ return status;
++ }
++
++ return ads_gen_mod(r->in.ads, r->out.dn, mods);
++}
++
++/****************************************************************
++****************************************************************/
++
+ static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+ {
+@@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r)
+ {
+ ADS_STATUS status;
++ uint32_t func_level = 0;
+
+ if (!r->in.ads) {
+ status = libnet_join_connect_ads(mem_ctx, r);
+@@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
++ status = ads_domain_func_level(r->in.ads, &func_level);
++ if (!ADS_ERR_OK(status)) {
++ libnet_join_set_error_string(mem_ctx, r,
++ "failed to query domain controller functional level: %s",
++ ads_errstr(status));
++ return status;
++ }
++
++ if (func_level >= DS_DOMAIN_FUNCTION_2008) {
++ status = libnet_join_set_etypes(mem_ctx, r);
++ if (!ADS_ERR_OK(status)) {
++ libnet_join_set_error_string(mem_ctx, r,
++ "failed to set machine kerberos encryption types: %s",
++ ads_errstr(status));
++ return status;
++ }
++ }
++
+ if (!libnet_join_derive_salting_principal(mem_ctx, r)) {
+ return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL);
+ }
+--
+1.9.3
+
+
+From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 26 Sep 2014 21:06:38 +0200
+Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure
+ hostname is lowercase.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found at MS interop event while working on AES kerberos key support.
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/auth/kerberos/srv_keytab.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c
+index d81e27d..3baba14 100644
+--- a/source4/auth/kerberos/srv_keytab.c
++++ b/source4/auth/kerberos/srv_keytab.c
+@@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx,
+ return ENOMEM;
+ }
+
+- machine_username = talloc_strdup(tmp_ctx, samAccountName);
++ machine_username = strlower_talloc(tmp_ctx, samAccountName);
+ if (!machine_username) {
+ *error_string = "Cannot duplicate samAccountName";
+ talloc_free(tmp_ctx);
+--
+1.9.3
+
+From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 22:49:29 -0700
+Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
+ arguments of copy_netr_SamInfo3() and make_server_info_info3()
+
+Both functions only read from the struct netr_SamInfo3 * argument.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+
+Conflicts:
+ source3/auth/proto.h
+ source3/auth/server_info.c
+---
+ source3/auth/auth_util.c | 2 +-
+ source3/auth/proto.h | 4 ++--
+ source3/auth/server_info.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index ceaa706..afa78ec 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ const char *sent_nt_username,
+ const char *domain,
+ struct auth_serversupplied_info **server_info,
+- struct netr_SamInfo3 *info3)
++ const struct netr_SamInfo3 *info3)
+ {
+ static const char zeros[16] = {0, };
+
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index 76661fc..6ec206e 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ const char *sent_nt_username,
+ const char *domain,
+ struct auth_serversupplied_info **server_info,
+- struct netr_SamInfo3 *info3);
++ const struct netr_SamInfo3 *info3);
+ struct wbcAuthUserInfo;
+ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
+ const char *sent_nt_username,
+@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct passwd *pwd,
+ struct netr_SamInfo3 **pinfo3);
+ struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+- struct netr_SamInfo3 *orig);
++ const struct netr_SamInfo3 *orig);
+ struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct wbcAuthUserInfo *info);
+
+diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
+index d2b7d6e..066b9a8 100644
+--- a/source3/auth/server_info.c
++++ b/source3/auth/server_info.c
+@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ } } while(0)
+
+ struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+- struct netr_SamInfo3 *orig)
++ const struct netr_SamInfo3 *orig)
+ {
+ struct netr_SamInfo3 *info3;
+ unsigned int i;
+--
+1.9.3
+
+
+From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 22:54:45 -0700
+Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
+ struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
+
+make_server_info_info3() only reads from the info3 pointer.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source3/auth/auth_generic.c | 2 +-
+ source3/auth/proto.h | 2 +-
+ source3/auth/user_krb5.c | 8 ++++----
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index a2ba4e3..2880bc9 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+
+ status = make_session_info_krb5(mem_ctx,
+ ntuser, ntdomain, username, pw,
+- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
++ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+ session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index 6ec206e..75d1097 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+- struct PAC_LOGON_INFO *logon_info,
++ const struct netr_SamInfo3 *info3,
+ bool mapped_to_guest, bool username_was_mapped,
+ DATA_BLOB *session_key,
+ struct auth_session_info **session_info);
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index 974a8aa..0a538b4 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+- struct PAC_LOGON_INFO *logon_info,
++ const struct netr_SamInfo3 *info3,
+ bool mapped_to_guest, bool username_was_mapped,
+ DATA_BLOB *session_key,
+ struct auth_session_info **session_info)
+@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+- } else if (logon_info) {
++ } else if (info3) {
+ /* pass the unmapped username here since map_username()
+ will be called again in make_server_info_info3() */
+
+ status = make_server_info_info3(mem_ctx,
+ ntuser, ntdomain,
+ &server_info,
+- &logon_info->info3);
++ info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("make_server_info_info3 failed: %s!\n",
+ nt_errstr(status)));
+@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+- struct PAC_LOGON_INFO *logon_info,
++ const struct netr_SamInfo3 *info3,
+ bool mapped_to_guest, bool username_was_mapped,
+ DATA_BLOB *session_key,
+ struct auth_session_info **session_info)
+--
+1.9.3
+
+
+From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 23:11:58 -0700
+Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
+ create a new info3 and merge resource group SIDs into it.
+
+Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source3/auth/proto.h | 3 ++
+ source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 80 insertions(+)
+
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index 75d1097..cc51698 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
+ struct netr_SamInfo3 *sam3);
+ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
+ struct netr_SamInfo6 *sam6);
++NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
++ const struct PAC_LOGON_INFO *logon_info,
++ struct netr_SamInfo3 **pp_info3);
+ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ struct samu *samu,
+ const char *login_server,
+diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
+index 066b9a8..dc84794 100644
+--- a/source3/auth/server_info.c
++++ b/source3/auth/server_info.c
+@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
+ return NT_STATUS_OK;
+ }
+
++/*
++ * Merge resource SIDs, if any, into the passed in info3 structure.
++ */
++
++static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
++ struct netr_SamInfo3 *info3)
++{
++ uint32_t i = 0;
++
++ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
++ return NT_STATUS_OK;
++ }
++
++ /*
++ * If there are any resource groups (SID Compression) add
++ * them to the extra sids portion of the info3 in the PAC.
++ *
++ * This makes the info3 look like it would if we got the info
++ * from the DC rather than the PAC.
++ */
++
++ /*
++ * Construct a SID for each RID in the list and then append it
++ * to the info3.
++ */
++ for (i = 0; i < logon_info->res_groups.count; i++) {
++ NTSTATUS status;
++ struct dom_sid new_sid;
++ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
++
++ sid_compose(&new_sid,
++ logon_info->res_group_dom_sid,
++ logon_info->res_groups.rids[i].rid);
++
++ DEBUG(10, ("Adding SID %s to extra SIDS\n",
++ sid_string_dbg(&new_sid)));
++
++ status = append_netr_SidAttr(info3, &info3->sids,
++ &info3->sidcount,
++ &new_sid,
++ attributes);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
++ sid_string_dbg(&new_sid),
++ nt_errstr(status)));
++ return status;
++ }
++ }
++
++ return NT_STATUS_OK;
++}
++
++/*
++ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
++ * then merge resource SIDs, if any, into it. If successful return
++ * the created info3 struct.
++ */
++
++NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
++ const struct PAC_LOGON_INFO *logon_info,
++ struct netr_SamInfo3 **pp_info3)
++{
++ NTSTATUS status;
++ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
++ &logon_info->info3);
++ if (info3 == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ status = merge_resource_sids(logon_info, info3);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(info3);
++ return status;
++ }
++ *pp_info3 = info3;
++ return NT_STATUS_OK;
++}
++
+ #define RET_NOMEM(ptr) do { \
+ if (!ptr) { \
+ TALLOC_FREE(info3); \
+--
+1.9.3
+
+
+From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 23:15:21 -0700
+Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
+ a copy of the info3 struct from the struct PAC_LOGON_INFO.
+
+Call create_info3_from_pac_logon_info() to add in any resource SIDs
+from the struct PAC_LOGON_INFO to the info3.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source3/auth/auth_generic.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 2880bc9..f841f0c 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ {
+ TALLOC_CTX *tmp_ctx;
+ struct PAC_LOGON_INFO *logon_info = NULL;
++ struct netr_SamInfo3 *info3_copy = NULL;
+ bool is_mapped;
+ bool is_guest;
+ char *ntuser;
+@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+
+ /* save the PAC data if we have it */
+ if (logon_info) {
+- netsamlogon_cache_store(ntuser, &logon_info->info3);
++ status = create_info3_from_pac_logon_info(tmp_ctx,
++ logon_info,
++ &info3_copy);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto done;
++ }
++ netsamlogon_cache_store(ntuser, info3_copy);
+ }
+
+ /* setup the string used by %U */
+@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+
+ status = make_session_info_krb5(mem_ctx,
+ ntuser, ntdomain, username, pw,
+- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
++ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+ session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+--
+1.9.3
+
+
+From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 23:27:35 -0700
+Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
+ new info3 and merge in resource groups from a trusted PAC.
+
+Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104
+---
+ source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
+ 1 file changed, 22 insertions(+), 2 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index c356686..0f1ca28 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
+ struct winbindd_request *req = state->request;
+ DATA_BLOB pac_blob;
+ struct PAC_LOGON_INFO *logon_info = NULL;
++ struct netr_SamInfo3 *info3_copy = NULL;
+ NTSTATUS result;
+
+ pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
+@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
+
+ if (logon_info) {
+ /* Signature verification succeeded, trust the PAC */
+- netsamlogon_cache_store(NULL, &logon_info->info3);
++ result = create_info3_from_pac_logon_info(state->mem_ctx,
++ logon_info,
++ &info3_copy);
++ if (!NT_STATUS_IS_OK(result)) {
++ return result;
++ }
++ netsamlogon_cache_store(NULL, info3_copy);
+
+ } else {
+ /* Try without signature verification */
+@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
+ nt_errstr(result)));
+ return result;
+ }
++ if (logon_info) {
++ /*
++ * Don't strictly need to copy here,
++ * but it makes it explicit we're
++ * returning a copy talloc'ed off
++ * the state->mem_ctx.
++ */
++ info3_copy = copy_netr_SamInfo3(state->mem_ctx,
++ &logon_info->info3);
++ if (info3_copy == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
+ }
+
+- *info3 = &logon_info->info3;
++ *info3 = info3_copy;
+
+ return NT_STATUS_OK;
+ }
+--
+1.9.3
+
diff --git a/SOURCES/samba-4.1.13-Fix_dnsupdate.patch b/SOURCES/samba-4.1.13-Fix_dnsupdate.patch
new file mode 100644
index 0000000..071069b
--- /dev/null
+++ b/SOURCES/samba-4.1.13-Fix_dnsupdate.patch
@@ -0,0 +1,51 @@
+From 3bf805a38a1b901a55b08118ec04097d9787497c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Mon, 29 Sep 2014 17:16:15 +0200
+Subject: [PATCH] s3-net: Force libkrb5 locator to use the same KDC for join
+ and DNS update.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+---
+ source3/utils/net_ads.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index e96377f..efbc3d2 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -1566,6 +1566,27 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
+ * If the dns update fails, we still consider the join
+ * operation as succeeded if we came this far.
+ */
++
++ if (r->out.dns_domain_name != NULL) {
++
++ /* Avoid potential libkrb5 issues finding a good KDC when we
++ * already found one during the join. When the locator plugin is
++ * installed (but winbind is not yet running) make sure we can
++ * force libkrb5 to reuse that KDC. - gd */
++
++ char *env;
++
++ env = talloc_asprintf_strupper_m(r,
++ "WINBINDD_LOCATOR_KDC_ADDRESS_%s",
++ r->out.dns_domain_name);
++ if (env == NULL) {
++ return -1;
++ }
++
++ setenv(env, r->in.ads->auth.kdc_server, 0);
++ setenv("_NO_WINBINDD", "1", 0);
++ }
++
+ _net_ads_join_dns_updates(c, ctx, r);
+
+ TALLOC_FREE(r);
+--
+1.9.3
+
diff --git a/SOURCES/samba-4.1.13-Fix_overwriting_of_spns_during_net_ads_join.patch b/SOURCES/samba-4.1.13-Fix_overwriting_of_spns_during_net_ads_join.patch
new file mode 100644
index 0000000..5d309f1
--- /dev/null
+++ b/SOURCES/samba-4.1.13-Fix_overwriting_of_spns_during_net_ads_join.patch
@@ -0,0 +1,329 @@
+From 1925edc67e223d73d672af48c2ebd3e5865e01d9 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 24 Sep 2014 09:22:03 +0200
+Subject: [PATCH 1/4] s3-libads: Add a function to retrieve the SPNs of a
+ computer account.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 4eaa4ccbdf279f1ff6d8218b36d92aeea0114cd8)
+---
+ source3/libads/ads_proto.h | 6 +++++
+ source3/libads/ldap.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 66 insertions(+)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 17a84d1..6a22807 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -87,6 +87,12 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ const char *name, const char **vals);
+ uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
+ uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
++
++ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
++ ADS_STRUCT *ads,
++ const char *machine_name,
++ char ***spn_array,
++ size_t *num_spns);
+ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machine_name);
+ ADS_STATUS ads_add_service_principal_name(ADS_STRUCT *ads, const char *machine_name,
+ const char *my_fqdn, const char *spn);
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index fb99132..51a0883 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1927,6 +1927,66 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
+ }
+
+ /**
++ * @brief This gets the service principal names of an existing computer account.
++ *
++ * @param[in] mem_ctx The memory context to use to allocate the spn array.
++ *
++ * @param[in] ads The ADS context to use.
++ *
++ * @param[in] machine_name The NetBIOS name of the computer, which is used to
++ * identify the computer account.
++ *
++ * @param[in] spn_array A pointer to store the array for SPNs.
++ *
++ * @param[in] num_spns The number of principals stored in the array.
++ *
++ * @return 0 on success, or a ADS error if a failure occured.
++ */
++ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
++ ADS_STRUCT *ads,
++ const char *machine_name,
++ char ***spn_array,
++ size_t *num_spns)
++{
++ ADS_STATUS status;
++ LDAPMessage *res = NULL;
++ char *dn;
++ int count;
++
++ status = ads_find_machine_acct(ads,
++ &res,
++ machine_name);
++ if (!ADS_ERR_OK(status)) {
++ DEBUG(1,("Host Account for %s not found... skipping operation.\n",
++ machine_name));
++ return status;
++ }
++
++ count = ads_count_replies(ads, res);
++ if (count != 1) {
++ status = ADS_ERROR(LDAP_NO_SUCH_OBJECT);
++ goto done;
++ }
++
++ dn = ads_get_dn(ads, mem_ctx, res);
++ if (dn == NULL) {
++ status = ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ goto done;
++ }
++
++ *spn_array = ads_pull_strings(ads,
++ mem_ctx,
++ res,
++ "servicePrincipalName",
++ num_spns);
++
++done:
++ ads_msgfree(ads, res);
++
++ return status;
++}
++
++/**
+ * This adds a service principal name to an existing computer account
+ * (found by hostname) in AD.
+ * @param ads An initialized ADS_STRUCT
+--
+2.1.0
+
+
+From ed3b6536e1027a26d7983942f62677aa2bc0e93c Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 24 Sep 2014 09:23:58 +0200
+Subject: [PATCH 2/4] s3-libads: Add function to search for an element in an
+ array.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit e1ee4c8bc7018db7787dd9a0be6d3aa40a477ee2)
+---
+ source3/libads/ads_proto.h | 2 ++
+ source3/libads/ldap.c | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/source3/libads/ads_proto.h b/source3/libads/ads_proto.h
+index 6a22807..1e34247 100644
+--- a/source3/libads/ads_proto.h
++++ b/source3/libads/ads_proto.h
+@@ -88,6 +88,8 @@ ADS_STATUS ads_add_strlist(TALLOC_CTX *ctx, ADS_MODLIST *mods,
+ uint32 ads_get_kvno(ADS_STRUCT *ads, const char *account_name);
+ uint32_t ads_get_machine_kvno(ADS_STRUCT *ads, const char *machine_name);
+
++bool ads_element_in_array(const char **el_array, size_t num_el, const char *el);
++
+ ADS_STATUS ads_get_service_principal_names(TALLOC_CTX *mem_ctx,
+ ADS_STRUCT *ads,
+ const char *machine_name,
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 51a0883..8d104c2 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -1927,6 +1927,37 @@ ADS_STATUS ads_clear_service_principal_names(ADS_STRUCT *ads, const char *machin
+ }
+
+ /**
++ * @brief Search for an element in a string array.
++ *
++ * @param[in] el_array The string array to search.
++ *
++ * @param[in] num_el The number of elements in the string array.
++ *
++ * @param[in] el The string to search.
++ *
++ * @return True if found, false if not.
++ */
++bool ads_element_in_array(const char **el_array, size_t num_el, const char *el)
++{
++ size_t i;
++
++ if (el_array == NULL || num_el == 0 || el == NULL) {
++ return false;
++ }
++
++ for (i = 0; i < num_el && el_array[i] != NULL; i++) {
++ int cmp;
++
++ cmp = strcasecmp_m(el_array[i], el);
++ if (cmp == 0) {
++ return true;
++ }
++ }
++
++ return false;
++}
++
++/**
+ * @brief This gets the service principal names of an existing computer account.
+ *
+ * @param[in] mem_ctx The memory context to use to allocate the spn array.
+--
+2.1.0
+
+
+From 11700f1398d6197a99c686f1a43b45d6305ceae8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 26 Sep 2014 03:09:08 +0200
+Subject: [PATCH 3/4] s3-libnet: Add libnet_join_get_machine_spns().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 7e0b8fcce5572c88d50993a1dbd90f65638ba90f)
+---
+ source3/libnet/libnet_join.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 1418385..3611cc7 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -358,6 +358,26 @@ static ADS_STATUS libnet_join_find_machine_acct(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
++static ADS_STATUS libnet_join_get_machine_spns(TALLOC_CTX *mem_ctx,
++ struct libnet_JoinCtx *r,
++ char ***spn_array,
++ size_t *num_spns)
++{
++ ADS_STATUS status;
++
++ if (r->in.machine_name == NULL) {
++ return ADS_ERROR_SYSTEM(EINVAL);
++ }
++
++ status = ads_get_service_principal_names(mem_ctx,
++ r->in.ads,
++ r->in.machine_name,
++ spn_array,
++ num_spns);
++
++ return status;
++}
++
+ /****************************************************************
+ Set a machines dNSHostName and servicePrincipalName attributes
+ ****************************************************************/
+--
+2.1.0
+
+
+From 472256e27ad5cb5e7657efaece71744269ca8d16 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 26 Sep 2014 03:35:43 +0200
+Subject: [PATCH 4/4] s3-libnet: Make sure we do not overwrite precreated SPNs.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=9984
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Fri Sep 26 08:22:45 CEST 2014 on sn-devel-104
+
+(cherry picked from commit 0aacbe78bb40d76b65087c2a197c92b0101e625e)
+---
+ source3/libnet/libnet_join.c | 39 ++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 36 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 3611cc7..aa7b5cb 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -388,8 +388,10 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ ADS_STATUS status;
+ ADS_MODLIST mods;
+ fstring my_fqdn;
+- const char *spn_array[3] = {NULL, NULL, NULL};
++ const char **spn_array = NULL;
++ size_t num_spns = 0;
+ char *spn = NULL;
++ bool ok;
+
+ /* Find our DN */
+
+@@ -398,6 +400,14 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
++ status = libnet_join_get_machine_spns(mem_ctx,
++ r,
++ discard_const_p(char **, &spn_array),
++ &num_spns);
++ if (!ADS_ERR_OK(status)) {
++ DEBUG(5, ("Retrieving the servicePrincipalNames failed.\n"));
++ }
++
+ /* Windows only creates HOST/shortname & HOST/fqdn. */
+
+ spn = talloc_asprintf(mem_ctx, "HOST/%s", r->in.machine_name);
+@@ -407,7 +417,15 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ if (!strupper_m(spn)) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+- spn_array[0] = spn;
++
++ ok = ads_element_in_array(spn_array, num_spns, spn);
++ if (!ok) {
++ ok = add_string_to_array(spn_array, spn,
++ &spn_array, (int *)&num_spns);
++ if (!ok) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ }
+
+ if (!name_to_fqdn(my_fqdn, r->in.machine_name)
+ || (strchr(my_fqdn, '.') == NULL)) {
+@@ -424,8 +442,23 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ if (!spn) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+- spn_array[1] = spn;
++
++ ok = ads_element_in_array(spn_array, num_spns, spn);
++ if (!ok) {
++ ok = add_string_to_array(spn_array, spn,
++ &spn_array, (int *)&num_spns);
++ if (!ok) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
++ }
++ }
++ }
++
++ /* make sure to NULL terminate the array */
++ spn_array = talloc_realloc(mem_ctx, spn_array, const char *, num_spns + 1);
++ if (spn_array == NULL) {
++ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
++ spn_array[num_spns] = NULL;
+
+ mods = ads_init_mods(mem_ctx);
+ if (!mods) {
+--
+2.1.0
+
diff --git a/SOURCES/samba-4.1.13-fix_idmap_ad_getgroups_without_gid.patch b/SOURCES/samba-4.1.13-fix_idmap_ad_getgroups_without_gid.patch
new file mode 100644
index 0000000..3215f2c
--- /dev/null
+++ b/SOURCES/samba-4.1.13-fix_idmap_ad_getgroups_without_gid.patch
@@ -0,0 +1,42 @@
+From 23dfa2e35bec9c0f6c3d579e7dc2e1d0ce636aa2 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 19 Sep 2014 13:33:10 +0200
+Subject: [PATCH] nsswitch: Skip groups we were not able to map.
+
+If we have configured the idmap_ad backend it is possible that the user
+is in a group without a gid set. This will result in (uid_t)-1 as the
+gid. We return this invalid gid to NSS which is wrong.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10824
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+
+Autobuild-User(master): David Disseldorp <ddiss@samba.org>
+Autobuild-Date(master): Fri Sep 19 17:57:14 CEST 2014 on sn-devel-104
+
+(cherry picked from commit 7f59711f076e98ece099f6b38ff6da8c80fa6d5e)
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ nsswitch/winbind_nss_linux.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/nsswitch/winbind_nss_linux.c b/nsswitch/winbind_nss_linux.c
+index 8d66a74..70ede3e 100644
+--- a/nsswitch/winbind_nss_linux.c
++++ b/nsswitch/winbind_nss_linux.c
+@@ -1101,6 +1101,11 @@ _nss_winbind_initgroups_dyn(char *user, gid_t group, long int *start,
+ continue;
+ }
+
++ /* Skip groups without a mapping */
++ if (gid_list[i] == (uid_t)-1) {
++ continue;
++ }
++
+ /* Filled buffer ? If so, resize. */
+
+ if (*start == *size) {
+--
+2.1.0
+
diff --git a/SOURCES/samba-4.1.13-fix_idmap_ad_sfu_with_trusted_domains.patch b/SOURCES/samba-4.1.13-fix_idmap_ad_sfu_with_trusted_domains.patch
new file mode 100644
index 0000000..394a640
--- /dev/null
+++ b/SOURCES/samba-4.1.13-fix_idmap_ad_sfu_with_trusted_domains.patch
@@ -0,0 +1,44 @@
+From dc6b86b93c8f059b0cc96c364ffad05c88b7d92e Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <cs@samba.org>
+Date: Fri, 22 Aug 2014 09:15:59 -0700
+Subject: [PATCH] s3-winbindd: Use correct realm for trusted domains in idmap child
+
+When authenticating users in a trusted domain, the idmap_ad module
+always connects to a local DC instead of one in the trusted domain.
+
+Fix this by passing the correct realm to connect to.
+
+Also Comment parameters passed to ads_cached_connection_connect
+
+Signed-off-by: Christof Schmitt <cs@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit c203c722e7e22f9146f2ecf6f42452c0e82042e4)
+---
+ source3/winbindd/winbindd_ads.c | 11 +++++++++--
+ 1 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 4c26389..e47613e 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -187,8 +187,15 @@ ADS_STATUS ads_idmap_cached_connection(ADS_STRUCT **adsp, const char *dom_name)
+ }
+ }
+
+- status = ads_cached_connection_connect(adsp, realm, dom_name, ldap_server,
+- password, realm, 0);
++ status = ads_cached_connection_connect(
++ adsp, /* Returns ads struct. */
++ wb_dom->alt_name, /* realm to connect to. */
++ dom_name, /* 'workgroup' name for ads_init */
++ ldap_server, /* DNS name to connect to. */
++ password, /* password for auth realm. */
++ realm, /* realm used for krb5 ticket. */
++ 0); /* renewable ticket time. */
++
+ SAFE_FREE(realm);
+
+ return status;
+--
+1.7.1
+
diff --git a/SOURCES/samba-4.1.13-fix_nmbd_systemd_status_update.patch b/SOURCES/samba-4.1.13-fix_nmbd_systemd_status_update.patch
new file mode 100644
index 0000000..7a7bdf5
--- /dev/null
+++ b/SOURCES/samba-4.1.13-fix_nmbd_systemd_status_update.patch
@@ -0,0 +1,97 @@
+From f73c906237aa0c9d45900d69d31c9b39261f062a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 16 Sep 2014 18:02:30 +0200
+Subject: [PATCH 1/2] lib: Add daemon_status() to util library.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+(cherry picked from commit 9f5f5fa8ebf845c53b7a92557d7aec56ed820320)
+---
+ lib/util/become_daemon.c | 11 +++++++++++
+ lib/util/samba_util.h | 6 ++++++
+ 2 files changed, 17 insertions(+)
+
+diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
+index 35c8b32..688bedd 100644
+--- a/lib/util/become_daemon.c
++++ b/lib/util/become_daemon.c
+@@ -135,3 +135,14 @@ _PUBLIC_ void daemon_ready(const char *daemon)
+ #endif
+ DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
+ }
++
++_PUBLIC_ void daemon_status(const char *name, const char *msg)
++{
++ if (name == NULL) {
++ name = "Samba";
++ }
++#ifdef HAVE_SYSTEMD
++ sd_notifyf(0, "\nSTATUS=%s: %s", name, msg);
++#endif
++ DEBUG(0, ("STATUS=daemon '%s' : %s", name, msg));
++}
+diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
+index e3fe6a6..f4216d8 100644
+--- a/lib/util/samba_util.h
++++ b/lib/util/samba_util.h
+@@ -853,6 +853,12 @@ _PUBLIC_ void exit_daemon(const char *msg, int error);
+ **/
+ _PUBLIC_ void daemon_ready(const char *daemon);
+
++/*
++ * Report the daemon status. For example if it is not ready to serve connections
++ * and is waiting for some event to happen.
++ */
++_PUBLIC_ void daemon_status(const char *name, const char *msg);
++
+ /**
+ * @brief Get a password from the console.
+ *
+--
+2.1.0
+
+
+From 7fcd74039961fa0fb02934bc87ce41fd98234f1a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 16 Sep 2014 18:03:51 +0200
+Subject: [PATCH 2/2] nmbd: Send waiting status to systemd.
+
+This tells the Administrator what's going on and we should log that IPv6
+is not supported.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10816
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Wed Sep 17 13:16:43 CEST 2014 on sn-devel-104
+
+(cherry picked from commit 2df601bff0d949e66c79366b8248b9d950c0b430)
+---
+ source3/nmbd/nmbd_subnetdb.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/source3/nmbd/nmbd_subnetdb.c b/source3/nmbd/nmbd_subnetdb.c
+index 311a240..6c483af 100644
+--- a/source3/nmbd/nmbd_subnetdb.c
++++ b/source3/nmbd/nmbd_subnetdb.c
+@@ -247,8 +247,11 @@ bool create_subnets(void)
+
+ /* Only count IPv4, non-loopback interfaces. */
+ if (iface_count_v4_nl() == 0) {
+- DEBUG(0,("create_subnets: No local IPv4 non-loopback interfaces !\n"));
+- DEBUG(0,("create_subnets: Waiting for an interface to appear ...\n"));
++ daemon_status("nmbd",
++ "No local IPv4 non-loopback interfaces "
++ "available, waiting for interface ...");
++ DEBUG(0,("NOTE: NetBIOS name resolution is not supported for "
++ "Internet Protocol Version 6 (IPv6).\n"));
+ }
+
+ /* We only count IPv4, non-loopback interfaces here. */
+--
+2.1.0
+
diff --git a/SOURCES/samba-4.1.13-fix_smbclient_echo_cmd_segfault.patch b/SOURCES/samba-4.1.13-fix_smbclient_echo_cmd_segfault.patch
new file mode 100644
index 0000000..a1b05b8
--- /dev/null
+++ b/SOURCES/samba-4.1.13-fix_smbclient_echo_cmd_segfault.patch
@@ -0,0 +1,35 @@
+From 0aab8ae3c137e5900d22160555bcef57cd62ca21 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 17 Sep 2014 15:17:50 +0200
+Subject: [PATCH 2/2] libcli: Fix a segfault calling smbXcli_req_set_pending()
+ on NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10817
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Tue Sep 23 04:23:05 CEST 2014 on sn-devel-104
+
+(cherry picked from commit f92086f4a347dcc8fa948aa2614a2c12f1115e5a)
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ libcli/smb/smb1cli_echo.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/libcli/smb/smb1cli_echo.c b/libcli/smb/smb1cli_echo.c
+index 4fb7c60..10dff2d 100644
+--- a/libcli/smb/smb1cli_echo.c
++++ b/libcli/smb/smb1cli_echo.c
+@@ -96,7 +96,6 @@ static void smb1cli_echo_done(struct tevent_req *subreq)
+ NULL, /* pbytes_offset */
+ NULL, /* pinbuf */
+ expected, ARRAY_SIZE(expected));
+- TALLOC_FREE(subreq);
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_nterror(req, status);
+ return;
+--
+2.1.0
+
diff --git a/SOURCES/samba-4.1.13-improve_service_principal_guessing_in_net.patch b/SOURCES/samba-4.1.13-improve_service_principal_guessing_in_net.patch
new file mode 100644
index 0000000..35f4d8c
--- /dev/null
+++ b/SOURCES/samba-4.1.13-improve_service_principal_guessing_in_net.patch
@@ -0,0 +1,180 @@
+From 579901faf787d8d787c978324bdec87c349e3d9b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 23 Sep 2014 14:09:41 +0200
+Subject: [PATCH] s3-libads: Improve service principle guessing.
+
+If the name passed to the net command with the -S options is the long
+hostname of the domaincontroller and not the 15 char NetBIOS name we
+should construct a FQDN with the realm to get a Kerberos ticket.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10829
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 83c62bd3f5945bbe295cbfbd153736d4c709b3a6)
+---
+ source3/libads/sasl.c | 124 +++++++++++++++++++++++++++-----------------------
+ 1 file changed, 66 insertions(+), 58 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 33f4e24..1450ff1 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -714,88 +714,96 @@ static void ads_free_service_principal(struct ads_service_principal *p)
+ static ADS_STATUS ads_guess_service_principal(ADS_STRUCT *ads,
+ char **returned_principal)
+ {
++ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
+ char *princ = NULL;
++ TALLOC_CTX *frame;
++ char *server = NULL;
++ char *realm = NULL;
++ int rc;
+
+- if (ads->server.realm && ads->server.ldap_server) {
+- char *server, *server_realm;
+-
+- server = SMB_STRDUP(ads->server.ldap_server);
+- server_realm = SMB_STRDUP(ads->server.realm);
+-
+- if (!server || !server_realm) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
+- }
++ frame = talloc_stackframe();
++ if (frame == NULL) {
++ return ADS_ERROR(LDAP_NO_MEMORY);
++ }
+
+- if (!strlower_m(server)) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
++ if (ads->server.realm && ads->server.ldap_server) {
++ server = strlower_talloc(frame, ads->server.ldap_server);
++ if (server == NULL) {
++ goto out;
+ }
+
+- if (!strupper_m(server_realm)) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
++ realm = strupper_talloc(frame, ads->server.realm);
++ if (realm == NULL) {
++ goto out;
+ }
+
+- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
+- }
++ /*
++ * If we got a name which is bigger than a NetBIOS name,
++ * but isn't a FQDN, create one.
++ */
++ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
++ char *dnsdomain;
+
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
++ dnsdomain = strlower_talloc(frame, ads->server.realm);
++ if (dnsdomain == NULL) {
++ goto out;
++ }
+
+- if (!princ) {
+- return ADS_ERROR(LDAP_NO_MEMORY);
++ server = talloc_asprintf(frame,
++ "%s.%s",
++ server, dnsdomain);
++ if (server == NULL) {
++ goto out;
++ }
+ }
+ } else if (ads->config.realm && ads->config.ldap_server_name) {
+- char *server, *server_realm;
+-
+- server = SMB_STRDUP(ads->config.ldap_server_name);
+- server_realm = SMB_STRDUP(ads->config.realm);
+-
+- if (!server || !server_realm) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
++ server = strlower_talloc(frame, ads->config.ldap_server_name);
++ if (server == NULL) {
++ goto out;
+ }
+
+- if (!strlower_m(server)) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
++ realm = strupper_talloc(frame, ads->config.realm);
++ if (realm == NULL) {
++ goto out;
+ }
+
+- if (!strupper_m(server_realm)) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
+- }
+- if (asprintf(&princ, "ldap/%s@%s", server, server_realm) == -1) {
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
+- return ADS_ERROR(LDAP_NO_MEMORY);
+- }
++ /*
++ * If we got a name which is bigger than a NetBIOS name,
++ * but isn't a FQDN, create one.
++ */
++ if (strlen(server) > 15 && strstr(server, ".") == NULL) {
++ char *dnsdomain;
+
+- SAFE_FREE(server);
+- SAFE_FREE(server_realm);
++ dnsdomain = strlower_talloc(frame, ads->server.realm);
++ if (dnsdomain == NULL) {
++ goto out;
++ }
+
+- if (!princ) {
+- return ADS_ERROR(LDAP_NO_MEMORY);
++ server = talloc_asprintf(frame,
++ "%s.%s",
++ server, dnsdomain);
++ if (server == NULL) {
++ goto out;
++ }
+ }
+ }
+
+- if (!princ) {
+- return ADS_ERROR(LDAP_PARAM_ERROR);
++ if (server == NULL || realm == NULL) {
++ goto out;
++ }
++
++ rc = asprintf(&princ, "ldap/%s@%s", server, realm);
++ if (rc == -1 || princ == NULL) {
++ status = ADS_ERROR(LDAP_PARAM_ERROR);
++ goto out;
+ }
+
+ *returned_principal = princ;
+
+- return ADS_SUCCESS;
++ status = ADS_SUCCESS;
++out:
++ TALLOC_FREE(frame);
++ return status;
+ }
+
+ static ADS_STATUS ads_generate_service_principal(ADS_STRUCT *ads,
+--
+2.1.0
+
diff --git a/SOURCES/samba-4.1.14-fix_net_ads_join_keytab_segfault.patch b/SOURCES/samba-4.1.14-fix_net_ads_join_keytab_segfault.patch
new file mode 100644
index 0000000..1b8d444
--- /dev/null
+++ b/SOURCES/samba-4.1.14-fix_net_ads_join_keytab_segfault.patch
@@ -0,0 +1,34 @@
+From f1bde6a617471740e895aacc2e679b0f2d0c07a5 Mon Sep 17 00:00:00 2001
+From: Matt Rogers <mrogers@redhat.com>
+Date: Wed, 12 Nov 2014 17:21:05 +0100
+Subject: [PATCH] s3-keytab: fix keytab array NULL termination.
+
+Signed-off-by: Matt Rogers <mrogers@redhat.com>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+---
+ source3/libads/kerberos_keytab.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
+index 43c755c..ae3d80e39 100644
+--- a/source3/libads/kerberos_keytab.c
++++ b/source3/libads/kerberos_keytab.c
+@@ -667,14 +667,13 @@ int ads_keytab_create_default(ADS_STRUCT *ads)
+ goto done;
+ }
+
+- oldEntries = talloc_array(frame, char *, found);
++ oldEntries = talloc_zero_array(frame, char *, found + 1);
+ if (!oldEntries) {
+ DEBUG(1, (__location__ ": Failed to allocate space to store "
+ "the old keytab entries (talloc failed?).\n"));
+ ret = -1;
+ goto done;
+ }
+- memset(oldEntries, '\0', found * sizeof(char *));
+
+ ret = krb5_kt_start_seq_get(context, keytab, &cursor);
+ if (ret == KRB5_KT_END || ret == ENOENT) {
+--
+1.9.3
+
diff --git a/SOURCES/samba-4.1.14-fix_netbios_name_truncation.patch b/SOURCES/samba-4.1.14-fix_netbios_name_truncation.patch
new file mode 100644
index 0000000..9721afa
--- /dev/null
+++ b/SOURCES/samba-4.1.14-fix_netbios_name_truncation.patch
@@ -0,0 +1,154 @@
+From 170166b8a0076089c6a8505f53a22f5b72c15786 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 28 Oct 2014 11:55:30 -0700
+Subject: [PATCH] s3-nmbd: Fix netbios name truncation.
+
+Try and cope with truncation more intelligently.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10896
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 6adcc7bffd5e1474ecba04d2328955c0b208cabc)
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/nmbd/nmbd_nameregister.c | 76 +++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 68 insertions(+), 8 deletions(-)
+
+diff --git a/source3/nmbd/nmbd_nameregister.c b/source3/nmbd/nmbd_nameregister.c
+index 71c4751..8b078e6 100644
+--- a/source3/nmbd/nmbd_nameregister.c
++++ b/source3/nmbd/nmbd_nameregister.c
+@@ -482,17 +482,77 @@ void register_name(struct subnet_record *subrec,
+ {
+ struct nmb_name nmbname;
+ nstring nname;
++ size_t converted_size;
+
+ errno = 0;
+- push_ascii_nstring(nname, name);
+- if (errno == E2BIG) {
+- unstring tname;
+- pull_ascii_nstring(tname, sizeof(tname), nname);
+- DEBUG(0,("register_name: NetBIOS name %s is too long. Truncating to %s\n",
+- name, tname));
+- make_nmb_name(&nmbname, tname, type);
+- } else {
++ converted_size = push_ascii_nstring(nname, name);
++ if (converted_size != (size_t)-1) {
++ /* Success. */
+ make_nmb_name(&nmbname, name, type);
++ } else if (errno == E2BIG) {
++ /*
++ * Name converted to CH_DOS is too large.
++ * try to truncate.
++ */
++ char *converted_str_dos = NULL;
++ char *converted_str_unix = NULL;
++ bool ok;
++
++ converted_size = 0;
++
++ ok = convert_string_talloc(talloc_tos(),
++ CH_UNIX,
++ CH_DOS,
++ name,
++ strlen(name)+1,
++ &converted_str_dos,
++ &converted_size);
++ if (!ok) {
++ DEBUG(0,("register_name: NetBIOS name %s cannot be "
++ "converted. Failing to register name.\n",
++ name));
++ return;
++ }
++
++ /*
++ * As it's now CH_DOS codepage
++ * we truncate by writing '\0' at
++ * MAX_NETBIOSNAME_LEN-1 and then
++ * convert back to CH_UNIX which we
++ * need for the make_nmb_name() call.
++ */
++ if (converted_size >= MAX_NETBIOSNAME_LEN) {
++ converted_str_dos[MAX_NETBIOSNAME_LEN-1] = '\0';
++ }
++
++ ok = convert_string_talloc(talloc_tos(),
++ CH_DOS,
++ CH_UNIX,
++ converted_str_dos,
++ strlen(converted_str_dos)+1,
++ &converted_str_unix,
++ &converted_size);
++ if (!ok) {
++ DEBUG(0,("register_name: NetBIOS name %s cannot be "
++ "converted back to CH_UNIX. "
++ "Failing to register name.\n",
++ converted_str_dos));
++ TALLOC_FREE(converted_str_dos);
++ return;
++ }
++
++ make_nmb_name(&nmbname, converted_str_unix, type);
++
++ TALLOC_FREE(converted_str_dos);
++ TALLOC_FREE(converted_str_unix);
++ } else {
++ /*
++ * Generic conversion error. Fail to register.
++ */
++ DEBUG(0,("register_name: NetBIOS name %s cannot be "
++ "converted (%s). Failing to register name.\n",
++ name, strerror(errno)));
++ return;
+ }
+
+ /* Always set the NB_ACTIVE flag on the name we are
+--
+2.1.2
+
+From 653a1c312e6b85f1d8113beec52a27e0ba71ef79 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 31 Oct 2014 11:01:26 -0700
+Subject: [PATCH] s3: nmbd: Ensure NetBIOS names are only 15 characters stored.
+
+This screws up if the name is greater than MAX_NETBIOSNAME_LEN-1 in the
+unix charset, but less than or equal to MAX_NETBIOSNAME_LEN-1 in the DOS
+charset, but this is so old we have to live with that.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10920
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+(cherry picked from commit 7467f6e72cba214eeca75c34e9d9fba354c7ef31)
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/lib/util_names.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/lib/util_names.c b/source3/lib/util_names.c
+index cf54a0e..1392b48 100644
+--- a/source3/lib/util_names.c
++++ b/source3/lib/util_names.c
+@@ -60,7 +60,15 @@ static bool set_my_netbios_names(const char *name, int i)
+ {
+ SAFE_FREE(smb_my_netbios_names[i]);
+
+- smb_my_netbios_names[i] = SMB_STRDUP(name);
++ /*
++ * Don't include space for terminating '\0' in strndup,
++ * it is automatically added. This screws up if the name
++ * is greater than MAX_NETBIOSNAME_LEN-1 in the unix
++ * charset, but less than or equal to MAX_NETBIOSNAME_LEN-1
++ * in the DOS charset, but this is so old we have to live
++ * with that.
++ */
++ smb_my_netbios_names[i] = SMB_STRNDUP(name, MAX_NETBIOSNAME_LEN-1);
+ if (!smb_my_netbios_names[i])
+ return False;
+ return strupper_m(smb_my_netbios_names[i]);
+--
+2.1.2
+
diff --git a/SOURCES/samba-4.1.14-net_ads_join_segfault_on_bigendian.patch b/SOURCES/samba-4.1.14-net_ads_join_segfault_on_bigendian.patch
new file mode 100644
index 0000000..9b087e9
--- /dev/null
+++ b/SOURCES/samba-4.1.14-net_ads_join_segfault_on_bigendian.patch
@@ -0,0 +1,351 @@
+From d9eb1359d86b47f3d1ef9f20523aeabd844befc8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 14 Nov 2014 13:47:16 +0100
+Subject: [PATCH 1/3] s3-proto: remove duplicate proto for
+ add_string_to_array().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/include/proto.h | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 255948f..ce23289 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -702,9 +702,6 @@ int ipstr_list_parse(const char *ipstr_list, struct ip_service **ip_list);
+ void ipstr_list_free(char* ipstr_list);
+ uint64_t STR_TO_SMB_BIG_UINT(const char *nptr, const char **entptr);
+ uint64_t conv_str_size(const char * str);
+-bool add_string_to_array(TALLOC_CTX *mem_ctx,
+- const char *str, const char ***strings,
+- int *num);
+ void sprintf_append(TALLOC_CTX *mem_ctx, char **string, ssize_t *len,
+ size_t *bufsize, const char *fmt, ...);
+ int asprintf_strupper_m(char **strp, const char *fmt, ...);
+--
+1.9.3
+
+
+From ee8ddb8e02f70e9d6050490d96a87e4fd2297a05 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 14 Nov 2014 13:27:45 +0100
+Subject: [PATCH 2/3] lib/util: use size_t for add_string_to_array().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ lib/util/samba_util.h | 2 +-
+ lib/util/util_strlist.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
+index 2f762ac..1c7ae79 100644
+--- a/lib/util/samba_util.h
++++ b/lib/util/samba_util.h
+@@ -253,7 +253,7 @@ _PUBLIC_ char *rfc1738_escape_part(TALLOC_CTX *mem_ctx, const char *url);
+ * number of elements in strings. It will be updated by this function.
+ */
+ _PUBLIC_ bool add_string_to_array(TALLOC_CTX *mem_ctx,
+- const char *str, const char ***strings, int *num);
++ const char *str, const char ***strings, size_t *num);
+
+ /**
+ varient of strcmp() that handles NULL ptrs
+diff --git a/lib/util/util_strlist.c b/lib/util/util_strlist.c
+index 9dd4ab3..987fdfb 100644
+--- a/lib/util/util_strlist.c
++++ b/lib/util/util_strlist.c
+@@ -453,7 +453,7 @@ _PUBLIC_ const char **str_list_append_const(const char **list1,
+ * number of elements in strings. It will be updated by this function.
+ */
+ _PUBLIC_ bool add_string_to_array(TALLOC_CTX *mem_ctx,
+- const char *str, const char ***strings, int *num)
++ const char *str, const char ***strings, size_t *num)
+ {
+ char *dup_str = talloc_strdup(mem_ctx, str);
+
+--
+1.9.3
+
+
+From a62cc2ce447870b4f4ab6ebf9c8d999af054d06f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 14 Nov 2014 14:12:26 +0100
+Subject: [PATCH 3/3] samba: pass down size_t instead of int to
+ add_string_to_array().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Mon Nov 17 19:53:22 CET 2014 on sn-devel-104
+---
+ libcli/ldap/ldap_message.h | 2 +-
+ libgpo/gpext/gpext.c | 2 +-
+ source3/lib/eventlog/eventlog.c | 2 +-
+ source3/libads/ldap.c | 2 +-
+ source3/libnet/libnet_join.c | 4 ++--
+ source3/rpc_server/lsa/srv_lsa_nt.c | 2 +-
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
+ source3/rpc_server/spoolss/srv_spoolss_nt.c | 3 ++-
+ source3/rpcclient/cmd_spoolss.c | 5 +++--
+ source3/winbindd/winbindd_cm.c | 2 +-
+ source4/torture/rpc/samba3rpc.c | 4 ++--
+ source4/torture/rpc/samr.c | 2 +-
+ source4/torture/rpc/wkssvc.c | 10 +++++-----
+ 13 files changed, 22 insertions(+), 20 deletions(-)
+
+diff --git a/libcli/ldap/ldap_message.h b/libcli/ldap/ldap_message.h
+index 4385fe6..2f64881 100644
+--- a/libcli/ldap/ldap_message.h
++++ b/libcli/ldap/ldap_message.h
+@@ -104,7 +104,7 @@ struct ldap_SearchRequest {
+ uint32_t sizelimit;
+ bool attributesonly;
+ struct ldb_parse_tree *tree;
+- int num_attributes;
++ size_t num_attributes;
+ const char * const *attributes;
+ };
+
+diff --git a/libgpo/gpext/gpext.c b/libgpo/gpext/gpext.c
+index 2afcfec..1320dad 100644
+--- a/libgpo/gpext/gpext.c
++++ b/libgpo/gpext/gpext.c
+@@ -524,7 +524,7 @@ static NTSTATUS gp_glob_ext_list(TALLOC_CTX *mem_ctx,
+ name[PTR_DIFF(p, dirent->d_name)] = 0;
+
+ if (!add_string_to_array(mem_ctx, name, ext_list,
+- (int *)ext_list_len)) {
++ ext_list_len)) {
+ closedir(dir);
+ return NT_STATUS_NO_MEMORY;
+ }
+diff --git a/source3/lib/eventlog/eventlog.c b/source3/lib/eventlog/eventlog.c
+index 81957b1..34752fd 100644
+--- a/source3/lib/eventlog/eventlog.c
++++ b/source3/lib/eventlog/eventlog.c
+@@ -586,7 +586,7 @@ bool parse_logentry( TALLOC_CTX *mem_ctx, char *line, struct eventlog_Record_tdb
+ }
+ } else if ( 0 == strncmp( start, "STR", stop - start ) ) {
+ size_t tmp_len;
+- int num_of_strings;
++ size_t num_of_strings;
+ /* skip past initial ":" */
+ stop++;
+ /* now skip any other leading whitespace */
+diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
+index 06b4895..b46f510 100644
+--- a/source3/libads/ldap.c
++++ b/source3/libads/ldap.c
+@@ -3288,7 +3288,7 @@ ADS_STATUS ads_get_joinable_ous(ADS_STRUCT *ads,
+
+ if (!add_string_to_array(mem_ctx, dn,
+ (const char ***)ous,
+- (int *)num_ous)) {
++ num_ous)) {
+ TALLOC_FREE(dn);
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index be953ae..7c70d35 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -423,7 +423,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (!ok) {
+ ok = add_string_to_array(spn_array, spn,
+- &spn_array, (int *)&num_spns);
++ &spn_array, &num_spns);
+ if (!ok) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+@@ -448,7 +448,7 @@ static ADS_STATUS libnet_join_set_machine_spn(TALLOC_CTX *mem_ctx,
+ ok = ads_element_in_array(spn_array, num_spns, spn);
+ if (!ok) {
+ ok = add_string_to_array(spn_array, spn,
+- &spn_array, (int *)&num_spns);
++ &spn_array, &num_spns);
+ if (!ok) {
+ return ADS_ERROR_LDAP(LDAP_NO_MEMORY);
+ }
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 67909aa..039206b 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -3335,7 +3335,7 @@ static NTSTATUS init_lsa_right_set(TALLOC_CTX *mem_ctx,
+ uint32 i;
+ const char *privname;
+ const char **privname_array = NULL;
+- int num_priv = 0;
++ size_t num_priv = 0;
+
+ for (i=0; i<privileges->count; i++) {
+ if (privileges->set[i].luid.high) {
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index de30106..fdcc847 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -397,7 +397,7 @@ NTSTATUS _netr_NetrEnumerateTrustedDomains(struct pipes_struct *p,
+ NTSTATUS status;
+ NTSTATUS result = NT_STATUS_OK;
+ DATA_BLOB blob;
+- int num_domains = 0;
++ size_t num_domains = 0;
+ const char **trusted_domains = NULL;
+ struct lsa_DomainList domain_list;
+ struct dcerpc_binding_handle *h = NULL;
+diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+index f6fbfda..1226ec1 100644
+--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+@@ -4902,7 +4902,8 @@ static WERROR string_array_from_driver_info(TALLOC_CTX *mem_ctx,
+ const char *arch,
+ int version)
+ {
+- int i, num_strings = 0;
++ int i;
++ size_t num_strings = 0;
+ const char **array = NULL;
+
+ if (string_array == NULL) {
+diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
+index fb011f8..c2b1e3d 100644
+--- a/source3/rpcclient/cmd_spoolss.c
++++ b/source3/rpcclient/cmd_spoolss.c
+@@ -1659,7 +1659,7 @@ static bool init_drv_info_3_members(TALLOC_CTX *mem_ctx, struct spoolss_AddDrive
+ char *args)
+ {
+ char *str, *str2;
+- int count = 0;
++ size_t count = 0;
+ char *saveptr = NULL;
+ struct spoolss_StringArray *deps;
+ const char **file_array = NULL;
+@@ -2636,7 +2636,8 @@ static WERROR cmd_spoolss_setprinterdata(struct rpc_pipe_client *cli,
+ data.binary = strhex_to_data_blob(mem_ctx, argv[4]);
+ break;
+ case REG_MULTI_SZ: {
+- int i, num_strings;
++ int i;
++ size_t num_strings;
+ const char **strings = NULL;
+
+ num_strings = 0;
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 5071e02..52e3fa1 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -1631,7 +1631,7 @@ static bool find_new_dc(TALLOC_CTX *mem_ctx,
+ int num_dcs = 0;
+
+ const char **dcnames = NULL;
+- int num_dcnames = 0;
++ size_t num_dcnames = 0;
+
+ struct sockaddr_storage *addrs = NULL;
+ int num_addrs = 0;
+diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
+index 406eb9a..ff1a53c 100644
+--- a/source4/torture/rpc/samba3rpc.c
++++ b/source4/torture/rpc/samba3rpc.c
+@@ -2634,7 +2634,7 @@ static bool rap_get_servername(struct torture_context *tctx,
+ static bool find_printers(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ const char ***printers,
+- int *num_printers)
++ size_t *num_printers)
+ {
+ struct srvsvc_NetShareEnum r;
+ struct srvsvc_NetShareInfoCtr info_ctr;
+@@ -2771,7 +2771,7 @@ static bool torture_samba3_rpc_spoolss(struct torture_context *torture)
+ struct dcerpc_binding_handle *b;
+ struct policy_handle server_handle, printer_handle;
+ const char **printers;
+- int num_printers;
++ size_t num_printers;
+ struct spoolss_UserLevel1 userlevel1;
+ char *servername;
+
+diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
+index 7dfd183..293b672 100644
+--- a/source4/torture/rpc/samr.c
++++ b/source4/torture/rpc/samr.c
+@@ -7258,7 +7258,7 @@ static bool test_GroupList(struct dcerpc_binding_handle *b,
+ uint32_t returned_size;
+ union samr_DispInfo info;
+
+- int num_names = 0;
++ size_t num_names = 0;
+ const char **names = NULL;
+
+ bool builtin_domain = dom_sid_compare(domain_sid,
+diff --git a/source4/torture/rpc/wkssvc.c b/source4/torture/rpc/wkssvc.c
+index 5bf64af..0927200 100644
+--- a/source4/torture/rpc/wkssvc.c
++++ b/source4/torture/rpc/wkssvc.c
+@@ -530,7 +530,7 @@ static bool test_NetrEnumerateComputerNames_level(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
+ uint16_t level,
+ const char ***names,
+- int *num_names)
++ size_t *num_names)
+ {
+ NTSTATUS status;
+ struct wkssvc_NetrEnumerateComputerNames r;
+@@ -666,7 +666,7 @@ static bool test_NetrAddAlternateComputerName(struct torture_context *tctx,
+ NTSTATUS status;
+ struct wkssvc_NetrAddAlternateComputerName r;
+ const char **names = NULL;
+- int num_names = 0;
++ size_t num_names = 0;
+ int i;
+ struct dcerpc_binding_handle *b = p->binding_handle;
+
+@@ -708,7 +708,7 @@ static bool test_NetrRemoveAlternateComputerName(struct torture_context *tctx,
+ NTSTATUS status;
+ struct wkssvc_NetrRemoveAlternateComputerName r;
+ const char **names = NULL;
+- int num_names = 0;
++ size_t num_names = 0;
+ int i;
+ struct dcerpc_binding_handle *b = p->binding_handle;
+
+@@ -781,7 +781,7 @@ static bool test_NetrSetPrimaryComputername(struct torture_context *tctx,
+ */
+
+ const char **names_o = NULL, **names = NULL;
+- int num_names_o = 0, num_names = 0;
++ size_t num_names_o = 0, num_names = 0;
+
+ torture_comment(tctx, "Testing NetrSetPrimaryComputername\n");
+
+@@ -887,7 +887,7 @@ static bool test_NetrRenameMachineInDomain2(struct torture_context *tctx,
+ struct dcerpc_pipe *p)
+ {
+ const char **names_o = NULL, **names = NULL;
+- int num_names_o = 0, num_names = 0;
++ size_t num_names_o = 0, num_names = 0;
+
+ torture_comment(tctx, "Testing NetrRenameMachineInDomain2\n");
+
+--
+1.9.3
+
diff --git a/SOURCES/samba-4.1.14-smbclinet_fix_return_of_tcb_browsing.patch b/SOURCES/samba-4.1.14-smbclinet_fix_return_of_tcb_browsing.patch
new file mode 100644
index 0000000..957a162
--- /dev/null
+++ b/SOURCES/samba-4.1.14-smbclinet_fix_return_of_tcb_browsing.patch
@@ -0,0 +1,29 @@
+From 01da57ebc9d5434b2d406c1d9405ec958443d78e Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 24 Nov 2014 16:26:13 +0100
+Subject: [PATCH 1/2] s3-smbclient: Return success if we listed the shares.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10960
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ source3/client/client.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/client/client.c b/source3/client/client.c
+index ab46cb8..20932cc 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -5307,7 +5307,7 @@ static int do_host_query(const char *query_host)
+
+ if (cli == NULL) {
+ d_printf("NetBIOS over TCP disabled -- no workgroup available\n");
+- return 1;
++ return 0;
+ }
+
+ cli_set_timeout(cli, io_timeout*1000);
+--
+2.1.2
+
diff --git a/SOURCES/samba-4.1.14-smbstatus_fix_profiles_exit_code.patch b/SOURCES/samba-4.1.14-smbstatus_fix_profiles_exit_code.patch
new file mode 100644
index 0000000..a486789
--- /dev/null
+++ b/SOURCES/samba-4.1.14-smbstatus_fix_profiles_exit_code.patch
@@ -0,0 +1,43 @@
+From a01d4b38b1095c498fd0dedbbfe09ce42d6207e3 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 24 Nov 2014 17:46:27 +0100
+Subject: [PATCH 2/2] s3-smbstatus: Fix exit code of profile output.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10961
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+---
+ source3/utils/status.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/status.c b/source3/utils/status.c
+index 9cb4d8b..2c21ee4 100644
+--- a/source3/utils/status.c
++++ b/source3/utils/status.c
+@@ -365,6 +365,7 @@ int main(int argc, const char *argv[])
+ TALLOC_CTX *frame = talloc_stackframe();
+ int ret = 0;
+ struct messaging_context *msg_ctx;
++ bool ok;
+
+ sec_init();
+ load_case_tables();
+@@ -464,10 +465,12 @@ int main(int argc, const char *argv[])
+ switch (profile_only) {
+ case 'P':
+ /* Dump profile data */
+- return status_profile_dump(verbose);
++ ok = status_profile_dump(verbose);
++ return ok ? 0 : 1;
+ case 'R':
+ /* Continuously display rate-converted data */
+- return status_profile_rates(verbose);
++ ok = status_profile_rates(verbose);
++ return ok ? 0 : 1;
+ default:
+ break;
+ }
+--
+2.1.2
+
diff --git a/SOURCES/samba-4.1.14-smbstatus_print_root_only_message.patch b/SOURCES/samba-4.1.14-smbstatus_print_root_only_message.patch
new file mode 100644
index 0000000..50f6a1c
--- /dev/null
+++ b/SOURCES/samba-4.1.14-smbstatus_print_root_only_message.patch
@@ -0,0 +1,40 @@
+From 6f12155432a5769e69b4b8794e332c2d0e48a9de Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 16 Dec 2014 15:52:43 +0100
+Subject: [PATCH] smbstatus: Tell the user that smbstatus can only be run as
+ root.
+
+In the meantime smbstatus tries to collection information from tdb's
+which are only accessible by root as they contain sensitive information
+like session keys and other secrets. This means smbstatus can no longer
+be executed as a user.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11012
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+(cherry picked from commit c079ae65f45e6c19b9549084b09b83ae9118a276)
+---
+ source3/utils/status.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/utils/status.c b/source3/utils/status.c
+index 9ce92aa..18f2749 100644
+--- a/source3/utils/status.c
++++ b/source3/utils/status.c
+@@ -376,6 +376,12 @@ static void print_notify_recs(const char *path,
+ goto done;
+ }
+
++ if (getuid() != 0) {
++ d_printf("smbstatus only works as root!\n");
++ ret = 1;
++ goto done;
++ }
++
+ pc = poptGetContext(NULL, argc, (const char **) argv, long_options,
+ POPT_CONTEXT_KEEP_FIRST);
+
+--
+2.2.0
+
diff --git a/SOURCES/samba-4.1.15-fix_authentication_with_long_netbios_name_set.patch b/SOURCES/samba-4.1.15-fix_authentication_with_long_netbios_name_set.patch
new file mode 100644
index 0000000..86885a4
--- /dev/null
+++ b/SOURCES/samba-4.1.15-fix_authentication_with_long_netbios_name_set.patch
@@ -0,0 +1,37 @@
+From 128ab365f7ee075d87640d96c4b6c2170ce9bca7 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Mon, 12 Jan 2015 18:12:13 +0100
+Subject: [PATCH] s3-util: Fix authentication with long hostnames.
+
+If the hostname is longer than MAX_NETBIOSNAME_LEN we fail to correctly
+check the hostname.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11008
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+(cherry picked from commit da2611adef32107f5a0eec97501c01232ab72efc)
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ source3/lib/util.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/lib/util.c b/source3/lib/util.c
+index f64e2a3..9e6ac9c 100644
+--- a/source3/lib/util.c
++++ b/source3/lib/util.c
+@@ -1192,7 +1192,9 @@ bool is_myname(const char *s)
+ bool ret = False;
+
+ for (n=0; my_netbios_names(n); n++) {
+- if (strequal(my_netbios_names(n), s)) {
++ const char *nbt_name = my_netbios_names(n);
++
++ if (strncasecmp_m(nbt_name, s, strlen(nbt_name)) == 0) {
+ ret=True;
+ break;
+ }
+--
+2.2.1
+
diff --git a/SOURCES/samba-4.1.15-fix_kerberos_fetch_pac_segfault.patch b/SOURCES/samba-4.1.15-fix_kerberos_fetch_pac_segfault.patch
new file mode 100644
index 0000000..a2783c8
--- /dev/null
+++ b/SOURCES/samba-4.1.15-fix_kerberos_fetch_pac_segfault.patch
@@ -0,0 +1,65 @@
+From de7f0d81a33803f4f24b587dc00f9dc16689b059 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Wed, 7 Jan 2015 17:12:54 +0100
+Subject: [PATCH] s3-libads: Fix a possible segfault in kerberos_fetch_pac().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11037
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit a13e29cc4345d85ab6fe4482119386b87e4e8673)
+---
+ source3/libads/authdata.c | 26 +++++++++++++-------------
+ 1 file changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index 18a2e4f..d3a0992 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -61,7 +61,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- if (pac_blob) {
++ if (pac_blob != NULL) {
+ status = kerberos_decode_pac(tmp_ctx,
+ *pac_blob,
+ NULL,
+@@ -73,22 +73,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+- }
+
+- pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
+- if (pac_data_ctr == NULL) {
+- status = NT_STATUS_NO_MEMORY;
+- goto done;
+- }
++ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
++ if (pac_data_ctr == NULL) {
++ status = NT_STATUS_NO_MEMORY;
++ goto done;
++ }
+
+- talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
++ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
+
+- pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
+- pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+- pac_blob->data,
+- pac_blob->length);
++ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
++ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
++ pac_blob->data,
++ pac_blob->length);
+
+- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
++ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
++ }
+
+ *session_info = talloc_zero(mem_ctx, struct auth_session_info);
+ if (!*session_info) {
+--
+2.2.1
+
diff --git a/SOURCES/samba-4.1.15-fix_net_time_segfault.patch b/SOURCES/samba-4.1.15-fix_net_time_segfault.patch
new file mode 100644
index 0000000..085a1b7
--- /dev/null
+++ b/SOURCES/samba-4.1.15-fix_net_time_segfault.patch
@@ -0,0 +1,125 @@
+From 389170e609310395cb77edafdd7298cdfdfdc235 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Fri, 16 Jan 2015 16:18:45 +0100
+Subject: [PATCH 1/2] cli_connect_nb_send: don't segfault on host == NULL.
+
+The functions called futher down can cope with host == NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058
+
+This is part one of the bugfix:
+This ensures that it is enough to pass one of host or address to the function.
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit a0a254f74234bed6c9a0c71a5bda8254fa6f633f)
+---
+ source3/libsmb/cliconnect.c | 22 +++++++++++++++-------
+ 1 file changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 13e7704..5255e8a 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -2995,21 +2995,29 @@ static struct tevent_req *cli_connect_nb_send(
+ {
+ struct tevent_req *req, *subreq;
+ struct cli_connect_nb_state *state;
+- char *p;
+
+ req = tevent_req_create(mem_ctx, &state, struct cli_connect_nb_state);
+ if (req == NULL) {
+ return NULL;
+ }
+- state->desthost = host;
+ state->signing_state = signing_state;
+ state->flags = flags;
+
+- p = strchr(host, '#');
+- if (p != NULL) {
+- name_type = strtol(p+1, NULL, 16);
+- host = talloc_strndup(state, host, p - host);
+- if (tevent_req_nomem(host, req)) {
++ if (host != NULL) {
++ char *p = strchr(host, '#');
++
++ if (p != NULL) {
++ name_type = strtol(p+1, NULL, 16);
++ host = talloc_strndup(state, host, p - host);
++ if (tevent_req_nomem(host, req)) {
++ return tevent_req_post(req, ev);
++ }
++ }
++
++ state->desthost = host;
++ } else {
++ state->desthost = print_canonical_sockaddr(state, dest_ss);
++ if (tevent_req_nomem(state->desthost, req)) {
+ return tevent_req_post(req, ev);
+ }
+ }
+--
+2.2.2
+
+
+From ff6f3e175262d802fa64ef78e7047dbf136b2722 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Tue, 13 Jan 2015 17:04:26 +0100
+Subject: [PATCH 2/2] utils: Fix 'net time' segfault.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11058
+
+This is part two of the bugfix. Make sure we pass the IP we found to
+cli_servertime(). Hence we always pass at least one of name or IP.
+
+Pair-Programmed-With: Michael Adam <obnox@samba.org>
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 45829800eb3f3a8aeccfe7c1114dcf9df60371d5)
+---
+ source3/utils/net_time.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/source3/utils/net_time.c b/source3/utils/net_time.c
+index 56ce8f7..595d903 100644
+--- a/source3/utils/net_time.c
++++ b/source3/utils/net_time.c
+@@ -226,16 +226,23 @@ int net_time(struct net_context *c, int argc, const char **argv)
+ return 0;
+ }
+
+- if (!c->opt_host && !c->opt_have_ip &&
+- !find_master_ip(c->opt_target_workgroup, &c->opt_dest_ip)) {
+- d_fprintf(stderr, _("Could not locate a time server. Try "
+- "specifying a target host.\n"));
+- net_time_usage(c, argc,argv);
+- return -1;
++ if (c->opt_host == NULL && !c->opt_have_ip) {
++ bool ok;
++
++ ok = find_master_ip(c->opt_target_workgroup, &c->opt_dest_ip);
++ if (!ok) {
++ d_fprintf(stderr,
++ _("Could not locate a time server. "
++ "Try specifying a target host.\n"));
++ net_time_usage(c, argc, argv);
++ return -1;
++ }
++ c->opt_have_ip = true;
+ }
+
+ /* default - print the time */
+- t = cli_servertime(c->opt_host, c->opt_have_ip? &c->opt_dest_ip : NULL,
++ t = cli_servertime(c->opt_host,
++ c->opt_have_ip? &c->opt_dest_ip : NULL,
+ NULL);
+ if (t == 0) return -1;
+
+--
+2.2.2
+
diff --git a/SOURCES/samba-4.1.2-doc.patch b/SOURCES/samba-4.1.2-doc.patch
index 93aa45c..c94bc31 100644
--- a/SOURCES/samba-4.1.2-doc.patch
+++ b/SOURCES/samba-4.1.2-doc.patch
@@ -21,4226 +21,88 @@ Autobuild-Date(master): Wed Jul 10 16:45:07 CEST 2013 on sn-devel-104
docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)
-diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
-index e2b2cee..a1a2f97 100644
---- a/docs-xml/manpages/dbwrap_tool.1.xml
-+++ b/docs-xml/manpages/dbwrap_tool.1.xml
-@@ -49,7 +49,7 @@
- <listitem><para>fetch: fetch a record</para></listitem>
- <listitem><para>store: create or modify a record</para></listitem>
- <listitem><para>delete: remove a record</para></listitem>
-- <listitem><para>exists: test for existance of a record</para></listitem>
-+ <listitem><para>exists: test for existence of a record</para></listitem>
- <listitem><para>erase: remove all records</para></listitem>
- <listitem><para>listkeys: list all available records</para></listitem>
- <listitem><para>listwatchers: list processes, which are waiting for changes in a record</para></listitem>
-diff --git a/docs-xml/manpages/idmap_autorid.8.xml b/docs-xml/manpages/idmap_autorid.8.xml
-index c35f903..7446d53 100644
---- a/docs-xml/manpages/idmap_autorid.8.xml
-+++ b/docs-xml/manpages/idmap_autorid.8.xml
-@@ -109,7 +109,7 @@
- <title>EXAMPLES</title>
- <para>
- This example shows you the minimal configuration that will
-- work for the principial domain and 19 trusted domains / range
-+ work for the principal domain and 19 trusted domains / range
- extensions.
- </para>
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index dd5b3ab..0df2e07 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -1671,7 +1671,7 @@ shares created by other users.
-
- <para>Starting with version 3.2.0, a Samba server can be configured by data
- stored in registry. This configuration data can be edited with the new "net
--conf" commands. There is also the possiblity to configure a remote Samba server
-+conf" commands. There is also the possibility to configure a remote Samba server
- by enabling the RPC conf mode and specifying the the address of the remote server.
- </para>
-
-diff --git a/docs-xml/manpages/pdbedit.8.xml b/docs-xml/manpages/pdbedit.8.xml
-index 4bb3751..c5d6b23 100644
---- a/docs-xml/manpages/pdbedit.8.xml
-+++ b/docs-xml/manpages/pdbedit.8.xml
-@@ -289,7 +289,7 @@ retype new password
- </programlisting>
- </para>
-
-- <note><para>pdbedit does not call the unix password syncronisation
-+ <note><para>pdbedit does not call the unix password synchronization
- script if <smbconfoption name="unix password sync"/>
- has been set. It only updates the data in the Samba
- user database.
-diff --git a/docs-xml/manpages/samba.7.xml b/docs-xml/manpages/samba.7.xml
-index 9299660..cedb4e4 100644
---- a/docs-xml/manpages/samba.7.xml
-+++ b/docs-xml/manpages/samba.7.xml
-@@ -91,7 +91,7 @@
- <manvolnum>8</manvolnum></citerefentry></term>
- <listitem><para>The <command>samba-tool</command>
- is the main Samba Administration tool regarding
-- Acitive Directory services.</para>
-+ Active Directory services.</para>
+Index: samba-4.1.11/docs-xml/manpages/smbstatus.1.xml
+===================================================================
+--- samba-4.1.11.orig/docs-xml/manpages/smbstatus.1.xml
++++ samba-4.1.11/docs-xml/manpages/smbstatus.1.xml
+@@ -137,6 +137,13 @@
</listitem>
</varlistentry>
-diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
-index 328fd50..b222c56 100644
---- a/docs-xml/manpages/smbclient.1.xml
-+++ b/docs-xml/manpages/smbclient.1.xml
-@@ -564,7 +564,7 @@
- sent to the server on directory listings and file opens. If
- the "backup intent" flag is true, the server will try and
- bypass some file system checks if the user has been granted
-- SE_BACKUP or SE_RESTORE privilages. This state is useful when
-+ SE_BACKUP or SE_RESTORE privileges. This state is useful when
- performing a backup or restore operation.
- </para></listitem>
- </varlistentry>
-diff --git a/docs-xml/manpages/smbpasswd.5.xml b/docs-xml/manpages/smbpasswd.5.xml
-index fc512b8..986dedb 100644
---- a/docs-xml/manpages/smbpasswd.5.xml
-+++ b/docs-xml/manpages/smbpasswd.5.xml
-@@ -39,7 +39,7 @@
- <para>The format of the smbpasswd file used by Samba 2.2
- is very similar to the familiar Unix <filename>passwd(5)</filename>
- file. It is an ASCII file containing one line for each user. Each field
-- ithin each line is separated from the next by a colon. Any entry
-+ within each line is separated from the next by a colon. Any entry
- beginning with '#' is ignored. The smbpasswd file contains the
- following information for each user: </para>
-
-diff --git a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
-index 0daafc6..38644e7 100644
---- a/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
-+++ b/docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml
-@@ -139,7 +139,7 @@
- The module now can identify itself against the receiver with a sub-release number, where
- the receiver may run with a different sub-release number than the module. However, as
- long as both run on the V2.x protocol, the receiver will not crash, even if the module
-- uses features only implemented in the newer subrelease. Ultimatively, if the module uses
-+ uses features only implemented in the newer subrelease. Ultimately, if the module uses
- a new feature from a newer subrelease, and the receiver runs an older protocol, it is just
- ignoring the functionality. Of course it is best to have both the receiver and the module
- running the same subrelease of the protocol.
---
-1.8.3.1
-
-From 16a873bf7c5c3d236e4bc107953dc6f3159764a2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:42:06 +0200
-Subject: [PATCH 01/83] docs: remove duplicate word "the" in idmap_ad manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/idmap_ad.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/idmap_ad.8.xml b/docs-xml/manpages/idmap_ad.8.xml
-index 2ae490b..56378c1 100644
---- a/docs-xml/manpages/idmap_ad.8.xml
-+++ b/docs-xml/manpages/idmap_ad.8.xml
-@@ -31,7 +31,7 @@
-
- <para>
- Currently, the <parameter>ad</parameter> backend
-- does not work as the the default idmap backend, but one has
-+ does not work as the default idmap backend, but one has
- to configure it separately for each domain for which one wants
- to use it, using disjoint ranges. One usually needs to configure
- a writeable default idmap range, using for example the
---
-1.8.3.1
-
-
-From f17f61a4c0d5c13a273eae0b72521e464b1d3d8f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:44:12 +0200
-Subject: [PATCH 02/83] docs: remove duplicate word "name" in nmblookup
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmblookup.1.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/nmblookup.1.xml b/docs-xml/manpages/nmblookup.1.xml
-index bb4bd96..12c707f 100644
---- a/docs-xml/manpages/nmblookup.1.xml
-+++ b/docs-xml/manpages/nmblookup.1.xml
-@@ -57,7 +57,7 @@
- <varlistentry>
- <term>-M</term>
- <listitem><para>Searches for a master browser by looking
-- up the NetBIOS name <replaceable>name</replaceable> with a
-+ up the NetBIOS <replaceable>name</replaceable> with a
- type of <constant>0x1d</constant>. If <replaceable>
- name</replaceable> is "-" then it does a lookup on the special name
- <constant>__MSBROWSE__</constant>. Please note that in order to
---
-1.8.3.1
-
-
-From 4112eb0529780113716c6032561504196be8235f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:45:21 +0200
-Subject: [PATCH 03/83] docs: remove duplicate word "name" in nmblookup4
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- libcli/nbt/man/nmblookup4.1.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libcli/nbt/man/nmblookup4.1.xml b/libcli/nbt/man/nmblookup4.1.xml
-index 198afec..b6fe48c 100644
---- a/libcli/nbt/man/nmblookup4.1.xml
-+++ b/libcli/nbt/man/nmblookup4.1.xml
-@@ -57,7 +57,7 @@
- <varlistentry>
- <term>-M</term>
- <listitem><para>Searches for a master browser by looking
-- up the NetBIOS name <replaceable>name</replaceable> with a
-+ up the NetBIOS <replaceable>name</replaceable> with a
- type of <constant>0x1d</constant>. If <replaceable>
- name</replaceable> is "-" then it does a lookup on the special name
- <constant>__MSBROWSE__</constant>. Please note that in order to
---
-1.8.3.1
-
-
-From e320d57ed6a4d732980656eb01a5f777357f9715 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:50:28 +0200
-Subject: [PATCH 04/83] docs: remove duplicate arguments listing in regdiff
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/lib/registry/man/regdiff.1.xml | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/source4/lib/registry/man/regdiff.1.xml b/source4/lib/registry/man/regdiff.1.xml
-index 3fe965c..23aae34 100644
---- a/source4/lib/registry/man/regdiff.1.xml
-+++ b/source4/lib/registry/man/regdiff.1.xml
-@@ -21,11 +21,8 @@
- <command>regdiff</command>
- <arg choice="opt">--help</arg>
- <arg choice="opt">--backend=BACKEND</arg>
-- <arg choice="opt">--backend=BACKEND</arg>
-- <arg choice="opt">--credentials=CREDENTIALS</arg>
- <arg choice="opt">--credentials=CREDENTIALS</arg>
- <arg choice="opt">location</arg>
-- <arg choice="opt">location</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
---
-1.8.3.1
-
-
-From d33ca796071a2a6f8bf65d6eed2fe159a75de8c5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:55:03 +0200
-Subject: [PATCH 05/83] docs: remove duplicate word "the" in winbindd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/winbindd.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
-index 5100493..1cb49ca 100644
---- a/docs-xml/manpages/winbindd.8.xml
-+++ b/docs-xml/manpages/winbindd.8.xml
-@@ -364,7 +364,7 @@ auth required /lib/security/pam_unix.so \
- be the same. The user and group ids will only be valid for the local
- machine, unless a shared <smbconfoption name="idmap config * : backend"/> is configured.</para>
-
-- <para>If the the Windows NT SID to UNIX user and group id mapping
-+ <para>If the Windows NT SID to UNIX user and group id mapping
- file is damaged or destroyed then the mappings will be lost. </para>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 6a0b75f901052234f35d4ba596754e7714af7e87 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:58:45 +0200
-Subject: [PATCH 06/83] docs: remove duplicate mention of "smbtorture" in
- smbtorture manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source4/torture/man/smbtorture.1.xml | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/source4/torture/man/smbtorture.1.xml b/source4/torture/man/smbtorture.1.xml
-index 9b70b9b..09e19ed 100644
---- a/source4/torture/man/smbtorture.1.xml
-+++ b/source4/torture/man/smbtorture.1.xml
-@@ -19,10 +19,6 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>smbtorture</command>
-- </cmdsynopsis>
--
-- <cmdsynopsis>
-- <command>smbtorture</command>
- <arg choice="req">//server/share</arg>
- <arg choice="opt">-d debuglevel</arg>
- <arg choice="opt">-U user%pass</arg>
---
-1.8.3.1
-
-
-From e003650f5cf0b9581da00ad39b0784aab074119b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 17:59:22 +0200
-Subject: [PATCH 07/83] docs: remove duplicate mention of "ntdbtool" in
- ntdbtool manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- lib/ntdb/man/ntdbtool.8.xml | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/lib/ntdb/man/ntdbtool.8.xml b/lib/ntdb/man/ntdbtool.8.xml
-index a23a48e..7e6530c 100644
---- a/lib/ntdb/man/ntdbtool.8.xml
-+++ b/lib/ntdb/man/ntdbtool.8.xml
-@@ -20,10 +20,6 @@
-
- <cmdsynopsis>
- <command>ntdbtool</command>
-- </cmdsynopsis>
--
-- <cmdsynopsis>
-- <command>ntdbtool</command>
- <arg choice="plain">
- <replaceable>NTDBFILE</replaceable>
- </arg>
---
-1.8.3.1
-
-
-From 56cff0b3f40b98c0d00323eb94a2204af6c48fed Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 18:00:02 +0200
-Subject: [PATCH 08/83] docs: remove duplicate mention of "smbta-util" in
- smbta-util manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbta-util.8.xml | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/docs-xml/manpages/smbta-util.8.xml b/docs-xml/manpages/smbta-util.8.xml
-index ef38926..3925e87 100644
---- a/docs-xml/manpages/smbta-util.8.xml
-+++ b/docs-xml/manpages/smbta-util.8.xml
-@@ -20,10 +20,6 @@
-
- <cmdsynopsis>
- <command>smbta-util</command>
-- </cmdsynopsis>
--
-- <cmdsynopsis>
-- <command>smbta-util</command>
- <arg rep="repeat" choice="opt">
- <replaceable>COMMANDS</replaceable>
- </arg>
---
-1.8.3.1
-
-
-From a2a7991624fa273b01898a26c86f951b928525e6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 18:02:47 +0200
-Subject: [PATCH 09/83] docs: remove duplicate word "trust" from net manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 2f04deb..aad5fb5 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -877,7 +877,7 @@ net rpc trust create \
- <refsect3>
- <title>RPC TRUST DELETE</title>
-
--<para>Delete a trust trust object by calling lsaDeleteTrustedDomain.
-+<para>Delete a trust object by calling lsaDeleteTrustedDomain.
- The can be done on a single server or on two servers at once.</para>
-
- <variablelist><title>Options:</title>
---
-1.8.3.1
-
-
-From 93f32c777c1a36d9d4dc91b6aa1e9e14ee13fb91 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 14 Oct 2013 18:03:14 +0200
-Subject: [PATCH 10/83] docs: remove duplicate word "the" from net manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index aad5fb5..5fa042e 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -1737,7 +1737,7 @@ shares created by other users.
- <para>Starting with version 3.2.0, a Samba server can be configured by data
- stored in registry. This configuration data can be edited with the new "net
- conf" commands. There is also the possibility to configure a remote Samba server
--by enabling the RPC conf mode and specifying the the address of the remote server.
-+by enabling the RPC conf mode and specifying the address of the remote server.
- </para>
-
- <para>
---
-1.8.3.1
-
-
-From 05db55af943e50bd8f7b29f8210f32350239ea59 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 15 Oct 2013 15:11:33 +0200
-Subject: [PATCH 11/83] docs: mention more options in winbindd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/winbindd.8.xml | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
-index 1cb49ca..f6aad3f 100644
---- a/docs-xml/manpages/winbindd.8.xml
-+++ b/docs-xml/manpages/winbindd.8.xml
-@@ -20,13 +20,13 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>winbindd</command>
-- <arg choice="opt">-D</arg>
-- <arg choice="opt">-F</arg>
-- <arg choice="opt">-S</arg>
-- <arg choice="opt">-i</arg>
-+ <arg choice="opt">-D|--daemon</arg>
-+ <arg choice="opt">-F|--foreground</arg>
-+ <arg choice="opt">-S|--stdout</arg>
-+ <arg choice="opt">-i|--interactive</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-s <smb config file></arg>
-- <arg choice="opt">-n</arg>
-+ <arg choice="opt">-n|--no-caching</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -135,7 +135,7 @@ hosts: files wins
-
- <variablelist>
- <varlistentry>
-- <term>-D</term>
-+ <term>-D|--daemon</term>
- <listitem><para>If specified, this parameter causes
- the server to operate as a daemon. That is, it detaches
- itself and runs in the background on the appropriate port.
-@@ -145,7 +145,7 @@ hosts: files wins
- </varlistentry>
-
- <varlistentry>
-- <term>-F</term>
-+ <term>-F|--foreground</term>
- <listitem><para>If specified, this parameter causes
- the main <command>winbindd</command> process to not daemonize,
- i.e. double-fork and disassociate with the terminal.
-@@ -160,7 +160,7 @@ hosts: files wins
- </varlistentry>
-
- <varlistentry>
-- <term>-S</term>
-+ <term>-S|--stdout</term>
- <listitem><para>If specified, this parameter causes
- <command>winbindd</command> to log to standard output rather
- than a file.</para></listitem>
-@@ -171,7 +171,7 @@ hosts: files wins
- &stdarg.help;
-
- <varlistentry>
-- <term>-i</term>
-+ <term>-i|--interactive</term>
- <listitem><para>Tells <command>winbindd</command> to not
- become a daemon and detach from the current terminal. This
- option is used by developers when interactive debugging
-@@ -182,7 +182,7 @@ hosts: files wins
- </varlistentry>
-
- <varlistentry>
-- <term>-n</term>
-+ <term>-n|--no-caching</term>
- <listitem><para>Disable some caching. This means winbindd will
- often have to wait for a response from the domain controller
- before it can respond to a client and this thus makes things
---
-1.8.3.1
-
-
-From b5fa1139a4e9ef7bd79ace6efe7bf06af595daa4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 15:19:59 +0100
-Subject: [PATCH 12/83] docs: mention --no-process-group in winbindd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/winbindd.8.xml | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
-index f6aad3f..fd644c3 100644
---- a/docs-xml/manpages/winbindd.8.xml
-+++ b/docs-xml/manpages/winbindd.8.xml
-@@ -27,6 +27,7 @@
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-s <smb config file></arg>
- <arg choice="opt">-n|--no-caching</arg>
-+ <arg choice="opt">--no-process-group</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -194,6 +195,12 @@ hosts: files wins
- </para></listitem>
- </varlistentry>
-
+ <varlistentry>
-+ <term>--no-process-group</term>
-+ <listitem><para>Do not create a new process group for winbindd.
-+ </para></listitem>
++ <term>-n|--numeric</term>
++ <listitem><para>causes smbstatus to display numeric UIDs and GIDs instead of
++ resolving them to names.</para>
++ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
---
-1.8.3.1
-
-
-From 4f790b10d5a6737f1b5978fca27d78a0b27aa75d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:23:03 +0100
-Subject: [PATCH 13/83] docs: mention --dc-info in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index f970a5e..2df86ca 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -27,6 +27,7 @@
- <arg choice="opt">--ccache-save</arg>
- <arg choice="opt">--change-user-password</arg>
- <arg choice="opt">-D domain</arg>
-+ <arg choice="opt">--dc-info domain</arg>
- <arg choice="opt">--domain domain</arg>
- <arg choice="opt">--dsgetdcname domain</arg>
- <arg choice="opt">-g</arg>
-@@ -142,6 +143,12 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--dc-info <replaceable>domain</replaceable></term>
-+ <listitem><para>Displays information about the current domain controller for a domain.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>--domain <replaceable>name</replaceable></term>
- <listitem><para>This parameter sets the domain on which any specified
- operations will performed. If special domain name '.' is used to represent
---
-1.8.3.1
-
-
-From 824c468261a3d61732fea88a5d6cfb9aa5c7ed94 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:23:20 +0100
-Subject: [PATCH 14/83] docs: mention --krb5ccname option in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index 2df86ca..4de3c81 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -40,6 +40,7 @@
- <arg choice="opt">-i user</arg>
- <arg choice="opt">-I ip</arg>
- <arg choice="opt">-K user%password</arg>
-+ <arg choice="opt">--krb5ccname cctype</arg>
- <arg choice="opt">--lanman</arg>
- <arg choice="opt">-m</arg>
- <arg choice="opt">-n name</arg>
-@@ -246,6 +247,13 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--krb5ccname <replaceable>KRB5CCNAME</replaceable></term>
-+ <listitem><para>Allows to request a sepcific kerberos credential
-+ cache type used for authentication.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>--lanman</term>
- <listitem><para>Use lanman cryptography for user authentication.
+Index: samba-4.1.11/docs-xml/manpages/sharesec.1.xml
+===================================================================
+--- samba-4.1.11.orig/docs-xml/manpages/sharesec.1.xml
++++ samba-4.1.11/docs-xml/manpages/sharesec.1.xml
+@@ -129,6 +129,13 @@
</para></listitem>
---
-1.8.3.1
-
-
-From fa47e425132f6022cd41118e2c6ac34181adc4a6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:29:10 +0100
-Subject: [PATCH 15/83] docs: mention logoff options in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 21 +++++++++++++++++++++
- 1 file changed, 21 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index 4de3c81..cb1812f 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -42,6 +42,9 @@
- <arg choice="opt">-K user%password</arg>
- <arg choice="opt">--krb5ccname cctype</arg>
- <arg choice="opt">--lanman</arg>
-+ <arg choice="opt">--logoff</arg>
-+ <arg choice="opt">--logoff-uid uid</arg>
-+ <arg choice="opt">--logoff-user username</arg>
- <arg choice="opt">-m</arg>
- <arg choice="opt">-n name</arg>
- <arg choice="opt">-N netbios-name</arg>
-@@ -260,6 +263,24 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--logoff</term>
-+ <listitem><para>Logoff a user.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--logoff-uid <replaceable>UID</replaceable></term>
-+ <listitem><para>Define user uid used during logoff request.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--logoff-user <replaceable>USERNAME</replaceable></term>
-+ <listitem><para>Define username used during logoff request.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>-m|--trusted-domains</term>
- <listitem><para>Produce a list of domains trusted by the
- Windows NT server <citerefentry><refentrytitle>winbindd</refentrytitle>
---
-1.8.3.1
-
-
-From 7c4c66853f4f0fa426d11d01bc4732186501d6ec Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:33:19 +0100
-Subject: [PATCH 16/83] docs: mention --lookup-sids in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index cb1812f..a3d4d5f 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -45,6 +45,7 @@
- <arg choice="opt">--logoff</arg>
- <arg choice="opt">--logoff-uid uid</arg>
- <arg choice="opt">--logoff-user username</arg>
-+ <arg choice="opt">--lookup-sids</arg>
- <arg choice="opt">-m</arg>
- <arg choice="opt">-n name</arg>
- <arg choice="opt">-N netbios-name</arg>
-@@ -281,6 +282,13 @@
</varlistentry>
- <varlistentry>
-+ <term>--lookup-sids <replaceable>SID1,SID2...</replaceable></term>
-+ <listitem><para>Looks up SIDs. SIDs must be specified as ASCII strings in the traditional Microsoft
-+ format. For example, S-1-5-21-1455342024-3071081365-2475485837-500.
-+ </para></listitem>
-+ </varlistentry>
-+
+ <varlistentry>
- <term>-m|--trusted-domains</term>
- <listitem><para>Produce a list of domains trusted by the
- Windows NT server <citerefentry><refentrytitle>winbindd</refentrytitle>
---
-1.8.3.1
-
-
-From 7d41f1c4d30eef9fa20a7741be1cb50e566b40cb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:36:21 +0100
-Subject: [PATCH 17/83] docs: mention --pam-logon in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index a3d4d5f..a091e94 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -54,6 +54,7 @@
- <arg choice="opt">--own-domain</arg>
- <arg choice="opt">-p</arg>
- <arg choice="opt">-P|--ping-dc</arg>
-+ <arg choice="opt">--pam-logon user%password</arg>
- <arg choice="opt">-r user</arg>
- <arg choice="opt">-R|--lookup-rids</arg>
- <arg choice="opt">-s sid</arg>
-@@ -343,6 +344,13 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--pam-logon <replaceable>username%password</replaceable></term>
-+ <listitem><para>Attempt to authenticate a user in the same way
-+ pam_winbind would do.
++ <term>-S|--setsddl=STRING</term>
++ <listitem><para>
++ Set security descriptor by providing ACL in SDDL format.
+ </para></listitem>
+ </varlistentry>
+
-+ <varlistentry>
- <term>-p|--ping</term>
- <listitem><para>Check whether <citerefentry><refentrytitle>winbindd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> is still alive.
---
-1.8.3.1
-
-
-From 27d49babb19759e0d3ef93a2290c049e1ba6aaa3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:40:56 +0100
-Subject: [PATCH 18/83] docs: mention --remove-gid-mapping/--remove-uid-mapping
- in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index a091e94..31362ac 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -57,6 +57,8 @@
- <arg choice="opt">--pam-logon user%password</arg>
- <arg choice="opt">-r user</arg>
- <arg choice="opt">-R|--lookup-rids</arg>
-+ <arg choice="opt">--remove-gid-mapping gid,sid</arg>
-+ <arg choice="opt">--remove-uid-mapping uid,sid</arg>
- <arg choice="opt">-s sid</arg>
- <arg choice="opt">--separator</arg>
- <arg choice="opt">--set-auth-user user%password</arg>
-@@ -383,6 +385,18 @@
- </varlistentry>
+ &stdarg.help;
+ &stdarg.server.debug;
+ &popt.common.samba;
+Index: samba-4.1.11/docs-xml/build/DTD/samba.entities
+===================================================================
+--- samba-4.1.11.orig/docs-xml/build/DTD/samba.entities
++++ samba-4.1.11/docs-xml/build/DTD/samba.entities
+@@ -270,6 +270,44 @@ file.
+ &popt.common.samba;
+ '>
- <varlistentry>
-+ <term>--remove-gid-mapping <replaceable>GID,SID</replaceable></term>
-+ <listitem><para>Removes an existing GID to SID mapping from the database.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--remove-uid-mapping <replaceable>UID,SID</replaceable></term>
-+ <listitem><para>Removes an existing UID to SID mapping from the database.
-+ </para></listitem>
-+ </varlistentry>
++<!ENTITY stdarg.signing '
++<varlistentry>
++<term>-S|--signing on|off|required</term>
++<listitem><para>Set the client signing state.
++</para></listitem>
++</varlistentry>
++'>
+
-+ <varlistentry>
- <term>-s|--sid-to-name <replaceable>sid</replaceable></term>
- <listitem><para>Use <parameter>-s</parameter> to resolve
- a SID to a name. This is the inverse of the <parameter>-n
---
-1.8.3.1
-
-
-From 80ab6eaa973df8874567306d1488a813801ab39c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 16:42:56 +0100
-Subject: [PATCH 19/83] docs: mention --set-gid-mapping/--set-uid-mapping in
- wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index 31362ac..3dbcfc1 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -62,6 +62,8 @@
- <arg choice="opt">-s sid</arg>
- <arg choice="opt">--separator</arg>
- <arg choice="opt">--set-auth-user user%password</arg>
-+ <arg choice="opt">--set-gid-mapping gid,sid</arg>
-+ <arg choice="opt">--set-uid-mapping uid,sid</arg>
- <arg choice="opt">-S sid</arg>
- <arg choice="opt">--sid-aliases sid</arg>
- <arg choice="opt">--sid-to-fullname sid</arg>
-@@ -423,6 +425,18 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--set-gid-mapping <replaceable>GID,SID</replaceable></term>
-+ <listitem><para>Create a GID to SID mapping in the database.
-+ </para></listitem>
-+ </varlistentry>
++<!ENTITY stdarg.machinepass '
++<varlistentry>
++<term>-P|--machine-pass</term>
++<listitem><para>Use stored machine account password.
++</para></listitem>
++</varlistentry>
++'>
+
-+ <varlistentry>
-+ <term>--set-uid-mapping <replaceable>UID,SID</replaceable></term>
-+ <listitem><para>Create a UID to SID mapping in the database.
-+ </para></listitem>
-+ </varlistentry>
++<!ENTITY stdarg.encrypt '
++<varlistentry>
++<term>-e|--encrypt</term>
++<listitem><para>
++This command line parameter requires the remote
++server support the UNIX extensions or that the SMB3 protocol has been selected.
++Requests that the connection be encrypted. Negotiates SMB encryption using either
++SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for
++the encryption negotiation (either kerberos or NTLMv1/v2 if given
++domain/username/password triple. Fails the connection if encryption
++cannot be negotiated.
++</para></listitem>
++</varlistentry>
++'>
+
-+ <varlistentry>
- <term>-S|--sid-to-uid <replaceable>sid</replaceable></term>
- <listitem><para>Convert a SID to a UNIX user id. If the SID
- does not correspond to a UNIX user mapped by <citerefentry>
---
-1.8.3.1
-
-
-From 87e6b5b7fb22c8cf26ae00a315b3e73987f49d55 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:13:38 +0100
-Subject: [PATCH 20/83] docs: mention --sequence in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index 3dbcfc1..1a871c2 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -61,6 +61,7 @@
- <arg choice="opt">--remove-uid-mapping uid,sid</arg>
- <arg choice="opt">-s sid</arg>
- <arg choice="opt">--separator</arg>
-+ <arg choice="opt">--sequence</arg>
- <arg choice="opt">--set-auth-user user%password</arg>
- <arg choice="opt">--set-gid-mapping gid,sid</arg>
- <arg choice="opt">--set-uid-mapping uid,sid</arg>
-@@ -414,6 +415,13 @@
- </varlistentry>
++<!ENTITY stdarg.pwnthash '
++<varlistentry>
++<term>--pw-nt-hash</term>
++<listitem><para>The supplied password is the NT hash.
++</para></listitem>
++</varlistentry>
++'>
- <varlistentry>
-+ <term>--sequence</term>
-+ <listitem><para>This command has been deprecated. Please use
-+ the --online-status option instead.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>--set-auth-user <replaceable>username%password</replaceable></term>
- <listitem><para>Store username and password used by <citerefentry>
- <refentrytitle>winbindd</refentrytitle><manvolnum>8</manvolnum>
---
-1.8.3.1
-
-
-From c55315a3a26ced194e553b5aa8e97f3a41a308ca Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:18:40 +0100
-Subject: [PATCH 21/83] docs: mention --sids-to-unix-ids in wbinfo manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/wbinfo.1.xml | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/docs-xml/manpages/wbinfo.1.xml b/docs-xml/manpages/wbinfo.1.xml
-index 1a871c2..9907dc6 100644
---- a/docs-xml/manpages/wbinfo.1.xml
-+++ b/docs-xml/manpages/wbinfo.1.xml
-@@ -68,6 +68,7 @@
- <arg choice="opt">-S sid</arg>
- <arg choice="opt">--sid-aliases sid</arg>
- <arg choice="opt">--sid-to-fullname sid</arg>
-+ <arg choice="opt">--sids-to-unix-ids sidlist</arg>
- <arg choice="opt">-t</arg>
- <arg choice="opt">-u</arg>
- <arg choice="opt">--uid-info uid</arg>
-@@ -466,6 +467,14 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--sids-to-unix-ids <replaceable>sid1,sid2,sid3...</replaceable></term>
-+ <listitem><para>Resolve SIDs to Unix IDs.
-+ SIDs must be specified as ASCII strings
-+ in the traditional Microsoft format. For example,
-+ S-1-5-21-1455342024-3071081365-2475485837-500. </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>-t|--check-secret</term>
- <listitem><para>Verify that the workstation trust account
- created when the Samba server is added to the Windows NT
---
-1.8.3.1
-
-
-From dac78176f3e28a1cbc513bb77a3454570f7de4e1 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:23:23 +0100
-Subject: [PATCH 22/83] docs: remove unsupported options from nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index f1ab3e3..7aabfa6 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -23,10 +23,7 @@
- <arg choice="opt">-D</arg>
- <arg choice="opt">-F</arg>
- <arg choice="opt">-S</arg>
-- <arg choice="opt">-a</arg>
- <arg choice="opt">-i</arg>
-- <arg choice="opt">-o</arg>
-- <arg choice="opt">-h</arg>
- <arg choice="opt">-V</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-H <lmhosts file></arg>
---
-1.8.3.1
-
-
-From 77eae60bd9a6b7e1d5248b5b0984d38a54de9c3e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:25:04 +0100
-Subject: [PATCH 23/83] docs: mention --daemon in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index 7aabfa6..cc5f83d 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -20,7 +20,7 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>nmbd</command>
-- <arg choice="opt">-D</arg>
-+ <arg choice="opt">-D|--daemon</arg>
- <arg choice="opt">-F</arg>
- <arg choice="opt">-S</arg>
- <arg choice="opt">-i</arg>
-@@ -78,7 +78,7 @@
-
- <variablelist>
- <varlistentry>
-- <term>-D</term>
-+ <term>-D|--daemon</term>
- <listitem><para>If specified, this parameter causes
- <command>nmbd</command> to operate as a daemon. That is,
- it detaches itself and runs in the background, fielding
---
-1.8.3.1
-
-
-From 28758deda94f28bd0bd188f8277807b8d2ccf829 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:25:52 +0100
-Subject: [PATCH 24/83] docs: mention --foreground in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index cc5f83d..9f607ab 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -21,7 +21,7 @@
- <cmdsynopsis>
- <command>nmbd</command>
- <arg choice="opt">-D|--daemon</arg>
-- <arg choice="opt">-F</arg>
-+ <arg choice="opt">-F|--foreground</arg>
- <arg choice="opt">-S</arg>
- <arg choice="opt">-i</arg>
- <arg choice="opt">-V</arg>
-@@ -90,7 +90,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-F</term>
-+ <term>-F|--foreground</term>
- <listitem><para>If specified, this parameter causes
- the main <command>nmbd</command> process to not daemonize,
- i.e. double-fork and disassociate with the terminal.
---
-1.8.3.1
-
-
-From fd8d8b95f8b5b21b4e46836dc6becef480737dc2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:27:28 +0100
-Subject: [PATCH 25/83] docs: mention --hosts in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index 9f607ab..283ebc2 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -26,7 +26,7 @@
- <arg choice="opt">-i</arg>
- <arg choice="opt">-V</arg>
- <arg choice="opt">-d <debug level></arg>
-- <arg choice="opt">-H <lmhosts file></arg>
-+ <arg choice="opt">-H|--hosts <lmhosts file></arg>
- <arg choice="opt">-l <log directory></arg>
- <arg choice="opt">-p <port number></arg>
- <arg choice="opt">-s <configuration file></arg>
-@@ -125,7 +125,7 @@
- &stdarg.help;
-
- <varlistentry>
-- <term>-H <filename></term>
-+ <term>-H|--hosts <filename></term>
- <listitem><para>NetBIOS lmhosts file. The lmhosts
- file is a list of NetBIOS names to IP addresses that
- is loaded by the nmbd server and used via the name
---
-1.8.3.1
-
-
-From ea99d8a256df7faaedc5b8903fe183f4dcbde296 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:28:15 +0100
-Subject: [PATCH 26/83] docs: mention --interactive in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index 283ebc2..62f3380 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -23,7 +23,7 @@
- <arg choice="opt">-D|--daemon</arg>
- <arg choice="opt">-F|--foreground</arg>
- <arg choice="opt">-S</arg>
-- <arg choice="opt">-i</arg>
-+ <arg choice="opt">-i|--interactive</arg>
- <arg choice="opt">-V</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-H|--hosts <lmhosts file></arg>
-@@ -112,7 +112,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-i</term>
-+ <term>-i|--interactive</term>
- <listitem><para>If this parameter is specified it causes the
- server to run "interactively", not as a daemon, even if the
- server is executed on the command line of a shell. Setting this
---
-1.8.3.1
-
-
-From a624426d86cf2da69ba2e03506b5f252d32adb11 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:29:37 +0100
-Subject: [PATCH 27/83] docs: mention --log-stdout in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index 62f3380..715796d 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -22,7 +22,7 @@
- <command>nmbd</command>
- <arg choice="opt">-D|--daemon</arg>
- <arg choice="opt">-F|--foreground</arg>
-- <arg choice="opt">-S</arg>
-+ <arg choice="opt">-S|--log-stdout</arg>
- <arg choice="opt">-i|--interactive</arg>
- <arg choice="opt">-V</arg>
- <arg choice="opt">-d <debug level></arg>
-@@ -105,7 +105,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-S</term>
-+ <term>-S|--log-stdout</term>
- <listitem><para>If specified, this parameter causes
- <command>nmbd</command> to log to standard output rather
- than a file.</para></listitem>
---
-1.8.3.1
-
-
-From 548d9daeffc83191ea1e6ea51ce63aacffe98c41 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:31:10 +0100
-Subject: [PATCH 28/83] docs: mention --no-process-group in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index 715796d..8540a09 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -30,6 +30,7 @@
- <arg choice="opt">-l <log directory></arg>
- <arg choice="opt">-p <port number></arg>
- <arg choice="opt">-s <configuration file></arg>
-+ <arg choice="opt">--no-process-group</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -157,6 +158,12 @@
- won't need help!</para></listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>--no-process-group</term>
-+ <listitem><para>Do not create a new process group for nmbd.
-+ </para></listitem>
-+ </varlistentry>
-+
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From d6a07717a7f2febdd4591fc0c3c1fe8b719963e9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:31:50 +0100
-Subject: [PATCH 29/83] docs: mention --port in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index 8540a09..b7ead70 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -28,7 +28,7 @@
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-H|--hosts <lmhosts file></arg>
- <arg choice="opt">-l <log directory></arg>
-- <arg choice="opt">-p <port number></arg>
-+ <arg choice="opt">-p|--port <port number></arg>
- <arg choice="opt">-s <configuration file></arg>
- <arg choice="opt">--no-process-group</arg>
- </cmdsynopsis>
-@@ -150,7 +150,7 @@
- &popt.common.samba;
-
- <varlistentry>
-- <term>-p <UDP port number></term>
-+ <term>-p|--port <UDP port number></term>
- <listitem><para>UDP port number is a positive integer value.
- This option changes the default UDP port number (normally 137)
- that <command>nmbd</command> responds to name queries on. Don't
---
-1.8.3.1
-
-
-From 792ff0029c790fe8b225134b19d320e8392c5895 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:37:05 +0100
-Subject: [PATCH 30/83] docs: remove unsupported options from smbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbd.8.xml | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/docs-xml/manpages/smbd.8.xml b/docs-xml/manpages/smbd.8.xml
-index 0d0c387..cc6e400 100644
---- a/docs-xml/manpages/smbd.8.xml
-+++ b/docs-xml/manpages/smbd.8.xml
-@@ -23,14 +23,12 @@
- <arg choice="opt">-F</arg>
- <arg choice="opt">-S</arg>
- <arg choice="opt">-i</arg>
-- <arg choice="opt">-h</arg>
- <arg choice="opt">-V</arg>
- <arg choice="opt">-b</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-l <log directory></arg>
- <arg choice="opt">-p <port number(s)></arg>
- <arg choice="opt">-P <profiling level></arg>
-- <arg choice="opt">-O <socket option></arg>
- <arg choice="opt">-s <configuration file></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
---
-1.8.3.1
-
-
-From ad46b6689d999651732894968e5e49d045591203 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Thu, 14 Nov 2013 17:49:58 +0100
-Subject: [PATCH 31/83] docs: mention many more options in smbd options.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbd.8.xml | 29 ++++++++++++++++++-----------
- 1 file changed, 18 insertions(+), 11 deletions(-)
-
-diff --git a/docs-xml/manpages/smbd.8.xml b/docs-xml/manpages/smbd.8.xml
-index cc6e400..d73f1db 100644
---- a/docs-xml/manpages/smbd.8.xml
-+++ b/docs-xml/manpages/smbd.8.xml
-@@ -19,17 +19,18 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>smbd</command>
-- <arg choice="opt">-D</arg>
-- <arg choice="opt">-F</arg>
-- <arg choice="opt">-S</arg>
-- <arg choice="opt">-i</arg>
-+ <arg choice="opt">-D|--daemon</arg>
-+ <arg choice="opt">-F|--foreground</arg>
-+ <arg choice="opt">-S|--log-stdout</arg>
-+ <arg choice="opt">-i|--interactive</arg>
- <arg choice="opt">-V</arg>
-- <arg choice="opt">-b</arg>
-+ <arg choice="opt">-b|--build-options</arg>
- <arg choice="opt">-d <debug level></arg>
-- <arg choice="opt">-l <log directory></arg>
-+ <arg choice="opt">-l|--log-basename <log directory></arg>
- <arg choice="opt">-p <port number(s)></arg>
- <arg choice="opt">-P <profiling level></arg>
- <arg choice="opt">-s <configuration file></arg>
-+ <arg choice="opt">--no-process-group</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -79,7 +80,7 @@
-
- <variablelist>
- <varlistentry>
-- <term>-D</term>
-+ <term>-D|--daemon</term>
- <listitem><para>If specified, this parameter causes
- the server to operate as a daemon. That is, it detaches
- itself and runs in the background, fielding requests
-@@ -92,7 +93,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-F</term>
-+ <term>-F|--foreground</term>
- <listitem><para>If specified, this parameter causes
- the main <command>smbd</command> process to not daemonize,
- i.e. double-fork and disassociate with the terminal.
-@@ -107,14 +108,14 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-S</term>
-+ <term>-S|--log-stdout</term>
- <listitem><para>If specified, this parameter causes
- <command>smbd</command> to log to standard output rather
- than a file.</para></listitem>
- </varlistentry>
-
- <varlistentry>
-- <term>-i</term>
-+ <term>-i|--interactive</term>
- <listitem><para>If this parameter is specified it causes the
- server to run "interactively", not as a daemon, even if the
- server is executed on the command line of a shell. Setting this
-@@ -130,7 +131,13 @@
- &stdarg.help;
-
- <varlistentry>
-- <term>-b</term>
-+ <term>--no-process-group</term>
-+ <listitem><para>Do not create a new process group for smbd.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-b|--build-options</term>
- <listitem><para>Prints information about how
- Samba was built.</para></listitem>
- </varlistentry>
---
-1.8.3.1
-
-
-From 7c473ac293a44896181d9d2619b922815433c77d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 12:07:48 +0100
-Subject: [PATCH 32/83] docs: mention --numeric in smbstatus manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbstatus.1.xml | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/docs-xml/manpages/smbstatus.1.xml b/docs-xml/manpages/smbstatus.1.xml
-index b0d07d2..126d0b2 100644
---- a/docs-xml/manpages/smbstatus.1.xml
-+++ b/docs-xml/manpages/smbstatus.1.xml
-@@ -31,6 +31,7 @@
- <arg choice="opt">-f</arg>
- <arg choice="opt">-s <configuration file></arg>
- <arg choice="opt">-u <username></arg>
-+ <arg choice="opt">-n|--numeric</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -121,6 +122,13 @@
- </listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>-n|--numeric</term>
-+ <listitem><para>causes smbstatus to display numeric UIDs and GIDs instead of
-+ resolving them to names.</para>
-+ </listitem>
-+ </varlistentry>
-+
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 5f606e7e9ccd11949ae78a0a44f47be578116f89 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 12:11:21 +0100
-Subject: [PATCH 33/83] docs: mention -R|--profile-rates in smbstatus manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbstatus.1.xml | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/smbstatus.1.xml b/docs-xml/manpages/smbstatus.1.xml
-index 126d0b2..d4213b6 100644
---- a/docs-xml/manpages/smbstatus.1.xml
-+++ b/docs-xml/manpages/smbstatus.1.xml
-@@ -32,6 +32,7 @@
- <arg choice="opt">-s <configuration file></arg>
- <arg choice="opt">-u <username></arg>
- <arg choice="opt">-n|--numeric</arg>
-+ <arg choice="opt">-R|--profile-rates</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -51,12 +52,19 @@
- <variablelist>
- <varlistentry>
- <term>-P|--profile</term>
-- <listitem><para>If samba has been compiled with the
-- profiling option, print only the contents of the profiling
-+ <listitem><para>If samba has been compiled with the
-+ profiling option, print only the contents of the profiling
- shared memory area.</para></listitem>
- </varlistentry>
-
- <varlistentry>
-+ <term>-R|--profile-rates</term>
-+ <listitem><para>If samba has been compiled with the
-+ profiling option, print the contents of the profiling
-+ shared memory area and the call rates.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>-b|--brief</term>
- <listitem><para>gives brief output.</para></listitem>
- </varlistentry>
---
-1.8.3.1
-
-
-From 9dcbc77f5a79d148a7346c361ad2790ab8a40555 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 12:57:06 +0100
-Subject: [PATCH 34/83] docs: mention -S|--setsddl in sharesec manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/sharesec.1.xml | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/docs-xml/manpages/sharesec.1.xml b/docs-xml/manpages/sharesec.1.xml
-index e83e6b3..8f29cba 100644
---- a/docs-xml/manpages/sharesec.1.xml
-+++ b/docs-xml/manpages/sharesec.1.xml
-@@ -35,6 +35,7 @@
- <arg choice="opt">-V, --version</arg>
- <arg choice="opt">-?, --help</arg>
- <arg choice="opt">--usage</arg>
-+ <arg choice="opt">-S, --setsddl=STRING</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -113,6 +114,13 @@
- </para></listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>-S|--setsddl=STRING</term>
-+ <listitem><para>
-+ Set security descriptor by providing ACL in SDDL format.
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.help;
- &stdarg.server.debug;
- &popt.common.samba;
---
-1.8.3.1
-
-
-From d692389ea57724bd71caadb62e0231993188d34f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 12:59:49 +0100
-Subject: [PATCH 35/83] docs: mention -V|--viewsddl in sharesec manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/sharesec.1.xml | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/sharesec.1.xml b/docs-xml/manpages/sharesec.1.xml
-index 8f29cba..f73fba2 100644
---- a/docs-xml/manpages/sharesec.1.xml
-+++ b/docs-xml/manpages/sharesec.1.xml
-@@ -32,10 +32,11 @@
- <arg choice="opt">-d, --debuglevel=DEBUGLEVEL</arg>
- <arg choice="opt">-s, --configfile=CONFIGFILE</arg>
- <arg choice="opt">-l, --log-basename=LOGFILEBASE</arg>
-- <arg choice="opt">-V, --version</arg>
-+ <arg choice="opt">--version</arg>
- <arg choice="opt">-?, --help</arg>
- <arg choice="opt">--usage</arg>
- <arg choice="opt">-S, --setsddl=STRING</arg>
-+ <arg choice="opt">-V, --viewsddl</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -121,6 +122,13 @@
- </para></listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>-V|--viewsddl</term>
-+ <listitem><para>
-+ List a share acl in SDDL format.
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.help;
- &stdarg.server.debug;
- &popt.common.samba;
---
-1.8.3.1
-
-
-From ffe94e363375aa47cd72d715309f6568067482fe Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 13:03:20 +0100
-Subject: [PATCH 36/83] docs: mention -p in dbwrap-tool manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
-index 07d42be..b8280ac 100644
---- a/docs-xml/manpages/dbwrap_tool.1.xml
-+++ b/docs-xml/manpages/dbwrap_tool.1.xml
-@@ -19,7 +19,7 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>dbwrap_tool</command>
-- <arg choice="opt">--persistent</arg>
-+ <arg choice="opt">-p|--persistent</arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-s <config file></arg>
- <arg choice="opt">-l <log file base></arg>
-@@ -70,7 +70,7 @@
-
- <variablelist>
- <varlistentry>
-- <term>--persistent</term>
-+ <term>-p|--persistent</term>
- <listitem><para>Open the database as a persistent database.
- If this option is not specified, the database is opened as
- non-persistent.
---
-1.8.3.1
-
-
-From 22fcc536a568283b0d2c8b1772399fef7bc63406 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 15:15:41 +0100
-Subject: [PATCH 37/83] docs: bring samba entity popt.common.credentials in
- line with popt_common_credentials.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This adds documentation of the following parameters to all manpages of binaries that
-actually use popt_common_credentials:
-
--S|--signing
--e|--encrypt
--P|--machinepass
---pw-nt-hash
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/build/DTD/samba.entities | 35 +++++++++++++++++++++++++++++++++++
- 1 file changed, 35 insertions(+)
-
-diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities
-index c9c6744..8ddae70 100644
---- a/docs-xml/build/DTD/samba.entities
-+++ b/docs-xml/build/DTD/samba.entities
-@@ -464,6 +464,37 @@ Try to use the credentials cached by winbind.
- </varlistentry>
- '>
-
-+<!ENTITY stdarg.signing '
-+<varlistentry>
-+<term>-S|--signing on|off|required</term>
-+<listitem><para>Set the client signing state.
-+</para></listitem>
-+</varlistentry>
-+'>
-+
-+<!ENTITY stdarg.machinepass '
-+<varlistentry>
-+<term>-P|--machine-pass</term>
-+<listitem><para>Use stored machine account password.
-+</para></listitem>
-+</varlistentry>
-+'>
-+
-+<!ENTITY stdarg.encrypt '
-+<varlistentry>
-+<term>-e|--encrypt</term>
-+<listitem><para>Encrypt SMB transport (UNIX extended servers only).
-+</para></listitem>
-+</varlistentry>
-+'>
-+
-+<!ENTITY stdarg.pwnthash '
-+<varlistentry>
-+<term>--pw-nt-hash</term>
-+<listitem><para>The supplied password is the NT hash.
-+</para></listitem>
-+</varlistentry>
-+'>
-
- <!ENTITY stdarg.help '
+ <!ENTITY stdarg.resolve.order '
<varlistentry>
-@@ -478,6 +509,10 @@ Try to use the credentials cached by winbind.
- &stdarg.useccache;
- &stdarg.authfile;
- &stdarg.username;
-+&stdarg.signing;
-+&stdarg.machinepass;
-+&stdarg.encrypt;
-+&stdarg.pwnthash;
- '>
-
- <!-- Entities for the various programs -->
---
-1.8.3.1
-
-
-From 7173604e9e20ee4826622f8f1dd3e3194ee3588f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 16:06:36 +0100
-Subject: [PATCH 38/83] docs: remove now duplicate mention for 4 credential
- options in samba-regedit manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/samba-regedit.8.xml | 18 ------------------
- 1 file changed, 18 deletions(-)
-
-diff --git a/docs-xml/manpages/samba-regedit.8.xml b/docs-xml/manpages/samba-regedit.8.xml
-index e7ec761..c40b2ec 100644
---- a/docs-xml/manpages/samba-regedit.8.xml
-+++ b/docs-xml/manpages/samba-regedit.8.xml
-@@ -70,25 +70,7 @@
- <listitem><para>Set smb.conf option from command line.</para></listitem>
- </varlistentry>
- &popt.common.connection;
-- <varlistentry>
-- <term>-S|--signing</term>
-- <listitem><para>Set the client signing state.</para></listitem>
-- </varlistentry>
-- <varlistentry>
-- <term>-P|--machine-pass</term>
-- <listitem><para>Use stored machine account password.</para></listitem>
-- </varlistentry>
- &popt.common.credentials;
-- <varlistentry>
-- <term>-e|--encrypt</term>
-- <listitem><para>Encrypt SMB transport (UNIX extended servers only).</para>
-- </listitem>
-- </varlistentry>
-- <varlistentry>
-- <term>--pw-nt-hash</term>
-- <listitem><para>The supplied password is the NT hash.</para>
-- </listitem>
-- </varlistentry>
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 8a4d846f1dca6ecbc7d9411f3e26d79a8622e5c4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 16:07:41 +0100
-Subject: [PATCH 39/83] docs: add missing &popt.common.samba entity to
- smbcontrol manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcontrol.1.xml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/docs-xml/manpages/smbcontrol.1.xml b/docs-xml/manpages/smbcontrol.1.xml
-index e2c7939..be8dd0f 100644
---- a/docs-xml/manpages/smbcontrol.1.xml
-+++ b/docs-xml/manpages/smbcontrol.1.xml
-@@ -51,6 +51,7 @@
- <variablelist>
- &stdarg.help;
- &stdarg.configfile;
-+ &popt.common.samba;
- <varlistentry>
- <term>-i</term>
- <listitem><para>Run interactively. Individual commands
---
-1.8.3.1
-
-
-From 23516cfbdde6d38fc710fd3a47fdc155e657dc47 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 16:08:10 +0100
-Subject: [PATCH 40/83] docs: add missing &popt.common.connection entity to
- smbcacls manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcacls.1.xml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
-index 7770fa2..e504dd7 100644
---- a/docs-xml/manpages/smbcacls.1.xml
-+++ b/docs-xml/manpages/smbcacls.1.xml
-@@ -178,6 +178,7 @@
- &stdarg.server.debug;
- &popt.common.samba;
- &popt.common.credentials;
-+ &popt.common.connection;
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 743e9a847e1014e2722c650f94d99fa277d7fa9a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 16:40:36 +0100
-Subject: [PATCH 41/83] docs: remove more duplicate options from samba-regedit
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/samba-regedit.8.xml | 9 +--------
- 1 file changed, 1 insertion(+), 8 deletions(-)
-
-diff --git a/docs-xml/manpages/samba-regedit.8.xml b/docs-xml/manpages/samba-regedit.8.xml
-index c40b2ec..acf8c53 100644
---- a/docs-xml/manpages/samba-regedit.8.xml
-+++ b/docs-xml/manpages/samba-regedit.8.xml
-@@ -56,19 +56,12 @@
- <title>OPTIONS</title>
- <variablelist>
- &stdarg.help;
-+ &stdarg.client.debug;
- <varlistentry>
- <term>--usage</term>
- <listitem><para>Display brief usage message.</para></listitem>
- </varlistentry>
-- <varlistentry>
-- <term>-d|--debuglevel=<debuglevel></term>
-- <listitem><para>Set debug level.</para></listitem>
-- </varlistentry>
- &popt.common.samba;
-- <varlistentry>
-- <term>--option=<parameter>=<value></term>
-- <listitem><para>Set smb.conf option from command line.</para></listitem>
-- </varlistentry>
- &popt.common.connection;
- &popt.common.credentials;
- </variablelist>
---
-1.8.3.1
-
-
-From deacd68cce662d0780eaa255fd51fc4f5f5ee629 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Fri, 15 Nov 2013 16:57:52 +0100
-Subject: [PATCH 42/83] docs: add new popt.autohelp entity.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/build/DTD/samba.entities | 28 +++++++++++++++++++++-------
- 1 file changed, 21 insertions(+), 7 deletions(-)
-
-diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities
-index 8ddae70..cb683d1 100644
---- a/docs-xml/build/DTD/samba.entities
-+++ b/docs-xml/build/DTD/samba.entities
-@@ -496,13 +496,6 @@ Try to use the credentials cached by winbind.
- </varlistentry>
- '>
-
--<!ENTITY stdarg.help '
--<varlistentry>
--<term>-?|--help</term>
--<listitem><para>Print a summary of command line options.
--</para></listitem>
--</varlistentry>'>
--
- <!ENTITY popt.common.credentials '
- &stdarg.nopass;
- &stdarg.kerberos;
-@@ -515,6 +508,27 @@ Try to use the credentials cached by winbind.
- &stdarg.pwnthash;
- '>
-
-+<!ENTITY stdarg.help '
-+<varlistentry>
-+<term>-?|--help</term>
-+<listitem><para>Print a summary of command line options.
-+</para></listitem>
-+</varlistentry>
-+'>
-+
-+<!ENTITY stdarg.usage '
-+<varlistentry>
-+<term>--usage</term>
-+<listitem><para>Display brief usage message.
-+</para></listitem>
-+</varlistentry>
-+'>
-+
-+<!ENTITY popt.autohelp '
-+&stdarg.help;
-+&stdarg.usage;
-+'>
-+
- <!-- Entities for the various programs -->
- <!ENTITY OL '<application>OpenLDAP</application>'>
- <!ENTITY smbd '<application>smbd</application>'>
---
-1.8.3.1
-
-
-From c71fd4a9f49bf5cf2cef7874789e95b0603bbaa4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 11:40:35 +0100
-Subject: [PATCH 43/83] docs: mention --change-sid|--new-sid in profiles
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/profiles.1.xml | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/profiles.1.xml b/docs-xml/manpages/profiles.1.xml
-index 311c8ff..83358a8 100644
---- a/docs-xml/manpages/profiles.1.xml
-+++ b/docs-xml/manpages/profiles.1.xml
-@@ -21,8 +21,8 @@
- <cmdsynopsis>
- <command>profiles</command>
- <arg choice="opt">-v</arg>
-- <arg choice="opt">-c SID</arg>
-- <arg choice="opt">-n SID</arg>
-+ <arg choice="opt">-c|--change-sid SID</arg>
-+ <arg choice="opt">-n|--new-sid SID</arg>
- <arg choice="req">file</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-@@ -58,6 +58,7 @@
-
- <varlistentry>
- <term>-c SID1 -n SID2</term>
-+ <term>--change-sid SID1 --new-sid SID2</term>
- <listitem><para>Change all occurrences of SID1 in <filename>file</filename> by SID2.
- </para></listitem>
- </varlistentry>
---
-1.8.3.1
-
-
-From ca6776d341a5e98b30a9c544c91e89ad062291b3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 11:41:00 +0100
-Subject: [PATCH 44/83] docs: use popt.samba.common entity in profiles manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/profiles.1.xml | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/profiles.1.xml b/docs-xml/manpages/profiles.1.xml
-index 83358a8..c448eb5 100644
---- a/docs-xml/manpages/profiles.1.xml
-+++ b/docs-xml/manpages/profiles.1.xml
-@@ -63,8 +63,9 @@
- </para></listitem>
- </varlistentry>
-
-- &stdarg.help;
--
-+ &popt.common.samba.client;
-+ &popt.autohelp;
-+
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 1e4fb44c97eddb28aad903ddbfe0f05229f5802e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 11:44:28 +0100
-Subject: [PATCH 45/83] docs: use popt.autohelp in smbtree manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbtree.1.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/smbtree.1.xml b/docs-xml/manpages/smbtree.1.xml
-index b99c4b1..5e9b639 100644
---- a/docs-xml/manpages/smbtree.1.xml
-+++ b/docs-xml/manpages/smbtree.1.xml
-@@ -70,7 +70,7 @@
- &stdarg.server.debug;
- &popt.common.samba;
- &popt.common.credentials;
-- &stdarg.help;
-+ &popt.autohelp;
-
- </variablelist>
- </refsect1>
---
-1.8.3.1
-
-
-From def43ad250168790fe3db868c0f688ff04f0fefa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 11:51:55 +0100
-Subject: [PATCH 46/83] docs: mention --update and --encrypt in smbget manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbget.1.xml | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/docs-xml/manpages/smbget.1.xml b/docs-xml/manpages/smbget.1.xml
-index b805b4c..a277712 100644
---- a/docs-xml/manpages/smbget.1.xml
-+++ b/docs-xml/manpages/smbget.1.xml
-@@ -35,6 +35,7 @@
- <arg choice="opt">-v, --verbose</arg>
- <arg choice="opt">-b, --blocksize</arg>
- <arg choice="opt">-O, --stdout</arg>
-+ <arg choice="opt">-U, --update</arg>
- <arg choice="opt">-?, --help</arg>
- <arg choice="opt">--usage</arg>
- <arg choice="req">smb://host/share/path/to/file</arg>
-@@ -150,6 +151,14 @@
- <term>--usage</term>
- <listitem><para>Display brief usage message</para></listitem>
- </varlistentry>
-+
-+ <varlistentry>
-+ <term>-U, --update</term>
-+ <listitem><para>Download only when remote file is newer than local file or local file is missing.</para></listitem>
-+ </varlistentry>
-+
-+ &stdarg.encrypt;
-+
- </refsect1>
-
- <refsect1>
---
-1.8.3.1
-
-
-From 51fa7800d3b9f84b962d396270391a8cfd4d5a84 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 11:59:54 +0100
-Subject: [PATCH 47/83] docs: mention more long option names in smbcquotas
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcquotas.1.xml | 32 +++++++++++++++++---------------
- 1 file changed, 17 insertions(+), 15 deletions(-)
-
-diff --git a/docs-xml/manpages/smbcquotas.1.xml b/docs-xml/manpages/smbcquotas.1.xml
-index 23328b4..8c76939 100644
---- a/docs-xml/manpages/smbcquotas.1.xml
-+++ b/docs-xml/manpages/smbcquotas.1.xml
-@@ -20,13 +20,13 @@
- <cmdsynopsis>
- <command>smbcquotas</command>
- <arg choice="req">//server/share</arg>
-- <arg choice="opt">-u user</arg>
-- <arg choice="opt">-L</arg>
-- <arg choice="opt">-F</arg>
-- <arg choice="opt">-S QUOTA_SET_COMMAND</arg>
-- <arg choice="opt">-n</arg>
-- <arg choice="opt">-t</arg>
-- <arg choice="opt">-v</arg>
-+ <arg choice="opt">-u|--user user</arg>
-+ <arg choice="opt">-L|--list</arg>
-+ <arg choice="opt">-F|--fs</arg>
-+ <arg choice="opt">-S|--set QUOTA_SET_COMMAND</arg>
-+ <arg choice="opt">-n|--numeric</arg>
-+ <arg choice="opt">-t|--test-args</arg>
-+ <arg choice="opt">-v|--verbose</arg>
-
- <arg choice="opt">-d debuglevel</arg>
- <arg choice="opt">-s configfile</arg>
-@@ -60,7 +60,7 @@
-
- <variablelist>
- <varlistentry>
-- <term>-u user</term>
-+ <term>-u|--user user</term>
- <listitem><para> Specifies the user of whom the quotas are get or set.
- By default the current user's username will be used.</para></listitem>
- </varlistentry>
-@@ -68,51 +68,53 @@
-
-
- <varlistentry>
-- <term>-L</term>
-+ <term>-L|--list</term>
- <listitem><para>Lists all quota records of the share.</para></listitem>
- </varlistentry>
-
-
-
- <varlistentry>
-- <term>-F</term>
-+ <term>-F|--fs</term>
- <listitem><para>Show the share quota status and default limits.</para></listitem>
- </varlistentry>
-
-
-
- <varlistentry>
-- <term>-S QUOTA_SET_COMMAND</term>
-+ <term>-S|--set QUOTA_SET_COMMAND</term>
- <listitem><para>This command sets/modifies quotas for a user or on the share,
- depending on the QUOTA_SET_COMMAND parameter which is described later.</para></listitem>
- </varlistentry>
-
-
- <varlistentry>
-- <term>-n</term>
-+ <term>-n|--numeric</term>
- <listitem><para>This option displays all QUOTA information in numeric
- format. The default is to convert SIDs to names and QUOTA limits
- to a readable string format.</para></listitem>
- </varlistentry>
-
- <varlistentry>
-- <term>-t</term>
-+ <term>-t|--test-args</term>
- <listitem><para>
- Don't actually do anything, only validate the correctness of the arguments.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
-- <term>-v</term>
-+ <term>-v|--verbose</term>
- <listitem><para>
- Be verbose.
- </para></listitem>
- </varlistentry>
-
-- &stdarg.help;
-+
- &stdarg.server.debug;
- &popt.common.samba;
- &popt.common.credentials;
-+ &popt.autohelp;
-+
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 0a7eff9cd77516368a1b1b7578bed64c3768b0da Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:10:29 +0100
-Subject: [PATCH 48/83] docs: mention -B|--browse to smbclient manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbclient.1.xml | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
-index b9e55e9..d5a7068 100644
---- a/docs-xml/manpages/smbclient.1.xml
-+++ b/docs-xml/manpages/smbclient.1.xml
-@@ -343,7 +343,13 @@
- cannot be negotiated.
- </para></listitem>
- </varlistentry>
--
-+
-+ <varlistentry>
-+ <term>-B|--browse</term>
-+ <listitem><para>Browse SMB servers using DNS.</para>
-+ </listitem>
-+ </varlistentry>
-+
- &stdarg.client.debug;
- &popt.common.samba;
- &popt.common.credentials;
---
-1.8.3.1
-
-
-From 5cab201a16663e9d91e4501124d6aeeaaa71e189 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:12:23 +0100
-Subject: [PATCH 49/83] docs: better document -e|--encrypt option globally.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is taken from smbclient manpage.
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/build/DTD/samba.entities | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities
-index cb683d1..1e852ec 100644
---- a/docs-xml/build/DTD/samba.entities
-+++ b/docs-xml/build/DTD/samba.entities
-@@ -483,7 +483,14 @@ Try to use the credentials cached by winbind.
- <!ENTITY stdarg.encrypt '
- <varlistentry>
- <term>-e|--encrypt</term>
--<listitem><para>Encrypt SMB transport (UNIX extended servers only).
-+<listitem><para>
-+This command line parameter requires the remote
-+server support the UNIX extensions or that the SMB3 protocol has been selected.
-+Requests that the connection be encrypted. Negotiates SMB encryption using either
-+SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for
-+the encryption negotiation (either kerberos or NTLMv1/v2 if given
-+domain/username/password triple. Fails the connection if encryption
-+cannot be negotiated.
- </para></listitem>
- </varlistentry>
- '>
---
-1.8.3.1
-
-
-From a2899b157f6096fd48e0c9a16a8cb7c848736ea4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:16:00 +0100
-Subject: [PATCH 50/83] docs: use popt.autohelp and remove duplicate -e option
- from smbclient manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbclient.1.xml | 16 +---------------
- 1 file changed, 1 insertion(+), 15 deletions(-)
-
-diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml
-index d5a7068..b4f7896 100644
---- a/docs-xml/manpages/smbclient.1.xml
-+++ b/docs-xml/manpages/smbclient.1.xml
-@@ -276,8 +276,6 @@
- </para></listitem>
- </varlistentry>
-
-- &stdarg.help;
--
- <varlistentry>
- <term>-I|--ip-address IP-address</term>
- <listitem><para><replaceable>IP address</replaceable> is the address of the server to connect to.
-@@ -332,19 +330,6 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-e|--encrypt</term>
-- <listitem><para>
-- This command line parameter requires the remote
-- server support the UNIX extensions or that the SMB3 protocol has been selected.
-- Requests that the connection be encrypted. Negotiates SMB encryption using either
-- SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for
-- the encryption negotiation (either kerberos or NTLMv1/v2 if given
-- domain/username/password triple. Fails the connection if encryption
-- cannot be negotiated.
-- </para></listitem>
-- </varlistentry>
--
-- <varlistentry>
- <term>-B|--browse</term>
- <listitem><para>Browse SMB servers using DNS.</para>
- </listitem>
-@@ -354,6 +339,7 @@
- &popt.common.samba;
- &popt.common.credentials;
- &popt.common.connection;
-+ &popt.autohelp;
-
- <varlistentry>
- <term>-t|--timeout <timeout-seconds></term>
---
-1.8.3.1
-
-
-From 26da51a94ea329aa78e2d69fc8190954e61e0b26 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:17:36 +0100
-Subject: [PATCH 51/83] docs: remove unsupported -h option from smbcacls
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcacls.1.xml | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
-index e504dd7..71e3f50 100644
---- a/docs-xml/manpages/smbcacls.1.xml
-+++ b/docs-xml/manpages/smbcacls.1.xml
-@@ -31,7 +31,6 @@
- <arg choice="opt">--numeric</arg>
- <arg choice="opt">-t</arg>
- <arg choice="opt">-U username</arg>
-- <arg choice="opt">-h</arg>
- <arg choice="opt">-d</arg>
- <arg choice="opt">-e</arg>
- <arg choice="opt">-m|--max-protocol LEVEL</arg>
---
-1.8.3.1
-
-
-From 559073e711cad5f895707385cc355440e21513d5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:18:34 +0100
-Subject: [PATCH 52/83] docs: use popt.autohelp entity in smbcacls manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcacls.1.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
-index 71e3f50..3c00363 100644
---- a/docs-xml/manpages/smbcacls.1.xml
-+++ b/docs-xml/manpages/smbcacls.1.xml
-@@ -173,11 +173,11 @@
- </para></listitem>
- </varlistentry>
-
-- &stdarg.help;
- &stdarg.server.debug;
- &popt.common.samba;
- &popt.common.credentials;
- &popt.common.connection;
-+ &popt.autohelp;
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 019deb1e1acedb6ec522baad85592c17f2f78268 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:21:24 +0100
-Subject: [PATCH 53/83] docs: remove duplicate -e option from smbcacls manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcacls.1.xml | 12 ------------
- 1 file changed, 12 deletions(-)
-
-diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
-index 3c00363..0b8fe94 100644
---- a/docs-xml/manpages/smbcacls.1.xml
-+++ b/docs-xml/manpages/smbcacls.1.xml
-@@ -141,18 +141,6 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-e</term>
-- <listitem><para>This command line parameter requires the remote
-- server support the UNIX extensions or that the SMB3 protocol has been selected.
-- Requests that the connection be encrypted. Negotiates SMB encryption using either
-- SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for
-- the encryption negotiation (either kerberos or NTLMv1/v2 if given
-- domain/username/password triple. Fails the connection if encryption
-- cannot be negotiated.
-- </para></listitem>
-- </varlistentry>
--
-- <varlistentry>
- <term>-m|--max-protocol PROTOCOL_NAME</term>
- <listitem><para>This allows the user to select the
- highest SMB protocol level that smbcacls will use to
---
-1.8.3.1
-
-
-From c7a4feaaf1236dce8de546b5019058efba047e31 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:25:12 +0100
-Subject: [PATCH 54/83] docs: mention --query-security-info|--set-security-info
- in smbcacls manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcacls.1.xml | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
-index 0b8fe94..33b8dbd 100644
---- a/docs-xml/manpages/smbcacls.1.xml
-+++ b/docs-xml/manpages/smbcacls.1.xml
-@@ -34,6 +34,8 @@
- <arg choice="opt">-d</arg>
- <arg choice="opt">-e</arg>
- <arg choice="opt">-m|--max-protocol LEVEL</arg>
-+ <arg choice="opt">--query-security-info FLAGS</arg>
-+ <arg choice="opt">--set-security-info FLAGS</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -160,7 +162,19 @@
- the arguments.
- </para></listitem>
- </varlistentry>
--
-+
-+ <varlistentry>
-+ <term>--query-security-info FLAGS</term>
-+ <listitem><para>The security-info flags for queries.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--set-security-info FLAGS</term>
-+ <listitem><para>The security-info flags for queries.
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.server.debug;
- &popt.common.samba;
- &popt.common.credentials;
---
-1.8.3.1
-
-
-From 94b26e6d7b22396ad220ddd1ed359376fc151458 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:35:16 +0100
-Subject: [PATCH 55/83] docs: mention --sddl and --domain-sid in smbcacls
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcacls.1.xml | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/docs-xml/manpages/smbcacls.1.xml b/docs-xml/manpages/smbcacls.1.xml
-index 33b8dbd..1f7aaf2 100644
---- a/docs-xml/manpages/smbcacls.1.xml
-+++ b/docs-xml/manpages/smbcacls.1.xml
-@@ -36,6 +36,8 @@
- <arg choice="opt">-m|--max-protocol LEVEL</arg>
- <arg choice="opt">--query-security-info FLAGS</arg>
- <arg choice="opt">--set-security-info FLAGS</arg>
-+ <arg choice="opt">--sddl</arg>
-+ <arg choice="opt">--domain-sid SID</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -175,6 +177,18 @@
- </para></listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>--sddl</term>
-+ <listitem><para>Output and input acls in sddl format.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--domain-sid SID</term>
-+ <listitem><para>SID used for sddl processing.
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.server.debug;
- &popt.common.samba;
- &popt.common.credentials;
---
-1.8.3.1
-
-
-From fb051ee29a55c6d72739bc895f05add50f2054d5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:39:00 +0100
-Subject: [PATCH 56/83] docs: remove unsupported -h option and use
- popt.autohelp entity in rpcclient manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/rpcclient.1.xml | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/docs-xml/manpages/rpcclient.1.xml b/docs-xml/manpages/rpcclient.1.xml
-index 7193a90..76bcbc2 100644
---- a/docs-xml/manpages/rpcclient.1.xml
-+++ b/docs-xml/manpages/rpcclient.1.xml
-@@ -23,7 +23,6 @@
- <arg choice="opt">-A authfile</arg>
- <arg choice="opt">-c <command string></arg>
- <arg choice="opt">-d debuglevel</arg>
-- <arg choice="opt">-h</arg>
- <arg choice="opt">-l logdir</arg>
- <arg choice="opt">-N</arg>
- <arg choice="opt">-s <smb config file></arg>
-@@ -98,7 +97,7 @@
- &popt.common.samba;
- &popt.common.credentials;
- &popt.common.connection;
-- &stdarg.help;
-+ &popt.autohelp;
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From db62a5841a4892dc2d45ff027cac346c0e67c5aa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:51:42 +0100
-Subject: [PATCH 57/83] docs: document all long option names in nmblookup
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmblookup.1.xml | 41 +++++++++++++++++++--------------------
- 1 file changed, 20 insertions(+), 21 deletions(-)
-
-diff --git a/docs-xml/manpages/nmblookup.1.xml b/docs-xml/manpages/nmblookup.1.xml
-index 12c707f..b110b28 100644
---- a/docs-xml/manpages/nmblookup.1.xml
-+++ b/docs-xml/manpages/nmblookup.1.xml
-@@ -20,19 +20,18 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>nmblookup</command>
-- <arg choice="opt">-M</arg>
-- <arg choice="opt">-R</arg>
-- <arg choice="opt">-S</arg>
-- <arg choice="opt">-r</arg>
-- <arg choice="opt">-A</arg>
-- <arg choice="opt">-h</arg>
-- <arg choice="opt">-B <broadcast address></arg>
-- <arg choice="opt">-U <unicast address></arg>
-+ <arg choice="opt">-M|--master-browser</arg>
-+ <arg choice="opt">-R|--recursion</arg>
-+ <arg choice="opt">-S|--status</arg>
-+ <arg choice="opt">-r|--root-port</arg>
-+ <arg choice="opt">-A|--lookup-by-ip</arg>
-+ <arg choice="opt">-B|--broadcast <broadcast address></arg>
-+ <arg choice="opt">-U|--unicast <unicast address></arg>
- <arg choice="opt">-d <debug level></arg>
- <arg choice="opt">-s <smb config file></arg>
- <arg choice="opt">-i <NetBIOS scope></arg>
-- <arg choice="opt">-T</arg>
-- <arg choice="opt">-f</arg>
-+ <arg choice="opt">-T|--translate</arg>
-+ <arg choice="opt">-f|--flags</arg>
- <arg choice="req">name</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-@@ -55,8 +54,8 @@
-
- <variablelist>
- <varlistentry>
-- <term>-M</term>
-- <listitem><para>Searches for a master browser by looking
-+ <term>-M|--master-browser</term>
-+ <listitem><para>Searches for a master browser by looking
- up the NetBIOS <replaceable>name</replaceable> with a
- type of <constant>0x1d</constant>. If <replaceable>
- name</replaceable> is "-" then it does a lookup on the special name
-@@ -67,7 +66,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-R</term>
-+ <term>-R|--recursion</term>
- <listitem><para>Set the recursion desired bit in the packet
- to do a recursive lookup. This is used when sending a name
- query to a machine running a WINS server and the user wishes
-@@ -78,7 +77,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-S</term>
-+ <term>-S|--status</term>
- <listitem><para>Once the name query has returned an IP
- address then do a node status query as well. A node status
- query returns the NetBIOS names registered by a host.
-@@ -87,7 +86,7 @@
-
-
- <varlistentry>
-- <term>-r</term>
-+ <term>-r|--root-port</term>
- <listitem><para>Try and bind to UDP port 137 to send and receive UDP
- datagrams. The reason for this option is a bug in Windows 95
- where it ignores the source port of the requesting packet
-@@ -100,7 +99,7 @@
-
-
- <varlistentry>
-- <term>-A</term>
-+ <term>-A|--lookup-by-ip</term>
- <listitem><para>Interpret <replaceable>name</replaceable> as
- an IP Address and do a node status query on this address.</para>
- </listitem>
-@@ -109,10 +108,10 @@
-
-
- &popt.common.connection;
-- &stdarg.help;
-+ &popt.autohelp;
-
- <varlistentry>
-- <term>-B <broadcast address></term>
-+ <term>-B|--broadcast <broadcast address></term>
- <listitem><para>Send the query to the given broadcast address. Without
- this option the default behavior of nmblookup is to send the
- query to the broadcast address of the network interfaces as
-@@ -126,7 +125,7 @@
-
-
- <varlistentry>
-- <term>-U <unicast address></term>
-+ <term>-U|--unicast <unicast address></term>
- <listitem><para>Do a unicast query to the specified address or
- host <replaceable>unicast address</replaceable>. This option
- (along with the <parameter>-R</parameter> option) is needed to
-@@ -137,7 +136,7 @@
- &popt.common.samba;
-
- <varlistentry>
-- <term>-T</term>
-+ <term>-T|--translate</term>
- <listitem><para>This causes any IP addresses found in the
- lookup to be looked up via a reverse DNS lookup into a
- DNS name, and printed out before each</para>
-@@ -148,7 +147,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-f</term>
-+ <term>-f|--flags</term>
- <listitem><para>
- Show which flags apply to the name that has been looked up. Possible
- answers are zero or more of: Response, Authoritative,
---
-1.8.3.1
-
-
-From f9cdbfb27325d4e84d866fdee2a7bc729c25e24e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 12:55:02 +0100
-Subject: [PATCH 58/83] docs: use popt.autohelp entity in dbwrap-tools manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/dbwrap_tool.1.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
-index b8280ac..8e979f6 100644
---- a/docs-xml/manpages/dbwrap_tool.1.xml
-+++ b/docs-xml/manpages/dbwrap_tool.1.xml
-@@ -77,7 +77,7 @@
- </para></listitem>
- </varlistentry>
- &popt.common.samba.client;
-- &stdarg.help;
-+ &popt.autohelp;
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 0674ef7c5b3551564894ee7b8810ee3c18857922 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 13:45:38 +0100
-Subject: [PATCH 59/83] docs: fix testparm manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/testparm.1.xml | 38 +++++++++++++++++++++++---------------
- 1 file changed, 23 insertions(+), 15 deletions(-)
-
-diff --git a/docs-xml/manpages/testparm.1.xml b/docs-xml/manpages/testparm.1.xml
-index b258c20..ce69dc7 100644
---- a/docs-xml/manpages/testparm.1.xml
-+++ b/docs-xml/manpages/testparm.1.xml
-@@ -20,10 +20,9 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>testparm</command>
-- <arg choice="opt">-s</arg>
-- <arg choice="opt">-h</arg>
-- <arg choice="opt">-v</arg>
-- <arg choice="opt">-t <encoding></arg>
-+ <arg choice="opt">-s|--suppress-prompt</arg>
-+ <arg choice="opt">--help</arg>
-+ <arg choice="opt">-v|--verbose</arg>
- <arg choice="req">config filename</arg>
- <arg choice="opt">hostname hostIP</arg>
- </cmdsynopsis>
-@@ -63,17 +62,19 @@
-
- <variablelist>
- <varlistentry>
-- <term>-s</term>
-+ <term>-s|--suppress-prompt</term>
- <listitem><para>Without this option, <command>testparm</command>
- will prompt for a carriage return after printing the service
- names and before dumping the service definitions.</para></listitem>
- </varlistentry>
-
-- &stdarg.help;
- &stdarg.version;
--
-+ &stdarg.option;
-+ &popt.autohelp;
-+ &stdarg.client.debug;
-+
- <varlistentry>
-- <term>-v</term>
-+ <term>-v|--verbose</term>
- <listitem><para>If this option is specified, testparm
- will also output all options that were not used in <citerefentry>
- <refentrytitle>smb.conf</refentrytitle><manvolnum>5</manvolnum>
-@@ -81,13 +82,6 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-t encoding</term>
-- <listitem><para>
-- Output data in specified encoding.
-- </para></listitem>
-- </varlistentry>
--
-- <varlistentry>
- <term>--parameter-name parametername</term>
- <listitem><para>
- Dumps the named parameter. If no section-name is set the view
-@@ -107,6 +101,20 @@
- </varlistentry>
-
- <varlistentry>
-+ <term>--show-all-parameters</term>
-+ <listitem><para>
-+ Show the parameters, type, possible values.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-l|--skip-logic-checks</term>
-+ <listitem><para>
-+ Skip the global checks.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
- <term>configfilename</term>
- <listitem><para>This is the name of the configuration file
- to check. If this parameter is not present then the
---
-1.8.3.1
-
-
-From a0d8cb8f536620a6dbf1fab0093c715c9efaba65 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 13:46:06 +0100
-Subject: [PATCH 60/83] docs: use &popt.autohelp entity in pdbedit manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/pdbedit.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/pdbedit.8.xml b/docs-xml/manpages/pdbedit.8.xml
-index 5bb12c4..c59a1cf6 100644
---- a/docs-xml/manpages/pdbedit.8.xml
-+++ b/docs-xml/manpages/pdbedit.8.xml
-@@ -503,7 +503,7 @@ account policy value for bad lockout attempt is now 3
- </listitem>
- </varlistentry>
-
-- &stdarg.help;
-+ &popt.autohelp;
- &stdarg.server.debug;
- &popt.common.samba;
-
---
-1.8.3.1
-
-
-From 91d25302b92e01fdba3fa4bc22fea9a8381ae19e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 13:52:59 +0100
-Subject: [PATCH 61/83] docs: fix smbcontrol manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbcontrol.1.xml | 15 +++++++--------
- 1 file changed, 7 insertions(+), 8 deletions(-)
-
-diff --git a/docs-xml/manpages/smbcontrol.1.xml b/docs-xml/manpages/smbcontrol.1.xml
-index be8dd0f..234e02d 100644
---- a/docs-xml/manpages/smbcontrol.1.xml
-+++ b/docs-xml/manpages/smbcontrol.1.xml
-@@ -19,8 +19,8 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>smbcontrol</command>
-- <arg>-i</arg>
- <arg>-s</arg>
-+ <arg>-t|--timeout</arg>
- </cmdsynopsis>
-
- <cmdsynopsis>
-@@ -49,15 +49,14 @@
- <title>OPTIONS</title>
-
- <variablelist>
-- &stdarg.help;
-+ &popt.autohelp;
- &stdarg.configfile;
-- &popt.common.samba;
-+ &popt.common.samba.client;
- <varlistentry>
-- <term>-i</term>
-- <listitem><para>Run interactively. Individual commands
-- of the form destination message-type parameters can be entered
-- on STDIN. An empty command line or a "q" will quit the
-- program.</para></listitem>
-+ <term>-t|--timeout</term>
-+ <listitem><para>
-+ Set timeout to seconds.
-+ </para></listitem>
- </varlistentry>
-
- <varlistentry>
---
-1.8.3.1
-
-
-From 177c2c9c0ffe1ee434afc9d22d4bba12ae55d312 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 14:45:51 +0100
-Subject: [PATCH 62/83] docs: fix ntlm_auth manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/ntlm_auth.1.xml | 42 ++++++++++++++++++++++++++++++++-------
- 1 file changed, 35 insertions(+), 7 deletions(-)
-
-diff --git a/docs-xml/manpages/ntlm_auth.1.xml b/docs-xml/manpages/ntlm_auth.1.xml
-index 4ada951..4ce57a2 100644
---- a/docs-xml/manpages/ntlm_auth.1.xml
-+++ b/docs-xml/manpages/ntlm_auth.1.xml
-@@ -19,9 +19,6 @@
- <refsynopsisdiv>
- <cmdsynopsis>
- <command>ntlm_auth</command>
-- <arg choice="opt">-d debuglevel</arg>
-- <arg choice="opt">-l logdir</arg>
-- <arg choice="opt">-s <smb config file></arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -363,10 +360,41 @@
- </listitem>
- </varlistentry>
-
-- &stdarg.server.debug;
-- &popt.common.samba;
-- &stdarg.help;
--
-+ <varlistentry>
-+ <term>--pam-winbind-conf=FILENAME</term>
-+ <listitem><para>Define the path to the pam_winbind.conf file.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--target-hostname=HOSTNAME</term>
-+ <listitem><para>Define the target hostname.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--target-service=SERVICE</term>
-+ <listitem><para>Define the target service.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--use-cached-creds</term>
-+ <listitem><para>Whether to use credentials cached by winbindd.</para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--configfile=<configuration file></term>
-+ <listitem><para>The file specified contains the
-+ configuration details required by the server. The
-+ information in this file includes server-specific
-+ information such as what printcap file to use, as well
-+ as descriptions of all the services that the server is
-+ to provide. See &smb.conf; for more information.
-+ The default configuration file name is determined at
-+ compile time.</para></listitem>
-+ </varlistentry>
-+
-+ &stdarg.version;
-+ &popt.autohelp;
-+
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From b04375e725edfd419fa65c96d524b9fb351d5efc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 15:52:35 +0100
-Subject: [PATCH 63/83] docs: use popt.autohelp entity in nmbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/nmbd.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/nmbd.8.xml b/docs-xml/manpages/nmbd.8.xml
-index b7ead70..d83fb8f 100644
---- a/docs-xml/manpages/nmbd.8.xml
-+++ b/docs-xml/manpages/nmbd.8.xml
-@@ -123,7 +123,7 @@
- given. </para></listitem>
- </varlistentry>
-
-- &stdarg.help;
-+ &popt.autohelp;
-
- <varlistentry>
- <term>-H|--hosts <filename></term>
---
-1.8.3.1
-
-
-From 25eace39266edcac85c7d65a68dfbb632453b6f6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 15:53:08 +0100
-Subject: [PATCH 64/83] docs: use popt.autohelp entity in winbindd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/winbindd.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/winbindd.8.xml b/docs-xml/manpages/winbindd.8.xml
-index fd644c3..c16c998 100644
---- a/docs-xml/manpages/winbindd.8.xml
-+++ b/docs-xml/manpages/winbindd.8.xml
-@@ -169,7 +169,7 @@ hosts: files wins
-
- &stdarg.server.debug;
- &popt.common.samba;
-- &stdarg.help;
-+ &popt.autohelp;
-
- <varlistentry>
- <term>-i|--interactive</term>
---
-1.8.3.1
-
-
-From b649d631793bdd83ff1f3935a45f1617c1a4c3e8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 15:53:29 +0100
-Subject: [PATCH 65/83] docs: use popt.autohelp entity in smbd manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/smbd.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/smbd.8.xml b/docs-xml/manpages/smbd.8.xml
-index d73f1db..00e65b3 100644
---- a/docs-xml/manpages/smbd.8.xml
-+++ b/docs-xml/manpages/smbd.8.xml
-@@ -128,7 +128,7 @@
-
- &stdarg.server.debug;
- &popt.common.samba;
-- &stdarg.help;
-+ &popt.autohelp;
-
- <varlistentry>
- <term>--no-process-group</term>
---
-1.8.3.1
-
-
-From 0815f114fbe99144061dc1c8c326fb0ee71f4a76 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 15:53:49 +0100
-Subject: [PATCH 66/83] docs: use popt.autohelp entity in samba.8 manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/samba.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/samba.8.xml b/docs-xml/manpages/samba.8.xml
-index 2b53944..da426bb 100644
---- a/docs-xml/manpages/samba.8.xml
-+++ b/docs-xml/manpages/samba.8.xml
-@@ -148,7 +148,7 @@
- </varlistentry>
-
- &popt.common.samba.server;
-- &stdarg.help;
-+ &popt.autohelp;
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 0b24a4236c2b865a0cf318fcabb3ce64b93d9409 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 16:00:39 +0100
-Subject: [PATCH 67/83] docs: mention more options in net manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 86 +++++++++++++++++++++++++++++++++++----------
- 1 file changed, 68 insertions(+), 18 deletions(-)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 5fa042e..ccc993b 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -22,20 +22,25 @@
- <cmdsynopsis>
- <command>net</command>
- <arg choice="req"><ads|rap|rpc></arg>
-- <arg choice="opt">-h</arg>
-- <arg choice="opt">-w workgroup</arg>
-- <arg choice="opt">-W myworkgroup</arg>
-- <arg choice="opt">-U user</arg>
-- <arg choice="opt">-I ip-address</arg>
-- <arg choice="opt">-p port</arg>
-+ <arg choice="opt">-h|--help</arg>
-+ <arg choice="opt">-w|--workgroup workgroup</arg>
-+ <arg choice="opt">-W|--myworkgroup myworkgroup</arg>
-+ <arg choice="opt">-U|--user user</arg>
-+ <arg choice="opt">-I|--ipaddress ip-address</arg>
-+ <arg choice="opt">-p|--port port</arg>
- <arg choice="opt">-n myname</arg>
- <arg choice="opt">-s conffile</arg>
-- <arg choice="opt">-S server</arg>
-- <arg choice="opt">-l</arg>
-- <arg choice="opt">-P</arg>
-+ <arg choice="opt">-S|--server server</arg>
-+ <arg choice="opt">-l|--long</arg>
-+ <arg choice="opt">-v|--verbose</arg>
-+ <arg choice="opt">-f|--force</arg>
-+ <arg choice="opt">-P|--machine-pass</arg>
- <arg choice="opt">-d debuglevel</arg>
- <arg choice="opt">-V</arg>
- <arg choice="opt">--request-timeout seconds</arg>
-+ <arg choice="opt">-t|--timeout seconds</arg>
-+ <arg choice="opt">-i|--stdin</arg>
-+ <arg choice="opt">--tallocreport</arg>
- </cmdsynopsis>
- </refsynopsisdiv>
-
-@@ -64,7 +69,7 @@
- &stdarg.kerberos;
-
- <varlistentry>
-- <term>-w target-workgroup</term>
-+ <term>-w|--workgroup target-workgroup</term>
- <listitem><para>
- Sets target workgroup or domain. You have to specify
- either this option or the IP address or the name of a server.
-@@ -72,21 +77,21 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-W workgroup</term>
-+ <term>-W|--myworkgroup workgroup</term>
- <listitem><para>
- Sets client workgroup or domain
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
-- <term>-U user</term>
-+ <term>-U|--user user</term>
- <listitem><para>
- User name to use
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
-- <term>-I ip-address</term>
-+ <term>-I|--ipaddress ip-address</term>
- <listitem><para>
- IP address of target server to use. You have to
- specify either this option or a target workgroup or
-@@ -95,7 +100,7 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-p port</term>
-+ <term>-p|--port port</term>
- <listitem><para>
- Port on the target server to connect to (usually 139 or 445).
- Defaults to trying 445 first, then 139.
-@@ -106,7 +111,7 @@
- &stdarg.configfile;
-
- <varlistentry>
-- <term>-S server</term>
-+ <term>-S|--server server</term>
- <listitem><para>
- Name of target server. You should specify either
- this option or a target workgroup or a target IP address.
-@@ -114,14 +119,28 @@
- </varlistentry>
-
- <varlistentry>
-- <term>-l</term>
-+ <term>-l|--long</term>
- <listitem><para>
- When listing data, give more information on each item.
- </para></listitem>
- </varlistentry>
-
- <varlistentry>
-- <term>-P</term>
-+ <term>-v|--verbose</term>
-+ <listitem><para>
-+ When listing data, give more verbose information on each item.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-f|--force</term>
-+ <listitem><para>
-+ Enforcing a net command.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-P|--machine-pass</term>
- <listitem><para>
- Make queries to the external server using the machine account of the local server.
- </para></listitem>
-@@ -135,7 +154,38 @@
- </para></listitem>
- </varlistentry>
-
-- &stdarg.server.debug;
-+ <varlistentry>
-+ <term>-t|--timeout 30</term>
-+ <listitem><para>
-+ Set timeout for client operations to 30 seconds.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--use-ccache</term>
-+ <listitem><para>
-+ Try to use the credentials cached by winbind.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-i|--stdin</term>
-+ <listitem><para>
-+ Take input for net commands from standard input.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--tallocreport</term>
-+ <listitem><para>
-+ Generate a talloc report while processing a net
-+ command.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ &stdarg.encrypt;
-+ &popt.common.samba.client;
-+
- </variablelist>
- </refsect1>
-
---
-1.8.3.1
-
-
-From 7c8dcc5e0f61577becf1954b6abfb72e4689eab2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 16:08:19 +0100
-Subject: [PATCH 68/83] docs: add net rpc vampire specific options in net
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index ccc993b..c9802f8 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -183,6 +183,32 @@
- </para></listitem>
- </varlistentry>
-
-+ <!-- Options for net rpc vampire -->
-+
-+ <varlistentry>
-+ <term>--force-full-repl</term>
-+ <listitem><para>
-+ When calling "net rpc vampire keytab" this option
-+ enforces a full re-creation of the generated keytab file.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--single-obj-repl</term>
-+ <listitem><para>
-+ When calling "net rpc vampire keytab" this option
-+ allows to replicate just a single object to the generated keytab file.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--clean-old-entries</term>
-+ <listitem><para>
-+ When calling "net rpc vampire keytab" this option
-+ allows to cleanup old entries from the generated keytab file.
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
---
-1.8.3.1
-
-
-From f1e03c2bc1bb34d1918b232035c25cc9e0e6811d Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 16:17:32 +0100
-Subject: [PATCH 69/83] docs: add net idmap specific options in net manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 26 ++++++++++++++++++++++++++
- 1 file changed, 26 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index c9802f8..5cc623f9 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -209,6 +209,32 @@
- </para></listitem>
- </varlistentry>
-
-+ <!-- Options for net idmap -->
-+
-+ <varlistentry>
-+ <term>--db</term>
-+ <listitem><para>Define dbfile for "net idmap" commands.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--lock</term>
-+ <listitem><para>Activates locking of the dbfile for "net idmap check" command.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-a|--auto</term>
-+ <listitem><para>Activates noninteractive mode in "net idmap check".
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--repair</term>
-+ <listitem><para>Activates repair mode in "net idmap check".
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
---
-1.8.3.1
-
-
-From e73493c64af9f76fa41b56c154ea973619e97cb0 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 16:22:52 +0100
-Subject: [PATCH 70/83] docs: add net rpc share migrate specific options in net
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 32 ++++++++++++++++++++++++++++++++
- 1 file changed, 32 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 5cc623f9..6fba00b 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -235,6 +235,38 @@
- </para></listitem>
- </varlistentry>
-
-+ <!-- Options for net rpc share migrate -->
-+
-+ <varlistentry>
-+ <term>--acls</term>
-+ <listitem><para>Includes ACLs to be copied in "net rpc share migrate".
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--attrs</term>
-+ <listitem><para>Includes file attributes to be copied in "net rpc share migrate".
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--timestamps</term>
-+ <listitem><para>Includes timestamps to be copied in "net rpc share migrate".
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-X|--exclude DIRECTORY</term>
-+ <listitem><para>Allows to exclude directories when copying with "net rpc share migrate".
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--destination SERVERNAME</term>
-+ <listitem><para>Defines the target servername of migration process (defaults to localhost).
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
---
-1.8.3.1
-
-
-From cb90d1eb8f1ea0fd23f7af4aa1a21447d4772a1e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 16:28:10 +0100
-Subject: [PATCH 71/83] docs: add net groupmap set specific options in net
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 30 ++++++++++++++++++++++++++++++
- 1 file changed, 30 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 6fba00b..fd13f43 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -267,6 +267,36 @@
- </para></listitem>
- </varlistentry>
-
-+ <!-- Options for net groupmap set -->
-+
-+ <varlistentry>
-+ <term>-L|--local</term>
-+ <listitem><para>Sets the type of group mapping to local
-+ (used in "net groupmap set").
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-D|--domain</term>
-+ <listitem><para>Sets the type of group mapping to domain
-+ (used in "net groupmap set").
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-N|--ntname NTNAME</term>
-+ <listitem><para>Sets the ntname of a group mapping
-+ (used in "net groupmap set").
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-R|--rid RID</term>
-+ <listitem><para>Sets the rid of a group mapping
-+ (used in "net groupmap set").
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
---
-1.8.3.1
-
-
-From 57269672d1b52c5a1318619f5b6ccdfb757c161f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 17:11:31 +0100
-Subject: [PATCH 72/83] docs: add net rpc registry check specific options in
- net manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 23 +++++++++++++++++++++++
- 1 file changed, 23 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index fd13f43..4d43625 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -297,6 +297,29 @@
- </para></listitem>
- </varlistentry>
-
-+ <!-- Options for net registry check -->
-+
-+ <varlistentry>
-+ <term>--reg-version REG_VERSION</term>
-+ <listitem><para>Assume database version {n|1,2,3}
-+ (used in "net registry check").
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-o|--output FILENAME</term>
-+ <listitem><para>Output database file
-+ (used in "net registry check").
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>--wipe</term>
-+ <listitem><para>Createa a new database from scratch
-+ (used in "net registry check").
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
---
-1.8.3.1
-
-
-From 49ab592097a235d31355bf4e58d2957ee56c5a3c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 17:15:57 +0100
-Subject: [PATCH 73/83] docs: add net registry import specific options in net
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/net.8.xml | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index 4d43625..ce976b4 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -320,6 +320,15 @@
- </para></listitem>
- </varlistentry>
-
-+ <!-- Options for net registry import -->
-+
-+ <varlistentry>
-+ <term>--precheck PRECHECK_DB_FILENAME</term>
-+ <listitem><para>Defines filename for database prechecking
-+ (used in "net registry import").
-+ </para></listitem>
-+ </varlistentry>
-+
- &stdarg.encrypt;
- &popt.common.samba.client;
-
---
-1.8.3.1
-
-
-From 19d1a7abcf5ceaf2577952b90ca77eb776bc95d2 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Mon, 18 Nov 2013 17:26:28 +0100
-Subject: [PATCH 74/83] docs: document remaining undocumented options in net
- manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Tue Nov 19 12:05:56 CET 2013 on sn-devel-104
----
- docs-xml/manpages/net.8.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 42 insertions(+)
-
-diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
-index ce976b4..49cab42 100644
---- a/docs-xml/manpages/net.8.xml
-+++ b/docs-xml/manpages/net.8.xml
-@@ -183,6 +183,48 @@
- </para></listitem>
- </varlistentry>
-
-+ <varlistentry>
-+ <term>-T|--test</term>
-+ <listitem><para>Only test command sequence, dry-run.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-F|--flags FLAGS</term>
-+ <listitem><para>Pass down integer flags to a net subcommand.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-C|--comment COMMENT</term>
-+ <listitem><para>Pass down a comment string to a net subcommand.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-n|--myname MYNAME</term>
-+ <listitem><para>Use MYNAME as a requester name for a net subcommand.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-c|--container CONTAINER</term>
-+ <listitem><para>Use a specific AD container for net ads operations.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-M|--maxusers MAXUSERS</term>
-+ <listitem><para>Fill in the maxusers field in net rpc share operations.
-+ </para></listitem>
-+ </varlistentry>
-+
-+ <varlistentry>
-+ <term>-r|--reboot</term>
-+ <listitem><para>Reboot a remote machine after a command has been successfully executed (e.g. in remote join operations).
-+ </para></listitem>
-+ </varlistentry>
-+
- <!-- Options for net rpc vampire -->
-
- <varlistentry>
---
-1.8.3.1
-
-
-From 7a587e715ae413ce0f44be4c6f63a9e30fe697e5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:14:45 +0100
-Subject: [PATCH 75/83] docs: remove duplicate "a" from vfs_cacheprime manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/manpages/vfs_cacheprime.8.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/manpages/vfs_cacheprime.8.xml b/docs-xml/manpages/vfs_cacheprime.8.xml
-index b490ba6..b92a6c1 100644
---- a/docs-xml/manpages/vfs_cacheprime.8.xml
-+++ b/docs-xml/manpages/vfs_cacheprime.8.xml
-@@ -84,7 +84,7 @@
-
- <refsect1>
- <title>CAVEATS</title>
-- <para><command>cacheprime</command> is not a a substitute for
-+ <para><command>cacheprime</command> is not a substitute for
- a general-purpose readahead mechanism. It is intended for use
- only in very specific environments where disk operations must
- be aligned and sized to known values (as much as that is possible).
---
-1.8.3.1
-
-
-From b55b56351d71bb4a4517d857959c7c9d9d2b768c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:17:19 +0100
-Subject: [PATCH 76/83] docs: remove duplicate "the" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/misc/directorynamecachesize.xml | 2 +-
- docs-xml/smbdotconf/protocol/ntaclsupport.xml | 2 +-
- docs-xml/smbdotconf/winbind/idmapconfig.xml | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/misc/directorynamecachesize.xml b/docs-xml/smbdotconf/misc/directorynamecachesize.xml
-index 1064b7e..d02c4f5 100644
---- a/docs-xml/smbdotconf/misc/directorynamecachesize.xml
-+++ b/docs-xml/smbdotconf/misc/directorynamecachesize.xml
-@@ -5,7 +5,7 @@
- xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
- <description>
- <para>
-- This parameter specifies the the size of the directory name cache.
-+ This parameter specifies the size of the directory name cache.
- It will be needed to turn this off for *BSD systems.
- </para>
-
-diff --git a/docs-xml/smbdotconf/protocol/ntaclsupport.xml b/docs-xml/smbdotconf/protocol/ntaclsupport.xml
-index 1e9cedf..451d5d8 100644
---- a/docs-xml/smbdotconf/protocol/ntaclsupport.xml
-+++ b/docs-xml/smbdotconf/protocol/ntaclsupport.xml
-@@ -7,7 +7,7 @@
- <para>This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry> will attempt to map
- UNIX permissions into Windows NT access control lists. The UNIX
-- permissions considered are the the traditional UNIX owner and
-+ permissions considered are the traditional UNIX owner and
- group permissions, as well as POSIX ACLs set on any files or
- directories. This parameter was formally a global parameter in
- releases prior to 2.2.2.</para>
-diff --git a/docs-xml/smbdotconf/winbind/idmapconfig.xml b/docs-xml/smbdotconf/winbind/idmapconfig.xml
-index 5d3605a..30925a2 100644
---- a/docs-xml/smbdotconf/winbind/idmapconfig.xml
-+++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml
-@@ -17,7 +17,7 @@
-
- <para>
- The idmap configuration is hence divided into groups, one group
-- for each domain to be configured, and one group with the the
-+ for each domain to be configured, and one group with the
- asterisk instead of a proper domain name, which specifies the
- default configuration that is used to catch all domains that do
- not have an explicit idmap configuration of their own.
---
-1.8.3.1
-
-
-From 25577278211f82a353477c48ea1381cdd16b3b63 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:18:57 +0100
-Subject: [PATCH 77/83] docs: remove duplicate "to" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/misc/rpcserver.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/misc/rpcserver.xml b/docs-xml/smbdotconf/misc/rpcserver.xml
-index 4372eea..9a22939 100644
---- a/docs-xml/smbdotconf/misc/rpcserver.xml
-+++ b/docs-xml/smbdotconf/misc/rpcserver.xml
-@@ -59,7 +59,7 @@
- Currently in Samba3 we support three daemons, spoolssd, epmd and
- lsasd. These daemons can be enabled using the
- <emphasis>rpc_daemon</emphasis> option. For spoolssd you have
-- to to enable the daemon and proxy the named pipe with:
-+ to enable the daemon and proxy the named pipe with:
- </para>
-
- <para>
---
-1.8.3.1
-
-
-From ced12107e0af429af088cd63b86c8b8b21e83a1a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:20:12 +0100
-Subject: [PATCH 78/83] docs: remove duplicate "not" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/protocol/aclallowexecutealways.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml b/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml
-index 49d2c48..0c9588e 100644
---- a/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml
-+++ b/docs-xml/smbdotconf/protocol/aclallowexecutealways.xml
-@@ -17,7 +17,7 @@
- If this parameter is set to "True", Samba does not check execute permissions on
- "open for execution", thus re-establishing the behaviour of Samba 3.6.
- This can be useful to smoothen upgrades from older Samba versions to 4.0 and newer.
-- This setting is not not meant to be used as a permanent setting, but as a temporary relief:
-+ This setting is not meant to be used as a permanent setting, but as a temporary relief:
- It is recommended to fix the permissions in the ACLs and reset this parameter to the
- default after a certain transition period.
- </para>
---
-1.8.3.1
-
-
-From 59a240513c7d48afb337b102466c539af3f880f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:33:33 +0100
-Subject: [PATCH 79/83] docs: remove duplicate "or" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml b/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml
-index 974b6f0..54e7b87 100644
---- a/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml
-+++ b/docs-xml/smbdotconf/misc/fakedirectorycreatetimes.xml
-@@ -20,7 +20,7 @@
- timestamp than the object files it contains.</para>
-
- <para>However, Unix time semantics mean that the create time
-- reported by Samba will be updated whenever a file is created or
-+ reported by Samba will be updated whenever a file is created
- or deleted in the directory. NMAKE finds all object files in
- the object directory. The timestamp of the last one built is then
- compared to the timestamp of the object directory. If the
---
-1.8.3.1
-
-
-From 0cf92d476feabb870f67061d38d1027ebc59a852 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:34:05 +0100
-Subject: [PATCH 80/83] docs: remove duplicate "on" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/security/aclgroupcontrol.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/security/aclgroupcontrol.xml b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
-index e62216a..279a57b 100644
---- a/docs-xml/smbdotconf/security/aclgroupcontrol.xml
-+++ b/docs-xml/smbdotconf/security/aclgroupcontrol.xml
-@@ -24,7 +24,7 @@
-
- <para>
- This parameter is best used with the <smbconfoption name="inherit owner"/> option and also
-- on on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set
-+ on a share containing directories with the UNIX <emphasis>setgid bit</emphasis> set
- on them, which causes new files and directories created within it to inherit the group
- ownership from the containing directory.
- </para>
---
-1.8.3.1
-
-
-From 8d1ff1d73f43d0fd4c2290496389c006afb2de93 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:34:33 +0100
-Subject: [PATCH 81/83] docs: remove duplicate "must" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/security/smbencrypt.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/security/smbencrypt.xml b/docs-xml/smbdotconf/security/smbencrypt.xml
-index d556166..51079ae 100644
---- a/docs-xml/smbdotconf/security/smbencrypt.xml
-+++ b/docs-xml/smbdotconf/security/smbencrypt.xml
-@@ -21,7 +21,7 @@
- and <emphasis>disabled</emphasis>. This may be set on a per-share
- basis, but clients may chose to encrypt the entire session, not
- just traffic to a specific share. If this is set to mandatory
-- then all traffic to a share <emphasis>must</emphasis> must
-+ then all traffic to a share <emphasis>must</emphasis>
- be encrypted once the connection has been made to the share.
- The server would return "access denied" to all non-encrypted
- requests on such a share. Selecting encrypted traffic reduces
---
-1.8.3.1
-
-
-From 344c59f99996d4e6a23c2cc914377536ea7e9eee Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:34:54 +0100
-Subject: [PATCH 82/83] docs: remove duplicate "line" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- docs-xml/smbdotconf/security/usernamemapscript.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/security/usernamemapscript.xml b/docs-xml/smbdotconf/security/usernamemapscript.xml
-index 6df134c..9e2e1a5 100644
---- a/docs-xml/smbdotconf/security/usernamemapscript.xml
-+++ b/docs-xml/smbdotconf/security/usernamemapscript.xml
-@@ -8,7 +8,7 @@
- <smbconfoption name="username map"/> parameter. This parameter
- specifies and external program or script that must accept a single
- command line option (the username transmitted in the authentication
-- request) and return a line line on standard output (the name to which
-+ request) and return a line on standard output (the name to which
- the account should mapped). In this way, it is possible to store
- username map tables in an LDAP or NIS directory services.
- </para>
---
-1.8.3.1
-
-
-From c0bdd8011cc14a03bbddb7ad894219c649a609d9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 19 Nov 2013 12:36:53 +0100
-Subject: [PATCH 83/83] docs: remove duplicate "used" from smb.conf manpage.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Tue Nov 19 14:40:40 CET 2013 on sn-devel-104
----
- docs-xml/smbdotconf/filename/manglingmethod.xml | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs-xml/smbdotconf/filename/manglingmethod.xml b/docs-xml/smbdotconf/filename/manglingmethod.xml
-index f6e2eda..347dc56 100644
---- a/docs-xml/smbdotconf/filename/manglingmethod.xml
-+++ b/docs-xml/smbdotconf/filename/manglingmethod.xml
-@@ -6,7 +6,7 @@
- <description>
- <para> controls the algorithm used for the generating
- the mangled names. Can take two different values, "hash" and
-- "hash2". "hash" is the algorithm that was used
-+ "hash2". "hash" is the algorithm that was
- used in Samba for many years and was the default in Samba 2.2.x "hash2" is
- now the default and is newer and considered a better algorithm (generates less collisions) in
- the names. Many Win32 applications store the mangled names and so
---
-1.8.3.1
-
diff --git a/SOURCES/samba-4.1.2-fix_strict_aliasing.patch b/SOURCES/samba-4.1.2-fix_strict_aliasing.patch
deleted file mode 100644
index 7a60239..0000000
--- a/SOURCES/samba-4.1.2-fix_strict_aliasing.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From d31a18bcaaa3f3dd5f0bf8db705089c42c7ab0b3 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 14 Nov 2013 18:36:41 +0100
-Subject: [PATCH] util: Remove 32bit macros breaking strict aliasing.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10269
-
-These macros might have worked but they break strict aliasing in the
-meantime and so the compiler is not able to optimize the relevant code.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-
-Autobuild-User(master): Volker Lendecke <vl@samba.org>
-Autobuild-Date(master): Thu Nov 14 23:16:45 CET 2013 on sn-devel-104
-
-(cherry picked from commit af69cb2a78810e608ccff115b433801a58a749e4)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- lib/util/byteorder.h | 52 ++--------------------------------------------------
- 1 file changed, 2 insertions(+), 50 deletions(-)
-
-diff --git a/lib/util/byteorder.h b/lib/util/byteorder.h
-index 6bcf71e..58cd68a 100644
---- a/lib/util/byteorder.h
-+++ b/lib/util/byteorder.h
-@@ -35,15 +35,6 @@ Here is a description of this file that I emailed to the samba list once:
-
- sure.
-
--The distinction between 386 and other architectures is only there as
--an optimisation. You can take it out completely and it will make no
--difference. The routines (macros) in byteorder.h are totally byteorder
--independent. The 386 optimsation just takes advantage of the fact that
--the x86 processors don't care about alignment, so we don't have to
--align ints on int boundaries etc. If there are other processors out
--there that aren't alignment sensitive then you could also define
--CAREFUL_ALIGNMENT=0 on those processors as well.
--
- Ok, now to the macros themselves. I'll take a simple example, say we
- want to extract a 2 byte integer from a SMB packet and put it into a
- type called uint16_t that is in the local machines byte order, and you
-@@ -130,20 +121,6 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val)
- #define HAVE_ASM_BYTEORDER 0
- #endif
-
--
--
--#undef CAREFUL_ALIGNMENT
--
--/* we know that the 386 can handle misalignment and has the "right"
-- byteorder */
--#if defined(__i386__)
--#define CAREFUL_ALIGNMENT 0
--#endif
--
--#ifndef CAREFUL_ALIGNMENT
--#define CAREFUL_ALIGNMENT 1
--#endif
--
- #define CVAL(buf,pos) ((unsigned int)(((const uint8_t *)(buf))[pos]))
- #define CVAL_NC(buf,pos) (((uint8_t *)(buf))[pos]) /* Non-const version of CVAL */
- #define PVAL(buf,pos) (CVAL(buf,pos))
-@@ -161,7 +138,7 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val)
- #define SSVALS(buf,pos,val) SSVAL((buf),(pos),((int16_t)(val)))
- #define SIVALS(buf,pos,val) SIVAL((buf),(pos),((int32_t)(val)))
-
--#elif CAREFUL_ALIGNMENT
-+#else /* not HAVE_ASM_BYTEORDER */
-
- #define SVAL(buf,pos) (PVAL(buf,pos)|PVAL(buf,(pos)+1)<<8)
- #define IVAL(buf,pos) (SVAL(buf,pos)|SVAL(buf,(pos)+2)<<16)
-@@ -174,32 +151,7 @@ static __inline__ void st_le32(uint32_t *addr, const uint32_t val)
- #define SSVALS(buf,pos,val) SSVALX((buf),(pos),((int16_t)(val)))
- #define SIVALS(buf,pos,val) SIVALX((buf),(pos),((int32_t)(val)))
-
--#else /* not CAREFUL_ALIGNMENT */
--
--/* this handles things for architectures like the 386 that can handle
-- alignment errors */
--/*
-- WARNING: This section is dependent on the length of int16_t and int32_t
-- being correct
--*/
--
--/* get single value from an SMB buffer */
--#define SVAL(buf,pos) (*(const uint16_t *)((const char *)(buf) + (pos)))
--#define SVAL_NC(buf,pos) (*(uint16_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */
--#define IVAL(buf,pos) (*(const uint32_t *)((const char *)(buf) + (pos)))
--#define IVAL_NC(buf,pos) (*(uint32_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */
--#define SVALS(buf,pos) (*(const int16_t *)((const char *)(buf) + (pos)))
--#define SVALS_NC(buf,pos) (*(int16_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */
--#define IVALS(buf,pos) (*(const int32_t *)((const char *)(buf) + (pos)))
--#define IVALS_NC(buf,pos) (*(int32_t *)((void *)((char *)(buf) + (pos)))) /* Non const version of above. */
--
--/* store single value in an SMB buffer */
--#define SSVAL(buf,pos,val) SVAL_NC(buf,pos)=((uint16_t)(val))
--#define SIVAL(buf,pos,val) IVAL_NC(buf,pos)=((uint32_t)(val))
--#define SSVALS(buf,pos,val) SVALS_NC(buf,pos)=((int16_t)(val))
--#define SIVALS(buf,pos,val) IVALS_NC(buf,pos)=((int32_t)(val))
--
--#endif /* not CAREFUL_ALIGNMENT */
-+#endif /* not HAVE_ASM_BYTEORDER */
-
- /* 64 bit macros */
- #define BVAL(p, ofs) (IVAL(p,ofs) | (((uint64_t)IVAL(p,(ofs)+4)) << 32))
---
-1.8.4
-
diff --git a/SOURCES/samba-4.1.2-winbind_cache_keysize.patch b/SOURCES/samba-4.1.2-winbind_cache_keysize.patch
deleted file mode 100644
index fd4b505..0000000
--- a/SOURCES/samba-4.1.2-winbind_cache_keysize.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 944e9fbc20f125b52e047484dca1792d75561ed9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Wed, 13 Nov 2013 15:10:33 +0100
-Subject: [PATCH] s3-winbindd: Fix #10264, cache_traverse_validate_fn failure
- for NDR cache entries.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We need to increase the keysize limit for NDR queries. A wbint_LookupSids query
-for just 20 sids already hits the older limit.
-
-Guenther
-
-https://bugzilla.samba.org/show_bug.cgi?id=10264
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
-
-Autobuild-User(master): Michael Adam <obnox@samba.org>
-Autobuild-Date(master): Wed Nov 13 19:33:46 CET 2013 on sn-devel-104
----
- source3/winbindd/winbindd_cache.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
-index 91c19fa..267cefc 100644
---- a/source3/winbindd/winbindd_cache.c
-+++ b/source3/winbindd/winbindd_cache.c
-@@ -4065,7 +4065,8 @@ static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_D
- struct tdb_validation_status *v_state = (struct tdb_validation_status *)state;
-
- /* Paranoia check. */
-- if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0) {
-+ if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0 ||
-+ strncmp("NDR/", (const char *)kbuf.dptr, 4) == 0) {
- max_key_len = 1024 * 1024;
- }
- if (kbuf.dsize > max_key_len) {
---
-1.8.3.1
-
diff --git a/SOURCES/samba-4.1.3-CVE-2012-6150.patch b/SOURCES/samba-4.1.3-CVE-2012-6150.patch
deleted file mode 100644
index b4bd091..0000000
--- a/SOURCES/samba-4.1.3-CVE-2012-6150.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From f62683956a3b182f6a61cc7a2b4ada2e74cde243 Mon Sep 17 00:00:00 2001
-From: Noel Power <noel.power@suse.com>
-Date: Wed, 16 Oct 2013 16:30:55 +0100
-Subject: [PATCH] fail authentication for single group name which cannot be
- converted to sid
-
-furthermore if more than one name is supplied and no sid is converted
-then also fail.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10300
-
-Signed-off-by: Noel Power <noel.power@suse.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-[ddiss@samba.org: fixed incorrect bugzilla tag I added to master commit]
----
- nsswitch/pam_winbind.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/nsswitch/pam_winbind.c b/nsswitch/pam_winbind.c
-index 9322971..cd5e7ba 100644
---- a/nsswitch/pam_winbind.c
-+++ b/nsswitch/pam_winbind.c
-@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
- _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
- "to sid, please contact your administrator to see "
- "if group %s is valid."), search_location, search_location);
-+
-+ /* If no valid groups were converted we should fail outright */
-+ if (name_list != NULL && strlen(sid_list_buffer) == 0) {
-+ result = false;
-+ goto out;
-+ }
- /*
- * The lookup of the last name failed..
- * It results in require_member_of_sid ends with ','
---
-1.8.1.4
diff --git a/SOURCES/samba-4.1.3-CVE-2013-4408.patch b/SOURCES/samba-4.1.3-CVE-2013-4408.patch
deleted file mode 100644
index 7624ff1..0000000
--- a/SOURCES/samba-4.1.3-CVE-2013-4408.patch
+++ /dev/null
@@ -1,1974 +0,0 @@
-From ea6e3de5ae7c79b3badf9cfa8fcbaebf76ec5bae Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 24 Sep 2013 05:03:40 +0200
-Subject: [PATCH 01/16] CVE-2013-4408:librpc: check for invalid frag_len
- within dcerpc_read_ncacn_packet_done()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- librpc/rpc/dcerpc_util.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
-index de292c8..458ecc5 100644
---- a/librpc/rpc/dcerpc_util.c
-+++ b/librpc/rpc/dcerpc_util.c
-@@ -292,6 +292,11 @@ static void dcerpc_read_ncacn_packet_done(struct tevent_req *subreq)
- return;
- }
-
-+ if (state->pkt->frag_length != state->buffer.length) {
-+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
-+ return;
-+ }
-+
- tevent_req_done(req);
- }
-
---
-1.7.9.5
-
-
-From d405a5afc175c5a936511f861a35cffd3be43fd9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 24 Sep 2013 05:03:40 +0200
-Subject: [PATCH 02/16] CVE-2013-4408:librpc: check for invalid frag_len
- within dcerpc_read_ncacn_packet_next_vector()
-
-We should do this explicit instead of relying on
-tstream_readv_pdu_ask_for_next_vector() to catch the overflow.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- librpc/rpc/dcerpc_util.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
-index 458ecc5..0b9cca3 100644
---- a/librpc/rpc/dcerpc_util.c
-+++ b/librpc/rpc/dcerpc_util.c
-@@ -223,6 +223,15 @@ static int dcerpc_read_ncacn_packet_next_vector(struct tstream_context *stream,
-
- ofs = state->buffer.length;
-
-+ if (frag_len < ofs) {
-+ /*
-+ * something is wrong, let the caller deal with it
-+ */
-+ *_vector = NULL;
-+ *_count = 0;
-+ return 0;
-+ }
-+
- state->buffer.data = talloc_realloc(state,
- state->buffer.data,
- uint8_t, frag_len);
---
-1.7.9.5
-
-
-From db3a2292a096d95ce672950e738c35e902077604 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 25 Sep 2013 23:25:12 +0200
-Subject: [PATCH 03/16] CVE-2013-4408:s3:rpc_client: check for invalid
- frag_len in dcerpc_pull_ncacn_packet()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source3/librpc/rpc/dcerpc_helpers.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
-index d36c2da..a55e419 100644
---- a/source3/librpc/rpc/dcerpc_helpers.c
-+++ b/source3/librpc/rpc/dcerpc_helpers.c
-@@ -127,6 +127,10 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
- NDR_PRINT_DEBUG(ncacn_packet, r);
- }
-
-+ if (r->frag_length != blob->length) {
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
-+ }
-+
- return NT_STATUS_OK;
- }
-
---
-1.7.9.5
-
-
-From 1e1b1d587a056d898f0f5bb99235e488a06079f1 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 25 Sep 2013 23:25:12 +0200
-Subject: [PATCH 04/16] CVE-2013-4408:s3:rpc_client: verify frag_len at least
- contains the header size
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source3/rpc_client/cli_pipe.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index 2e978ef..fd854c4 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -284,6 +284,10 @@ static struct tevent_req *get_complete_frag_send(TALLOC_CTX *mem_ctx,
- }
-
- state->frag_len = dcerpc_get_frag_length(pdu);
-+ if (state->frag_len < RPC_HEADER_LEN) {
-+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
-+ return tevent_req_post(req, ev);
-+ }
-
- /*
- * Ensure we have frag_len bytes of data.
-@@ -332,6 +336,10 @@ static void get_complete_frag_got_header(struct tevent_req *subreq)
- }
-
- state->frag_len = dcerpc_get_frag_length(state->pdu);
-+ if (state->frag_len < RPC_HEADER_LEN) {
-+ tevent_req_nterror(req, NT_STATUS_RPC_PROTOCOL_ERROR);
-+ return;
-+ }
-
- if (!data_blob_realloc(NULL, state->pdu, state->frag_len)) {
- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
---
-1.7.9.5
-
-
-From 33d4dc2f0512d845cc6e00174b870833dd055862 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 25 Sep 2013 23:25:12 +0200
-Subject: [PATCH 05/16] CVE-2013-4408:s4:dcerpc: check for invalid frag_len in
- ncacn_pull()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source4/librpc/rpc/dcerpc.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
-index e653cba..2826160 100644
---- a/source4/librpc/rpc/dcerpc.c
-+++ b/source4/librpc/rpc/dcerpc.c
-@@ -693,6 +693,10 @@ static NTSTATUS ncacn_pull(struct dcecli_connection *c, DATA_BLOB *blob, TALLOC_
- return ndr_map_error2ntstatus(ndr_err);
- }
-
-+ if (pkt->frag_length != blob->length) {
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
-+ }
-+
- return NT_STATUS_OK;
- }
-
---
-1.7.9.5
-
-
-From 7ff27a03ddcb2aaa6b130266a9262dca79a324c5 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 25 Sep 2013 23:25:12 +0200
-Subject: [PATCH 06/16] CVE-2013-4408:s4:dcerpc_smb: check for invalid
- frag_len in send_read_request_continue()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source4/librpc/rpc/dcerpc_smb.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source4/librpc/rpc/dcerpc_smb.c b/source4/librpc/rpc/dcerpc_smb.c
-index e02631e..efb76cf 100644
---- a/source4/librpc/rpc/dcerpc_smb.c
-+++ b/source4/librpc/rpc/dcerpc_smb.c
-@@ -163,6 +163,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
- } else {
- uint32_t frag_length = blob->length>=16?
- dcerpc_get_frag_length(blob):0x2000;
-+
-+ if (frag_length < state->data.length) {
-+ talloc_free(state);
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
-+ }
-+
- state->received = blob->length;
- state->data = data_blob_talloc(state, NULL, frag_length);
- if (!state->data.data) {
---
-1.7.9.5
-
-
-From 2e01567db620407a9bfdee28efa61ddccc1357f8 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 25 Sep 2013 23:25:12 +0200
-Subject: [PATCH 07/16] CVE-2013-4408:s4:dcerpc_smb2: check for invalid
- frag_len in send_read_request_continue()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source4/librpc/rpc/dcerpc_smb2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source4/librpc/rpc/dcerpc_smb2.c b/source4/librpc/rpc/dcerpc_smb2.c
-index 473ca78..2b1c66e 100644
---- a/source4/librpc/rpc/dcerpc_smb2.c
-+++ b/source4/librpc/rpc/dcerpc_smb2.c
-@@ -173,6 +173,12 @@ static NTSTATUS send_read_request_continue(struct dcecli_connection *c, DATA_BLO
-
- if (state->data.length >= 16) {
- uint16_t frag_length = dcerpc_get_frag_length(&state->data);
-+
-+ if (frag_length < state->data.length) {
-+ talloc_free(state);
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
-+ }
-+
- io.in.length = frag_length - state->data.length;
- } else {
- io.in.length = 0x2000;
---
-1.7.9.5
-
-
-From 2a94a9db0086582119bbcb7b4c82e86e8a3f8137 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 24 Sep 2013 05:03:40 +0200
-Subject: [PATCH 08/16] CVE-2013-4408:s4:dcerpc_sock: check for invalid
- frag_len within sock_complete_packet()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source4/librpc/rpc/dcerpc_sock.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source4/librpc/rpc/dcerpc_sock.c b/source4/librpc/rpc/dcerpc_sock.c
-index 58fca4c..d36af11 100644
---- a/source4/librpc/rpc/dcerpc_sock.c
-+++ b/source4/librpc/rpc/dcerpc_sock.c
-@@ -102,6 +102,12 @@ static NTSTATUS sock_complete_packet(void *private_data, DATA_BLOB blob, size_t
- return STATUS_MORE_ENTRIES;
- }
- *size = dcerpc_get_frag_length(&blob);
-+ if (*size < blob.length) {
-+ /*
-+ * something is wrong, let the caller deal with it
-+ */
-+ *size = blob.length;
-+ }
- if (*size > blob.length) {
- return STATUS_MORE_ENTRIES;
- }
---
-1.7.9.5
-
-
-From 79c3d6df2fc63e188ae6091d6f0bd0a55f3fe548 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 16 Oct 2013 14:17:49 +0200
-Subject: [PATCH 09/16] CVE-2013-4408:async_sock: add some overflow detection
- to read_packet_handler()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- lib/async_req/async_sock.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/lib/async_req/async_sock.c b/lib/async_req/async_sock.c
-index 59dde88..74b2cb7 100644
---- a/lib/async_req/async_sock.c
-+++ b/lib/async_req/async_sock.c
-@@ -667,6 +667,11 @@ static void read_packet_handler(struct tevent_context *ev,
- return;
- }
-
-+ if (total + more < total) {
-+ tevent_req_error(req, EMSGSIZE);
-+ return;
-+ }
-+
- tmp = talloc_realloc(state, state->buf, uint8_t, total+more);
- if (tevent_req_nomem(tmp, req)) {
- return;
---
-1.7.9.5
-
-
-From ebfad1eadb3fc492f31c35a9d2585fe27ed00ad5 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 16 Oct 2013 14:17:49 +0200
-Subject: [PATCH 10/16] CVE-2013-4408:s3:util_tsock: add some overflow
- detection to tstream_read_packet_done()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source3/lib/util_tsock.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/lib/util_tsock.c b/source3/lib/util_tsock.c
-index 35a97f5..03380ef 100644
---- a/source3/lib/util_tsock.c
-+++ b/source3/lib/util_tsock.c
-@@ -110,6 +110,11 @@ static void tstream_read_packet_done(struct tevent_req *subreq)
- return;
- }
-
-+ if (total + more < total) {
-+ tevent_req_error(req, EMSGSIZE);
-+ return;
-+ }
-+
- tmp = talloc_realloc(state, state->buf, uint8_t, total+more);
- if (tevent_req_nomem(tmp, req)) {
- return;
---
-1.7.9.5
-
-
-From 1108ce2b996cde47a653cdfca27e059e3986da5f Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 16 Oct 2013 14:17:49 +0200
-Subject: [PATCH 11/16] CVE-2013-4408:libcli/util: add some size verification
- to tstream_read_pdu_blob_done()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- libcli/util/tstream.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/libcli/util/tstream.c b/libcli/util/tstream.c
-index 12cef9b..dd830e2 100644
---- a/libcli/util/tstream.c
-+++ b/libcli/util/tstream.c
-@@ -129,6 +129,11 @@ static void tstream_read_pdu_blob_done(struct tevent_req *subreq)
- return;
- }
-
-+ if (new_buf_size <= old_buf_size) {
-+ tevent_req_nterror(req, NT_STATUS_INVALID_BUFFER_SIZE);
-+ return;
-+ }
-+
- buf = talloc_realloc(state, state->pdu_blob.data, uint8_t, new_buf_size);
- if (tevent_req_nomem(buf, req)) {
- return;
---
-1.7.9.5
-
-
-From 72d5d302c5ed46f3ca465653f6c595ea500b3063 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Wed, 16 Oct 2013 16:26:58 +0200
-Subject: [PATCH 12/16] CVE-2013-4408:s3:ctdb_conn: add some length
- verification to ctdb_packet_more()
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
----
- source3/lib/ctdb_conn.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/source3/lib/ctdb_conn.c b/source3/lib/ctdb_conn.c
-index 90930eb..40071d4 100644
---- a/source3/lib/ctdb_conn.c
-+++ b/source3/lib/ctdb_conn.c
-@@ -233,6 +233,11 @@ static ssize_t ctdb_packet_more(uint8_t *buf, size_t buflen, void *p)
- return 0;
- }
- memcpy(&len, buf, sizeof(len));
-+
-+ if (len < sizeof(uint32_t)) {
-+ return -1;
-+ }
-+
- return (len - sizeof(uint32_t));
- }
-
---
-1.7.9.5
-
-
-From 5335358922eb2d86f00c73bb9e11940cc0cec7ce Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 17 Oct 2013 14:44:35 -0700
-Subject: [PATCH 13/16] CVE-2013-4408:s3:Ensure we always check call_id when
- validating an RPC reply.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_client/cli_pipe.c | 33 +++++++++++++++++++++++++--------
- 1 file changed, 25 insertions(+), 8 deletions(-)
-
-diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
-index fd854c4..385ae25 100644
---- a/source3/rpc_client/cli_pipe.c
-+++ b/source3/rpc_client/cli_pipe.c
-@@ -389,6 +389,7 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- struct ncacn_packet *pkt,
- DATA_BLOB *pdu,
- uint8_t expected_pkt_type,
-+ uint32_t call_id,
- DATA_BLOB *rdata,
- DATA_BLOB *reply_pdu)
- {
-@@ -487,7 +488,7 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- "from %s!\n",
- (unsigned int)pkt->ptype,
- rpccli_pipe_txt(talloc_tos(), cli)));
-- return NT_STATUS_INVALID_INFO_CLASS;
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
- }
-
- if (pkt->ptype != expected_pkt_type) {
-@@ -495,7 +496,15 @@ static NTSTATUS cli_pipe_validate_current_pdu(TALLOC_CTX *mem_ctx,
- "RPC packet type - %u, not %u\n",
- rpccli_pipe_txt(talloc_tos(), cli),
- pkt->ptype, expected_pkt_type));
-- return NT_STATUS_INVALID_INFO_CLASS;
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
-+ }
-+
-+ if (pkt->call_id != call_id) {
-+ DEBUG(3, (__location__ ": Connection to %s got an unexpected "
-+ "RPC call_id - %u, not %u\n",
-+ rpccli_pipe_txt(talloc_tos(), cli),
-+ pkt->call_id, call_id));
-+ return NT_STATUS_RPC_PROTOCOL_ERROR;
- }
-
- /* Do this just before return - we don't want to modify any rpc header
-@@ -701,6 +710,7 @@ struct rpc_api_pipe_state {
- struct tevent_context *ev;
- struct rpc_pipe_client *cli;
- uint8_t expected_pkt_type;
-+ uint32_t call_id;
-
- DATA_BLOB incoming_frag;
- struct ncacn_packet *pkt;
-@@ -719,7 +729,8 @@ static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct rpc_pipe_client *cli,
- DATA_BLOB *data, /* Outgoing PDU */
-- uint8_t expected_pkt_type)
-+ uint8_t expected_pkt_type,
-+ uint32_t call_id)
- {
- struct tevent_req *req, *subreq;
- struct rpc_api_pipe_state *state;
-@@ -733,6 +744,7 @@ static struct tevent_req *rpc_api_pipe_send(TALLOC_CTX *mem_ctx,
- state->ev = ev;
- state->cli = cli;
- state->expected_pkt_type = expected_pkt_type;
-+ state->call_id = call_id;
- state->incoming_frag = data_blob_null;
- state->reply_pdu = data_blob_null;
- state->reply_pdu_offset = 0;
-@@ -884,6 +896,7 @@ static void rpc_api_pipe_got_pdu(struct tevent_req *subreq)
- state->cli, state->pkt,
- &state->incoming_frag,
- state->expected_pkt_type,
-+ state->call_id,
- &rdata,
- &state->reply_pdu);
-
-@@ -1226,7 +1239,8 @@ struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
- if (is_last_frag) {
- subreq = rpc_api_pipe_send(state, ev, state->cli,
- &state->rpc_out,
-- DCERPC_PKT_RESPONSE);
-+ DCERPC_PKT_RESPONSE,
-+ state->call_id);
- if (subreq == NULL) {
- goto fail;
- }
-@@ -1362,7 +1376,8 @@ static void rpc_api_pipe_req_write_done(struct tevent_req *subreq)
- if (is_last_frag) {
- subreq = rpc_api_pipe_send(state, state->ev, state->cli,
- &state->rpc_out,
-- DCERPC_PKT_RESPONSE);
-+ DCERPC_PKT_RESPONSE,
-+ state->call_id);
- if (tevent_req_nomem(subreq, req)) {
- return;
- }
-@@ -1608,7 +1623,7 @@ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
- }
-
- subreq = rpc_api_pipe_send(state, ev, cli, &state->rpc_out,
-- DCERPC_PKT_BIND_ACK);
-+ DCERPC_PKT_BIND_ACK, state->rpc_call_id);
- if (subreq == NULL) {
- goto fail;
- }
-@@ -1916,7 +1931,8 @@ static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
- }
-
- subreq = rpc_api_pipe_send(state, state->ev, state->cli,
-- &state->rpc_out, DCERPC_PKT_ALTER_RESP);
-+ &state->rpc_out, DCERPC_PKT_ALTER_RESP,
-+ state->rpc_call_id);
- if (subreq == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -1948,7 +1964,8 @@ static NTSTATUS rpc_bind_finish_send(struct tevent_req *req,
- }
-
- subreq = rpc_api_pipe_send(state, state->ev, state->cli,
-- &state->rpc_out, DCERPC_PKT_AUTH3);
-+ &state->rpc_out, DCERPC_PKT_AUTH3,
-+ state->rpc_call_id);
- if (subreq == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
---
-1.7.9.5
-
-
-From 7d60c72841e8b2e4315e506fb1033508b43425f6 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 7 Nov 2013 20:38:01 -0800
-Subject: [PATCH 14/16] CVE-2013-4408:s3:Ensure LookupSids replies arrays are
- range checked.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- nsswitch/libwbclient/wbc_sid.c | 7 +++++++
- nsswitch/wbinfo.c | 23 ++++++++++++++++++++---
- source3/rpc_client/cli_lsarpc.c | 17 ++++++++++++++++-
- source3/rpcclient/cmd_lsarpc.c | 7 +++++--
- source3/winbindd/wb_lookupsids.c | 3 +++
- source3/winbindd/winbindd_rpc.c | 32 ++++++++++++++++++++++++++++++++
- source4/libcli/util/clilsa.c | 16 +++++++++++++++-
- source4/winbind/wb_async_helpers.c | 13 ++++++++++++-
- 8 files changed, 110 insertions(+), 8 deletions(-)
-
-diff --git a/nsswitch/libwbclient/wbc_sid.c b/nsswitch/libwbclient/wbc_sid.c
-index bab6933..82ac339 100644
---- a/nsswitch/libwbclient/wbc_sid.c
-+++ b/nsswitch/libwbclient/wbc_sid.c
-@@ -421,6 +421,13 @@ wbcErr wbcLookupSids(const struct wbcDomainSid *sids, int num_sids,
- for (i=0; i<num_names; i++) {
-
- names[i].domain_index = strtoul(p, &q, 10);
-+ if (names[i].domain_index < 0) {
-+ goto wbc_err_invalid;
-+ }
-+ if (names[i].domain_index >= num_domains) {
-+ goto wbc_err_invalid;
-+ }
-+
- if (*q != ' ') {
- goto wbc_err_invalid;
- }
-diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
-index 17977ed..3f0310a 100644
---- a/nsswitch/wbinfo.c
-+++ b/nsswitch/wbinfo.c
-@@ -1391,11 +1391,28 @@ static bool wbinfo_lookup_sids(const char *arg)
- }
-
- for (i=0; i<num_sids; i++) {
-+ const char *domain = NULL;
-+
- wbcSidToStringBuf(&sids[i], sidstr, sizeof(sidstr));
-
-- d_printf("%s -> %s\\%s %d\n", sidstr,
-- domains[names[i].domain_index].short_name,
-- names[i].name, names[i].type);
-+ if (names[i].domain_index >= num_domains) {
-+ domain = "<none>";
-+ } else if (names[i].domain_index < 0) {
-+ domain = "<none>";
-+ } else {
-+ domain = domains[names[i].domain_index].short_name;
-+ }
-+
-+ if (names[i].type == WBC_SID_NAME_DOMAIN) {
-+ d_printf("%s -> %s %d\n", sidstr,
-+ domain,
-+ names[i].type);
-+ } else {
-+ d_printf("%s -> %s%c%s %d\n", sidstr,
-+ domain,
-+ winbind_separator(),
-+ names[i].name, names[i].type);
-+ }
- }
- wbcFreeMemory(names);
- wbcFreeMemory(domains);
-diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
-index 126f370..7cadd6e 100644
---- a/source3/rpc_client/cli_lsarpc.c
-+++ b/source3/rpc_client/cli_lsarpc.c
-@@ -279,11 +279,26 @@ static NTSTATUS dcerpc_lsa_lookup_sids_noalloc(struct dcerpc_binding_handle *h,
-
- for (i = 0; i < num_sids; i++) {
- const char *name, *dom_name;
-- uint32_t dom_idx = lsa_names.names[i].sid_index;
-+ uint32_t dom_idx;
-+
-+ if (i >= lsa_names.count) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ return status;
-+ }
-+
-+ dom_idx = lsa_names.names[i].sid_index;
-
- /* Translate optimised name through domain index array */
-
- if (dom_idx != 0xffffffff) {
-+ if (ref_domains == NULL) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ return status;
-+ }
-+ if (dom_idx >= ref_domains->count) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ return status;
-+ }
-
- dom_name = ref_domains->domains[dom_idx].name.string;
- name = lsa_names.names[i].name.string;
-diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
-index cbc089f..a7ee4e4 100644
---- a/source3/rpcclient/cmd_lsarpc.c
-+++ b/source3/rpcclient/cmd_lsarpc.c
-@@ -450,7 +450,7 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli,
- NTSTATUS status = NT_STATUS_UNSUCCESSFUL, result;
- int i;
- struct lsa_SidArray sids;
-- struct lsa_RefDomainList *domains;
-+ struct lsa_RefDomainList *domains = NULL;
- struct lsa_TransNameArray2 names;
- uint32_t count = 0;
- struct dcerpc_binding_handle *b = cli->binding_handle;
-@@ -506,9 +506,12 @@ static NTSTATUS cmd_lsa_lookup_sids3(struct rpc_pipe_client *cli,
-
- /* Print results */
-
-- for (i = 0; i < count; i++) {
-+ for (i = 0; i < names.count; i++) {
- fstring sid_str;
-
-+ if (i >= sids.num_sids) {
-+ break;
-+ }
- sid_to_fstring(sid_str, sids.sids[i].sid);
- printf("%s %s (%d)\n", sid_str,
- names.names[i].name.string,
-diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
-index 2c4ebda..e10d511 100644
---- a/source3/winbindd/wb_lookupsids.c
-+++ b/source3/winbindd/wb_lookupsids.c
-@@ -402,6 +402,9 @@ static bool wb_lookupsids_move_name(struct lsa_RefDomainList *src_domains,
- uint32_t src_domain_index, dst_domain_index;
-
- src_domain_index = src_name->sid_index;
-+ if (src_domain_index >= src_domains->count) {
-+ return false;
-+ }
- src_domain = &src_domains->domains[src_domain_index];
-
- if (!wb_lookupsids_find_dom_idx(
-diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
-index 44deeb0..7345ea7 100644
---- a/source3/winbindd/winbindd_rpc.c
-+++ b/source3/winbindd/winbindd_rpc.c
-@@ -1084,6 +1084,10 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
- if (NT_STATUS_IS_ERR(result)) {
- return result;
- }
-+ if (sids->num_sids != lsa_names2.count) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
- names = talloc_zero(mem_ctx, struct lsa_TransNameArray);
- if (names == NULL) {
- return NT_STATUS_NO_MEMORY;
-@@ -1099,6 +1103,16 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
- names->names[i].name.string = talloc_move(
- names->names, &lsa_names2.names[i].name.string);
- names->names[i].sid_index = lsa_names2.names[i].sid_index;
-+
-+ if (names->names[i].sid_index == UINT32_MAX) {
-+ continue;
-+ }
-+ if ((*pdomains) == NULL) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (names->names[i].sid_index >= (*pdomains)->count) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
- }
- *pnames = names;
- return result;
-@@ -1114,6 +1128,7 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
- struct rpc_pipe_client *cli = NULL;
- struct policy_handle lsa_policy;
- uint32_t count;
-+ uint32_t i;
- NTSTATUS status, result;
-
- status = cm_connect_lsat(domain, mem_ctx, &cli, &lsa_policy);
-@@ -1140,6 +1155,23 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
- if (NT_STATUS_IS_ERR(result)) {
- return result;
- }
-+
-+ if (sids->num_sids != names->count) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
-+ for (i=0; i < names->count; i++) {
-+ if (names->names[i].sid_index == UINT32_MAX) {
-+ continue;
-+ }
-+ if ((*pdomains) == NULL) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (names->names[i].sid_index >= (*pdomains)->count) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ }
-+
- *pnames = names;
- return result;
- }
-diff --git a/source4/libcli/util/clilsa.c b/source4/libcli/util/clilsa.c
-index 812f953..cc0dae5 100644
---- a/source4/libcli/util/clilsa.c
-+++ b/source4/libcli/util/clilsa.c
-@@ -260,7 +260,21 @@ NTSTATUS smblsa_lookup_sid(struct smbcli_state *cli,
- }
- if (names.count != 1) {
- talloc_free(mem_ctx2);
-- return NT_STATUS_UNSUCCESSFUL;
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (domains == NULL) {
-+ talloc_free(mem_ctx2);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (domains->count != 1) {
-+ talloc_free(mem_ctx2);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (names.names[0].sid_index != UINT32_MAX &&
-+ names.names[0].sid_index >= domains->count)
-+ {
-+ talloc_free(mem_ctx2);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- (*name) = talloc_asprintf(mem_ctx, "%s\\%s",
-diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c
-index 2af8567..e3de2eb 100644
---- a/source4/winbind/wb_async_helpers.c
-+++ b/source4/winbind/wb_async_helpers.c
-@@ -122,6 +122,12 @@ static void lsa_lookupsids_recv_names(struct tevent_req *subreq)
- return;
- }
-
-+ if (state->names.count != state->num_sids) {
-+ composite_error(state->ctx,
-+ NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
-+
- state->result = talloc_array(state, struct wb_sid_object *,
- state->num_sids);
- if (composite_nomem(state->result, state->ctx)) return;
-@@ -142,9 +148,14 @@ static void lsa_lookupsids_recv_names(struct tevent_req *subreq)
- continue;
- }
-
-+ if (domains == NULL) {
-+ composite_error(state->ctx,
-+ NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
- if (name->sid_index >= domains->count) {
- composite_error(state->ctx,
-- NT_STATUS_INVALID_PARAMETER);
-+ NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
---
-1.7.9.5
-
-
-From e89cb29f386adf364fb953686eb34d0db7d62202 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 7 Nov 2013 21:40:55 -0800
-Subject: [PATCH 15/16] CVE-2013-4408:s3:Ensure LookupNames replies arrays are
- range checked.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/lib/netapi/group.c | 82 +++++++++++++++++++++++++++
- source3/lib/netapi/localgroup.c | 8 ++-
- source3/lib/netapi/user.c | 56 ++++++++++++++++++
- source3/libnet/libnet_join.c | 16 ++++++
- source3/rpc_client/cli_lsarpc.c | 18 ++++++
- source3/rpc_server/netlogon/srv_netlog_nt.c | 2 +-
- source3/rpcclient/cmd_lsarpc.c | 6 +-
- source3/rpcclient/cmd_samr.c | 58 ++++++++++++++++++-
- source3/smbd/lanman.c | 8 +++
- source3/utils/net_rpc.c | 40 ++++++++++++-
- source3/utils/net_rpc_join.c | 9 +++
- source3/winbindd/winbindd_rpc.c | 14 +----
- source4/libcli/util/clilsa.c | 6 +-
- source4/libnet/groupinfo.c | 9 ++-
- source4/libnet/groupman.c | 10 ++--
- source4/libnet/libnet_join.c | 12 +++-
- source4/libnet/libnet_lookup.c | 5 ++
- source4/libnet/libnet_passwd.c | 10 +++-
- source4/libnet/userinfo.c | 8 ++-
- source4/libnet/userman.c | 24 ++++----
- source4/winbind/wb_async_helpers.c | 13 ++++-
- 21 files changed, 368 insertions(+), 46 deletions(-)
-
-diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
-index 9813f7e..69c7af4 100644
---- a/source3/lib/netapi/group.c
-+++ b/source3/lib/netapi/group.c
-@@ -309,6 +309,15 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
- goto done;
- }
-
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+
- if (types.ids[0] != SID_NAME_DOM_GRP) {
- werr = WERR_INVALID_DATATYPE;
- goto done;
-@@ -511,6 +520,14 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- if (types.ids[0] != SID_NAME_DOM_GRP) {
- werr = WERR_INVALID_DATATYPE;
-@@ -781,6 +798,14 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- if (types.ids[0] != SID_NAME_DOM_GRP) {
- werr = WERR_INVALID_DATATYPE;
-@@ -921,6 +946,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
- werr = WERR_GROUPNOTFOUND;
- goto done;
- }
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- if (types.ids[0] != SID_NAME_DOM_GRP) {
- werr = WERR_GROUPNOTFOUND;
-@@ -959,6 +992,14 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
- werr = WERR_USER_NOT_FOUND;
- goto done;
- }
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- if (types.ids[0] != SID_NAME_USER) {
- werr = WERR_USER_NOT_FOUND;
-@@ -1065,6 +1106,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
- werr = WERR_GROUPNOTFOUND;
- goto done;
- }
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- if (types.ids[0] != SID_NAME_DOM_GRP) {
- werr = WERR_GROUPNOTFOUND;
-@@ -1104,6 +1153,14 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
- werr = WERR_USER_NOT_FOUND;
- goto done;
- }
-+ if (rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- if (types.ids[0] != SID_NAME_USER) {
- werr = WERR_USER_NOT_FOUND;
-@@ -1515,6 +1572,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (group_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenGroup(b, talloc_tos(),
- &domain_handle,
-@@ -1691,6 +1756,14 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (group_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (group_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenGroup(b, talloc_tos(),
- &domain_handle,
-@@ -1769,6 +1842,15 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
- goto done;
- }
-
-+ if (r->in.num_entries != user_rids.count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (r->in.num_entries != name_types.count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+
- member_rids = user_rids.ids;
-
- status = dcerpc_samr_QueryGroupMember(b, talloc_tos(),
-diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
-index 1a544ad..17cab68 100644
---- a/source3/lib/netapi/localgroup.c
-+++ b/source3/lib/netapi/localgroup.c
-@@ -58,6 +58,12 @@ static NTSTATUS libnetapi_samr_lookup_and_open_alias(TALLOC_CTX *mem_ctx,
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
-+ if (user_rids.count != 1) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (name_types.count != 1) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-
- switch (name_types.ids[0]) {
- case SID_NAME_ALIAS:
-@@ -1041,7 +1047,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx,
- NT_STATUS_NOT_OK_RETURN(result);
-
- if (count != 1 || sids.count != 1) {
-- return NT_STATUS_NONE_MAPPED;
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- sid_copy(sid, sids.sids[0].sid);
-diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
-index df3914c..e699ad3 100644
---- a/source3/lib/netapi/user.c
-+++ b/source3/lib/netapi/user.c
-@@ -604,6 +604,14 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, talloc_tos(),
- &domain_handle,
-@@ -1803,6 +1811,14 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = libnetapi_samr_lookup_user_map_USER_INFO(ctx, pipe_cli,
- domain_sid,
-@@ -1968,6 +1984,14 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, talloc_tos(),
- &domain_handle,
-@@ -3027,6 +3051,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, talloc_tos(),
- &domain_handle,
-@@ -3202,6 +3234,14 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, talloc_tos(),
- &domain_handle,
-@@ -3262,6 +3302,14 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (group_rids.count != r->in.num_entries) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != r->in.num_entries) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- member_rids = group_rids.ids;
-
-@@ -3539,6 +3587,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, talloc_tos(),
- &domain_handle,
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index dfe7283..29d1944 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -1023,6 +1023,14 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
- status = result;
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- if (name_types.ids[0] != SID_NAME_USER) {
- DEBUG(0,("%s is not a user account (type=%d)\n",
-@@ -1416,6 +1424,14 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
- status = result;
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- if (name_types.ids[0] != SID_NAME_USER) {
- DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name,
-diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
-index 7cadd6e..974538b 100644
---- a/source3/rpc_client/cli_lsarpc.c
-+++ b/source3/rpc_client/cli_lsarpc.c
-@@ -662,9 +662,19 @@ NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h,
- struct dom_sid *sid = &(*sids)[i];
-
- if (use_lookupnames4) {
-+ if (i >= sid_array3.count) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+
- dom_idx = sid_array3.sids[i].sid_index;
- (*types)[i] = sid_array3.sids[i].sid_type;
- } else {
-+ if (i >= sid_array.count) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+
- dom_idx = sid_array.sids[i].sid_index;
- (*types)[i] = sid_array.sids[i].sid_type;
- }
-@@ -677,6 +687,14 @@ NTSTATUS dcerpc_lsa_lookup_names_generic(struct dcerpc_binding_handle *h,
- (*types)[i] = SID_NAME_UNKNOWN;
- continue;
- }
-+ if (domains == NULL) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (dom_idx >= domains->count) {
-+ *presult = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- if (use_lookupnames4) {
- sid_copy(sid, sid_array3.sids[i].sid);
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 6a6c125..e5ca474 100644
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -580,7 +580,7 @@ static NTSTATUS samr_find_machine_account(TALLOC_CTX *mem_ctx,
- status = NT_STATUS_NO_SUCH_USER;
- goto out;
- }
-- if (rids.count != types.count) {
-+ if (types.count != 1) {
- status = NT_STATUS_INVALID_PARAMETER;
- goto out;
- }
-diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c
-index a7ee4e4..5c28b1c 100644
---- a/source3/rpcclient/cmd_lsarpc.c
-+++ b/source3/rpcclient/cmd_lsarpc.c
-@@ -323,7 +323,7 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli,
-
- uint32_t num_names;
- struct lsa_String *names;
-- struct lsa_RefDomainList *domains;
-+ struct lsa_RefDomainList *domains = NULL;
- struct lsa_TransSidArray3 sids;
- uint32_t count = 0;
- int i;
-@@ -361,6 +361,10 @@ static NTSTATUS cmd_lsa_lookup_names4(struct rpc_pipe_client *cli,
- return result;
- }
-
-+ if (sids.count != num_names) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
- for (i = 0; i < sids.count; i++) {
- fstring sid_str;
- sid_to_fstring(sid_str, sids.sids[i].sid);
-diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
-index 022230b..5bc8c0b 100644
---- a/source3/rpcclient/cmd_samr.c
-+++ b/source3/rpcclient/cmd_samr.c
-@@ -385,7 +385,17 @@ static NTSTATUS cmd_samr_query_user(struct rpc_pipe_client *cli,
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-+
- if (NT_STATUS_IS_OK(result)) {
-+ if (rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+
- status = dcerpc_samr_OpenUser(b, mem_ctx,
- &domain_pol,
- access_mask,
-@@ -1453,6 +1463,15 @@ static NTSTATUS cmd_samr_delete_alias(struct rpc_pipe_client *cli,
- goto done;
- }
- if (NT_STATUS_IS_OK(result)) {
-+ if (rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+
- status = dcerpc_samr_OpenAlias(b, mem_ctx,
- &domain_pol,
- access_mask,
-@@ -2115,6 +2134,14 @@ static NTSTATUS cmd_samr_lookup_names(struct rpc_pipe_client *cli,
- status = result;
- goto done;
- }
-+ if (rids.count != num_names) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != num_names) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- /* Display results */
-
-@@ -2272,6 +2299,14 @@ static NTSTATUS cmd_samr_delete_dom_group(struct rpc_pipe_client *cli,
- status = result;
- goto done;
- }
-+ if (group_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenGroup(b, mem_ctx,
- &domain_pol,
-@@ -2375,6 +2410,14 @@ static NTSTATUS cmd_samr_delete_dom_user(struct rpc_pipe_client *cli,
- status = result;
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, mem_ctx,
- &domain_pol,
-@@ -2763,6 +2806,14 @@ static NTSTATUS cmd_samr_chgpasswd(struct rpc_pipe_client *cli,
- status = result;
- goto done;
- }
-+ if (rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, mem_ctx,
- &domain_pol,
-@@ -3166,7 +3217,12 @@ static NTSTATUS cmd_samr_setuserinfo_int(struct rpc_pipe_client *cli,
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
--
-+ if (rids.count != 1) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (types.count != 1) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-
- status = dcerpc_samr_OpenUser(b, mem_ctx,
- &domain_pol,
-diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
-index b5598a4..e6b9530 100644
---- a/source3/smbd/lanman.c
-+++ b/source3/smbd/lanman.c
-@@ -2629,6 +2629,14 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
- nt_errstr(result)));
- goto close_domain;
- }
-+ if (rid.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto close_domain;
-+ }
-+ if (type.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto close_domain;
-+ }
-
- if (type.ids[0] != SID_NAME_USER) {
- DEBUG(10, ("%s is a %s, not a user\n", UserName,
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index 870ad22..e0c8eea 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -1667,6 +1667,14 @@ static NTSTATUS rpc_group_delete_internals(struct net_context *c,
- d_fprintf(stderr, _("Lookup of '%s' failed\n"),argv[0]);
- goto done;
- }
-+ if (group_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- switch (name_types.ids[0])
- {
-@@ -2074,6 +2082,14 @@ static NTSTATUS rpc_add_groupmem(struct rpc_pipe_client *pipe_hnd,
- member);
- goto done;
- }
-+ if (rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (rid_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenGroup(b, mem_ctx,
- &domain_pol,
-@@ -2329,6 +2345,14 @@ static NTSTATUS rpc_del_groupmem(struct net_context *c,
- member);
- goto done;
- }
-+ if (rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (rid_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenGroup(b, mem_ctx,
- &domain_pol,
-@@ -3112,9 +3136,15 @@ static NTSTATUS rpc_group_members_internals(struct net_context *c,
- if (rids.count != 1) {
- d_fprintf(stderr, _("Couldn't find group %s\n"),
- argv[0]);
-- return result;
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (rid_types.count != 1) {
-+ d_fprintf(stderr, _("Couldn't find group %s\n"),
-+ argv[0]);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
-+
- if (rid_types.ids[0] == SID_NAME_DOM_GRP) {
- return rpc_list_group_members(c, pipe_hnd, mem_ctx, domain_name,
- domain_sid, &domain_pol,
-@@ -6064,6 +6094,14 @@ static NTSTATUS rpc_trustdom_del_internals(struct net_context *c,
- acct_name, nt_errstr(result) );
- goto done;
- }
-+ if (user_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- status = dcerpc_samr_OpenUser(b, mem_ctx,
- &domain_pol,
-diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
-index 7167cf9..56799cd 100644
---- a/source3/utils/net_rpc_join.c
-+++ b/source3/utils/net_rpc_join.c
-@@ -380,6 +380,15 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
- ("error looking up rid for user %s: %s/%s\n",
- acct_name, nt_errstr(status), nt_errstr(result)));
-
-+ if (user_rids.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (name_types.count != 1) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+
- if (name_types.ids[0] != SID_NAME_USER) {
- DEBUG(0, ("%s is not a user account (type=%d)\n", acct_name, name_types.ids[0]));
- goto done;
-diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
-index 7345ea7..6b88c84 100644
---- a/source3/winbindd/winbindd_rpc.c
-+++ b/source3/winbindd/winbindd_rpc.c
-@@ -1063,7 +1063,7 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
- struct lsa_TransNameArray **pnames)
- {
- struct lsa_TransNameArray2 lsa_names2;
-- struct lsa_TransNameArray *names;
-+ struct lsa_TransNameArray *names = *pnames;
- uint32_t i, count;
- NTSTATUS status, result;
-
-@@ -1088,10 +1088,6 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
- return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
-- names = talloc_zero(mem_ctx, struct lsa_TransNameArray);
-- if (names == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
- names->count = lsa_names2.count;
- names->names = talloc_array(names, struct lsa_TranslatedName,
- names->count);
-@@ -1114,7 +1110,6 @@ static NTSTATUS rpc_try_lookup_sids3(TALLOC_CTX *mem_ctx,
- return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
- }
-- *pnames = names;
- return result;
- }
-
-@@ -1124,7 +1119,7 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
- struct lsa_RefDomainList **pdomains,
- struct lsa_TransNameArray **pnames)
- {
-- struct lsa_TransNameArray *names;
-+ struct lsa_TransNameArray *names = *pnames;
- struct rpc_pipe_client *cli = NULL;
- struct policy_handle lsa_policy;
- uint32_t count;
-@@ -1141,10 +1136,6 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
- pdomains, pnames);
- }
-
-- names = talloc_zero(mem_ctx, struct lsa_TransNameArray);
-- if (names == NULL) {
-- return NT_STATUS_NO_MEMORY;
-- }
- status = dcerpc_lsa_LookupSids(cli->binding_handle, mem_ctx,
- &lsa_policy, sids, pdomains,
- names, LSA_LOOKUP_NAMES_ALL,
-@@ -1172,6 +1163,5 @@ NTSTATUS rpc_lookup_sids(TALLOC_CTX *mem_ctx,
- }
- }
-
-- *pnames = names;
- return result;
- }
-diff --git a/source4/libcli/util/clilsa.c b/source4/libcli/util/clilsa.c
-index cc0dae5..0437352 100644
---- a/source4/libcli/util/clilsa.c
-+++ b/source4/libcli/util/clilsa.c
-@@ -335,7 +335,11 @@ NTSTATUS smblsa_lookup_name(struct smbcli_state *cli,
- }
- if (sids.count != 1) {
- talloc_free(mem_ctx2);
-- return NT_STATUS_UNSUCCESSFUL;
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (domains->count != 1) {
-+ talloc_free(mem_ctx2);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- sid = domains->domains[0].sid;
-diff --git a/source4/libnet/groupinfo.c b/source4/libnet/groupinfo.c
-index 9060973..5c8b0f7 100644
---- a/source4/libnet/groupinfo.c
-+++ b/source4/libnet/groupinfo.c
-@@ -88,11 +88,14 @@ static void continue_groupinfo_lookup(struct tevent_req *subreq)
- s->monitor_fn(&msg);
- }
-
--
- /* have we actually got name resolved
- - we're looking for only one at the moment */
-- if (s->lookup.out.rids->count == 0) {
-- composite_error(c, NT_STATUS_NO_SUCH_USER);
-+ if (s->lookup.out.rids->count != s->lookup.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
-+ if (s->lookup.out.types->count != s->lookup.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
-diff --git a/source4/libnet/groupman.c b/source4/libnet/groupman.c
-index 9771ea5..59a3f35 100644
---- a/source4/libnet/groupman.c
-+++ b/source4/libnet/groupman.c
-@@ -219,13 +219,13 @@ static void continue_groupdel_name_found(struct tevent_req *subreq)
-
- /* what to do when there's no group account to delete
- and what if there's more than one rid resolved */
-- if (!s->lookupname.out.rids->count) {
-- c->status = NT_STATUS_NO_SUCH_GROUP;
-+ if (s->lookupname.out.rids->count != s->lookupname.in.num_names) {
-+ c->status = NT_STATUS_INVALID_NETWORK_RESPONSE;
- composite_error(c, c->status);
- return;
--
-- } else if (!s->lookupname.out.rids->count > 1) {
-- c->status = NT_STATUS_INVALID_ACCOUNT_NAME;
-+ }
-+ if (s->lookupname.out.types->count != s->lookupname.in.num_names) {
-+ c->status = NT_STATUS_INVALID_NETWORK_RESPONSE;
- composite_error(c, c->status);
- return;
- }
-diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
-index 0977403..8c1b57d 100644
---- a/source4/libnet/libnet_join.c
-+++ b/source4/libnet/libnet_join.c
-@@ -656,9 +656,17 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
- "samr_LookupNames for [%s] returns %d RIDs",
- r->in.account_name, ln.out.rids->count);
- talloc_free(tmp_ctx);
-- return NT_STATUS_INVALID_PARAMETER;
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
--
-+
-+ if (ln.out.types->count != 1) {
-+ r->out.error_string = talloc_asprintf(mem_ctx,
-+ "samr_LookupNames for [%s] returns %d RID TYPEs",
-+ r->in.account_name, ln.out.types->count);
-+ talloc_free(tmp_ctx);
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+
- /* prepare samr_OpenUser */
- ZERO_STRUCTP(u_handle);
- ou.in.domain_handle = &d_handle;
-diff --git a/source4/libnet/libnet_lookup.c b/source4/libnet/libnet_lookup.c
-index cf2d70c..77072b7 100644
---- a/source4/libnet/libnet_lookup.c
-+++ b/source4/libnet/libnet_lookup.c
-@@ -365,6 +365,11 @@ static void continue_name_found(struct tevent_req *subreq)
- c->status = s->lookup.out.result;
- if (!composite_is_ok(c)) return;
-
-+ if (s->lookup.out.sids->count != s->lookup.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
-+
- composite_done(c);
- }
-
-diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
-index 861d746..77176bc 100644
---- a/source4/libnet/libnet_passwd.c
-+++ b/source4/libnet/libnet_passwd.c
-@@ -627,10 +627,18 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX *
- r->samr.out.error_string = talloc_asprintf(mem_ctx,
- "samr_LookupNames for [%s] returns %d RIDs",
- r->samr.in.account_name, ln.out.rids->count);
-- status = NT_STATUS_INVALID_PARAMETER;
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
- goto disconnect;
- }
-
-+ if (ln.out.types->count != 1) {
-+ r->samr.out.error_string = talloc_asprintf(mem_ctx,
-+ "samr_LookupNames for [%s] returns %d RID TYPEs",
-+ r->samr.in.account_name, ln.out.types->count);
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto disconnect;
-+ }
-+
- /* prepare samr_OpenUser */
- ZERO_STRUCT(u_handle);
- ou.in.domain_handle = &d_handle;
-diff --git a/source4/libnet/userinfo.c b/source4/libnet/userinfo.c
-index 75c46e4..9530f9e 100644
---- a/source4/libnet/userinfo.c
-+++ b/source4/libnet/userinfo.c
-@@ -90,8 +90,12 @@ static void continue_userinfo_lookup(struct tevent_req *subreq)
-
- /* have we actually got name resolved
- - we're looking for only one at the moment */
-- if (s->lookup.out.rids->count == 0) {
-- composite_error(c, NT_STATUS_NO_SUCH_USER);
-+ if (s->lookup.out.rids->count != s->lookup.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
-+ if (s->lookup.out.types->count != s->lookup.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
-diff --git a/source4/libnet/userman.c b/source4/libnet/userman.c
-index c1ee017..a7301ea 100644
---- a/source4/libnet/userman.c
-+++ b/source4/libnet/userman.c
-@@ -237,14 +237,12 @@ static void continue_userdel_name_found(struct tevent_req *subreq)
-
- /* what to do when there's no user account to delete
- and what if there's more than one rid resolved */
-- if (!s->lookupname.out.rids->count) {
-- c->status = NT_STATUS_NO_SUCH_USER;
-- composite_error(c, c->status);
-+ if (s->lookupname.out.rids->count != s->lookupname.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
--
-- } else if (!s->lookupname.out.rids->count > 1) {
-- c->status = NT_STATUS_INVALID_ACCOUNT_NAME;
-- composite_error(c, c->status);
-+ }
-+ if (s->lookupname.out.types->count != s->lookupname.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
-@@ -513,14 +511,12 @@ static void continue_usermod_name_found(struct tevent_req *subreq)
-
- /* what to do when there's no user account to delete
- and what if there's more than one rid resolved */
-- if (!s->lookupname.out.rids->count) {
-- c->status = NT_STATUS_NO_SUCH_USER;
-- composite_error(c, c->status);
-+ if (s->lookupname.out.rids->count != s->lookupname.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
--
-- } else if (!s->lookupname.out.rids->count > 1) {
-- c->status = NT_STATUS_INVALID_ACCOUNT_NAME;
-- composite_error(c, c->status);
-+ }
-+ if (s->lookupname.out.types->count != s->lookupname.in.num_names) {
-+ composite_error(c, NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
-diff --git a/source4/winbind/wb_async_helpers.c b/source4/winbind/wb_async_helpers.c
-index e3de2eb..2a05f12 100644
---- a/source4/winbind/wb_async_helpers.c
-+++ b/source4/winbind/wb_async_helpers.c
-@@ -285,6 +285,12 @@ static void lsa_lookupnames_recv_sids(struct tevent_req *subreq)
- return;
- }
-
-+ if (state->sids.count != state->num_names) {
-+ composite_error(state->ctx,
-+ NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
-+
- state->result = talloc_array(state, struct wb_sid_object *,
- state->num_names);
- if (composite_nomem(state->result, state->ctx)) return;
-@@ -303,9 +309,14 @@ static void lsa_lookupnames_recv_sids(struct tevent_req *subreq)
- continue;
- }
-
-+ if (domains == NULL) {
-+ composite_error(state->ctx,
-+ NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ return;
-+ }
- if (sid->sid_index >= domains->count) {
- composite_error(state->ctx,
-- NT_STATUS_INVALID_PARAMETER);
-+ NT_STATUS_INVALID_NETWORK_RESPONSE);
- return;
- }
-
---
-1.7.9.5
-
-
-From 4e96ec86265ec504555f8542b735782589f73b17 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Thu, 7 Nov 2013 22:41:22 -0800
-Subject: [PATCH 16/16] CVE-2013-4408:s3:Ensure LookupRids() replies arrays
- are range checked.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10185
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
----
- source3/lib/netapi/group.c | 16 ++++++++++++++++
- source3/lib/netapi/user.c | 16 ++++++++++++++++
- source3/rpcclient/cmd_samr.c | 8 ++++++++
- source3/utils/net_rpc.c | 7 ++++++-
- source3/winbindd/winbindd_msrpc.c | 10 ++++++++--
- source3/winbindd/winbindd_rpc.c | 10 ++++++++--
- 6 files changed, 62 insertions(+), 5 deletions(-)
-
-diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
-index 69c7af4..b806fc4 100644
---- a/source3/lib/netapi/group.c
-+++ b/source3/lib/netapi/group.c
-@@ -395,6 +395,14 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (names.count != rid_array->count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (member_types.count != rid_array->count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
- }
-
- for (i=0; i < rid_array->count; i++) {
-@@ -1624,6 +1632,14 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (names.count != rid_array->count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (member_types.count != rid_array->count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- for (i=0; i < names.count; i++) {
-
-diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
-index e699ad3..a971e2d 100644
---- a/source3/lib/netapi/user.c
-+++ b/source3/lib/netapi/user.c
-@@ -3114,6 +3114,14 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (names.count != rid_array->count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != rid_array->count) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- for (i=0; i < names.count; i++) {
- status = add_GROUP_USERS_INFO_X_buffer(ctx,
-@@ -3716,6 +3724,14 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
- werr = ntstatus_to_werror(result);
- goto done;
- }
-+ if (names.count != num_rids) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-+ if (types.count != num_rids) {
-+ werr = WERR_BAD_NET_RESP;
-+ goto done;
-+ }
-
- for (i=0; i < names.count; i++) {
- status = add_LOCALGROUP_USERS_INFO_X_buffer(ctx,
-diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c
-index 5bc8c0b..87882c3 100644
---- a/source3/rpcclient/cmd_samr.c
-+++ b/source3/rpcclient/cmd_samr.c
-@@ -2223,6 +2223,14 @@ static NTSTATUS cmd_samr_lookup_rids(struct rpc_pipe_client *cli,
- goto done;
-
- /* Display results */
-+ if (num_rids != names.count) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-+ if (num_rids != types.count) {
-+ status = NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ goto done;
-+ }
-
- for (i = 0; i < num_rids; i++) {
- printf("rid 0x%x: %s (%d)\n",
-diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
-index e0c8eea..92964b5 100644
---- a/source3/utils/net_rpc.c
-+++ b/source3/utils/net_rpc.c
-@@ -2900,7 +2900,12 @@ static NTSTATUS rpc_list_group_members(struct net_context *c,
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
--
-+ if (names.count != this_time) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (types.count != this_time) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
- /* We only have users as members, but make the output
- the same as the output of alias members */
-
-diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
-index e86838c..0dc69c7 100644
---- a/source3/winbindd/winbindd_msrpc.c
-+++ b/source3/winbindd/winbindd_msrpc.c
-@@ -744,14 +744,20 @@ static NTSTATUS msrpc_lookup_groupmem(struct winbindd_domain *domain,
- /* Copy result into array. The talloc system will take
- care of freeing the temporary arrays later on. */
-
-- if (tmp_names.count != tmp_types.count) {
-- return NT_STATUS_UNSUCCESSFUL;
-+ if (tmp_names.count != num_lookup_rids) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (tmp_types.count != num_lookup_rids) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- for (r=0; r<tmp_names.count; r++) {
- if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
- continue;
- }
-+ if (total_names >= *num_names) {
-+ break;
-+ }
- (*names)[total_names] = fill_domain_username_talloc(
- mem_ctx, domain->name,
- tmp_names.names[r].string, true);
-diff --git a/source3/winbindd/winbindd_rpc.c b/source3/winbindd/winbindd_rpc.c
-index 6b88c84..0986d82 100644
---- a/source3/winbindd/winbindd_rpc.c
-+++ b/source3/winbindd/winbindd_rpc.c
-@@ -871,14 +871,20 @@ NTSTATUS rpc_lookup_groupmem(TALLOC_CTX *mem_ctx,
-
- /* Copy result into array. The talloc system will take
- care of freeing the temporary arrays later on. */
-- if (tmp_names.count != tmp_types.count) {
-- return NT_STATUS_UNSUCCESSFUL;
-+ if (tmp_names.count != num_names) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
-+ }
-+ if (tmp_types.count != num_names) {
-+ return NT_STATUS_INVALID_NETWORK_RESPONSE;
- }
-
- for (r = 0; r < tmp_names.count; r++) {
- if (tmp_types.ids[r] == SID_NAME_UNKNOWN) {
- continue;
- }
-+ if (total_names >= num_names) {
-+ break;
-+ }
- names[total_names] = fill_domain_username_talloc(names,
- domain_name,
- tmp_names.names[r].string,
---
-1.7.9.5
-
diff --git a/SOURCES/samba-4.1.3-fix_build_warnings.patch b/SOURCES/samba-4.1.3-fix_build_warnings.patch
deleted file mode 100644
index 8626a93..0000000
--- a/SOURCES/samba-4.1.3-fix_build_warnings.patch
+++ /dev/null
@@ -1,331 +0,0 @@
-From 09692988bc382c3fd01e51e88818b29d5265cc57 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:12 +0100
-Subject: [PATCH 02/10] s3-libsmb: Use the right macro to set uint16_t attr.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit f8ab594d0253920cefc441587a55fddb688be550)
----
- source3/libsmb/cli_smb2_fnum.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libsmb/cli_smb2_fnum.c b/source3/libsmb/cli_smb2_fnum.c
-index 202000f..c3feef6 100644
---- a/source3/libsmb/cli_smb2_fnum.c
-+++ b/source3/libsmb/cli_smb2_fnum.c
-@@ -1290,7 +1290,7 @@ NTSTATUS cli_smb2_setatr(struct cli_state *cli,
- inbuf.length = sizeof(inbuf_store);
- data_blob_clear(&inbuf);
-
-- SIVAL(inbuf.data,32,attr);
-+ SSVAL(inbuf.data, 32, attr);
- if (mtime != 0) {
- put_long_date((char *)inbuf.data + 16,mtime);
- }
---
-1.8.4.3
-
-
-From a4732fa9ab8414e79a73bcac7d69147da75ae8c5 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:13 +0100
-Subject: [PATCH 03/10] testsuit: Fix fprintf format.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 69b3a0cb3f2736e98c20dabb43c201af0c004f67)
----
- testsuite/nsswitch/getgrent_r.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/testsuite/nsswitch/getgrent_r.c b/testsuite/nsswitch/getgrent_r.c
-index 4f1f0ce..883c897 100644
---- a/testsuite/nsswitch/getgrent_r.c
-+++ b/testsuite/nsswitch/getgrent_r.c
-@@ -32,7 +32,7 @@ void dump_grent(char *id)
- setgrent();
-
- while((gr = getgrent()) != NULL) {
-- fprintf(fptr,"%s:%s:%d:%d\n", gr->gr_name, gr->gr_passwd,
-+ fprintf(fptr,"%s:%s:%d\n", gr->gr_name, gr->gr_passwd,
- gr->gr_gid);
- }
-
---
-1.8.4.3
-
-
-From 1ff739972f7d8feb864a4d3cf595e49d37636082 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:14 +0100
-Subject: [PATCH 04/10] s3-utils: Fix scanf format in smbacls.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 4c98b9ce8f8de5883796aa38f1193e04a0ee4e58)
----
- source3/utils/smbcacls.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
-index 3ee7034..bb02aa0 100644
---- a/source3/utils/smbcacls.c
-+++ b/source3/utils/smbcacls.c
-@@ -490,7 +490,7 @@ static bool parse_ace(struct cli_state *cli, struct security_ace *ace,
- p++;
- /* Try to parse numeric form */
-
-- if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
-+ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 &&
- StringToSid(cli, &sid, str)) {
- goto done;
- }
-@@ -553,7 +553,7 @@ static bool parse_ace(struct cli_state *cli, struct security_ace *ace,
- return False;
- }
- } else {
-- if (!sscanf(tok, "%i", &aflags)) {
-+ if (!sscanf(tok, "%u", &aflags)) {
- printf("ACE '%s': bad integer flags entry at '%s'\n",
- orig_str, tok);
- SAFE_FREE(str);
-@@ -571,7 +571,7 @@ static bool parse_ace(struct cli_state *cli, struct security_ace *ace,
- }
-
- if (strncmp(tok, "0x", 2) == 0) {
-- if (sscanf(tok, "%i", &amask) != 1) {
-+ if (sscanf(tok, "%u", &amask) != 1) {
- printf("ACE '%s': bad hex number at '%s'\n",
- orig_str, tok);
- SAFE_FREE(str);
---
-1.8.4.3
-
-
-From b22ff03654cf781a982580a41bcec99b2c25a5f2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:15 +0100
-Subject: [PATCH 05/10] s3-utils: Fix scanf format in sharesec.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 278899f5a763af7e7603f05f07048b7d8d4e9972)
----
- source3/utils/sharesec.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/utils/sharesec.c b/source3/utils/sharesec.c
-index 38c11e0..2b1e435 100644
---- a/source3/utils/sharesec.c
-+++ b/source3/utils/sharesec.c
-@@ -186,7 +186,7 @@ static bool parse_ace(struct security_ace *ace, const char *orig_str)
- p++;
- /* Try to parse numeric form */
-
-- if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
-+ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 &&
- string_to_sid(&sid, str)) {
- goto done;
- }
-@@ -226,7 +226,7 @@ static bool parse_ace(struct security_ace *ace, const char *orig_str)
- /* no flags on share permissions */
-
- if (!(next_token_talloc(frame, &cp, &tok, "/") &&
-- sscanf(tok, "%i", &aflags) && aflags == 0)) {
-+ sscanf(tok, "%u", &aflags) && aflags == 0)) {
- fprintf(stderr, "ACE '%s': bad integer flags entry at '%s'\n",
- orig_str, tok);
- SAFE_FREE(str);
-@@ -243,7 +243,7 @@ static bool parse_ace(struct security_ace *ace, const char *orig_str)
- }
-
- if (strncmp(tok, "0x", 2) == 0) {
-- if (sscanf(tok, "%i", &amask) != 1) {
-+ if (sscanf(tok, "%u", &amask) != 1) {
- fprintf(stderr, "ACE '%s': bad hex number at '%s'\n",
- orig_str, tok);
- TALLOC_FREE(frame);
---
-1.8.4.3
-
-
-From 3f8b5b50e6ed56241ee92f9d26f0c4b6d0166db2 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:16 +0100
-Subject: [PATCH 06/10] s3-libsmb: Fix scanf format in parse_ace().
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 1214e3345c655a4c7dc98c69c4e018e47558f639)
----
- source3/libsmb/libsmb_xattr.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/source3/libsmb/libsmb_xattr.c b/source3/libsmb/libsmb_xattr.c
-index 22ffa8f..7d34290 100644
---- a/source3/libsmb/libsmb_xattr.c
-+++ b/source3/libsmb/libsmb_xattr.c
-@@ -303,7 +303,7 @@ parse_ace(struct cli_state *ipc_cli,
- p++;
- /* Try to parse numeric form */
-
-- if (sscanf(p, "%i/%i/%i", &atype, &aflags, &amask) == 3 &&
-+ if (sscanf(p, "%u/%u/%u", &atype, &aflags, &amask) == 3 &&
- convert_string_to_sid(ipc_cli, pol, numeric, &sid, str)) {
- goto done;
- }
-@@ -333,7 +333,7 @@ parse_ace(struct cli_state *ipc_cli,
- /* Only numeric form accepted for flags at present */
-
- if (!(next_token_talloc(frame, &cp, &tok, "/") &&
-- sscanf(tok, "%i", &aflags))) {
-+ sscanf(tok, "%u", &aflags))) {
- TALLOC_FREE(frame);
- return false;
- }
-@@ -344,7 +344,7 @@ parse_ace(struct cli_state *ipc_cli,
- }
-
- if (strncmp(tok, "0x", 2) == 0) {
-- if (sscanf(tok, "%i", &amask) != 1) {
-+ if (sscanf(tok, "%u", &amask) != 1) {
- TALLOC_FREE(frame);
- return false;
- }
---
-1.8.4.3
-
-
-From 502d63223e4fd77152ea095c7d94774d093c9c4a Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:17 +0100
-Subject: [PATCH 07/10] examples: Fix scanf format in perf_writer_disk.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit f71b5e44e7a705096e4fdd7aa3d0e22df994e363)
----
- examples/perfcounter/perf_writer_disk.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/examples/perfcounter/perf_writer_disk.c b/examples/perfcounter/perf_writer_disk.c
-index 15188d2..18a63a4 100644
---- a/examples/perfcounter/perf_writer_disk.c
-+++ b/examples/perfcounter/perf_writer_disk.c
-@@ -132,7 +132,7 @@ void get_diskinfo(PERF_DATA_BLOCK *data)
- int status, num;
- char buf[LARGE_BUF], *start;
- FILE *diskstats;
-- long reads, writes, discard;
-+ unsigned long reads, writes, discard;
-
- diskstats = fopen("/proc/diskstats", "r");
- rewind(diskstats);
-@@ -147,10 +147,10 @@ void get_diskinfo(PERF_DATA_BLOCK *data)
- p->freeMegs = (statfsbuf.f_bfree*statfsbuf.f_bsize)/1048576;
- start = strstr(buf, data->diskInfo.mdata[i].name);
- start += strlen(data->diskInfo.mdata[i].name) + 1;
-- num = sscanf(start, "%u %u %u %u",
-+ num = sscanf(start, "%lu %lu %lu %lu",
- &reads,
-- &discard,
-- &writes,
-+ &discard,
-+ &writes,
- &discard);
- p->writesPerSec = writes;
- p->readsPerSec = reads;
---
-1.8.4.3
-
-
-From f636ca86e3cb4b61960c3db927760b6de3776365 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:18 +0100
-Subject: [PATCH 08/10] s3-vfs: Remove unused variable in vfs_glusterfs.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 9e7e83e9d07e967ac966b1cc17f21cb75c81a774)
----
- source3/modules/vfs_glusterfs.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
-index e5c691e..d792fb3 100644
---- a/source3/modules/vfs_glusterfs.c
-+++ b/source3/modules/vfs_glusterfs.c
-@@ -1397,7 +1397,6 @@ static int vfs_gluster_sys_acl_set_fd(struct vfs_handle_struct *handle,
- SMB_ACL_T theacl)
- {
- int ret;
-- char *key;
- char *buf;
- ssize_t size;
-
---
-1.8.4.3
-
-
-From ea3bc968082c8fbb18d9416143c9fe8a56d691fa Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:19 +0100
-Subject: [PATCH 09/10] s3-vfs: Make glfs_set_preopened() static.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 4deb00a60f484824217a9683ec9cc2838deae8e0)
----
- source3/modules/vfs_glusterfs.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
-index d792fb3..ca7d790 100644
---- a/source3/modules/vfs_glusterfs.c
-+++ b/source3/modules/vfs_glusterfs.c
-@@ -145,7 +145,7 @@ static struct glfs_preopened {
- } *glfs_preopened;
-
-
--int glfs_set_preopened(const char *volume, glfs_t *fs)
-+static int glfs_set_preopened(const char *volume, glfs_t *fs)
- {
- struct glfs_preopened *entry = NULL;
-
---
-1.8.4.3
-
-
-From 22264b8b9578f85e457e99c5b18739ea92854189 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Fri, 15 Nov 2013 17:02:20 +0100
-Subject: [PATCH 10/10] s3-libnet: Use a const char for realm.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Fri Nov 15 23:11:54 CET 2013 on sn-devel-104
-
-(cherry picked from commit d02d70251f98ea2e7db4aea36f372cb0f65c04c5)
----
- source3/libnet/libnet_join.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
-index 96f7a98..7edccd1 100644
---- a/source3/libnet/libnet_join.c
-+++ b/source3/libnet/libnet_join.c
-@@ -449,7 +449,7 @@ static ADS_STATUS libnet_join_set_machine_upn(TALLOC_CTX *mem_ctx,
- }
-
- if (!r->in.upn) {
-- char *realm = r->out.dns_domain_name;
-+ const char *realm = r->out.dns_domain_name;
-
- /* in case we are about to generate a keytab during the join
- * make sure the default upn we create is usable with kinit -k.
---
-1.8.4.3
-
diff --git a/SOURCES/samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch b/SOURCES/samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch
deleted file mode 100644
index 2f8cfcd..0000000
--- a/SOURCES/samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch
+++ /dev/null
@@ -1,370 +0,0 @@
-From 9346945c4b57ffc937f7800202e5c42504750d3d Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 18 Nov 2013 14:58:04 +0100
-Subject: [PATCH 1/2] s3-lib: Add grpname to talloc_sub_specified().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-(cherry picked from commit 6366ebb79bb72d9dcb12f8fe8d6e35611fcff150)
----
- source3/include/proto.h | 1 +
- source3/lib/substitute.c | 31 +++++++++++++++++++++++++------
- source3/passdb/passdb.c | 8 ++++----
- source3/passdb/pdb_ldap.c | 24 +++++++++++++++++++++---
- source3/torture/torture.c | 2 +-
- source3/utils/net_sam.c | 2 ++
- source3/winbindd/wb_fill_pwent.c | 4 ++--
- 7 files changed, 56 insertions(+), 16 deletions(-)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index ddf3fab..a42faf8 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -222,6 +222,7 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx, const char *smb_name,
- char *talloc_sub_specified(TALLOC_CTX *mem_ctx,
- const char *input_string,
- const char *username,
-+ const char *grpname,
- const char *domain,
- uid_t uid,
- gid_t gid);
-diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
-index a254bca..ca2ac79 100644
---- a/source3/lib/substitute.c
-+++ b/source3/lib/substitute.c
-@@ -613,6 +613,7 @@ done:
- char *talloc_sub_specified(TALLOC_CTX *mem_ctx,
- const char *input_string,
- const char *username,
-+ const char *grpname,
- const char *domain,
- uid_t uid,
- gid_t gid)
-@@ -648,9 +649,18 @@ char *talloc_sub_specified(TALLOC_CTX *mem_ctx,
- break;
- case 'G' :
- if (gid != -1) {
-- a_string = talloc_string_sub(
-- tmp_ctx, a_string, "%G",
-- gidtoname(gid));
-+ const char *name;
-+
-+ if (grpname != NULL) {
-+ name = grpname;
-+ } else {
-+ name = gidtoname(gid);
-+ }
-+
-+ a_string = talloc_string_sub(tmp_ctx,
-+ a_string,
-+ "%G",
-+ name);
- } else {
- a_string = talloc_string_sub(
- tmp_ctx, a_string,
-@@ -659,9 +669,18 @@ char *talloc_sub_specified(TALLOC_CTX *mem_ctx,
- break;
- case 'g' :
- if (gid != -1) {
-- a_string = talloc_string_sub(
-- tmp_ctx, a_string, "%g",
-- gidtoname(gid));
-+ const char *name;
-+
-+ if (grpname != NULL) {
-+ name = grpname;
-+ } else {
-+ name = gidtoname(gid);
-+ }
-+
-+ a_string = talloc_string_sub(tmp_ctx,
-+ a_string,
-+ "%g",
-+ name);
- } else {
- a_string = talloc_string_sub(
- tmp_ctx, a_string, "%g", "NO_GROUP");
-diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
-index 379d858..5a4620f 100644
---- a/source3/passdb/passdb.c
-+++ b/source3/passdb/passdb.c
-@@ -228,16 +228,16 @@ static NTSTATUS samu_set_unix_internal(struct pdb_methods *methods,
- /* set some basic attributes */
-
- pdb_set_profile_path(user, talloc_sub_specified(user,
-- lp_logon_path(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
-+ lp_logon_path(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- pdb_set_homedir(user, talloc_sub_specified(user,
-- lp_logon_home(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
-+ lp_logon_home(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- pdb_set_dir_drive(user, talloc_sub_specified(user,
-- lp_logon_drive(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
-+ lp_logon_drive(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- pdb_set_logon_script(user, talloc_sub_specified(user,
-- lp_logon_script(), pwd->pw_name, domain, pwd->pw_uid, pwd->pw_gid),
-+ lp_logon_script(), pwd->pw_name, NULL, domain, pwd->pw_uid, pwd->pw_gid),
- PDB_DEFAULT);
- }
-
-diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
-index d7db4d8..bb0d3b3 100644
---- a/source3/passdb/pdb_ldap.c
-+++ b/source3/passdb/pdb_ldap.c
-@@ -5316,11 +5316,29 @@ static NTSTATUS ldapsam_create_user(struct pdb_methods *my_methods,
-
- if (is_machine) {
- /* TODO: choose a more appropriate default for machines */
-- homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), "SMB_workstations_home", ldap_state->domain_name, uid, gid);
-+ homedir = talloc_sub_specified(tmp_ctx,
-+ lp_template_homedir(),
-+ "SMB_workstations_home",
-+ NULL,
-+ ldap_state->domain_name,
-+ uid,
-+ gid);
- shell = talloc_strdup(tmp_ctx, "/bin/false");
- } else {
-- homedir = talloc_sub_specified(tmp_ctx, lp_template_homedir(), name, ldap_state->domain_name, uid, gid);
-- shell = talloc_sub_specified(tmp_ctx, lp_template_shell(), name, ldap_state->domain_name, uid, gid);
-+ homedir = talloc_sub_specified(tmp_ctx,
-+ lp_template_homedir(),
-+ name,
-+ NULL,
-+ ldap_state->domain_name,
-+ uid,
-+ gid);
-+ shell = talloc_sub_specified(tmp_ctx,
-+ lp_template_shell(),
-+ name,
-+ NULL,
-+ ldap_state->domain_name,
-+ uid,
-+ gid);
- }
- uidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)uid);
- gidstr = talloc_asprintf(tmp_ctx, "%u", (unsigned int)gid);
-diff --git a/source3/torture/torture.c b/source3/torture/torture.c
-index ee51a4d..b7badc6 100644
---- a/source3/torture/torture.c
-+++ b/source3/torture/torture.c
-@@ -6553,7 +6553,7 @@ static bool subst_test(const char *str, const char *user, const char *domain,
- char *subst;
- bool result = true;
-
-- subst = talloc_sub_specified(talloc_tos(), str, user, domain, uid, gid);
-+ subst = talloc_sub_specified(talloc_tos(), str, user, NULL, domain, uid, gid);
-
- if (strcmp(subst, expected) != 0) {
- printf("sub_specified(%s, %s, %s, %d, %d) returned [%s], expected "
-diff --git a/source3/utils/net_sam.c b/source3/utils/net_sam.c
-index 3a752ce..b7b76e8 100644
---- a/source3/utils/net_sam.c
-+++ b/source3/utils/net_sam.c
-@@ -1873,10 +1873,12 @@ doma_done:
- gidstr = talloc_asprintf(tc, "%u", (unsigned int)domadmins_gid);
- dir = talloc_sub_specified(tc, lp_template_homedir(),
- "Administrator",
-+ NULL,
- get_global_sam_name(),
- uid, domadmins_gid);
- shell = talloc_sub_specified(tc, lp_template_shell(),
- "Administrator",
-+ NULL,
- get_global_sam_name(),
- uid, domadmins_gid);
-
-diff --git a/source3/winbindd/wb_fill_pwent.c b/source3/winbindd/wb_fill_pwent.c
-index 688afc6..3b711bd 100644
---- a/source3/winbindd/wb_fill_pwent.c
-+++ b/source3/winbindd/wb_fill_pwent.c
-@@ -214,11 +214,11 @@ static bool fillup_pw_field(const char *lp_template,
-
- if ((in != NULL) && (in[0] != '\0') && (lp_security() == SEC_ADS)) {
- templ = talloc_sub_specified(talloc_tos(), in,
-- username, domname,
-+ username, NULL, domname,
- uid, gid);
- } else {
- templ = talloc_sub_specified(talloc_tos(), lp_template,
-- username, domname,
-+ username, NULL, domname,
- uid, gid);
- }
-
---
-1.8.4.3
-
-
-From 5ccae02f63d655d476d887660f28ad4dce08e790 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Mon, 18 Nov 2013 14:58:14 +0100
-Subject: [PATCH 2/2] s3-winbind: Pass the group name to fillup_pw_field().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=2191
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Fri Nov 22 02:04:54 CET 2013 on sn-devel-104
-
-(cherry picked from commit 000172a5ab7e4bfac7ef618d0d78ec7fe95d0e2a)
----
- source3/winbindd/wb_fill_pwent.c | 73 +++++++++++++++++++++++-----------------
- 1 file changed, 43 insertions(+), 30 deletions(-)
-
-diff --git a/source3/winbindd/wb_fill_pwent.c b/source3/winbindd/wb_fill_pwent.c
-index 3b711bd..9d0abbd 100644
---- a/source3/winbindd/wb_fill_pwent.c
-+++ b/source3/winbindd/wb_fill_pwent.c
-@@ -29,6 +29,7 @@ struct wb_fill_pwent_state {
-
- static bool fillup_pw_field(const char *lp_template,
- const char *username,
-+ const char *grpname,
- const char *domname,
- uid_t uid,
- gid_t gid,
-@@ -36,7 +37,7 @@ static bool fillup_pw_field(const char *lp_template,
- fstring out);
-
- static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq);
--static void wb_fill_pwent_sid2gid_done(struct tevent_req *subreq);
-+static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq);
-
- struct tevent_req *wb_fill_pwent_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
-@@ -90,47 +91,45 @@ static void wb_fill_pwent_sid2uid_done(struct tevent_req *subreq)
-
- state->pw->pw_uid = (uid_t)xid.id;
-
-- subreq = wb_sids2xids_send(state, state->ev, &state->info->group_sid, 1);
-+ subreq = wb_getgrsid_send(state, state->ev, &state->info->group_sid, 1);
- if (tevent_req_nomem(subreq, req)) {
- return;
- }
-- tevent_req_set_callback(subreq, wb_fill_pwent_sid2gid_done, req);
-+ tevent_req_set_callback(subreq, wb_fill_pwent_getgrsid_done, req);
- }
-
--static void wb_fill_pwent_sid2gid_done(struct tevent_req *subreq)
-+static void wb_fill_pwent_getgrsid_done(struct tevent_req *subreq)
- {
- struct tevent_req *req = tevent_req_callback_data(
- subreq, struct tevent_req);
- struct wb_fill_pwent_state *state = tevent_req_data(
- req, struct wb_fill_pwent_state);
- struct winbindd_domain *domain;
-- char *dom_name;
-+ const char *dom_name;
-+ const char *grp_name;
- fstring user_name, output_username;
- char *mapped_name = NULL;
-+ struct talloc_dict *members;
-+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
- NTSTATUS status;
-- struct unixid xid;
--
-- status = wb_sids2xids_recv(subreq, &xid);
-+ bool ok;
-+
-+ /* xid handling is done in getgrsid() */
-+ status = wb_getgrsid_recv(subreq,
-+ tmp_ctx,
-+ &dom_name,
-+ &grp_name,
-+ &state->pw->pw_gid,
-+ &members);
- TALLOC_FREE(subreq);
- if (tevent_req_nterror(req, status)) {
-+ talloc_free(tmp_ctx);
- return;
- }
-
-- /*
-- * We are filtering further down in sids2xids, but that filtering
-- * depends on the actual type of the sid handed in (as determined
-- * by lookupsids). Here we need to filter for the type of object
-- * actually requested, in this case gid.
-- */
-- if (!(xid.type == ID_TYPE_GID || xid.type == ID_TYPE_BOTH)) {
-- tevent_req_nterror(req, NT_STATUS_NONE_MAPPED);
-- return;
-- }
--
-- state->pw->pw_gid = (gid_t)xid.id;
--
- domain = find_domain_from_sid_noinit(&state->info->user_sid);
- if (domain == NULL) {
-+ talloc_free(tmp_ctx);
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
- return;
- }
-@@ -166,17 +165,30 @@ static void wb_fill_pwent_sid2gid_done(struct tevent_req *subreq)
- fstrcpy(state->pw->pw_gecos, state->info->full_name);
-
- /* Home directory and shell */
--
-- if (!fillup_pw_field(lp_template_homedir(), user_name, dom_name,
-- state->pw->pw_uid, state->pw->pw_gid,
-- state->info->homedir, state->pw->pw_dir)) {
-+ ok = fillup_pw_field(lp_template_homedir(),
-+ user_name,
-+ grp_name,
-+ dom_name,
-+ state->pw->pw_uid,
-+ state->pw->pw_gid,
-+ state->info->homedir,
-+ state->pw->pw_dir);
-+ if (!ok) {
-+ talloc_free(tmp_ctx);
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
- return;
- }
-
-- if (!fillup_pw_field(lp_template_shell(), user_name, dom_name,
-- state->pw->pw_uid, state->pw->pw_gid,
-- state->info->shell, state->pw->pw_shell)) {
-+ ok = fillup_pw_field(lp_template_shell(),
-+ user_name,
-+ grp_name,
-+ dom_name,
-+ state->pw->pw_uid,
-+ state->pw->pw_gid,
-+ state->info->shell,
-+ state->pw->pw_shell);
-+ talloc_free(tmp_ctx);
-+ if (!ok) {
- tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
- return;
- }
-@@ -195,6 +207,7 @@ NTSTATUS wb_fill_pwent_recv(struct tevent_req *req)
-
- static bool fillup_pw_field(const char *lp_template,
- const char *username,
-+ const char *grpname,
- const char *domname,
- uid_t uid,
- gid_t gid,
-@@ -214,11 +227,11 @@ static bool fillup_pw_field(const char *lp_template,
-
- if ((in != NULL) && (in[0] != '\0') && (lp_security() == SEC_ADS)) {
- templ = talloc_sub_specified(talloc_tos(), in,
-- username, NULL, domname,
-+ username, grpname, domname,
- uid, gid);
- } else {
- templ = talloc_sub_specified(talloc_tos(), lp_template,
-- username, NULL, domname,
-+ username, grpname, domname,
- uid, gid);
- }
-
---
-1.8.4.3
-
diff --git a/SOURCES/samba-4.1.3-winbind_debug.patch b/SOURCES/samba-4.1.3-winbind_debug.patch
deleted file mode 100644
index 714be1b..0000000
--- a/SOURCES/samba-4.1.3-winbind_debug.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 967f9bd1f8a147c4b89ada3b6c7e1ce064c511bc Mon Sep 17 00:00:00 2001
-From: Jan Brummer <jan.brummer@tabos.org>
-Date: Mon, 9 Dec 2013 15:22:29 +0100
-Subject: [PATCH] s3-winbindd: Fix DEBUG statement in winbind_msg_offline().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Guenther
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10285
-
-Reviewed-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Mon Dec 9 17:28:37 CET 2013 on sn-devel-104
----
- source3/winbindd/winbindd_dual.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
-index 972924c..64af571 100644
---- a/source3/winbindd/winbindd_dual.c
-+++ b/source3/winbindd/winbindd_dual.c
-@@ -626,7 +626,7 @@ void winbind_msg_offline(struct messaging_context *msg_ctx,
- we only set it online / offline for that domain. */
-
- DEBUG(10,("winbind_msg_offline: sending message to pid %u for domain %s.\n",
-- (unsigned int)child->pid, domain->name ));
-+ (unsigned int)child->pid, child->domain->name ));
-
- messaging_send_buf(msg_ctx, pid_to_procid(child->pid),
- MSG_WINBIND_OFFLINE,
---
-1.8.3.1
-
diff --git a/SOURCES/samba-4.1.4-Fix-segfault-in-smbd.patch b/SOURCES/samba-4.1.4-Fix-segfault-in-smbd.patch
deleted file mode 100644
index b403ae9..0000000
--- a/SOURCES/samba-4.1.4-Fix-segfault-in-smbd.patch
+++ /dev/null
@@ -1,210 +0,0 @@
-From 770d684ee974efde80186fe579ff85bc4c038b83 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Thu, 21 Nov 2013 21:05:29 +0100
-Subject: [PATCH] smbd: Fix bug 10284
-
-If we msg_read_send on a nonempty channel, we create one
-tevent_immediate. If we directly receive another message and from
-within the msg_read_send's tevent_req callback we immediately do
-another msg_read_send, we end up with two tevent_immediate events for
-msg_channel_trigger with just one incoming message. Test to follow.
-
-This patch simplifies msg_channel.c by removing the explicit immediate
-events. Instead, it relies on the implicit immediate event available
-via tevent_req_defer_callback. For messages received from tdb with
-a msg_read_send req pending, we directly finish that request without
-putting the message on the queue.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10284
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-(cherry picked from commit 6b6920b02905661ae661a894e3bd8d2c744d7003)
----
- source3/lib/msg_channel.c | 100 ++++++++++++++--------------------------------
- 1 file changed, 31 insertions(+), 69 deletions(-)
-
-diff --git a/source3/lib/msg_channel.c b/source3/lib/msg_channel.c
-index 625d07c..8e23fd4 100644
---- a/source3/lib/msg_channel.c
-+++ b/source3/lib/msg_channel.c
-@@ -41,9 +41,6 @@ static void msg_channel_init_got_ctdb(struct tevent_req *subreq);
- static void msg_channel_init_got_msg(struct messaging_context *msg,
- void *priv, uint32_t msg_type,
- struct server_id server_id, DATA_BLOB *data);
--static void msg_channel_trigger(struct tevent_context *ev,
-- struct tevent_immediate *im,
-- void *priv);
- static int msg_channel_destructor(struct msg_channel *s);
-
- struct tevent_req *msg_channel_init_send(TALLOC_CTX *mem_ctx,
-@@ -157,6 +154,12 @@ fail:
- return err;
- }
-
-+struct msg_read_state {
-+ struct tevent_context *ev;
-+ struct msg_channel *channel;
-+ struct messaging_rec *rec;
-+};
-+
- static void msg_channel_init_got_msg(struct messaging_context *msg,
- void *priv, uint32_t msg_type,
- struct server_id server_id,
-@@ -167,7 +170,6 @@ static void msg_channel_init_got_msg(struct messaging_context *msg,
- struct messaging_rec *rec;
- struct messaging_rec **msgs;
- size_t num_msgs;
-- struct tevent_immediate *im;
-
- rec = talloc(s, struct messaging_rec);
- if (rec == NULL) {
-@@ -184,6 +186,19 @@ static void msg_channel_init_got_msg(struct messaging_context *msg,
- }
- rec->buf.length = data->length;
-
-+ if (s->pending_req != NULL) {
-+ struct tevent_req *req = s->pending_req;
-+ struct msg_read_state *state = tevent_req_data(
-+ req, struct msg_read_state);
-+
-+ s->pending_req = NULL;
-+
-+ state->rec = talloc_move(state, &rec);
-+ tevent_req_defer_callback(req, s->ev);
-+ tevent_req_done(req);
-+ return;
-+ }
-+
- num_msgs = talloc_array_length(s->msgs);
- msgs = talloc_realloc(s, s->msgs, struct messaging_rec *, num_msgs+1);
- if (msgs == NULL) {
-@@ -192,28 +207,11 @@ static void msg_channel_init_got_msg(struct messaging_context *msg,
- s->msgs = msgs;
- s->msgs[num_msgs] = talloc_move(s->msgs, &rec);
-
-- if (s->pending_req == NULL) {
-- return;
-- }
--
-- im = tevent_create_immediate(s);
-- if (im == NULL) {
-- goto fail;
-- }
-- tevent_schedule_immediate(im, s->ev, msg_channel_trigger, s);
- return;
- fail:
- TALLOC_FREE(rec);
- }
-
--struct msg_read_state {
-- struct tevent_context *ev;
-- struct tevent_req *req;
-- struct msg_channel *channel;
-- struct messaging_rec *rec;
--};
--
--static int msg_read_state_destructor(struct msg_read_state *s);
- static void msg_read_got_ctdb(struct tevent_req *subreq);
-
- struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx,
-@@ -221,7 +219,6 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx,
- struct msg_channel *channel)
- {
- struct tevent_req *req;
-- struct tevent_immediate *im;
- struct msg_read_state *state;
- void *msg_tdb_event;
- size_t num_msgs;
-@@ -231,28 +228,28 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx,
- return NULL;
- }
- state->ev = ev;
-- state->req = req;
- state->channel = channel;
-
- if (channel->pending_req != NULL) {
- tevent_req_error(req, EBUSY);
- return tevent_req_post(req, ev);
- }
-- channel->pending_req = req;
-- channel->ev = ev;
-- talloc_set_destructor(state, msg_read_state_destructor);
-
- num_msgs = talloc_array_length(channel->msgs);
- if (num_msgs != 0) {
-- im = tevent_create_immediate(channel->ev);
-- if (tevent_req_nomem(im, req)) {
-- return tevent_req_post(req, ev);
-- }
-- tevent_schedule_immediate(im, channel->ev, msg_channel_trigger,
-- channel);
-- return req;
-+ state->rec = talloc_move(state, &channel->msgs[0]);
-+ memmove(channel->msgs, channel->msgs+1,
-+ sizeof(struct messaging_rec *) * (num_msgs-1));
-+ channel->msgs = talloc_realloc(
-+ channel, channel->msgs, struct messaging_rec *,
-+ num_msgs - 1);
-+ tevent_req_done(req);
-+ return tevent_req_post(req, ev);
- }
-
-+ channel->pending_req = req;
-+ channel->ev = ev;
-+
- msg_tdb_event = messaging_tdb_event(state, channel->msg, ev);
- if (tevent_req_nomem(msg_tdb_event, req)) {
- return tevent_req_post(req, ev);
-@@ -271,42 +268,6 @@ struct tevent_req *msg_read_send(TALLOC_CTX *mem_ctx,
- return req;
- }
-
--static int msg_read_state_destructor(struct msg_read_state *s)
--{
-- assert(s->channel->pending_req == s->req);
-- s->channel->pending_req = NULL;
-- return 0;
--}
--
--static void msg_channel_trigger(struct tevent_context *ev,
-- struct tevent_immediate *im,
-- void *priv)
--{
-- struct msg_channel *channel;
-- struct tevent_req *req;
-- struct msg_read_state *state;
-- size_t num_msgs;
--
-- channel = talloc_get_type_abort(priv, struct msg_channel);
-- req = channel->pending_req;
-- state = tevent_req_data(req, struct msg_read_state);
--
-- talloc_set_destructor(state, NULL);
-- msg_read_state_destructor(state);
--
-- num_msgs = talloc_array_length(channel->msgs);
-- assert(num_msgs > 0);
--
-- state->rec = talloc_move(state, &channel->msgs[0]);
--
-- memmove(channel->msgs, channel->msgs+1,
-- sizeof(struct messaging_rec *) * (num_msgs-1));
-- channel->msgs = talloc_realloc(
-- channel, channel->msgs, struct messaging_rec *, num_msgs - 1);
--
-- tevent_req_done(req);
--}
--
- static void msg_read_got_ctdb(struct tevent_req *subreq)
- {
- struct tevent_req *req = tevent_req_callback_data(
-@@ -368,5 +329,6 @@ int msg_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
- return err;
- }
- *prec = talloc_move(mem_ctx, &state->rec);
-+ tevent_req_received(req);
- return 0;
- }
---
-1.8.1.2
-
diff --git a/SOURCES/samba-4.1.4-fix_G_substitution_in_service_path.patch b/SOURCES/samba-4.1.4-fix_G_substitution_in_service_path.patch
deleted file mode 100644
index 250798b..0000000
--- a/SOURCES/samba-4.1.4-fix_G_substitution_in_service_path.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From b73750c2d2f65a0b4597fa0a11cc22272ba47524 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Wed, 27 Nov 2013 17:21:01 +0100
-Subject: [PATCH] s3-lib: Fix %G substitution for domain users in smbd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10286
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Christian Ambach <ambi@samba.org>
-
-Autobuild-User(master): Christian Ambach <ambi@samba.org>
-Autobuild-Date(master): Tue Dec 10 16:39:43 CET 2013 on sn-devel-104
-
-(cherry picked from commit 8eef4ab79ec5fb7e96ad2f2ad6c9bf30db13a50d)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source3/lib/substitute.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c
-index ca2ac79..937f02c 100644
---- a/source3/lib/substitute.c
-+++ b/source3/lib/substitute.c
-@@ -499,10 +499,20 @@ char *talloc_sub_basic(TALLOC_CTX *mem_ctx,
- break;
- case 'G' : {
- struct passwd *pass;
-- r = talloc_strdup(tmp_ctx, smb_name);
-+
-+ if (domain_name != NULL && domain_name[0] != '\0') {
-+ r = talloc_asprintf(tmp_ctx,
-+ "%s%c%s",
-+ domain_name,
-+ *lp_winbind_separator(),
-+ smb_name);
-+ } else {
-+ r = talloc_strdup(tmp_ctx, smb_name);
-+ }
- if (r == NULL) {
- goto error;
- }
-+
- pass = Get_Pwnam_alloc(tmp_ctx, r);
- if (pass != NULL) {
- a_string = realloc_string_sub(
---
-1.8.5
diff --git a/SOURCES/samba-4.1.4-fix_dropbox_regression.patch b/SOURCES/samba-4.1.4-fix_dropbox_regression.patch
deleted file mode 100644
index db6abc0..0000000
--- a/SOURCES/samba-4.1.4-fix_dropbox_regression.patch
+++ /dev/null
@@ -1,269 +0,0 @@
-From 22b7400498af7cecbdf608adb7f622b803b50471 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Tue, 3 Dec 2013 13:20:17 +0100
-Subject: [PATCH 1/3] smbd: Fix regression for the dropbox case.
-
-We need to allow to save a file to a directory with perm -wx.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 5b49fe24c906cbae12beff7a1b45de6809258cab)
----
- source3/smbd/filename.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
-index fc96550..16d0df1 100644
---- a/source3/smbd/filename.c
-+++ b/source3/smbd/filename.c
-@@ -722,7 +722,10 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
- */
-
- if (errno == EACCES) {
-- if (ucf_flags & UCF_CREATING_FILE) {
-+ if ((ucf_flags & UCF_CREATING_FILE) == 0) {
-+ status = NT_STATUS_ACCESS_DENIED;
-+ goto fail;
-+ } else {
- /*
- * This is the dropbox
- * behaviour. A dropbox is a
-@@ -734,11 +737,8 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
- * nevertheless want to allow
- * users creating a file.
- */
-- status = NT_STATUS_OBJECT_PATH_NOT_FOUND;
-- } else {
-- status = NT_STATUS_ACCESS_DENIED;
-+ errno = 0;
- }
-- goto fail;
- }
-
- if ((errno != 0) && (errno != ENOENT)) {
---
-1.8.5.1
-
-
-From e02e1bca121fa8dec84afa01132d450b6b2355b6 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 3 Dec 2013 10:19:09 -0800
-Subject: [PATCH 2/3] smbd: change flag name from UCF_CREATING_FILE to
- UCF_PREP_CREATEFILE
-
-In preparation to using it for all open calls.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-(cherry picked from commit 874318a97868e08837a1febb1be8e8a167b5ae0f)
----
- source3/smbd/filename.c | 2 +-
- source3/smbd/nttrans.c | 4 ++--
- source3/smbd/reply.c | 10 +++++-----
- source3/smbd/smb2_create.c | 2 +-
- source3/smbd/smbd.h | 2 +-
- 5 files changed, 10 insertions(+), 10 deletions(-)
-
-diff --git a/source3/smbd/filename.c b/source3/smbd/filename.c
-index 16d0df1..ba41986 100644
---- a/source3/smbd/filename.c
-+++ b/source3/smbd/filename.c
-@@ -722,7 +722,7 @@ NTSTATUS unix_convert(TALLOC_CTX *ctx,
- */
-
- if (errno == EACCES) {
-- if ((ucf_flags & UCF_CREATING_FILE) == 0) {
-+ if ((ucf_flags & UCF_PREP_CREATEFILE) == 0) {
- status = NT_STATUS_ACCESS_DENIED;
- goto fail;
- } else {
-diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
-index b7dfa8c..15fa4b6 100644
---- a/source3/smbd/nttrans.c
-+++ b/source3/smbd/nttrans.c
-@@ -539,7 +539,7 @@ void reply_ntcreate_and_X(struct smb_request *req)
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
- (create_disposition == FILE_CREATE)
-- ? UCF_CREATING_FILE : 0,
-+ ? UCF_PREP_CREATEFILE : 0,
- NULL,
- &smb_fname);
-
-@@ -1119,7 +1119,7 @@ static void call_nt_transact_create(connection_struct *conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
- (create_disposition == FILE_CREATE)
-- ? UCF_CREATING_FILE : 0,
-+ ? UCF_PREP_CREATEFILE : 0,
- NULL,
- &smb_fname);
-
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 2d729ec..2c9749e 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -1918,7 +1918,7 @@ void reply_open(struct smb_request *req)
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
- (create_disposition == FILE_CREATE)
-- ? UCF_CREATING_FILE : 0,
-+ ? UCF_PREP_CREATEFILE : 0,
- NULL,
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2096,7 +2096,7 @@ void reply_open_and_X(struct smb_request *req)
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
- (create_disposition == FILE_CREATE)
-- ? UCF_CREATING_FILE : 0,
-+ ? UCF_PREP_CREATEFILE : 0,
- NULL,
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2329,7 +2329,7 @@ void reply_mknew(struct smb_request *req)
- conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- UCF_CREATING_FILE,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2470,7 +2470,7 @@ void reply_ctemp(struct smb_request *req)
- status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- UCF_CREATING_FILE,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -5829,7 +5829,7 @@ void reply_mkdir(struct smb_request *req)
- status = filename_convert(ctx, conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- directory,
-- UCF_CREATING_FILE,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_dname);
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
-index c4d4991..f637dac 100644
---- a/source3/smbd/smb2_create.c
-+++ b/source3/smbd/smb2_create.c
-@@ -872,7 +872,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
- smb1req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
- (in_create_disposition == FILE_CREATE) ?
-- UCF_CREATING_FILE : 0,
-+ UCF_PREP_CREATEFILE : 0,
- NULL, /* ppath_contains_wcards */
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/smbd/smbd.h b/source3/smbd/smbd.h
-index e769157..5cf88bf 100644
---- a/source3/smbd/smbd.h
-+++ b/source3/smbd/smbd.h
-@@ -73,6 +73,6 @@ struct trans_state {
- #define UCF_COND_ALLOW_WCARD_LCOMP 0x00000004
- #define UCF_POSIX_PATHNAMES 0x00000008
- #define UCF_UNIX_NAME_LOOKUP 0x00000010
--#define UCF_CREATING_FILE 0x00000020
-+#define UCF_PREP_CREATEFILE 0x00000020
-
- #endif /* _SMBD_SMBD_H */
---
-1.8.5.1
-
-
-From e7abcfae4fbbf4d6fe56e5a1a4d76ffe4e9677d9 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 3 Dec 2013 10:21:16 -0800
-Subject: [PATCH 3/3] smbd: Always use UCF_PREP_CREATEFILE for filename_convert
- calls to resolve a path for open.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10297
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Mon Dec 9 21:02:21 CET 2013 on sn-devel-104
-
-(cherry picked from commit f98d10af2a05f0261611f4cabdfe274cd9fe91c0)
----
- source3/smbd/nttrans.c | 6 ++----
- source3/smbd/reply.c | 6 ++----
- source3/smbd/smb2_create.c | 3 +--
- 3 files changed, 5 insertions(+), 10 deletions(-)
-
-diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
-index 15fa4b6..0d3cd07 100644
---- a/source3/smbd/nttrans.c
-+++ b/source3/smbd/nttrans.c
-@@ -538,8 +538,7 @@ void reply_ntcreate_and_X(struct smb_request *req)
- conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- (create_disposition == FILE_CREATE)
-- ? UCF_PREP_CREATEFILE : 0,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_fname);
-
-@@ -1118,8 +1117,7 @@ static void call_nt_transact_create(connection_struct *conn,
- conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- (create_disposition == FILE_CREATE)
-- ? UCF_PREP_CREATEFILE : 0,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_fname);
-
-diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
-index 2c9749e..f293b69 100644
---- a/source3/smbd/reply.c
-+++ b/source3/smbd/reply.c
-@@ -1917,8 +1917,7 @@ void reply_open(struct smb_request *req)
- conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- (create_disposition == FILE_CREATE)
-- ? UCF_PREP_CREATEFILE : 0,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-@@ -2095,8 +2094,7 @@ void reply_open_and_X(struct smb_request *req)
- conn,
- req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- (create_disposition == FILE_CREATE)
-- ? UCF_PREP_CREATEFILE : 0,
-+ UCF_PREP_CREATEFILE,
- NULL,
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
-diff --git a/source3/smbd/smb2_create.c b/source3/smbd/smb2_create.c
-index f637dac..6730ad6 100644
---- a/source3/smbd/smb2_create.c
-+++ b/source3/smbd/smb2_create.c
-@@ -871,8 +871,7 @@ static struct tevent_req *smbd_smb2_create_send(TALLOC_CTX *mem_ctx,
- smb1req->conn,
- smb1req->flags2 & FLAGS2_DFS_PATHNAMES,
- fname,
-- (in_create_disposition == FILE_CREATE) ?
-- UCF_PREP_CREATEFILE : 0,
-+ UCF_PREP_CREATEFILE,
- NULL, /* ppath_contains_wcards */
- &smb_fname);
- if (!NT_STATUS_IS_OK(status)) {
---
-1.8.5.1
diff --git a/SOURCES/samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch b/SOURCES/samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch
deleted file mode 100644
index f60d6e2..0000000
--- a/SOURCES/samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From c1b7cf5481f20e7503e736ac2edd4c6d47dfea1c Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Thu, 5 Dec 2013 15:50:58 +0100
-Subject: [PATCH] smbd: Fix a panic when a smb2 brlock times out
-
-Found by Peter Somogyi.
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Thu Dec 5 21:21:35 CET 2013 on sn-devel-104
----
- source3/smbd/smb2_lock.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/smbd/smb2_lock.c b/source3/smbd/smb2_lock.c
-index e2ea251..671cd6f 100644
---- a/source3/smbd/smb2_lock.c
-+++ b/source3/smbd/smb2_lock.c
-@@ -511,7 +511,7 @@ static bool recalc_smb2_brl_timeout(struct smbd_server_connection *sconn)
- NULL,
- next_timeout,
- brl_timeout_fn,
-- NULL);
-+ sconn);
- if (!sconn->smb2.locks.brl_timeout) {
- return false;
- }
---
-1.8.5.1
-
diff --git a/SOURCES/samba-4.1.4-fix_winbind_100_percent_childs.patch b/SOURCES/samba-4.1.4-fix_winbind_100_percent_childs.patch
deleted file mode 100644
index f67d136..0000000
--- a/SOURCES/samba-4.1.4-fix_winbind_100_percent_childs.patch
+++ /dev/null
@@ -1,233 +0,0 @@
-From ac40cbf90f78cf25d7cc2b5182a11c6706b73bf4 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 6 Jan 2014 15:15:37 -0800
-Subject: [PATCH 1/2] s3: winbindd: Move the logic of whether to set
- 'domain->primary' into add_trusted_domain().
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-(cherry picked from commit cfa6a36467f5679a88e49419e8af32b724c242bd)
----
- source3/winbindd/winbindd_util.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
-index 85b014d..10ca132 100644
---- a/source3/winbindd/winbindd_util.c
-+++ b/source3/winbindd/winbindd_util.c
-@@ -99,6 +99,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
- char *idmap_config_option;
- const char *param;
- const char **ignored_domains, **dom;
-+ int role = lp_server_role();
-
- ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
- for (dom=ignored_domains; dom && *dom; dom++) {
-@@ -196,6 +197,15 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
- sid_copy(&domain->sid, sid);
- }
-
-+ /* Is this our primary domain ? */
-+ if (strequal(domain_name, get_global_sam_name()) &&
-+ (role != ROLE_DOMAIN_MEMBER)) {
-+ domain->primary = true;
-+ } else if (strequal(domain_name, lp_workgroup()) &&
-+ (role == ROLE_DOMAIN_MEMBER)) {
-+ domain->primary = true;
-+ }
-+
- /* Link to domain list */
- DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
-
-@@ -628,9 +638,6 @@ bool init_domain_list(void)
- domain = add_trusted_domain(get_global_sam_name(), NULL,
- &cache_methods, get_global_sam_sid());
- if (domain) {
-- if ( role != ROLE_DOMAIN_MEMBER ) {
-- domain->primary = True;
-- }
- setup_domain_child(domain);
- }
-
-@@ -647,7 +654,6 @@ bool init_domain_list(void)
- domain = add_trusted_domain( lp_workgroup(), lp_realm(),
- &cache_methods, &our_sid);
- if (domain) {
-- domain->primary = True;
- setup_domain_child(domain);
-
- /* Even in the parent winbindd we'll need to
---
-1.8.5.1
-
-
-From 607019cef6f730c91af9d9825cd0c1d82e494859 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 6 Jan 2014 15:22:59 -0800
-Subject: [PATCH 2/2] s3: winbindd: Move calling setup_domain_child() into
- add_trusted_domain().
-
-Ensure it only gets called when a new domain is allocated
-and added to the list.
-
-This should fix problems with the previous logic where
-setup_domain_child() was called in places where an existing
-domain was returned.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10358
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Wed Jan 8 20:46:55 CET 2014 on sn-devel-104
-
-(cherry picked from commit ca931e460460ffe46735f98b31db47220772d566)
----
- source3/winbindd/winbindd_util.c | 46 ++++++++++++----------------------------
- 1 file changed, 14 insertions(+), 32 deletions(-)
-
-diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
-index 10ca132..a00fe14 100644
---- a/source3/winbindd/winbindd_util.c
-+++ b/source3/winbindd/winbindd_util.c
-@@ -89,7 +89,10 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
- }
-
-
--/* Add a trusted domain to our list of domains */
-+/* Add a trusted domain to our list of domains.
-+ If the domain already exists in the list,
-+ return it and don't re-initialize. */
-+
- static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
- struct winbindd_methods *methods,
- const struct dom_sid *sid)
-@@ -147,7 +150,10 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
-
- if (domain != NULL) {
- /*
-- * We found a match. Possibly update the SID
-+ * We found a match on domain->name or
-+ * domain->alt_name. Possibly update the SID
-+ * if the stored SID was the NULL SID
-+ * and return the matching entry.
- */
- if ((sid != NULL)
- && dom_sid_equal(&domain->sid, &global_sid_NULL)) {
-@@ -242,6 +248,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
-
- done:
-
-+ setup_domain_child(domain);
-+
- DEBUG(2,("Added domain %s %s %s\n",
- domain->name, domain->alt_name,
- &domain->sid?sid_string_dbg(&domain->sid):""));
-@@ -315,9 +323,7 @@ static void trustdom_list_done(struct tevent_req *req)
- while ((p != NULL) && (*p != '\0')) {
- char *q, *sidstr, *alt_name;
- struct dom_sid sid;
-- struct winbindd_domain *domain;
- char *alternate_name = NULL;
-- bool domain_exists;
-
- alt_name = strchr(p, '\\');
- if (alt_name == NULL) {
-@@ -351,26 +357,16 @@ static void trustdom_list_done(struct tevent_req *req)
- if ( !strequal( alt_name, "(null)" ) )
- alternate_name = alt_name;
-
-- /* Check if we already have a child for the domain */
-- domain_exists = (find_domain_from_name_noinit(p) != NULL);
--
- /*
- * We always call add_trusted_domain() cause on an existing
- * domain structure, it will update the SID if necessary.
- * This is important because we need the SID for sibling
- * domains.
- */
-- domain = add_trusted_domain(p, alternate_name,
-+ (void)add_trusted_domain(p, alternate_name,
- &cache_methods,
- &sid);
-
-- /*
-- * If the domain doesn't exist yet and got correctly added,
-- * setup a new domain child.
-- */
-- if (!domain_exists && domain != NULL) {
-- setup_domain_child(domain);
-- }
- p=q;
- if (p != NULL)
- p += 1;
-@@ -444,9 +440,6 @@ static void rescan_forest_root_trusts( void )
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid );
-- if (d != NULL) {
-- setup_domain_child(d);
-- }
- }
-
- if (d == NULL) {
-@@ -516,9 +509,6 @@ static void rescan_forest_trusts( void )
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid );
-- if (d != NULL) {
-- setup_domain_child(d);
-- }
- }
-
- if (d == NULL) {
-@@ -619,7 +609,6 @@ enum winbindd_result winbindd_dual_init_connection(struct winbindd_domain *domai
- /* Look up global info for the winbind daemon */
- bool init_domain_list(void)
- {
-- struct winbindd_domain *domain;
- int role = lp_server_role();
-
- /* Free existing list */
-@@ -627,23 +616,18 @@ bool init_domain_list(void)
-
- /* BUILTIN domain */
-
-- domain = add_trusted_domain("BUILTIN", NULL, &cache_methods,
-+ (void)add_trusted_domain("BUILTIN", NULL, &cache_methods,
- &global_sid_Builtin);
-- if (domain) {
-- setup_domain_child(domain);
-- }
-
- /* Local SAM */
-
-- domain = add_trusted_domain(get_global_sam_name(), NULL,
-+ (void)add_trusted_domain(get_global_sam_name(), NULL,
- &cache_methods, get_global_sam_sid());
-- if (domain) {
-- setup_domain_child(domain);
-- }
-
- /* Add ourselves as the first entry. */
-
- if ( role == ROLE_DOMAIN_MEMBER ) {
-+ struct winbindd_domain *domain;
- struct dom_sid our_sid;
-
- if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
-@@ -654,8 +638,6 @@ bool init_domain_list(void)
- domain = add_trusted_domain( lp_workgroup(), lp_realm(),
- &cache_methods, &our_sid);
- if (domain) {
-- setup_domain_child(domain);
--
- /* Even in the parent winbindd we'll need to
- talk to the DC, so try and see if we can
- contact it. Theoretically this isn't neccessary
---
-1.8.5.1
-
diff --git a/SOURCES/samba-4.1.5-fix_resource_leaks.patch b/SOURCES/samba-4.1.5-fix_resource_leaks.patch
deleted file mode 100644
index b2c6e05..0000000
--- a/SOURCES/samba-4.1.5-fix_resource_leaks.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From d790112e74b684a516152e301d5a46c178bf437c Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Jan 2014 14:50:18 +0100
-Subject: [PATCH 1/4] lib: Fix strict-aliasing warning in md5 code.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If the compiler detects strict aliasing problems it isn't able to
-optimize the code.
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 615efa4ae84373ae8aefb36fcf7583338665429a)
----
- lib/crypto/md5.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/lib/crypto/md5.c b/lib/crypto/md5.c
-index b834c91..352f80f 100644
---- a/lib/crypto/md5.c
-+++ b/lib/crypto/md5.c
-@@ -137,9 +137,12 @@ _PUBLIC_ void MD5Final(uint8_t digest[16], MD5_CTX *ctx)
- }
- byteReverse(ctx->in, 14);
-
-- /* Append length in bits and transform */
-- ((uint32_t *) ctx->in)[14] = ctx->bits[0];
-- ((uint32_t *) ctx->in)[15] = ctx->bits[1];
-+ /* Append length in bits and transform.
-+ * Use memcpy to avoid strict-aliasing problems.
-+ * This way it can be optimized.
-+ */
-+ memcpy(&ctx->in[14 * sizeof(uint32_t)], &ctx->bits[0], sizeof(uint32_t));
-+ memcpy(&ctx->in[15 * sizeof(uint32_t)], &ctx->bits[1], sizeof(uint32_t));
-
- MD5Transform(ctx->buf, (uint32_t *) ctx->in);
- byteReverse((uint8_t *) ctx->buf, 4);
---
-1.8.5.2
-
-
-From 38bae403ce6a8efaee5704328b47ec5b8300b5ed Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Jan 2014 15:06:14 +0100
-Subject: [PATCH 2/4] s3-libads: Fix memory leaks in ads_build_path().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit c8371b4ec12f2dea6ce18724de59a23e04826c1d)
----
- source3/libads/ads_struct.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/source3/libads/ads_struct.c b/source3/libads/ads_struct.c
-index fd7e417..30d433e 100644
---- a/source3/libads/ads_struct.c
-+++ b/source3/libads/ads_struct.c
-@@ -55,12 +55,14 @@ char *ads_build_path(const char *realm, const char *sep, const char *field, int
- if (strlcpy(ret,field, len) >= len) {
- /* Truncate ! */
- free(r);
-+ free(ret);
- return NULL;
- }
- p=strtok_r(r, sep, &saveptr);
- if (p) {
- if (strlcat(ret, p, len) >= len) {
- free(r);
-+ free(ret);
- return NULL;
- }
-
---
-1.8.5.2
-
-
-From 37eb6566dd18958cbe2f216aa9880e9455939426 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Jan 2014 15:12:24 +0100
-Subject: [PATCH 3/4] wbinfo: Fix a memory leak in wbinfo_ping_dc().
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-(cherry picked from commit 541164d47a86bab90ef96a9be40b8c0997abdd61)
----
- nsswitch/wbinfo.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
-index 3f0310a..0a5ec40 100644
---- a/nsswitch/wbinfo.c
-+++ b/nsswitch/wbinfo.c
-@@ -838,6 +838,7 @@ static bool wbinfo_ping_dc(void)
- dcname ? dcname : "",
- WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
-
-+ wbcFreeMemory(dcname);
- if (wbc_status == WBC_ERR_AUTH_ERROR) {
- d_fprintf(stderr, "error code was %s (0x%x)\n",
- error->nt_string, error->nt_status);
---
-1.8.5.2
-
-
-From f203bfbd91a695f582a6c7ea2fae2c8f3c6825c9 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 9 Jan 2014 15:20:21 +0100
-Subject: [PATCH 4/4] s3-passdb: Fix string duplication to pointers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Günther Deschner <gd@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Thu Jan 9 22:35:25 CET 2014 on sn-devel-104
-
-(cherry picked from commit bff3ac250e9d4e7d91820eb53c28257aa38fff88)
----
- source3/passdb/py_passdb.c | 14 ++++++++++++--
- 1 file changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c
-index 3fd14cd..e1df75b 100644
---- a/source3/passdb/py_passdb.c
-+++ b/source3/passdb/py_passdb.c
-@@ -2269,8 +2269,18 @@ static PyObject *py_pdb_set_aliasinfo(pytalloc_Object *self, PyObject *args)
-
- alias_sid = pytalloc_get_ptr(py_alias_sid);
-
-- fstrcpy(alias_info.acct_name, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_name")));
-- fstrcpy(alias_info.acct_desc, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_desc")));
-+ alias_info.acct_name = talloc_strdup(frame, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_name")));
-+ if (alias_info.acct_name == NULL) {
-+ PyErr_Format(py_pdb_error, "Unable to allocate memory");
-+ talloc_free(frame);
-+ return NULL;
-+ }
-+ alias_info.acct_desc = talloc_strdup(frame, PyString_AsString(PyDict_GetItemString(py_alias_info, "acct_desc")));
-+ if (alias_info.acct_desc == NULL) {
-+ PyErr_Format(py_pdb_error, "Unable to allocate memory");
-+ talloc_free(frame);
-+ return NULL;
-+ }
-
- status = methods->set_aliasinfo(methods, alias_sid, &alias_info);
- if (!NT_STATUS_IS_OK(status)) {
---
-1.8.5.2
-
diff --git a/SOURCES/samba-4.1.6-fix_fragmented_rpc_handling.patch b/SOURCES/samba-4.1.6-fix_fragmented_rpc_handling.patch
deleted file mode 100644
index 467d37a..0000000
--- a/SOURCES/samba-4.1.6-fix_fragmented_rpc_handling.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 44cf46b0bbb0abf5aebfbf2f2da713da65573175 Mon Sep 17 00:00:00 2001
-From: Gregor Beck <gbeck@sernet.de>
-Date: Thu, 9 Jan 2014 10:15:31 +0100
-Subject: [PATCH 1/2] s3:rpc_server: minor refactoring of process_request_pdu()
-
-Signed-off-by: Gregor Beck <gbeck@sernet.de>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Guenther Deschner <gd@samba.org>
-(cherry picked from commit b5f30205931a4b9d0b3b257d5855869e606f8b63)
----
- source3/rpc_server/srv_pipe.c | 25 ++++++++++---------------
- 1 file changed, 10 insertions(+), 15 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index 894f12c..a5b74ed 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1561,24 +1561,19 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
- }
- }
-
-- if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
-- bool ret = False;
-- /*
-- * Ok - we finally have a complete RPC stream.
-- * Call the rpc command to process it.
-- */
--
-- /*
-- * Process the complete data stream here.
-- */
-- if (pipe_init_outgoing_data(p)) {
-- ret = api_pipe_request(p, pkt);
-- }
-+ if (!(pkt->pfc_flags & DCERPC_PFC_FLAG_LAST)) {
-+ return true;
-+ }
-
-- return ret;
-+ /*
-+ * Ok - we finally have a complete RPC stream.
-+ * Call the rpc command to process it.
-+ */
-+ if (!pipe_init_outgoing_data(p)) {
-+ return false;
- }
-
-- return True;
-+ return api_pipe_request(p, pkt);
- }
-
- /****************************************************************************
---
-1.9.0
-
-
-From 436aa053561b9b6ff4b991bf6a2f5196ed39dd38 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@cryptomilk.org>
-Date: Thu, 20 Mar 2014 14:45:01 +0100
-Subject: [PATCH 2/2] s3-rpc_server: Fix handling of fragmented rpc requests.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We need to call pipe_init_outgoing_data() as the first thing in
-process_complete_pdu(). Otherwise the caller may use uninitialized
-memory and tries to write a response into the socket.
-
-The problem happens only if a real socket is used, which means
-in all cases for master and only with external rpc daemons in v4-0
-and v4-1.
-
-The problem looks like this in the logs.
-
- [2014/03/20 14:49:35.531663, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1627(process_complete_pdu)
- Processing packet type 0
- [2014/03/20 14:49:35.531695, 10, pid=7309, effective(0, 0), real(0, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1472(dcesrv_auth_request)
- Checking request auth.
- [2014/03/20 14:49:35.531738, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:521(named_pipe_packet_process)
- Sending 1 fragments in a total of 0 bytes
- [2014/03/20 14:49:35.531769, 10, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:526(named_pipe_packet_process)
- Sending PDU number: 0, PDU Length: 4294967228
- [2014/03/20 14:49:35.531801, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:565(named_pipe_packet_done)
- Writev failed!
- [2014/03/20 14:49:35.531845, 2, pid=7309, effective(0, 0), real(0, 0)] ../source3/rpc_server/rpc_server.c:595(named_pipe_packet_done)
- Fatal error(Message too long). Terminating client(127.0.0.1) connection!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10481
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
-Reviewed-by: Guenther Deschner <gd@samba.org
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Thu Mar 20 18:30:17 CET 2014 on sn-devel-104
-
-(cherry picked from commit 5277fc4d0393ffe2e415ad26610b36d2986c62d7)
----
- source3/rpc_server/srv_pipe.c | 19 +++++++------------
- 1 file changed, 7 insertions(+), 12 deletions(-)
-
-diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
-index a5b74ed..7daff04 100644
---- a/source3/rpc_server/srv_pipe.c
-+++ b/source3/rpc_server/srv_pipe.c
-@@ -1569,9 +1569,6 @@ static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt
- * Ok - we finally have a complete RPC stream.
- * Call the rpc command to process it.
- */
-- if (!pipe_init_outgoing_data(p)) {
-- return false;
-- }
-
- return api_pipe_request(p, pkt);
- }
-@@ -1621,6 +1618,10 @@ void process_complete_pdu(struct pipes_struct *p)
-
- DEBUG(10, ("Processing packet type %u\n", (unsigned int)pkt->ptype));
-
-+ if (!pipe_init_outgoing_data(p)) {
-+ goto done;
-+ }
-+
- switch (pkt->ptype) {
- case DCERPC_PKT_REQUEST:
- reply = process_request_pdu(p, pkt);
-@@ -1653,9 +1654,7 @@ void process_complete_pdu(struct pipes_struct *p)
- /*
- * We assume that a pipe bind is only in one pdu.
- */
-- if (pipe_init_outgoing_data(p)) {
-- reply = api_pipe_bind_req(p, pkt);
-- }
-+ reply = api_pipe_bind_req(p, pkt);
- break;
-
- case DCERPC_PKT_BIND_ACK:
-@@ -1670,9 +1669,7 @@ void process_complete_pdu(struct pipes_struct *p)
- /*
- * We assume that a pipe bind is only in one pdu.
- */
-- if (pipe_init_outgoing_data(p)) {
-- reply = api_pipe_alter_context(p, pkt);
-- }
-+ reply = api_pipe_alter_context(p, pkt);
- break;
-
- case DCERPC_PKT_ALTER_RESP:
-@@ -1684,9 +1681,7 @@ void process_complete_pdu(struct pipes_struct *p)
- /*
- * The third packet in an auth exchange.
- */
-- if (pipe_init_outgoing_data(p)) {
-- reply = api_pipe_bind_auth3(p, pkt);
-- }
-+ reply = api_pipe_bind_auth3(p, pkt);
- break;
-
- case DCERPC_PKT_SHUTDOWN:
---
-1.9.0
-
diff --git a/SOURCES/samba-4.1.6-fix_ipv6_join.patch b/SOURCES/samba-4.1.6-fix_ipv6_join.patch
old mode 100755
new mode 100644
diff --git a/SOURCES/samba-4.1.6-fix_nbt_with_more_than_9_components.patch b/SOURCES/samba-4.1.6-fix_nbt_with_more_than_9_components.patch
deleted file mode 100644
index 2ed6596..0000000
--- a/SOURCES/samba-4.1.6-fix_nbt_with_more_than_9_components.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 1545864a58c11e4b37f3950cdae457d3d2f5fd4e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
-Date: Tue, 4 Feb 2014 16:38:46 +0100
-Subject: [PATCH] librpc/nbt: increase MAX_COMPONENTS limit for nbt_names.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-domains with more then 10 subdomains are not so uncommon.
-
-https://bugzilla.samba.org/show_bug.cgi?id=10439
-
-Guenther
-
-Signed-off-by: Günther Deschner <gd@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Günther Deschner <gd@samba.org>
-Autobuild-Date(master): Thu Feb 13 16:30:50 CET 2014 on sn-devel-104
-
-(cherry picked from commit 4e05bad0d18e351cb2a2db74860e77adea727c79)
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- librpc/ndr/ndr_nbt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/librpc/ndr/ndr_nbt.c b/librpc/ndr/ndr_nbt.c
-index f2a1ca3..842e972 100644
---- a/librpc/ndr/ndr_nbt.c
-+++ b/librpc/ndr/ndr_nbt.c
-@@ -27,7 +27,7 @@
- #include "../libcli/netlogon/netlogon.h"
-
- /* don't allow an unlimited number of name components */
--#define MAX_COMPONENTS 10
-+#define MAX_COMPONENTS 128
-
- /**
- print a nbt string
---
-1.8.5.2
-
diff --git a/SOURCES/samba-4.1.6-fix_one_way_trusts.patch b/SOURCES/samba-4.1.6-fix_one_way_trusts.patch
deleted file mode 100644
index 7819bc8..0000000
--- a/SOURCES/samba-4.1.6-fix_one_way_trusts.patch
+++ /dev/null
@@ -1,132 +0,0 @@
-From 2b8174819ac31e662f1cd7092b3d122ad6ebb609 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Thu, 26 Sep 2013 01:20:10 +0200
-Subject: [PATCH 1/3] pidl:NDR/Client: fix dcerpc_function() with [out,ref]
- pointers
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit f50b561336c7b6c08300e6e477859d1f9fab62c2)
----
- pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm
-index c796b46..fed94cd 100644
---- a/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm
-+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Client.pm
-@@ -693,6 +693,20 @@ sub ParseFunction_Sync($$$$)
- }
- $self->pidl("");
-
-+ $self->pidl("/* Out parameters */");
-+ foreach my $e (@{$fn->{ELEMENTS}}) {
-+ next unless grep(/out/, @{$e->{DIRECTION}});
-+
-+ $self->ParseCopyArgument($fn, $e, "r.out.", "_");
-+ }
-+ $self->pidl("");
-+
-+ if (defined($fn->{RETURN_TYPE})) {
-+ $self->pidl("/* Result */");
-+ $self->pidl("ZERO_STRUCT(r.out.result);");
-+ $self->pidl("");
-+ }
-+
- $self->pidl("status = dcerpc_$name\_r(h, mem_ctx, &r);");
- $self->pidl("if (!NT_STATUS_IS_OK(status)) {");
- $self->indent;
---
-1.7.9.5
-
-
-From a211a1dd984b6b55a7222987e5acda1c9b2a5e8b Mon Sep 17 00:00:00 2001
-From: Gregor Beck <gbeck@sernet.de>
-Date: Thu, 20 Feb 2014 13:14:31 +0100
-Subject: [PATCH 2/3] s3:winbindd: fix _wbint_LookupSids() on error
-
-We need to make sure that r->out.domains remains valid,
-otherwise we're not able to marshall the response.
-
-Note that wbint_LookupSids() has [out,ref] lsa_RefDomainList *domains,
-while lsa_LookupSids() has [out,ref] lsa_RefDomainList **domains.
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10458
-Signed-off-by: Gregor Beck <gbeck@sernet.de>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 3413e64149702136429d7b5acaa7a52c49abf564)
----
- source3/winbindd/winbindd_dual_srv.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
-index e23d048..b873655 100644
---- a/source3/winbindd/winbindd_dual_srv.c
-+++ b/source3/winbindd/winbindd_dual_srv.c
-@@ -74,6 +74,7 @@ NTSTATUS _wbint_LookupSid(struct pipes_struct *p, struct wbint_LookupSid *r)
- NTSTATUS _wbint_LookupSids(struct pipes_struct *p, struct wbint_LookupSids *r)
- {
- struct winbindd_domain *domain = wb_child_domain();
-+ struct lsa_RefDomainList *domains = r->out.domains;
- NTSTATUS status;
-
- if (domain == NULL) {
-@@ -87,7 +88,12 @@ NTSTATUS _wbint_LookupSids(struct pipes_struct *p, struct wbint_LookupSids *r)
- * done at the wbint RPC layer.
- */
- status = rpc_lookup_sids(p->mem_ctx, domain, r->in.sids,
-- &r->out.domains, &r->out.names);
-+ &domains, &r->out.names);
-+
-+ if (domains != NULL) {
-+ r->out.domains = domains;
-+ }
-+
- reset_cm_connection_on_error(domain, status);
- return status;
- }
---
-1.7.9.5
-
-
-From a1f5fd46627a9cff9bae645eeccff209978fa2ee Mon Sep 17 00:00:00 2001
-From: Gregor Beck <gbeck@sernet.de>
-Date: Thu, 20 Feb 2014 11:25:53 +0100
-Subject: [PATCH 3/3] s3:winbindd: avoid directly asking a trusted domain in
- wb_lookupsids*()
-
-As a domain member we should always use a DC of our own domain.
-
-It would be possible to pass all sids in one single dcerpc_wbint_LookupSids()
-call. For now we just fix bug.
-
-Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10458
-Signed-off-by: Gregor Beck <gbeck@sernet.de>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 66fb0ce9557553a4c01607b517e65ac4c93841d0)
----
- source3/winbindd/wb_lookupsids.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c
-index e10d511..b474220 100644
---- a/source3/winbindd/wb_lookupsids.c
-+++ b/source3/winbindd/wb_lookupsids.c
-@@ -320,7 +320,7 @@ static struct wb_lookupsids_domain *wb_lookupsids_get_domain(
- }
- }
-
-- wb_domain = find_domain_from_sid_noinit(sid);
-+ wb_domain = find_lookup_domain_from_sid(sid);
- if (wb_domain == NULL) {
- return NULL;
- }
---
-1.7.9.5
-
diff --git a/SOURCES/samba-4.1.6-fix_pidl_install.patch b/SOURCES/samba-4.1.6-fix_pidl_install.patch
deleted file mode 100644
index d1df233..0000000
--- a/SOURCES/samba-4.1.6-fix_pidl_install.patch
+++ /dev/null
@@ -1,229 +0,0 @@
-From 1124387625c3e24a4e8a100d2db83dec502bfa13 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 25 Feb 2014 16:04:24 +0100
-Subject: [PATCH 1/3] pidl: Install pidl files corrently.
-
-Globbing is a really bad idea in installtion system. One of them is if
-you use patch -b to create a backup, you will end up installing the
-backup file too!
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10472
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Kai Blin <kai@samba.org>
-(cherry picked from commit cee11cfa4544425099268cd32393169afb4bb107)
----
- pidl/lib/wscript_build | 31 ++++++++++++++++++++++++++++++-
- pidl/wscript | 3 ---
- 2 files changed, 30 insertions(+), 4 deletions(-)
-
-diff --git a/pidl/lib/wscript_build b/pidl/lib/wscript_build
-index eb5f1e0..9bddf3f 100644
---- a/pidl/lib/wscript_build
-+++ b/pidl/lib/wscript_build
-@@ -1,4 +1,33 @@
- #!/usr/bin/env python
-
- # install the pidl modules
--bld.INSTALL_WILDCARD('${DATAROOTDIR}/perl5', '**/*.pm', flat=False)
-+bld.INSTALL_FILES('${DATAROOTDIR}/perl5',
-+ '''
-+ Parse/Pidl.pm
-+ Parse/Pidl/Samba4.pm
-+ Parse/Pidl/CUtil.pm
-+ Parse/Pidl/Expr.pm
-+ Parse/Pidl/Wireshark/Conformance.pm
-+ Parse/Pidl/Wireshark/NDR.pm
-+ Parse/Pidl/ODL.pm
-+ Parse/Pidl/Dump.pm
-+ Parse/Pidl/Util.pm
-+ Parse/Pidl/Samba4/Header.pm
-+ Parse/Pidl/Samba4/COM/Header.pm
-+ Parse/Pidl/Samba4/COM/Proxy.pm
-+ Parse/Pidl/Samba4/COM/Stub.pm
-+ Parse/Pidl/Samba4/TDR.pm
-+ Parse/Pidl/Samba4/NDR/Server.pm
-+ Parse/Pidl/Samba4/NDR/Client.pm
-+ Parse/Pidl/Samba4/NDR/Parser.pm
-+ Parse/Pidl/Samba4/Python.pm
-+ Parse/Pidl/Samba4/Template.pm
-+ Parse/Pidl/IDL.pm
-+ Parse/Pidl/Typelist.pm
-+ Parse/Pidl/Samba3/ClientNDR.pm
-+ Parse/Pidl/Samba3/ServerNDR.pm
-+ Parse/Pidl/Compat.pm
-+ Parse/Pidl/NDR.pm
-+ Parse/Yapp/Driver.pm
-+ ''',
-+ flat=False)
-diff --git a/pidl/wscript b/pidl/wscript
-index 7a25734..05d9982 100644
---- a/pidl/wscript
-+++ b/pidl/wscript
-@@ -26,9 +26,6 @@ def build(bld):
- if not bld.CONFIG_SET('HAVE_PERL_MAKEMAKER'):
- return
-
-- pidl_src = ['pidl']
-- pidl_src.extend(bld.path.ant_glob('lib/**/*.pm').split())
--
- pidl_manpages = {
- 'pidl': 'man1/pidl.${PERLMAN1EXT}',
- 'lib/Parse/Pidl/NDR.pm': 'man3/Parse::Pidl::NDR.${PERLMAN3EXT}',
---
-1.8.5.2
-
-
-From b929788024a2d051f0ef5d94b566346147151062 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 25 Feb 2014 17:16:37 +0100
-Subject: [PATCH 2/3] waf: Add option to specify perl vendor dir.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10472
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Kai Blin <kai@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Thu Feb 27 11:48:54 CET 2014 on sn-devel-104
-
-(cherry picked from commit 9b200555fec2e33da9521db388d1839375aa8d83)
----
- buildtools/wafadmin/Tools/perl.py | 7 +++++++
- pidl/lib/wscript_build | 2 +-
- pidl/wscript | 2 ++
- 3 files changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/buildtools/wafadmin/Tools/perl.py b/buildtools/wafadmin/Tools/perl.py
-index a6787a8..90be8d8 100644
---- a/buildtools/wafadmin/Tools/perl.py
-+++ b/buildtools/wafadmin/Tools/perl.py
-@@ -103,7 +103,14 @@ def check_perl_ext_devel(conf):
- else:
- conf.env.ARCHDIR_PERL = read_out('print $Config{sitearch}')[0]
-
-+ conf.env.VENDORDIR_PERL = Options.options.perlvendordir
-+
- def set_options(opt):
- opt.add_option("--with-perl-binary", type="string", dest="perlbinary", help = 'Specify alternate perl binary', default=None)
- opt.add_option("--with-perl-archdir", type="string", dest="perlarchdir", help = 'Specify directory where to install arch specific files', default=None)
-
-+ opt.add_option("--with-perl-vendordir",
-+ type="string",
-+ dest="perlvendordir",
-+ help="Specify directory where to install perl vendor files",
-+ default='${DATAROOTDIR}/perl5/vendor_perl')
-diff --git a/pidl/lib/wscript_build b/pidl/lib/wscript_build
-index 9bddf3f..29632d4 100644
---- a/pidl/lib/wscript_build
-+++ b/pidl/lib/wscript_build
-@@ -1,7 +1,7 @@
- #!/usr/bin/env python
-
- # install the pidl modules
--bld.INSTALL_FILES('${DATAROOTDIR}/perl5',
-+bld.INSTALL_FILES(bld.env.VENDORDIR_PERL,
- '''
- Parse/Pidl.pm
- Parse/Pidl/Samba4.pm
-diff --git a/pidl/wscript b/pidl/wscript
-index 05d9982..77abb01 100644
---- a/pidl/wscript
-+++ b/pidl/wscript
-@@ -8,6 +8,8 @@ def set_options(opt):
-
- def configure(conf):
- conf.check_tool('perl')
-+ conf.check_perl_ext_devel()
-+
- # we need a recent version of MakeMaker to get the right man page names
- if conf.CHECK_PERL_MANPAGE():
- conf.env.PERLMAN1EXT = conf.CHECK_PERL_MANPAGE(section='1')
---
-1.8.5.2
-
-
-From bbf583db46d258e9f406b4f4c3d73fe94bf3bfab Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Thu, 27 Feb 2014 13:14:56 +0100
-Subject: [PATCH 3/3] pidl: Make perl(Parse:Yapp:Driver) installation optional.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10472
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Thu Feb 27 18:47:03 CET 2014 on sn-devel-104
-
-(cherry picked from commit f0030c619bcf22dbe9eed54b2c0dc9c61f564838)
----
- pidl/lib/wscript_build | 6 +++++-
- pidl/wscript | 25 ++++++++++++++++++++++++-
- 2 files changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/pidl/lib/wscript_build b/pidl/lib/wscript_build
-index 29632d4..09d26eb 100644
---- a/pidl/lib/wscript_build
-+++ b/pidl/lib/wscript_build
-@@ -28,6 +28,10 @@ bld.INSTALL_FILES(bld.env.VENDORDIR_PERL,
- Parse/Pidl/Samba3/ServerNDR.pm
- Parse/Pidl/Compat.pm
- Parse/Pidl/NDR.pm
-- Parse/Yapp/Driver.pm
- ''',
- flat=False)
-+
-+if not bld.CONFIG_SET('USING_SYSTEM_PARSE_YAPP_DRIVER'):
-+ bld.INSTALL_FILES(bld.env.VENDORDIR_PERL,
-+ 'Parse/Yapp/Driver.pm',
-+ flat=False)
-diff --git a/pidl/wscript b/pidl/wscript
-index 77abb01..c7b72c4 100644
---- a/pidl/wscript
-+++ b/pidl/wscript
-@@ -1,6 +1,6 @@
- #!/usr/bin/env python
-
--import os, sys, Logs
-+import os, sys, Logs, Options
- from samba_utils import MODE_755
-
- def set_options(opt):
-@@ -20,6 +20,9 @@ def configure(conf):
- conf.find_program('yapp', var='YAPP')
- conf.find_program('pod2man', var='POD2MAN')
-
-+ # Check for perl(Parse::Yapp::Driver)
-+ check_system_perl_module(conf, "Parse::Yapp::Driver", 1.05)
-+
- def build(bld):
- bld.INSTALL_FILES('${BINDIR}', 'pidl', chmod=MODE_755)
-
-@@ -82,3 +85,23 @@ try this to avoid this message:
- $ touch ../pidl/lib/Parse/Pidl/IDL.pm ../pidl/lib/Parse/Pidl/Expr.pm
- ''')
-
-+def check_system_perl_module(conf, module, version=None):
-+ bundle_name = module.replace('::', '_')
-+ module_check = module
-+ found = False
-+
-+ # Create module string with version
-+ if version:
-+ module_check = module + ' ' + str(version)
-+
-+ # Check if we have to bundle it.
-+ if conf.LIB_MUST_BE_BUNDLED(bundle_name.lower()):
-+ return False
-+
-+ # Check for system perl module
-+ if not conf.check_perl_module(module_check):
-+ return False
-+
-+ conf.define('USING_SYSTEM_%s' % bundle_name.upper(), 1)
-+
-+ return True
---
-1.8.5.2
-
diff --git a/SOURCES/samba-4.1.6-fix_printer_list_memleadk.patch b/SOURCES/samba-4.1.6-fix_printer_list_memleadk.patch
deleted file mode 100644
index be7f64b..0000000
--- a/SOURCES/samba-4.1.6-fix_printer_list_memleadk.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From bfd3125066cfc722e244c9f651a3e5dafb8d005d Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 24 Feb 2014 16:18:31 -0800
-Subject: [PATCH] s3-printing: Fix obvious memory leak in
- printer_list_get_printer().
-
-https://bugzilla.samba.org/show_bug.cgi?id=9993
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Ira Cooper <ira@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
-Autobuild-Date(master): Tue Feb 25 13:19:37 CET 2014 on sn-devel-104
-
-(cherry picked from commit 148bbdd8d04400b5d873f636671dd443952ca04f)
----
- source3/printing/printer_list.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
-index 6e02ee5..7e89ec4 100644
---- a/source3/printing/printer_list.c
-+++ b/source3/printing/printer_list.c
-@@ -133,6 +133,7 @@ NTSTATUS printer_list_get_printer(TALLOC_CTX *mem_ctx,
- done:
- SAFE_FREE(nstr);
- SAFE_FREE(cstr);
-+ SAFE_FREE(lstr);
- TALLOC_FREE(key);
- return status;
- }
---
-1.8.5.2
-
diff --git a/SOURCES/samba-4.1.6-fix_service_with_force_user.patch b/SOURCES/samba-4.1.6-fix_service_with_force_user.patch
deleted file mode 100644
index 8754ae1..0000000
--- a/SOURCES/samba-4.1.6-fix_service_with_force_user.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 34d4e883146bccda53422fa50a35ab25ca880d2e Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Mon, 17 Mar 2014 14:35:00 -0700
-Subject: [PATCH] s3: smbd: Fileserving share access checks.
-
-Git commit 86d1e1db8e2747e30c89627cda123fde1e84f579
-fixed share_access not being reset between users,
-by changing make_connection_snum() to call a common
-function check_user_share_access() in the same way
-that change_to_user() (which can be called on any
-incoming packet) does.
-
-Unfortunately that bugfix was incorrect and
-broke "force user" and "force group" as it
-called check_user_share_access() inside
-make_connection_snum() using the conn->session_info
-pointer instead of the vuser->session_info pointer.
-
-conn->session_info represents the token to use
-when actually accessing the file system, and so
-is modified by force user and force group.
-
-vuser->session_info represents the "pristine"
-token of the user logging in, and is never modified
-by force user and force group.
-
-Samba 3.6.x checked the share access based on
-the "pristine" token of the user logging in,
-not the token modified by force user and force group.
-This change restores the expected behavior.
-
-Fixes bug #9878 - force user does not work as expected
-
-https://bugzilla.samba.org/show_bug.cgi?id=9878
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/smbd/service.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/source3/smbd/service.c b/source3/smbd/service.c
-index a7464f0..7d06551 100644
---- a/source3/smbd/service.c
-+++ b/source3/smbd/service.c
-@@ -614,11 +614,19 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
- }
-
- /*
-- * Set up the share security descriptor
-+ * Set up the share security descriptor.
-+ * NOTE - we use the *INCOMING USER* session_info
-+ * here, as does (indirectly) change_to_user(),
-+ * which can be called on any incoming packet.
-+ * This way we set up the share access based
-+ * on the authenticated user, not the forced
-+ * user. See bug:
-+ *
-+ * https://bugzilla.samba.org/show_bug.cgi?id=9878
- */
-
- status = check_user_share_access(conn,
-- conn->session_info,
-+ vuser->session_info,
- &conn->share_access,
- &conn->read_only);
- if (!NT_STATUS_IS_OK(status)) {
---
-1.9.0.279.gdc9e3eb
-
diff --git a/SOURCES/samba-4.1.7-Make_daemons_systemd_aware.patch b/SOURCES/samba-4.1.7-Make_daemons_systemd_aware.patch
deleted file mode 100644
index dea0af3..0000000
--- a/SOURCES/samba-4.1.7-Make_daemons_systemd_aware.patch
+++ /dev/null
@@ -1,748 +0,0 @@
-From 4be15cc68a49b353f1f2f4f198b968098bee4d83 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Tue, 25 Mar 2014 12:53:04 +0200
-Subject: [PATCH 1/5] add systemd integration
-
-Add --with-systemd / --without-systemd options to check whether
-libsystemd-daemon library is available and use it to report service
-startup status to systemd for smbd/winbindd/nmbd and AD DC.
-
-The problem it solves is correct reporting of the Samba services
-at the point when they are ready to serve clients, important for
-high availability software integration.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-(cherry picked from commit 54b5d9a7384ae27b2a26586ff909128427c05abe)
----
- lib/util/become_daemon.c | 37 ++++++++++++++++++++++++++++++++++++-
- lib/util/samba_util.h | 12 ++++++++++++
- lib/util/wscript_build | 2 +-
- packaging/systemd/nmb.service | 3 ++-
- packaging/systemd/samba.service | 3 ++-
- packaging/systemd/smb.service | 3 ++-
- packaging/systemd/winbind.service | 3 ++-
- source3/nmbd/nmbd.c | 4 ++++
- source3/smbd/server.c | 4 ++++
- source3/winbindd/winbindd.c | 5 +++++
- source4/smbd/server.c | 4 ++++
- wscript | 27 +++++++++++++++++++++++----
- 12 files changed, 97 insertions(+), 10 deletions(-)
-
-diff --git a/lib/util/become_daemon.c b/lib/util/become_daemon.c
-index 2ca0478..35c8b32 100644
---- a/lib/util/become_daemon.c
-+++ b/lib/util/become_daemon.c
-@@ -24,6 +24,9 @@
- #include "includes.h"
- #include "system/filesys.h"
- #include "system/locale.h"
-+#if HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-
- /*******************************************************************
- Close the low 3 fd's and open dev/null in their place.
-@@ -75,8 +78,13 @@ _PUBLIC_ void close_low_fds(bool stdin_too, bool stdout_too, bool stderr_too)
-
- _PUBLIC_ void become_daemon(bool do_fork, bool no_process_group, bool log_stdout)
- {
-+ pid_t newpid;
- if (do_fork) {
-- if (fork()) {
-+ newpid = fork();
-+ if (newpid) {
-+#if HAVE_SYSTEMD
-+ sd_notifyf(0, "READY=0\nSTATUS=Starting process...\nMAINPID=%lu", (unsigned long) newpid);
-+#endif /* HAVE_SYSTEMD */
- _exit(0);
- }
- }
-@@ -100,3 +108,30 @@ _PUBLIC_ void become_daemon(bool do_fork, bool no_process_group, bool log_stdout
- * never close stderr (but debug might dup it onto a log file) */
- close_low_fds(do_fork, !log_stdout, false);
- }
-+
-+_PUBLIC_ void exit_daemon(const char *msg, int error)
-+{
-+#ifdef HAVE_SYSTEMD
-+ if (msg == NULL) {
-+ msg = strerror(error);
-+ }
-+
-+ sd_notifyf(0, "STATUS=daemon failed to start: %s\n"
-+ "ERRNO=%i",
-+ msg,
-+ error);
-+#endif
-+ DEBUG(0, ("STATUS=daemon failed to start: %s, error code %d\n", msg, error));
-+ exit(1);
-+}
-+
-+_PUBLIC_ void daemon_ready(const char *daemon)
-+{
-+ if (daemon == NULL) {
-+ daemon = "Samba";
-+ }
-+#ifdef HAVE_SYSTEMD
-+ sd_notifyf(0, "READY=1\nSTATUS=%s: ready to serve connections...", daemon);
-+#endif
-+ DEBUG(0, ("STATUS=daemon '%s' finished starting up and ready to serve connections", daemon));
-+}
-diff --git a/lib/util/samba_util.h b/lib/util/samba_util.h
-index f52347e..2996710 100644
---- a/lib/util/samba_util.h
-+++ b/lib/util/samba_util.h
-@@ -842,6 +842,18 @@ _PUBLIC_ void close_low_fds(bool stdin_too, bool stdout_too, bool stderr_too);
- _PUBLIC_ void become_daemon(bool do_fork, bool no_process_group, bool log_stdout);
-
- /**
-+ Exit daemon and print error message to the log at level 0
-+ Optionally report failure to systemd if systemd integration is enabled
-+**/
-+_PUBLIC_ void exit_daemon(const char *msg, int error);
-+
-+/**
-+ Report that the daemon is ready to serve connections to the log at level 0
-+ Optionally report status to systemd if systemd integration is enabled
-+**/
-+_PUBLIC_ void daemon_ready(const char *daemon);
-+
-+/**
- * @brief Get a password from the console.
- *
- * You should make sure that the buffer is an empty string!
-diff --git a/lib/util/wscript_build b/lib/util/wscript_build
-index 39a1613..5087116 100755
---- a/lib/util/wscript_build
-+++ b/lib/util/wscript_build
-@@ -10,7 +10,7 @@ bld.SAMBA_LIBRARY('samba-util',
- server_id.c dprintf.c parmlist.c bitmap.c pidfile.c
- tevent_debug.c util_process.c''',
- deps='DYNCONFIG',
-- public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid',
-+ public_deps='talloc tevent execinfo uid_wrapper pthread LIBCRYPTO charset util_setid systemd-daemon',
- public_headers='debug.h attr.h byteorder.h data_blob.h memory.h safe_string.h time.h talloc_stack.h xfile.h dlinklist.h samba_util.h string_wrappers.h',
- header_path= [ ('dlinklist.h samba_util.h', '.'), ('*', 'util') ],
- local_include=False,
-diff --git a/packaging/systemd/nmb.service b/packaging/systemd/nmb.service
-index e5e81a1..3d71a7d 100644
---- a/packaging/systemd/nmb.service
-+++ b/packaging/systemd/nmb.service
-@@ -3,7 +3,8 @@ Description=Samba NMB Daemon
- After=syslog.target network.target
-
- [Service]
--Type=forking
-+Type=notify
-+NotifyAccess=all
- PIDFile=/run/nmbd.pid
- EnvironmentFile=-/etc/sysconfig/samba
- ExecStart=/usr/sbin/nmbd $NMBDOPTIONS
-diff --git a/packaging/systemd/samba.service b/packaging/systemd/samba.service
-index e2878d1..824f89c 100644
---- a/packaging/systemd/samba.service
-+++ b/packaging/systemd/samba.service
-@@ -3,7 +3,8 @@ Description=Samba AD Daemon
- After=syslog.target network.target
-
- [Service]
--Type=forking
-+Type=notify
-+NotifyAccess=all
- PIDFile=/run/samba.pid
- LimitNOFILE=16384
- EnvironmentFile=-/etc/sysconfig/samba
-diff --git a/packaging/systemd/smb.service b/packaging/systemd/smb.service
-index d0d945a..9810891 100644
---- a/packaging/systemd/smb.service
-+++ b/packaging/systemd/smb.service
-@@ -3,7 +3,8 @@ Description=Samba SMB Daemon
- After=syslog.target network.target nmb.service winbind.service
-
- [Service]
--Type=forking
-+Type=notify
-+NotifyAccess=all
- PIDFile=/run/smbd.pid
- LimitNOFILE=16384
- EnvironmentFile=-/etc/sysconfig/samba
-diff --git a/packaging/systemd/winbind.service b/packaging/systemd/winbind.service
-index eff266f..f711a17 100644
---- a/packaging/systemd/winbind.service
-+++ b/packaging/systemd/winbind.service
-@@ -3,7 +3,8 @@ Description=Samba Winbind Daemon
- After=syslog.target network.target nmb.service
-
- [Service]
--Type=forking
-+Type=notify
-+NotifyAccess=all
- PIDFile=/run/winbindd.pid
- EnvironmentFile=-/etc/sysconfig/samba
- ExecStart=/usr/sbin/winbindd "$WINBINDOPTIONS"
-diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
-index ec0e7d0..aced774 100644
---- a/source3/nmbd/nmbd.c
-+++ b/source3/nmbd/nmbd.c
-@@ -1088,6 +1088,10 @@ static bool open_sockets(bool isdaemon, int port)
- exit(1);
- }
-
-+ if (is_daemon && !opt_interactive) {
-+ daemon_ready("nmbd");
-+ }
-+
- TALLOC_FREE(frame);
- process(msg);
-
-diff --git a/source3/smbd/server.c b/source3/smbd/server.c
-index d3cd33e..b2a9d8f 100644
---- a/source3/smbd/server.c
-+++ b/source3/smbd/server.c
-@@ -1489,6 +1489,10 @@ extern void build_options(bool screen);
- exit(1);
- }
-
-+ if (is_daemon && !interactive) {
-+ daemon_ready("smbd");
-+ }
-+
- /* only start other daemons if we are running as a daemon
- * -- bad things will happen if smbd is launched via inetd
- * and we fork a copy of ourselves here */
-diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
-index 50573ac..61c1dbc 100644
---- a/source3/winbindd/winbindd.c
-+++ b/source3/winbindd/winbindd.c
-@@ -1581,6 +1581,11 @@ int main(int argc, char **argv, char **envp)
- }
-
- TALLOC_FREE(frame);
-+
-+ if (!interactive) {
-+ daemon_ready("winbindd");
-+ }
-+
- /* Loop waiting for requests */
- while (1) {
- frame = talloc_stackframe();
-diff --git a/source4/smbd/server.c b/source4/smbd/server.c
-index 37aac62..3a23190 100644
---- a/source4/smbd/server.c
-+++ b/source4/smbd/server.c
-@@ -498,6 +498,10 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
- return 1;
- }
-
-+ if (opt_daemon) {
-+ daemon_ready("samba");
-+ }
-+
- /* wait for events - this is where smbd sits for most of its
- life */
- tevent_loop_wait(event_ctx);
-diff --git a/wscript b/wscript
-index 83c82e3..2f02c6e 100644
---- a/wscript
-+++ b/wscript
-@@ -64,8 +64,15 @@ def set_options(opt):
- help=("Disable Position Independent Executable builds"),
- action="store_false", dest='enable_pie')
-
-- gr = opt.option_group('developer options')
-+ opt.add_option('--with-systemd',
-+ help=("Enable systemd integration"),
-+ action='store_true', dest='enable_systemd')
-+
-+ opt.add_option('--without-systemd',
-+ help=("Disable systemd integration"),
-+ action='store_false', dest='enable_systemd')
-
-+ gr = opt.option_group('developer options')
-
- opt.tool_options('python') # options for disabling pyc or pyo compilation
- # enable options related to building python extensions
-@@ -162,11 +169,8 @@ def configure(conf):
- if not conf.CHECK_CODE('#include "tests/summary.c"',
- define='SUMMARY_PASSES',
- addmain=False,
-- execute=True,
- msg='Checking configure summary'):
- raise Utils.WafError('configure summary failed')
--
-- conf.SAMBA_CONFIG_H('include/config.h')
-
- if Options.options.enable_pie != False:
- if Options.options.enable_pie == True:
-@@ -178,6 +182,21 @@ def configure(conf):
- msg="Checking compiler for PIE support"):
- conf.env['ENABLE_PIE'] = True
-
-+ if Options.options.enable_systemd != False:
-+ conf.check_cfg(package='libsystemd-daemon', args='--cflags --libs',
-+ msg='Checking for libsystemd-daemon', uselib_store="SYSTEMD-DAEMON")
-+ conf.CHECK_HEADERS('systemd/sd-daemon.h', lib='systemd-daemon')
-+ conf.CHECK_LIB('systemd-daemon', shlib=True)
-+
-+ if conf.CONFIG_SET('HAVE_SYSTEMD_SD_DAEMON_H'):
-+ conf.DEFINE('HAVE_SYSTEMD', '1')
-+ conf.env['ENABLE_SYSTEMD'] = True
-+ else:
-+ conf.SET_TARGET_TYPE('systemd-daemon', 'EMPTY')
-+ conf.undefine('HAVE_SYSTEMD')
-+
-+ conf.SAMBA_CONFIG_H('include/config.h')
-+
- def etags(ctx):
- '''build TAGS file using etags'''
- import Utils
---
-1.8.5.3
-
-
-From a6250f706655bd8fda81fe15ccc9441f7d4e1c84 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Wed, 26 Mar 2014 10:56:12 +0200
-Subject: [PATCH 2/5] smbd: use exit_daemon() to support reporting to systemd
- from smbd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/smbd/server.c | 44 +++++++++++++++++++-------------------------
- 1 file changed, 19 insertions(+), 25 deletions(-)
-
-diff --git a/source3/smbd/server.c b/source3/smbd/server.c
-index b2a9d8f..34c949d 100644
---- a/source3/smbd/server.c
-+++ b/source3/smbd/server.c
-@@ -1314,8 +1314,7 @@ extern void build_options(bool screen);
- ev_ctx,
- false);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("reinit_after_fork() failed\n"));
-- exit(1);
-+ exit_daemon("reinit_after_fork() failed", map_errno_from_nt_status(status));
- }
-
- if (!interactive) {
-@@ -1326,8 +1325,7 @@ extern void build_options(bool screen);
- */
- status = init_before_fork();
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("init_before_fork failed: %s\n", nt_errstr(status)));
-- exit(1);
-+ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status));
- }
- }
-
-@@ -1360,7 +1358,7 @@ extern void build_options(bool screen);
- /* Setup all the TDB's - including CLEAR_IF_FIRST tdb's. */
-
- if (smbd_memcache() == NULL) {
-- exit(1);
-+ exit_daemon("no memcache available", EACCES);
- }
-
- memcache_set_global(smbd_memcache());
-@@ -1372,69 +1370,65 @@ extern void build_options(bool screen);
- exit(1);
-
- if (!secrets_init()) {
-- DEBUG(0, ("ERROR: smbd can not open secrets.tdb\n"));
-- exit(1);
-+ exit_daemon("smbd can not open secrets.tdb", EACCES);
- }
-
- if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
- struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_helpers());
- if (!open_schannel_session_store(NULL, lp_ctx)) {
-- DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
-- exit(1);
-+ exit_daemon("ERROR: Samba cannot open schannel store for secured NETLOGON operations.", EACCES);
- }
- TALLOC_FREE(lp_ctx);
- }
-
- if(!get_global_sam_sid()) {
-- DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n"));
-- exit(1);
-+ exit_daemon("Samba cannot create a SAM SID", EACCES);
- }
-
- server_id = messaging_server_id(msg_ctx);
- status = smbXsrv_version_global_init(&server_id);
- if (!NT_STATUS_IS_OK(status)) {
-- exit(1);
-+ exit_daemon("Samba cannot init server context", EACCES);
- }
-
- status = smbXsrv_session_global_init();
- if (!NT_STATUS_IS_OK(status)) {
-- exit(1);
-+ exit_daemon("Samba cannot init session context", EACCES);
- }
-
- status = smbXsrv_tcon_global_init();
- if (!NT_STATUS_IS_OK(status)) {
-- exit(1);
-+ exit_daemon("Samba cannot init tcon context", EACCES);
- }
-
- if (!locking_init())
-- exit(1);
-+ exit_daemon("Samba cannot init locking", EACCES);
-
- if (!messaging_tdb_parent_init(ev_ctx)) {
-- exit(1);
-+ exit_daemon("Samba cannot init TDB messaging", EACCES);
- }
-
- if (!smbd_parent_notify_init(NULL, msg_ctx, ev_ctx)) {
-- exit(1);
-+ exit_daemon("Samba cannot init notification", EACCES);
- }
-
- if (!smbd_scavenger_init(NULL, msg_ctx, ev_ctx)) {
-- exit(1);
-+ exit_daemon("Samba cannot init scavenging", EACCES);
- }
-
- if (!serverid_parent_init(ev_ctx)) {
-- exit(1);
-+ exit_daemon("Samba cannot init server id", EACCES);
- }
-
- if (!W_ERROR_IS_OK(registry_init_full()))
-- exit(1);
-+ exit_daemon("Samba cannot init registry", EACCES);
-
- /* Open the share_info.tdb here, so we don't have to open
- after the fork on every single connection. This is a small
- performance improvment and reduces the total number of system
- fds used. */
- if (!share_info_db_init()) {
-- DEBUG(0,("ERROR: failed to load share info db.\n"));
-- exit(1);
-+ exit_daemon("ERROR: failed to load share info db.", EACCES);
- }
-
- status = init_system_session_info();
-@@ -1455,7 +1449,7 @@ extern void build_options(bool screen);
- }
- status = smbXsrv_open_global_init();
- if (!NT_STATUS_IS_OK(status)) {
-- exit(1);
-+ exit_daemon("Samba cannot init global open", map_errno_from_nt_status(status));
- }
-
- /* This MUST be done before start_epmd() because otherwise
-@@ -1486,7 +1480,7 @@ extern void build_options(bool screen);
- }
-
- if (!dcesrv_ep_setup(ev_ctx, msg_ctx)) {
-- exit(1);
-+ exit_daemon("Samba cannot setup ep pipe", EACCES);
- }
-
- if (is_daemon && !interactive) {
-@@ -1507,7 +1501,7 @@ extern void build_options(bool screen);
- bool bgq = lp_parm_bool(-1, "smbd", "backgroundqueue", true);
-
- if (!printing_subsystem_init(ev_ctx, msg_ctx, true, bgq)) {
-- exit(1);
-+ exit_daemon("Samba failed to init printing subsystem", EACCES);
- }
- }
- } else if (!lp__disable_spoolss() &&
---
-1.8.5.3
-
-
-From 580933198c1da02ad668b32f68bfeac833d97980 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Wed, 26 Mar 2014 11:34:56 +0200
-Subject: [PATCH 3/5] nmbd: use exit_daemon() to report status to systemd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-
-(cherry picked from commit a54e94559b5ebabbb8c5c938fdf159efceff39e6)
----
- source3/nmbd/nmbd.c | 39 ++++++++++++++-------------------------
- 1 file changed, 14 insertions(+), 25 deletions(-)
-
-diff --git a/source3/nmbd/nmbd.c b/source3/nmbd/nmbd.c
-index aced774..dc2d4c7 100644
---- a/source3/nmbd/nmbd.c
-+++ b/source3/nmbd/nmbd.c
-@@ -966,16 +966,12 @@ static bool open_sockets(bool isdaemon, int port)
-
- ok = directory_create_or_exist(lp_lockdir(), geteuid(), 0755);
- if (!ok) {
-- DEBUG(0, ("Failed to create directory %s for lock files - %s\n",
-- lp_lockdir(), strerror(errno)));
-- exit(1);
-+ exit_daemon("Failed to create directory for lock files, check 'lock directory'", errno);
- }
-
- ok = directory_create_or_exist(lp_piddir(), geteuid(), 0755);
- if (!ok) {
-- DEBUG(0, ("Failed to create directory %s for pid files - %s\n",
-- lp_piddir(), strerror(errno)));
-- exit(1);
-+ exit_daemon("Failed to create directory for pid files, check 'pid directory'", errno);
- }
-
- pidfile_create(lp_piddir(), "nmbd");
-@@ -984,8 +980,7 @@ static bool open_sockets(bool isdaemon, int port)
- false);
-
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("reinit_after_fork() failed\n"));
-- exit(1);
-+ exit_daemon("reinit_after_fork() failed", map_errno_from_nt_status(status));
- }
-
- /*
-@@ -995,16 +990,15 @@ static bool open_sockets(bool isdaemon, int port)
- */
- status = init_before_fork();
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("init_before_fork failed: %s\n", nt_errstr(status)));
-- exit(1);
-+ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status));
- }
-
- if (!nmbd_setup_sig_term_handler(msg))
-- exit(1);
-+ exit_daemon("NMBD failed to setup signal handler", EINVAL);
- if (!nmbd_setup_stdin_handler(msg, !Fork))
-- exit(1);
-+ exit_daemon("NMBD failed to setup stdin handler", EINVAL);
- if (!nmbd_setup_sig_hup_handler(msg))
-- exit(1);
-+ exit_daemon("NMBD failed to setup SIGHUP handler", EINVAL);
-
- /* get broadcast messages */
-
-@@ -1012,8 +1006,7 @@ static bool open_sockets(bool isdaemon, int port)
- FLAG_MSG_GENERAL |
- FLAG_MSG_NMBD |
- FLAG_MSG_DBWRAP)) {
-- DEBUG(1, ("Could not register myself in serverid.tdb\n"));
-- exit(1);
-+ exit_daemon("Could not register NMBD process in serverid.tdb", EACCES);
- }
-
- messaging_register(msg, NULL, MSG_FORCE_ELECTION,
-@@ -1044,9 +1037,8 @@ static bool open_sockets(bool isdaemon, int port)
-
- /* Create an nmbd subnet record for each of the above. */
- if( False == create_subnets() ) {
-- DEBUG(0,("ERROR: Failed when creating subnet lists. Exiting.\n"));
- kill_async_dns_child();
-- exit(1);
-+ exit_daemon("NMBD failed when creating subnet lists", EACCES);
- }
-
- /* Load in any static local names. */
-@@ -1058,9 +1050,8 @@ static bool open_sockets(bool isdaemon, int port)
-
- /* If we are acting as a WINS server, initialise data structures. */
- if( !initialise_wins() ) {
-- DEBUG( 0, ( "nmbd: Failed when initialising WINS server.\n" ) );
- kill_async_dns_child();
-- exit(1);
-+ exit_daemon( "NMBD failed when initialising WINS server.", EACCES);
- }
-
- /*
-@@ -1072,21 +1063,19 @@ static bool open_sockets(bool isdaemon, int port)
- */
-
- if( False == register_my_workgroup_and_names() ) {
-- DEBUG(0,("ERROR: Failed when creating my my workgroup. Exiting.\n"));
- kill_async_dns_child();
-- exit(1);
-+ exit_daemon( "NMBD failed when creating my workgroup.", EACCES);
- }
-
- if (!initialize_nmbd_proxy_logon()) {
-- DEBUG(0,("ERROR: Failed setup nmbd_proxy_logon.\n"));
- kill_async_dns_child();
-- exit(1);
-+ exit_daemon( "NMBD failed to setup nmbd_proxy_logon.", EACCES);
- }
-
- if (!nmbd_init_packet_server()) {
- kill_async_dns_child();
-- exit(1);
-- }
-+ exit_daemon( "NMBD failed to setup packet server.", EACCES);
-+ }
-
- if (is_daemon && !opt_interactive) {
- daemon_ready("nmbd");
---
-1.8.5.3
-
-
-From 1067bdd3e590d5ab880044456c667e3663d99c95 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Wed, 26 Mar 2014 11:45:21 +0200
-Subject: [PATCH 4/5] winbindd: use exit_daemon() to pass startup status to
- systemd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit 91013315c9fa946bf85c85df0ccd40a803f3dc6f)
----
- source3/winbindd/winbindd.c | 13 ++++---------
- 1 file changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
-index 61c1dbc..68ffd7e 100644
---- a/source3/winbindd/winbindd.c
-+++ b/source3/winbindd/winbindd.c
-@@ -1543,8 +1543,7 @@ int main(int argc, char **argv, char **envp)
- winbind_event_context(),
- false);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("reinit_after_fork() failed\n"));
-- exit(1);
-+ exit_daemon("Winbindd reinit_after_fork() failed", map_errno_from_nt_status(status));
- }
-
- /*
-@@ -1554,17 +1553,14 @@ int main(int argc, char **argv, char **envp)
- */
- status = init_before_fork();
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0, ("init_before_fork failed: %s\n", nt_errstr(status)));
-- exit(1);
-+ exit_daemon(nt_errstr(status), map_errno_from_nt_status(status));
- }
-
- winbindd_register_handlers(winbind_messaging_context(), !Fork);
-
- status = init_system_session_info();
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(1, ("ERROR: failed to setup system user info: %s.\n",
-- nt_errstr(status)));
-- exit(1);
-+ exit_daemon("Winbindd failed to setup system user info", map_errno_from_nt_status(status));
- }
-
- rpc_lsarpc_init(NULL);
-@@ -1576,8 +1572,7 @@ int main(int argc, char **argv, char **envp)
- /* setup listen sockets */
-
- if (!winbindd_setup_listeners()) {
-- DEBUG(0,("winbindd_setup_listeners() failed\n"));
-- exit(1);
-+ exit_daemon("Winbindd failed to setup listeners", EPIPE);
- }
-
- TALLOC_FREE(frame);
---
-1.8.5.3
-
-
-From 037b9fd66e777571e2c963945e41535371b4683e Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Wed, 26 Mar 2014 12:30:30 +0200
-Subject: [PATCH 5/5] ad-dc: use exit_daemon() to communicate status of startup
- to systemd
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=10517
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-(cherry picked from commit a343303cbcd5af303455843ebf202e2f30daf3a6)
----
- source4/smbd/server.c | 19 +++++++------------
- 1 file changed, 7 insertions(+), 12 deletions(-)
-
-diff --git a/source4/smbd/server.c b/source4/smbd/server.c
-index 3a23190..d5d9d9c 100644
---- a/source4/smbd/server.c
-+++ b/source4/smbd/server.c
-@@ -398,15 +398,13 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
-
- if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
- if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
-- DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
-- exit(1);
-+ exit_daemon("Samba cannot open schannel store for secured NETLOGON operations.", EACCES);
- }
- }
-
- /* make sure we won't go through nss_winbind */
- if (!winbind_off()) {
-- DEBUG(0,("Failed to disable recusive winbindd calls. Exiting.\n"));
-- exit(1);
-+ exit_daemon("Samba failed to disable recusive winbindd calls.", EACCES);
- }
-
- gensec_init(); /* FIXME: */
-@@ -431,8 +429,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
- event_ctx = s4_event_context_init(talloc_autofree_context());
-
- if (event_ctx == NULL) {
-- DEBUG(0,("Initializing event context failed\n"));
-- return 1;
-+ exit_daemon("Initializing event context failed", EACCES);
- }
-
- if (opt_interactive) {
-@@ -449,7 +446,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
- #endif
-
- if (fstat(0, &st) != 0) {
-- exit(1);
-+ exit_daemon("Samba failed to set standard input handler", ENOTTY);
- }
-
- if (S_ISFIFO(st.st_mode) || S_ISSOCK(st.st_mode)) {
-@@ -478,15 +475,14 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
- DEBUG(0, ("At this time the 'samba' binary should only be used for either:\n"));
- DEBUGADD(0, ("'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'\n"));
- DEBUGADD(0, ("You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks\n"));
-- exit(1);
-+ exit_daemon("Samba detected misconfigured 'server role' and exited. Check logs for details", EINVAL);
- };
-
- prime_ldb_databases(event_ctx);
-
- status = setup_parent_messaging(event_ctx, cmdline_lp_ctx);
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("Failed to setup parent messaging - %s\n", nt_errstr(status)));
-- return 1;
-+ exit_daemon("Samba failed to setup parent messaging", NT_STATUS_V(status));
- }
-
- DEBUG(0,("%s: using '%s' process model\n", binary_name, model));
-@@ -494,8 +490,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
- status = server_service_startup(event_ctx, cmdline_lp_ctx, model,
- lpcfg_server_services(cmdline_lp_ctx));
- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("Starting Services failed - %s\n", nt_errstr(status)));
-- return 1;
-+ exit_daemon("Samba failed to start services", NT_STATUS_V(status));
- }
-
- if (opt_daemon) {
---
-1.8.5.3
-
diff --git a/SOURCES/samba-4.1.7-make_pidl_lsa_struct_public.patch b/SOURCES/samba-4.1.7-make_pidl_lsa_struct_public.patch
deleted file mode 100644
index ec602da..0000000
--- a/SOURCES/samba-4.1.7-make_pidl_lsa_struct_public.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 101c93f1e54095f8e115e33a66ec1127ead207da Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <ab@samba.org>
-Date: Tue, 18 Mar 2014 19:41:38 +0200
-Subject: [PATCH] lsa.idl: define lsa.ForestTrustCollisionInfo and
- ForestTrustCollisionRecord as public structs
-
-For Python bindings PIDL wants the struct to be defined as public if we
-want to use __ndr_print/pack/unpack.
-
-Define the [public] attribute to ForestTrustCollisionInfo/Record to
-allow easier debugging when there is collision in establishing a trust.
-
-This change does not affect C code as NDR functions are always
-generated, only not exposed in Python bindings.
-
-https://bugzilla.samba.org/show_bug.cgi?id=10504
-
-Signed-off-by: Alexander Bokovoy <ab@samba.org>
-Reviewed-by: Jelmer Vernooij <jelmer@samba.org>
-
-Autobuild-User(master): Alexander Bokovoy <ab@samba.org>
-Autobuild-Date(master): Mon Mar 24 12:44:50 CET 2014 on sn-devel-104
-
-(cherry picked from commit 59767911bded48388c27d5f9cd2ff1346a1c01a6)
----
- librpc/idl/lsa.idl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/librpc/idl/lsa.idl b/librpc/idl/lsa.idl
-index d8f2649..80efbd5 100644
---- a/librpc/idl/lsa.idl
-+++ b/librpc/idl/lsa.idl
-@@ -1328,14 +1328,14 @@ import "misc.idl", "security.idl";
- [default] uint32 flags;
- } lsa_ForestTrustCollisionFlags;
-
-- typedef struct {
-+ typedef [public] struct {
- uint32 index;
- lsa_ForestTrustCollisionRecordType type;
- [switch_is(type)] lsa_ForestTrustCollisionFlags flags;
- lsa_String name;
- } lsa_ForestTrustCollisionRecord;
-
-- typedef struct {
-+ typedef [public] struct {
- uint32 count;
- [size_is(count)] lsa_ForestTrustCollisionRecord **entries;
- } lsa_ForestTrustCollisionInfo;
---
-1.8.5.3
-
diff --git a/SOURCES/samba-4.1.9-file_open.patch b/SOURCES/samba-4.1.9-file_open.patch
deleted file mode 100644
index e4bf77d..0000000
--- a/SOURCES/samba-4.1.9-file_open.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-From d038b70b159fd133060ead0bed8d70b654594b03 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 24 Jun 2014 14:19:30 -0700
-Subject: [PATCH 1/2] s3: smbd - Prevent file truncation on an open that fails
- with share mode violation.
-
-Fix from Volker, really - just tidied up a little.
-The S_ISFIFO check may not be strictly neccessary,
-but doesn't hurt (might make the code a bit more complex
-than it needs to be).
-
-Fixes bug #10671 - Samba file corruption as a result of failed lock check.
-
-https://bugzilla.samba.org/show_bug.cgi?id=10671
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-(cherry picked from commit 31b3427a417217e5e869baafdf63e633efc39d12)
-[ddiss@samba.org: 4.1 backport]
----
- source3/smbd/open.c | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 5f7bff9..72b8b59 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -839,8 +839,11 @@ static NTSTATUS open_file(files_struct *fsp,
- }
- }
-
-- /* Actually do the open */
-- status = fd_open_atomic(conn, fsp, local_flags,
-+ /*
-+ * Actually do the open - if O_TRUNC is needed handle it
-+ * below under the share mode lock.
-+ */
-+ status = fd_open_atomic(conn, fsp, local_flags & ~O_TRUNC,
- unx_mode, p_file_created);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3,("Error opening file %s (%s) (local_flags=%d) "
-@@ -2646,6 +2649,21 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
- return status;
- }
-
-+ /* Should we atomically (to the client at least) truncate ? */
-+ if (!new_file_created) {
-+ if (flags2 & O_TRUNC) {
-+ if (!S_ISFIFO(fsp->fsp_name->st.st_ex_mode)) {
-+ int ret = vfs_set_filelen(fsp, 0);
-+ if (ret != 0) {
-+ status = map_nt_error_from_unix(errno);
-+ TALLOC_FREE(lck);
-+ fd_close(fsp);
-+ return status;
-+ }
-+ }
-+ }
-+ }
-+
- grant_fsp_oplock_type(fsp,
- oplock_request,
- got_level2_oplock,
---
-1.8.4.5
-
-
-From 906812aad2d1fec04076259f1d5332220b95221a Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Wed, 25 Jun 2014 08:36:47 +0000
-Subject: [PATCH 2/2] smbd: Remove 2 indentation levels
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: David Disseldorp <ddiss@samba.org>
-(cherry picked from commit 1dc5c20c8f7d8aa96fa0601bf5bf6dc69fb79d9f)
----
- source3/smbd/open.c | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/source3/smbd/open.c b/source3/smbd/open.c
-index 72b8b59..16d4307 100644
---- a/source3/smbd/open.c
-+++ b/source3/smbd/open.c
-@@ -2650,17 +2650,17 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
- }
-
- /* Should we atomically (to the client at least) truncate ? */
-- if (!new_file_created) {
-- if (flags2 & O_TRUNC) {
-- if (!S_ISFIFO(fsp->fsp_name->st.st_ex_mode)) {
-- int ret = vfs_set_filelen(fsp, 0);
-- if (ret != 0) {
-- status = map_nt_error_from_unix(errno);
-- TALLOC_FREE(lck);
-- fd_close(fsp);
-- return status;
-- }
-- }
-+ if ((!new_file_created) &&
-+ (flags2 & O_TRUNC) &&
-+ (!S_ISFIFO(fsp->fsp_name->st.st_ex_mode))) {
-+ int ret;
-+
-+ ret = vfs_set_filelen(fsp, 0);
-+ if (ret != 0) {
-+ status = map_nt_error_from_unix(errno);
-+ TALLOC_FREE(lck);
-+ fd_close(fsp);
-+ return status;
- }
- }
-
---
-1.8.4.5
-
diff --git a/SOURCES/samba-4.1.x-CVE-2013-4496.patch b/SOURCES/samba-4.1.x-CVE-2013-4496.patch
deleted file mode 100644
index 7529025..0000000
--- a/SOURCES/samba-4.1.x-CVE-2013-4496.patch
+++ /dev/null
@@ -1,1118 +0,0 @@
-From c129261c506c6b941630fd7f4bc72820eb272761 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Fri, 1 Nov 2013 14:55:44 +1300
-Subject: [PATCH 1/4] CVE-2013-4496:s3-samr: Block attempts to crack passwords
- via repeated password changes
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/rpc_server/samr/srv_samr_chgpasswd.c | 55 ++++++++++++++++
- source3/rpc_server/samr/srv_samr_nt.c | 90 +++++++++++++++++++++-----
- 2 files changed, 129 insertions(+), 16 deletions(-)
-
-diff --git a/source3/rpc_server/samr/srv_samr_chgpasswd.c b/source3/rpc_server/samr/srv_samr_chgpasswd.c
-index db1f459..1c9c33a 100644
---- a/source3/rpc_server/samr/srv_samr_chgpasswd.c
-+++ b/source3/rpc_server/samr/srv_samr_chgpasswd.c
-@@ -1106,6 +1106,8 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
- struct samu *sampass = NULL;
- NTSTATUS nt_status;
- bool ret = false;
-+ bool updated_badpw = false;
-+ NTSTATUS update_login_attempts_status;
-
- if (!(sampass = samu_new(NULL))) {
- return NT_STATUS_NO_MEMORY;
-@@ -1121,6 +1123,13 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
- return NT_STATUS_NO_SUCH_USER;
- }
-
-+ /* Quit if the account was locked out. */
-+ if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
-+ DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", user));
-+ TALLOC_FREE(sampass);
-+ return NT_STATUS_ACCOUNT_LOCKED_OUT;
-+ }
-+
- nt_status = check_oem_password(user,
- password_encrypted_with_lm_hash,
- old_lm_hash_encrypted,
-@@ -1129,6 +1138,52 @@ NTSTATUS pass_oem_change(char *user, const char *rhost,
- sampass,
- &new_passwd);
-
-+ /*
-+ * Notify passdb backend of login success/failure. If not
-+ * NT_STATUS_OK the backend doesn't like the login
-+ */
-+ update_login_attempts_status = pdb_update_login_attempts(sampass,
-+ NT_STATUS_IS_OK(nt_status));
-+
-+ if (!NT_STATUS_IS_OK(nt_status)) {
-+ bool increment_bad_pw_count = false;
-+
-+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) &&
-+ (pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
-+ NT_STATUS_IS_OK(update_login_attempts_status))
-+ {
-+ increment_bad_pw_count = true;
-+ }
-+
-+ if (increment_bad_pw_count) {
-+ pdb_increment_bad_password_count(sampass);
-+ updated_badpw = true;
-+ } else {
-+ pdb_update_bad_password_count(sampass,
-+ &updated_badpw);
-+ }
-+ } else {
-+
-+ if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
-+ (pdb_get_bad_password_count(sampass) > 0)){
-+ pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
-+ pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
-+ updated_badpw = true;
-+ }
-+ }
-+
-+ if (updated_badpw) {
-+ NTSTATUS update_status;
-+ become_root();
-+ update_status = pdb_update_sam_account(sampass);
-+ unbecome_root();
-+
-+ if (!NT_STATUS_IS_OK(update_status)) {
-+ DEBUG(1, ("Failed to modify entry: %s\n",
-+ nt_errstr(update_status)));
-+ }
-+ }
-+
- if (!NT_STATUS_IS_OK(nt_status)) {
- TALLOC_FREE(sampass);
- return nt_status;
-diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
-index b366eda..98e8bea 100644
---- a/source3/rpc_server/samr/srv_samr_nt.c
-+++ b/source3/rpc_server/samr/srv_samr_nt.c
-@@ -1722,9 +1722,11 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- NTSTATUS status;
- bool ret = false;
- struct samr_user_info *uinfo;
-- struct samu *pwd;
-+ struct samu *pwd = NULL;
- struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
- struct samr_Password lm_pwd, nt_pwd;
-+ bool updated_badpw = false;
-+ NTSTATUS update_login_attempts_status;
-
- uinfo = policy_handle_find(p, r->in.user_handle,
- SAMR_USER_ACCESS_SET_PASSWORD, NULL,
-@@ -1736,6 +1738,15 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
- sid_string_dbg(&uinfo->sid)));
-
-+ /* basic sanity checking on parameters. Do this before any database ops */
-+ if (!r->in.lm_present || !r->in.nt_present ||
-+ !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
-+ !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
-+ /* we should really handle a change with lm not
-+ present */
-+ return NT_STATUS_INVALID_PARAMETER_MIX;
-+ }
-+
- if (!(pwd = samu_new(NULL))) {
- return NT_STATUS_NO_MEMORY;
- }
-@@ -1749,6 +1760,14 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- return NT_STATUS_WRONG_PASSWORD;
- }
-
-+ /* Quit if the account was locked out. */
-+ if (pdb_get_acct_ctrl(pwd) & ACB_AUTOLOCK) {
-+ DEBUG(3, ("Account for user %s was locked out.\n",
-+ pdb_get_username(pwd)));
-+ status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-+ goto out;
-+ }
-+
- {
- const uint8_t *lm_pass, *nt_pass;
-
-@@ -1757,29 +1776,19 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
-
- if (!lm_pass || !nt_pass) {
- status = NT_STATUS_WRONG_PASSWORD;
-- goto out;
-+ goto update_login;
- }
-
- memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
- memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
- }
-
-- /* basic sanity checking on parameters. Do this before any database ops */
-- if (!r->in.lm_present || !r->in.nt_present ||
-- !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
-- !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
-- /* we should really handle a change with lm not
-- present */
-- status = NT_STATUS_INVALID_PARAMETER_MIX;
-- goto out;
-- }
--
- /* decrypt and check the new lm hash */
- D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
- D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
- if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
-- goto out;
-+ goto update_login;
- }
-
- /* decrypt and check the new nt hash */
-@@ -1787,7 +1796,7 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
- if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
-- goto out;
-+ goto update_login;
- }
-
- /* The NT Cross is not required by Win2k3 R2, but if present
-@@ -1796,7 +1805,7 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
-- goto out;
-+ goto update_login;
- }
- }
-
-@@ -1806,7 +1815,7 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
- status = NT_STATUS_WRONG_PASSWORD;
-- goto out;
-+ goto update_login;
- }
- }
-
-@@ -1817,6 +1826,55 @@ NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- }
-
- status = pdb_update_sam_account(pwd);
-+
-+update_login:
-+
-+ /*
-+ * Notify passdb backend of login success/failure. If not
-+ * NT_STATUS_OK the backend doesn't like the login
-+ */
-+ update_login_attempts_status = pdb_update_login_attempts(pwd,
-+ NT_STATUS_IS_OK(status));
-+
-+ if (!NT_STATUS_IS_OK(status)) {
-+ bool increment_bad_pw_count = false;
-+
-+ if (NT_STATUS_EQUAL(status,NT_STATUS_WRONG_PASSWORD) &&
-+ (pdb_get_acct_ctrl(pwd) & ACB_NORMAL) &&
-+ NT_STATUS_IS_OK(update_login_attempts_status))
-+ {
-+ increment_bad_pw_count = true;
-+ }
-+
-+ if (increment_bad_pw_count) {
-+ pdb_increment_bad_password_count(pwd);
-+ updated_badpw = true;
-+ } else {
-+ pdb_update_bad_password_count(pwd,
-+ &updated_badpw);
-+ }
-+ } else {
-+
-+ if ((pdb_get_acct_ctrl(pwd) & ACB_NORMAL) &&
-+ (pdb_get_bad_password_count(pwd) > 0)){
-+ pdb_set_bad_password_count(pwd, 0, PDB_CHANGED);
-+ pdb_set_bad_password_time(pwd, 0, PDB_CHANGED);
-+ updated_badpw = true;
-+ }
-+ }
-+
-+ if (updated_badpw) {
-+ NTSTATUS update_status;
-+ become_root();
-+ update_status = pdb_update_sam_account(pwd);
-+ unbecome_root();
-+
-+ if (!NT_STATUS_IS_OK(update_status)) {
-+ DEBUG(1, ("Failed to modify entry: %s\n",
-+ nt_errstr(update_status)));
-+ }
-+ }
-+
- out:
- TALLOC_FREE(pwd);
-
---
-1.7.9.5
-
-
-From fab5ee090e2e4765441b82e17a6cbb98523f6943 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Tue, 5 Nov 2013 14:04:20 +0100
-Subject: [PATCH 2/4] CVE-2013-4496:s3:auth: fix memory leak in the
- ACCOUNT_LOCKED_OUT case.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
----
- source3/auth/check_samsec.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
-index 7ed8cc2..94f30b1 100644
---- a/source3/auth/check_samsec.c
-+++ b/source3/auth/check_samsec.c
-@@ -408,6 +408,7 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
- /* Quit if the account was locked out. */
- if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
- DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
-+ TALLOC_FREE(sampass);
- return NT_STATUS_ACCOUNT_LOCKED_OUT;
- }
-
---
-1.7.9.5
-
-
-From bf3443c12f2a67481eb2e45ca41b906c438d06da Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Tue, 5 Nov 2013 16:16:46 +1300
-Subject: [PATCH 3/4] CVE-2013-4496:samr: Remove ChangePasswordUser
-
-This old password change mechanism does not provide the plaintext to
-validate against password complexity, and it is not used by modern
-clients.
-
-The missing features in both implementations (by design) were:
-
- - the password complexity checks (no plaintext)
- - the minimum password length (no plaintext)
-
-Additionally, the source3 version did not check:
-
- - the minimum password age
- - pdb_get_pass_can_change() which checks the security
- descriptor for the 'user cannot change password' setting.
- - the password history
- - the output of the 'passwd program' if 'unix passwd sync = yes'.
-
-Finally, the mechanism was almost useless, as it was incorrectly
-only made available to administrative users with permission
-to reset the password. It is removed here so that it is not
-mistakenly reinstated in the future.
-
-Andrew Bartlett
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/rpc_server/samr/srv_samr_nt.c | 169 +-------------------
- source3/smbd/lanman.c | 254 -------------------------------
- source4/rpc_server/samr/samr_password.c | 145 +-----------------
- source4/torture/rpc/samr.c | 6 +
- 4 files changed, 20 insertions(+), 554 deletions(-)
-
-diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c
-index 98e8bea..99f03ec 100644
---- a/source3/rpc_server/samr/srv_samr_nt.c
-+++ b/source3/rpc_server/samr/srv_samr_nt.c
-@@ -1713,172 +1713,19 @@ NTSTATUS _samr_LookupNames(struct pipes_struct *p,
- }
-
- /****************************************************************
-- _samr_ChangePasswordUser
-+ _samr_ChangePasswordUser.
-+
-+ So old it is just not worth implementing
-+ because it does not supply a plaintext and so we can't do password
-+ complexity checking and cannot update other services that use a
-+ plaintext password via passwd chat/pam password change/ldap password
-+ sync.
- ****************************************************************/
-
- NTSTATUS _samr_ChangePasswordUser(struct pipes_struct *p,
- struct samr_ChangePasswordUser *r)
- {
-- NTSTATUS status;
-- bool ret = false;
-- struct samr_user_info *uinfo;
-- struct samu *pwd = NULL;
-- struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
-- struct samr_Password lm_pwd, nt_pwd;
-- bool updated_badpw = false;
-- NTSTATUS update_login_attempts_status;
--
-- uinfo = policy_handle_find(p, r->in.user_handle,
-- SAMR_USER_ACCESS_SET_PASSWORD, NULL,
-- struct samr_user_info, &status);
-- if (!NT_STATUS_IS_OK(status)) {
-- return status;
-- }
--
-- DEBUG(5,("_samr_ChangePasswordUser: sid:%s\n",
-- sid_string_dbg(&uinfo->sid)));
--
-- /* basic sanity checking on parameters. Do this before any database ops */
-- if (!r->in.lm_present || !r->in.nt_present ||
-- !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
-- !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
-- /* we should really handle a change with lm not
-- present */
-- return NT_STATUS_INVALID_PARAMETER_MIX;
-- }
--
-- if (!(pwd = samu_new(NULL))) {
-- return NT_STATUS_NO_MEMORY;
-- }
--
-- become_root();
-- ret = pdb_getsampwsid(pwd, &uinfo->sid);
-- unbecome_root();
--
-- if (!ret) {
-- TALLOC_FREE(pwd);
-- return NT_STATUS_WRONG_PASSWORD;
-- }
--
-- /* Quit if the account was locked out. */
-- if (pdb_get_acct_ctrl(pwd) & ACB_AUTOLOCK) {
-- DEBUG(3, ("Account for user %s was locked out.\n",
-- pdb_get_username(pwd)));
-- status = NT_STATUS_ACCOUNT_LOCKED_OUT;
-- goto out;
-- }
--
-- {
-- const uint8_t *lm_pass, *nt_pass;
--
-- lm_pass = pdb_get_lanman_passwd(pwd);
-- nt_pass = pdb_get_nt_passwd(pwd);
--
-- if (!lm_pass || !nt_pass) {
-- status = NT_STATUS_WRONG_PASSWORD;
-- goto update_login;
-- }
--
-- memcpy(&lm_pwd.hash, lm_pass, sizeof(lm_pwd.hash));
-- memcpy(&nt_pwd.hash, nt_pass, sizeof(nt_pwd.hash));
-- }
--
-- /* decrypt and check the new lm hash */
-- D_P16(lm_pwd.hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
-- D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
-- if (memcmp(checkHash.hash, lm_pwd.hash, 16) != 0) {
-- status = NT_STATUS_WRONG_PASSWORD;
-- goto update_login;
-- }
--
-- /* decrypt and check the new nt hash */
-- D_P16(nt_pwd.hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
-- D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
-- if (memcmp(checkHash.hash, nt_pwd.hash, 16) != 0) {
-- status = NT_STATUS_WRONG_PASSWORD;
-- goto update_login;
-- }
--
-- /* The NT Cross is not required by Win2k3 R2, but if present
-- check the nt cross hash */
-- if (r->in.cross1_present && r->in.nt_cross) {
-- D_P16(lm_pwd.hash, r->in.nt_cross->hash, checkHash.hash);
-- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
-- status = NT_STATUS_WRONG_PASSWORD;
-- goto update_login;
-- }
-- }
--
-- /* The LM Cross is not required by Win2k3 R2, but if present
-- check the lm cross hash */
-- if (r->in.cross2_present && r->in.lm_cross) {
-- D_P16(nt_pwd.hash, r->in.lm_cross->hash, checkHash.hash);
-- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
-- status = NT_STATUS_WRONG_PASSWORD;
-- goto update_login;
-- }
-- }
--
-- if (!pdb_set_nt_passwd(pwd, new_ntPwdHash.hash, PDB_CHANGED) ||
-- !pdb_set_lanman_passwd(pwd, new_lmPwdHash.hash, PDB_CHANGED)) {
-- status = NT_STATUS_ACCESS_DENIED;
-- goto out;
-- }
--
-- status = pdb_update_sam_account(pwd);
--
--update_login:
--
-- /*
-- * Notify passdb backend of login success/failure. If not
-- * NT_STATUS_OK the backend doesn't like the login
-- */
-- update_login_attempts_status = pdb_update_login_attempts(pwd,
-- NT_STATUS_IS_OK(status));
--
-- if (!NT_STATUS_IS_OK(status)) {
-- bool increment_bad_pw_count = false;
--
-- if (NT_STATUS_EQUAL(status,NT_STATUS_WRONG_PASSWORD) &&
-- (pdb_get_acct_ctrl(pwd) & ACB_NORMAL) &&
-- NT_STATUS_IS_OK(update_login_attempts_status))
-- {
-- increment_bad_pw_count = true;
-- }
--
-- if (increment_bad_pw_count) {
-- pdb_increment_bad_password_count(pwd);
-- updated_badpw = true;
-- } else {
-- pdb_update_bad_password_count(pwd,
-- &updated_badpw);
-- }
-- } else {
--
-- if ((pdb_get_acct_ctrl(pwd) & ACB_NORMAL) &&
-- (pdb_get_bad_password_count(pwd) > 0)){
-- pdb_set_bad_password_count(pwd, 0, PDB_CHANGED);
-- pdb_set_bad_password_time(pwd, 0, PDB_CHANGED);
-- updated_badpw = true;
-- }
-- }
--
-- if (updated_badpw) {
-- NTSTATUS update_status;
-- become_root();
-- update_status = pdb_update_sam_account(pwd);
-- unbecome_root();
--
-- if (!NT_STATUS_IS_OK(update_status)) {
-- DEBUG(1, ("Failed to modify entry: %s\n",
-- nt_errstr(update_status)));
-- }
-- }
--
-- out:
-- TALLOC_FREE(pwd);
--
-- return status;
-+ return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- /*******************************************************************
-diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
-index e6b9530..1b734a7 100644
---- a/source3/smbd/lanman.c
-+++ b/source3/smbd/lanman.c
-@@ -2948,259 +2948,6 @@ static bool api_NetRemoteTOD(struct smbd_server_connection *sconn,
- }
-
- /****************************************************************************
-- Set the user password.
--*****************************************************************************/
--
--static bool api_SetUserPassword(struct smbd_server_connection *sconn,
-- connection_struct *conn,uint64_t vuid,
-- char *param, int tpscnt,
-- char *data, int tdscnt,
-- int mdrcnt,int mprcnt,
-- char **rdata,char **rparam,
-- int *rdata_len,int *rparam_len)
--{
-- char *np = get_safe_str_ptr(param,tpscnt,param,2);
-- char *p = NULL;
-- fstring user;
-- fstring pass1,pass2;
-- TALLOC_CTX *mem_ctx = talloc_tos();
-- NTSTATUS status, result;
-- struct rpc_pipe_client *cli = NULL;
-- struct policy_handle connect_handle, domain_handle, user_handle;
-- struct lsa_String domain_name;
-- struct dom_sid2 *domain_sid;
-- struct lsa_String names;
-- struct samr_Ids rids;
-- struct samr_Ids types;
-- struct samr_Password old_lm_hash;
-- struct samr_Password new_lm_hash;
-- int errcode = NERR_badpass;
-- uint32_t rid;
-- int encrypted;
-- int min_pwd_length;
-- struct dcerpc_binding_handle *b = NULL;
--
-- /* Skip 2 strings. */
-- p = skip_string(param,tpscnt,np);
-- p = skip_string(param,tpscnt,p);
--
-- if (!np || !p) {
-- return False;
-- }
--
-- /* Do we have a string ? */
-- if (skip_string(param,tpscnt,p) == NULL) {
-- return False;
-- }
-- pull_ascii_fstring(user,p);
--
-- p = skip_string(param,tpscnt,p);
-- if (!p) {
-- return False;
-- }
--
-- memset(pass1,'\0',sizeof(pass1));
-- memset(pass2,'\0',sizeof(pass2));
-- /*
-- * We use 31 here not 32 as we're checking
-- * the last byte we want to access is safe.
-- */
-- if (!is_offset_safe(param,tpscnt,p,31)) {
-- return False;
-- }
-- memcpy(pass1,p,16);
-- memcpy(pass2,p+16,16);
--
-- encrypted = get_safe_SVAL(param,tpscnt,p+32,0,-1);
-- if (encrypted == -1) {
-- errcode = W_ERROR_V(WERR_INVALID_PARAM);
-- goto out;
-- }
--
-- min_pwd_length = get_safe_SVAL(param,tpscnt,p+34,0,-1);
-- if (min_pwd_length == -1) {
-- errcode = W_ERROR_V(WERR_INVALID_PARAM);
-- goto out;
-- }
--
-- *rparam_len = 4;
-- *rparam = smb_realloc_limit(*rparam,*rparam_len);
-- if (!*rparam) {
-- return False;
-- }
--
-- *rdata_len = 0;
--
-- DEBUG(3,("Set password for <%s> (encrypted: %d, min_pwd_length: %d)\n",
-- user, encrypted, min_pwd_length));
--
-- ZERO_STRUCT(connect_handle);
-- ZERO_STRUCT(domain_handle);
-- ZERO_STRUCT(user_handle);
--
-- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
-- conn->session_info,
-- conn->sconn->remote_address,
-- conn->sconn->msg_ctx,
-- &cli);
-- if (!NT_STATUS_IS_OK(status)) {
-- DEBUG(0,("api_SetUserPassword: could not connect to samr: %s\n",
-- nt_errstr(status)));
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
--
-- b = cli->binding_handle;
--
-- status = dcerpc_samr_Connect2(b, mem_ctx,
-- lp_netbios_name(),
-- SAMR_ACCESS_CONNECT_TO_SERVER |
-- SAMR_ACCESS_ENUM_DOMAINS |
-- SAMR_ACCESS_LOOKUP_DOMAIN,
-- &connect_handle,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(result));
-- goto out;
-- }
--
-- init_lsa_String(&domain_name, get_global_sam_name());
--
-- status = dcerpc_samr_LookupDomain(b, mem_ctx,
-- &connect_handle,
-- &domain_name,
-- &domain_sid,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(result));
-- goto out;
-- }
--
-- status = dcerpc_samr_OpenDomain(b, mem_ctx,
-- &connect_handle,
-- SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT,
-- domain_sid,
-- &domain_handle,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(result));
-- goto out;
-- }
--
-- init_lsa_String(&names, user);
--
-- status = dcerpc_samr_LookupNames(b, mem_ctx,
-- &domain_handle,
-- 1,
-- &names,
-- &rids,
-- &types,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(result));
-- goto out;
-- }
--
-- if (rids.count != 1) {
-- errcode = W_ERROR_V(WERR_NO_SUCH_USER);
-- goto out;
-- }
-- if (rids.count != types.count) {
-- errcode = W_ERROR_V(WERR_INVALID_PARAM);
-- goto out;
-- }
-- if (types.ids[0] != SID_NAME_USER) {
-- errcode = W_ERROR_V(WERR_INVALID_PARAM);
-- goto out;
-- }
--
-- rid = rids.ids[0];
--
-- status = dcerpc_samr_OpenUser(b, mem_ctx,
-- &domain_handle,
-- SAMR_USER_ACCESS_CHANGE_PASSWORD,
-- rid,
-- &user_handle,
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(result));
-- goto out;
-- }
--
-- if (encrypted == 0) {
-- E_deshash(pass1, old_lm_hash.hash);
-- E_deshash(pass2, new_lm_hash.hash);
-- } else {
-- ZERO_STRUCT(old_lm_hash);
-- ZERO_STRUCT(new_lm_hash);
-- memcpy(old_lm_hash.hash, pass1, MIN(strlen(pass1), 16));
-- memcpy(new_lm_hash.hash, pass2, MIN(strlen(pass2), 16));
-- }
--
-- status = dcerpc_samr_ChangePasswordUser(b, mem_ctx,
-- &user_handle,
-- true, /* lm_present */
-- &old_lm_hash,
-- &new_lm_hash,
-- false, /* nt_present */
-- NULL, /* old_nt_crypted */
-- NULL, /* new_nt_crypted */
-- false, /* cross1_present */
-- NULL, /* nt_cross */
-- false, /* cross2_present */
-- NULL, /* lm_cross */
-- &result);
-- if (!NT_STATUS_IS_OK(status)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(status));
-- goto out;
-- }
-- if (!NT_STATUS_IS_OK(result)) {
-- errcode = W_ERROR_V(ntstatus_to_werror(result));
-- goto out;
-- }
--
-- errcode = NERR_Success;
-- out:
--
-- if (b && is_valid_policy_hnd(&user_handle)) {
-- dcerpc_samr_Close(b, mem_ctx, &user_handle, &result);
-- }
-- if (b && is_valid_policy_hnd(&domain_handle)) {
-- dcerpc_samr_Close(b, mem_ctx, &domain_handle, &result);
-- }
-- if (b && is_valid_policy_hnd(&connect_handle)) {
-- dcerpc_samr_Close(b, mem_ctx, &connect_handle, &result);
-- }
--
-- memset((char *)pass1,'\0',sizeof(fstring));
-- memset((char *)pass2,'\0',sizeof(fstring));
--
-- SSVAL(*rparam,0,errcode);
-- SSVAL(*rparam,2,0); /* converter word */
-- return(True);
--}
--
--/****************************************************************************
- Set the user password (SamOEM version - gets plaintext).
- ****************************************************************************/
-
-@@ -5797,7 +5544,6 @@ static const struct {
- {"NetServerEnum2", RAP_NetServerEnum2, api_RNetServerEnum2}, /* anon OK */
- {"NetServerEnum3", RAP_NetServerEnum3, api_RNetServerEnum3}, /* anon OK */
- {"WAccessGetUserPerms",RAP_WAccessGetUserPerms,api_WAccessGetUserPerms},
-- {"SetUserPassword", RAP_WUserPasswordSet2, api_SetUserPassword},
- {"WWkstaUserLogon", RAP_WWkstaUserLogon, api_WWkstaUserLogon},
- {"PrintJobInfo", RAP_WPrintJobSetInfo, api_PrintJobInfo},
- {"WPrintDriverEnum", RAP_WPrintDriverEnum, api_WPrintDriverEnum},
-diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
-index 2d9c48a..9d6c921 100644
---- a/source4/rpc_server/samr/samr_password.c
-+++ b/source4/rpc_server/samr/samr_password.c
-@@ -33,150 +33,17 @@
-
- /*
- samr_ChangePasswordUser
-+
-+ So old it is just not worth implementing
-+ because it does not supply a plaintext and so we can't do password
-+ complexity checking and cannot update all the other password hashes.
-+
- */
- NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- struct samr_ChangePasswordUser *r)
- {
-- struct dcesrv_handle *h;
-- struct samr_account_state *a_state;
-- struct ldb_context *sam_ctx;
-- struct ldb_message **res;
-- int ret;
-- struct samr_Password new_lmPwdHash, new_ntPwdHash, checkHash;
-- struct samr_Password *lm_pwd, *nt_pwd;
-- NTSTATUS status = NT_STATUS_OK;
-- const char * const attrs[] = { "dBCSPwd", "unicodePwd" , NULL };
--
-- DCESRV_PULL_HANDLE(h, r->in.user_handle, SAMR_HANDLE_USER);
--
-- a_state = h->data;
--
-- /* basic sanity checking on parameters. Do this before any database ops */
-- if (!r->in.lm_present || !r->in.nt_present ||
-- !r->in.old_lm_crypted || !r->in.new_lm_crypted ||
-- !r->in.old_nt_crypted || !r->in.new_nt_crypted) {
-- /* we should really handle a change with lm not
-- present */
-- return NT_STATUS_INVALID_PARAMETER_MIX;
-- }
--
-- /* Connect to a SAMDB with system privileges for fetching the old pw
-- * hashes. */
-- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
-- dce_call->conn->dce_ctx->lp_ctx,
-- system_session(dce_call->conn->dce_ctx->lp_ctx), 0);
-- if (sam_ctx == NULL) {
-- return NT_STATUS_INVALID_SYSTEM_SERVICE;
-- }
--
-- /* fetch the old hashes */
-- ret = gendb_search_dn(sam_ctx, mem_ctx,
-- a_state->account_dn, &res, attrs);
-- if (ret != 1) {
-- return NT_STATUS_WRONG_PASSWORD;
-- }
--
-- status = samdb_result_passwords(mem_ctx,
-- dce_call->conn->dce_ctx->lp_ctx,
-- res[0], &lm_pwd, &nt_pwd);
-- if (!NT_STATUS_IS_OK(status) || !nt_pwd) {
-- return NT_STATUS_WRONG_PASSWORD;
-- }
--
-- /* decrypt and check the new lm hash */
-- if (lm_pwd) {
-- D_P16(lm_pwd->hash, r->in.new_lm_crypted->hash, new_lmPwdHash.hash);
-- D_P16(new_lmPwdHash.hash, r->in.old_lm_crypted->hash, checkHash.hash);
-- }
--
-- /* decrypt and check the new nt hash */
-- D_P16(nt_pwd->hash, r->in.new_nt_crypted->hash, new_ntPwdHash.hash);
-- D_P16(new_ntPwdHash.hash, r->in.old_nt_crypted->hash, checkHash.hash);
--
-- /* The NT Cross is not required by Win2k3 R2, but if present
-- check the nt cross hash */
-- if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
-- D_P16(lm_pwd->hash, r->in.nt_cross->hash, checkHash.hash);
-- }
--
-- /* The LM Cross is not required by Win2k3 R2, but if present
-- check the lm cross hash */
-- if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
-- D_P16(nt_pwd->hash, r->in.lm_cross->hash, checkHash.hash);
-- }
--
-- /* Start a SAM with user privileges for the password change */
-- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
-- dce_call->conn->dce_ctx->lp_ctx,
-- dce_call->conn->auth_state.session_info, 0);
-- if (sam_ctx == NULL) {
-- return NT_STATUS_INVALID_SYSTEM_SERVICE;
-- }
--
-- /* Start transaction */
-- ret = ldb_transaction_start(sam_ctx);
-- if (ret != LDB_SUCCESS) {
-- DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
-- return NT_STATUS_TRANSACTION_ABORTED;
-- }
--
-- /* Performs the password modification. We pass the old hashes read out
-- * from the database since they were already checked against the user-
-- * provided ones. */
-- status = samdb_set_password(sam_ctx, mem_ctx,
-- a_state->account_dn,
-- a_state->domain_state->domain_dn,
-- NULL, &new_lmPwdHash, &new_ntPwdHash,
-- lm_pwd, nt_pwd, /* this is a user password change */
-- NULL,
-- NULL);
-- if (!NT_STATUS_IS_OK(status)) {
-- ldb_transaction_cancel(sam_ctx);
-- return status;
-- }
--
-- /* decrypt and check the new lm hash */
-- if (lm_pwd) {
-- if (memcmp(checkHash.hash, lm_pwd, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
-- return NT_STATUS_WRONG_PASSWORD;
-- }
-- }
--
-- if (memcmp(checkHash.hash, nt_pwd, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
-- return NT_STATUS_WRONG_PASSWORD;
-- }
--
-- /* The NT Cross is not required by Win2k3 R2, but if present
-- check the nt cross hash */
-- if (r->in.cross1_present && r->in.nt_cross && lm_pwd) {
-- if (memcmp(checkHash.hash, new_ntPwdHash.hash, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
-- return NT_STATUS_WRONG_PASSWORD;
-- }
-- }
--
-- /* The LM Cross is not required by Win2k3 R2, but if present
-- check the lm cross hash */
-- if (r->in.cross2_present && r->in.lm_cross && lm_pwd) {
-- if (memcmp(checkHash.hash, new_lmPwdHash.hash, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
-- return NT_STATUS_WRONG_PASSWORD;
-- }
-- }
--
-- /* And this confirms it in a transaction commit */
-- ret = ldb_transaction_commit(sam_ctx);
-- if (ret != LDB_SUCCESS) {
-- DEBUG(1,("Failed to commit transaction to change password on %s: %s\n",
-- ldb_dn_get_linearized(a_state->account_dn),
-- ldb_errstring(sam_ctx)));
-- return NT_STATUS_TRANSACTION_ABORTED;
-- }
--
-- return NT_STATUS_OK;
-+ return NT_STATUS_NOT_IMPLEMENTED;
- }
-
- /*
-diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
-index a0a5f1a..cdfa2b8 100644
---- a/source4/torture/rpc/samr.c
-+++ b/source4/torture/rpc/samr.c
-@@ -1759,6 +1759,12 @@ static bool test_ChangePasswordUser(struct dcerpc_binding_handle *b,
- torture_comment(tctx, "(%s:%s) old_password[%s] new_password[%s] status[%s]\n",
- __location__, __FUNCTION__,
- oldpass, newpass, nt_errstr(r.out.result));
-+
-+ /* Do not proceed if this call has been removed */
-+ if (NT_STATUS_EQUAL(r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
-+ return true;
-+ }
-+
- if (!NT_STATUS_EQUAL(r.out.result, NT_STATUS_PASSWORD_RESTRICTION)) {
- torture_assert_ntstatus_equal(tctx, r.out.result, NT_STATUS_WRONG_PASSWORD,
- "ChangePasswordUser failed: expected NT_STATUS_WRONG_PASSWORD because we broke the LM hash");
---
-1.7.9.5
-
-
-From b0281ad59d3ba8b32787ce112fb4a83d935c60d1 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett <abartlet@samba.org>
-Date: Thu, 28 Nov 2013 06:50:01 +1300
-Subject: [PATCH 4/4] CVE-2013-4496:Revert remainder of
- ce895609b04380bfc41e4f8fddc84bd2f9324340
-
-Part of this was removed when ChangePasswordUser was unimplemented,
-but remove the remainder of this flawed commit. Fully check the
-password first, as extract_pw_from_buffer() already does a partial
-check of the password because it needs a correct old password to
-correctly decrypt the length.
-
-Andrew Bartlett
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10245
-
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source4/rpc_server/samr/samr_password.c | 69 ++++++++++++++++---------------
- 1 file changed, 35 insertions(+), 34 deletions(-)
-
-diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
-index 9d6c921..685a8e7 100644
---- a/source4/rpc_server/samr/samr_password.c
-+++ b/source4/rpc_server/samr/samr_password.c
-@@ -142,6 +142,9 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
-
- E_deshash(new_pass, new_lm_hash);
- E_old_pw_hash(new_lm_hash, lm_pwd->hash, lm_verifier.hash);
-+ if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
-+ return NT_STATUS_WRONG_PASSWORD;
-+ }
-
- /* Connect to a SAMDB with user privileges for the password change */
- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
-@@ -173,11 +176,6 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
- return status;
- }
-
-- if (memcmp(lm_verifier.hash, r->in.hash->hash, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
-- return NT_STATUS_WRONG_PASSWORD;
-- }
--
- /* And this confirms it in a transaction commit */
- ret = ldb_transaction_commit(sam_ctx);
- if (ret != LDB_SUCCESS) {
-@@ -267,33 +265,8 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
- goto failed;
- }
-
-- /* Connect to a SAMDB with user privileges for the password change */
-- sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
-- dce_call->conn->dce_ctx->lp_ctx,
-- dce_call->conn->auth_state.session_info, 0);
-- if (sam_ctx == NULL) {
-- return NT_STATUS_INVALID_SYSTEM_SERVICE;
-- }
--
-- ret = ldb_transaction_start(sam_ctx);
-- if (ret != LDB_SUCCESS) {
-- DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
-- return NT_STATUS_TRANSACTION_ABORTED;
-- }
--
-- /* Performs the password modification. We pass the old hashes read out
-- * from the database since they were already checked against the user-
-- * provided ones. */
-- status = samdb_set_password(sam_ctx, mem_ctx,
-- user_dn, NULL,
-- &new_password,
-- NULL, NULL,
-- lm_pwd, nt_pwd, /* this is a user password change */
-- &reason,
-- &dominfo);
--
-- if (!NT_STATUS_IS_OK(status)) {
-- ldb_transaction_cancel(sam_ctx);
-+ if (r->in.nt_verifier == NULL) {
-+ status = NT_STATUS_WRONG_PASSWORD;
- goto failed;
- }
-
-@@ -302,7 +275,6 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
-
- E_old_pw_hash(new_nt_hash, nt_pwd->hash, nt_verifier.hash);
- if (memcmp(nt_verifier.hash, r->in.nt_verifier->hash, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
- status = NT_STATUS_WRONG_PASSWORD;
- goto failed;
- }
-@@ -322,13 +294,42 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
- E_deshash(new_pass, new_lm_hash);
- E_old_pw_hash(new_nt_hash, lm_pwd->hash, lm_verifier.hash);
- if (memcmp(lm_verifier.hash, r->in.lm_verifier->hash, 16) != 0) {
-- ldb_transaction_cancel(sam_ctx);
- status = NT_STATUS_WRONG_PASSWORD;
- goto failed;
- }
- }
- }
-
-+ /* Connect to a SAMDB with user privileges for the password change */
-+ sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
-+ dce_call->conn->dce_ctx->lp_ctx,
-+ dce_call->conn->auth_state.session_info, 0);
-+ if (sam_ctx == NULL) {
-+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
-+ }
-+
-+ ret = ldb_transaction_start(sam_ctx);
-+ if (ret != LDB_SUCCESS) {
-+ DEBUG(1, ("Failed to start transaction: %s\n", ldb_errstring(sam_ctx)));
-+ return NT_STATUS_TRANSACTION_ABORTED;
-+ }
-+
-+ /* Performs the password modification. We pass the old hashes read out
-+ * from the database since they were already checked against the user-
-+ * provided ones. */
-+ status = samdb_set_password(sam_ctx, mem_ctx,
-+ user_dn, NULL,
-+ &new_password,
-+ NULL, NULL,
-+ lm_pwd, nt_pwd, /* this is a user password change */
-+ &reason,
-+ &dominfo);
-+
-+ if (!NT_STATUS_IS_OK(status)) {
-+ ldb_transaction_cancel(sam_ctx);
-+ goto failed;
-+ }
-+
- /* And this confirms it in a transaction commit */
- ret = ldb_transaction_commit(sam_ctx);
- if (ret != LDB_SUCCESS) {
---
-1.7.9.5
-
diff --git a/SOURCES/samba-4.1.x-CVE-2013-6442.patch b/SOURCES/samba-4.1.x-CVE-2013-6442.patch
deleted file mode 100644
index 39f53bf..0000000
--- a/SOURCES/samba-4.1.x-CVE-2013-6442.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 82b1dafad17904bc224b0632486006fe88301b57 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 18 Dec 2013 13:56:18 -0800
-Subject: [PATCH] CVE-2013-6442: s3:smbcacls - ensure we don't lose an existing
- ACL when setting owner or group owner.
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10327
-Bug 10327 - CVE-2013-6442: smbcacls --chown | --chgrp dacl regression
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Stefan Metzmacher <metze@samba.org>
----
- source3/utils/smbcacls.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
-index 11b7388..e3b7099 100644
---- a/source3/utils/smbcacls.c
-+++ b/source3/utils/smbcacls.c
-@@ -990,7 +990,7 @@ static int owner_set(struct cli_state *cli, enum chown_mode change_mode,
- return EXIT_FAILED;
- }
-
-- sd = make_sec_desc(talloc_tos(),old->revision, old->type,
-+ sd = make_sec_desc(talloc_tos(),old->revision, SEC_DESC_SELF_RELATIVE,
- (change_mode == REQUEST_CHOWN) ? &sid : NULL,
- (change_mode == REQUEST_CHGRP) ? &sid : NULL,
- NULL, NULL, &sd_size);
---
-1.8.5.1
-
diff --git a/SOURCES/samba-4.2.x-fix_gecos_field_with_samlogon.patch b/SOURCES/samba-4.2.x-fix_gecos_field_with_samlogon.patch
new file mode 100644
index 0000000..c1dfc06
--- /dev/null
+++ b/SOURCES/samba-4.2.x-fix_gecos_field_with_samlogon.patch
@@ -0,0 +1,29894 @@
+From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 4 Sep 2014 12:55:53 +0200
+Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
+ uninitialized.
+
+On my system this gets evaluated to 0 so in the end we detect samba to
+be running cause $childpid is set to 0.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Thu Sep 4 17:09:17 CEST 2014 on sn-devel-104
+
+(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
+Signed-off-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
+Autobuild-Date(v4-1-test): Mon Sep 8 23:19:29 CEST 2014 on sn-devel-104
+---
+ selftest/target/Samba.pm | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
+index ab3851f..b0817fd 100644
+--- a/selftest/target/Samba.pm
++++ b/selftest/target/Samba.pm
+@@ -188,7 +188,12 @@ sub get_interface($)
+ sub cleanup_child($$)
+ {
+ my ($pid, $name) = @_;
+- my $childpid = waitpid($pid, WNOHANG);
++ my $childpid = -1;
++
++ if (defined($pid)) {
++ $childpid = waitpid($pid, WNOHANG);
++ }
++
+ if ($childpid == 0) {
+ } elsif ($childpid < 0) {
+ printf STDERR "%s child process %d isn't here any more\n",
+--
+1.9.3
+
+
+From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 12:33:25 +0200
+Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
+ from cli_credentials_get_unparsed_name()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
+---
+ auth/credentials/credentials.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index e636123..e597809 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
+ const char *name;
+
+ if (bind_dn) {
+- name = talloc_reference(mem_ctx, bind_dn);
++ name = talloc_strdup(mem_ctx, bind_dn);
+ } else {
+ cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
+ if (domain && domain[0]) {
+--
+1.9.3
+
+
+From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 12:33:25 +0200
+Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
+ from cli_credentials_get_principal_and_obtained()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
+---
+ auth/credentials/credentials.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index e597809..7a4b081 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
+ }
+ }
+ *obtained = cred->principal_obtained;
+- return talloc_reference(mem_ctx, cred->principal);
++ return talloc_strdup(mem_ctx, cred->principal);
+ }
+
+ /**
+--
+1.9.3
+
+
+From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 12:52:17 +0200
+Subject: [PATCH 005/249] auth/credentials: add
+ cli_credentials_[set_]callback_data*
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
+---
+ auth/credentials/credentials.c | 11 +++++++++++
+ auth/credentials/credentials.h | 8 ++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 7a4b081..e6a4710 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
+ return cred;
+ }
+
++_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
++ void *callback_data)
++{
++ cred->priv_data = callback_data;
++}
++
++_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
++{
++ return cred->priv_data;
++}
++
+ /**
+ * Create a new anonymous credential
+ * @param mem_ctx TALLOC_CTX parent for credentials structure
+diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
+index dbc014f..0f498ad 100644
+--- a/auth/credentials/credentials.h
++++ b/auth/credentials/credentials.h
+@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
+ bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
+ const char *(*workstation_cb) (struct cli_credentials *));
+
++void cli_credentials_set_callback_data(struct cli_credentials *cred,
++ void *callback_data);
++void *_cli_credentials_callback_data(struct cli_credentials *cred);
++#define cli_credentials_callback_data(_cred, _type) \
++ talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
++#define cli_credentials_callback_data_void(_cred) \
++ _cli_credentials_callback_data(_cred)
++
+ /**
+ * Return attached NETLOGON credentials
+ */
+--
+1.9.3
+
+
+From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:21:14 +0200
+Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()
+
+This is useful for testing.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
+---
+ auth/credentials/credentials.c | 15 +++++++++++++++
+ auth/credentials/credentials.h | 3 +++
+ 2 files changed, 18 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index e6a4710..c1c6993 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
+ return cred->priv_data;
+ }
+
++_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
++ struct cli_credentials *src)
++{
++ struct cli_credentials *dst;
++
++ dst = talloc(mem_ctx, struct cli_credentials);
++ if (dst == NULL) {
++ return NULL;
++ }
++
++ *dst = *src;
++
++ return dst;
++}
++
+ /**
+ * Create a new anonymous credential
+ * @param mem_ctx TALLOC_CTX parent for credentials structure
+diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
+index 0f498ad..1377bfa 100644
+--- a/auth/credentials/credentials.h
++++ b/auth/credentials/credentials.h
+@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
+ #define cli_credentials_callback_data_void(_cred) \
+ _cli_credentials_callback_data(_cred)
+
++struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
++ struct cli_credentials *src);
++
+ /**
+ * Return attached NETLOGON credentials
+ */
+--
+1.9.3
+
+
+From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:20:13 +0200
+Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
+ = NULL;
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
+---
+ source3/utils/ntlm_auth.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index b3bbaa4..a5e0cd2 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
+
+ /* Ask for a password */
+ x_fprintf(x_stdout, "PW\n");
+- credentials->priv_data = NULL;
+
+ manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
+ talloc_steal(credentials, password);
+--
+1.9.3
+
+
+From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:22:10 +0200
+Subject: [PATCH 008/249] s4:torture/shell: simplify
+ cli_credentials_set_password() call
+
+All we want is to avoid a possible callback...
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
+---
+ source4/torture/shell.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/source4/torture/shell.c b/source4/torture/shell.c
+index d6cc94c..aa85da3 100644
+--- a/source4/torture/shell.c
++++ b/source4/torture/shell.c
+@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
+ * stops the credentials system prompting when we use the "auth"
+ * command to display the current auth parameters.
+ */
+- if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
+- cli_credentials_set_password(cmdline_credentials, "",
+- CRED_SPECIFIED);
+- }
++ cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
+
+ while (1) {
+ cline = smb_readline("torture> ", NULL, NULL);
+--
+1.9.3
+
+
+From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:23:08 +0200
+Subject: [PATCH 009/249] s4:torture/gentest: make use of
+ cli_credentials_get_username()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
+---
+ source4/torture/gentest.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
+index 91b60e2..586a25b 100644
+--- a/source4/torture/gentest.c
++++ b/source4/torture/gentest.c
+@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
+
+ printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
+ servers[i].server_name, servers[i].share_name,
+- servers[i].credentials->username, j);
++ cli_credentials_get_username(servers[i].credentials),
++ j);
+
+ cli_credentials_set_workstation(servers[i].credentials,
+ "gentest", CRED_SPECIFIED);
+--
+1.9.3
+
+
+From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:23:41 +0200
+Subject: [PATCH 010/249] s4:torture/rpc: make use of
+ cli_credentials_set_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
+---
+ source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
+ 1 file changed, 16 insertions(+), 20 deletions(-)
+
+diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
+index e0862d2..8203749 100644
+--- a/source4/torture/rpc/schannel.c
++++ b/source4/torture/rpc/schannel.c
+@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
+ torture_assert(torture, join_ctx != NULL,
+ "Failed to join domain with acct_flags=ACB_WSTRUST");
+
+- credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
+- credentials1->netlogon_creds = NULL;
+- credentials2->netlogon_creds = NULL;
++ credentials2 = cli_credentials_shallow_copy(torture, credentials1);
++ cli_credentials_set_netlogon_creds(credentials1, NULL);
++ cli_credentials_set_netlogon_creds(credentials2, NULL);
+
+ status = dcerpc_parse_binding(torture, binding, &b);
+ torture_assert_ntstatus_ok(torture, status, "Bad binding string");
+@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
+ credentials2, torture->ev, torture->lp_ctx);
+ torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
+
+- credentials1->netlogon_creds = NULL;
+- credentials2->netlogon_creds = NULL;
++ cli_credentials_set_netlogon_creds(credentials1, NULL);
++ cli_credentials_set_netlogon_creds(credentials2, NULL);
+
+ torture_comment(torture, "Testing logon on pipe1\n");
+ if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
+@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
+ s->nprocs = torture_setting_int(torture, "nprocs", 4);
+ s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
+
+- s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
+- cmdline_credentials,
+- sizeof(*s->user1_creds));
++ s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
+ tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
+ if (tmp) {
+ cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
+ }
+- s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
+- cmdline_credentials,
+- sizeof(*s->user1_creds));
++ s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
+ tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
+ if (tmp) {
+ cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
+@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
+ cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
+
+ for (i=0; i < s->nprocs; i++) {
+- s->conns[i].s = s;
+- s->conns[i].index = i;
+- s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
+- s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
++ struct cli_credentials *wks = s->wks_creds1;
++
+ if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
+- memcpy(s->conns[i].wks_creds, s->wks_creds2,
+- talloc_get_size(s->conns[i].wks_creds));
++ wks = s->wks_creds2;
+ }
+- s->conns[i].wks_creds->netlogon_creds = NULL;
++
++ s->conns[i].s = s;
++ s->conns[i].index = i;
++ s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
++ cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
+ }
+
+ status = dcerpc_parse_binding(s, binding, &s->b);
+@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
+
+ /* Just as a test, connect with the new creds */
+
+- talloc_free(s->wks_creds1->netlogon_creds);
+- s->wks_creds1->netlogon_creds = NULL;
++ cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
+
+ status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
+ &ndr_table_netlogon,
+--
+1.9.3
+
+
+From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:24:21 +0200
+Subject: [PATCH 011/249] s4:ntlm_auth: make use of
+ cli_credentials_[set_]callback_data*
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
+---
+ source4/utils/ntlm_auth.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
+index c363c9d..136e238 100644
+--- a/source4/utils/ntlm_auth.c
++++ b/source4/utils/ntlm_auth.c
+@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
+ static const char *get_password(struct cli_credentials *credentials)
+ {
+ char *password = NULL;
+-
++ void *cb = cli_credentials_callback_data_void(credentials);
++
+ /* Ask for a password */
+- mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
+- credentials->priv_data = NULL;
++ mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
++ cli_credentials_set_callback_data(credentials, NULL);
+
+ manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
+ return password;
+@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
+ if (state->set_password) {
+ cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
+ } else {
++ void *cb = (void*)(uintptr_t)mux_id;
++ cli_credentials_set_callback_data(creds, cb);
+ cli_credentials_set_password_callback(creds, get_password);
+- creds->priv_data = (void*)(uintptr_t)mux_id;
+ }
+ if (opt_workstation) {
+ cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
+--
+1.9.3
+
+
+From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 12:41:40 +0200
+Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
+---
+ auth/credentials/credentials.c | 1 +
+ auth/credentials/credentials.h | 101 +++-------------------------
+ auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
+ auth/credentials/credentials_krb5.c | 1 +
+ auth/credentials/credentials_ntlm.c | 1 +
+ auth/credentials/credentials_secrets.c | 1 +
+ 6 files changed, 126 insertions(+), 93 deletions(-)
+ create mode 100644 auth/credentials/credentials_internal.h
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index c1c6993..f334465 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -24,6 +24,7 @@
+ #include "includes.h"
+ #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+ #include "auth/credentials/credentials.h"
++#include "auth/credentials/credentials_internal.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "tevent.h"
+ #include "param/param.h"
+diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
+index 1377bfa..cb09dc3 100644
+--- a/auth/credentials/credentials.h
++++ b/auth/credentials/credentials.h
+@@ -25,9 +25,17 @@
+ #include "../lib/util/data_blob.h"
+ #include "librpc/gen_ndr/misc.h"
+
++struct cli_credentials;
+ struct ccache_container;
+ struct tevent_context;
+ struct netlogon_creds_CredentialState;
++struct ldb_context;
++struct ldb_message;
++struct loadparm_context;
++struct ccache_container;
++struct gssapi_creds_container;
++struct smb_krb5_context;
++struct keytab_container;
+
+ /* In order of priority */
+ enum credentials_obtained {
+@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
+ #define CLI_CRED_NTLM_AUTH 0x08
+ #define CLI_CRED_CLEAR_AUTH 0x10 /* TODO: Push cleartext auth with this flag */
+
+-struct cli_credentials {
+- enum credentials_obtained workstation_obtained;
+- enum credentials_obtained username_obtained;
+- enum credentials_obtained password_obtained;
+- enum credentials_obtained domain_obtained;
+- enum credentials_obtained realm_obtained;
+- enum credentials_obtained ccache_obtained;
+- enum credentials_obtained client_gss_creds_obtained;
+- enum credentials_obtained principal_obtained;
+- enum credentials_obtained keytab_obtained;
+- enum credentials_obtained server_gss_creds_obtained;
+-
+- /* Threshold values (essentially a MAX() over a number of the
+- * above) for the ccache and GSS credentials, to ensure we
+- * regenerate/pick correctly */
+-
+- enum credentials_obtained ccache_threshold;
+- enum credentials_obtained client_gss_creds_threshold;
+-
+- const char *workstation;
+- const char *username;
+- const char *password;
+- const char *old_password;
+- const char *domain;
+- const char *realm;
+- const char *principal;
+- char *salt_principal;
+- char *impersonate_principal;
+- char *self_service;
+- char *target_service;
+-
+- const char *bind_dn;
+-
+- /* Allows authentication from a keytab or similar */
+- struct samr_Password *nt_hash;
+-
+- /* Allows NTLM pass-though authentication */
+- DATA_BLOB lm_response;
+- DATA_BLOB nt_response;
+-
+- struct ccache_container *ccache;
+- struct gssapi_creds_container *client_gss_creds;
+- struct keytab_container *keytab;
+- struct gssapi_creds_container *server_gss_creds;
+-
+- const char *(*workstation_cb) (struct cli_credentials *);
+- const char *(*password_cb) (struct cli_credentials *);
+- const char *(*username_cb) (struct cli_credentials *);
+- const char *(*domain_cb) (struct cli_credentials *);
+- const char *(*realm_cb) (struct cli_credentials *);
+- const char *(*principal_cb) (struct cli_credentials *);
+-
+- /* Private handle for the callback routines to use */
+- void *priv_data;
+-
+- struct netlogon_creds_CredentialState *netlogon_creds;
+- enum netr_SchannelType secure_channel_type;
+- int kvno;
+- time_t password_last_changed_time;
+-
+- struct smb_krb5_context *smb_krb5_context;
+-
+- /* We are flagged to get machine account details from the
+- * secrets.ldb when we are asked for a username or password */
+- bool machine_account_pending;
+- struct loadparm_context *machine_account_pending_lp_ctx;
+-
+- /* Is this a machine account? */
+- bool machine_account;
+-
+- /* Should we be trying to use kerberos? */
+- enum credentials_use_kerberos use_kerberos;
+-
+- /* Should we get a forwardable ticket? */
+- enum credentials_krb_forwardable krb_forwardable;
+-
+- /* gensec features which should be used for connections */
+- uint32_t gensec_features;
+-
+- /* Number of retries left before bailing out */
+- int tries;
+-
+- /* Whether any callback is currently running */
+- bool callback_running;
+-};
+-
+-struct ldb_context;
+-struct ldb_message;
+-struct loadparm_context;
+-struct ccache_container;
+-
+-struct gssapi_creds_container;
+-
+ const char *cli_credentials_get_workstation(struct cli_credentials *cred);
+ bool cli_credentials_set_workstation(struct cli_credentials *cred,
+ const char *val,
+diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
+new file mode 100644
+index 0000000..5a3655b
+--- /dev/null
++++ b/auth/credentials/credentials_internal.h
+@@ -0,0 +1,114 @@
++/*
++ samba -- Unix SMB/CIFS implementation.
++
++ Client credentials structure
++
++ Copyright (C) Jelmer Vernooij 2004-2006
++ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++#ifndef __CREDENTIALS_INTERNAL_H__
++#define __CREDENTIALS_INTERNAL_H__
++
++#include "../lib/util/data_blob.h"
++#include "librpc/gen_ndr/misc.h"
++
++struct cli_credentials {
++ enum credentials_obtained workstation_obtained;
++ enum credentials_obtained username_obtained;
++ enum credentials_obtained password_obtained;
++ enum credentials_obtained domain_obtained;
++ enum credentials_obtained realm_obtained;
++ enum credentials_obtained ccache_obtained;
++ enum credentials_obtained client_gss_creds_obtained;
++ enum credentials_obtained principal_obtained;
++ enum credentials_obtained keytab_obtained;
++ enum credentials_obtained server_gss_creds_obtained;
++
++ /* Threshold values (essentially a MAX() over a number of the
++ * above) for the ccache and GSS credentials, to ensure we
++ * regenerate/pick correctly */
++
++ enum credentials_obtained ccache_threshold;
++ enum credentials_obtained client_gss_creds_threshold;
++
++ const char *workstation;
++ const char *username;
++ const char *password;
++ const char *old_password;
++ const char *domain;
++ const char *realm;
++ const char *principal;
++ char *salt_principal;
++ char *impersonate_principal;
++ char *self_service;
++ char *target_service;
++
++ const char *bind_dn;
++
++ /* Allows authentication from a keytab or similar */
++ struct samr_Password *nt_hash;
++
++ /* Allows NTLM pass-though authentication */
++ DATA_BLOB lm_response;
++ DATA_BLOB nt_response;
++
++ struct ccache_container *ccache;
++ struct gssapi_creds_container *client_gss_creds;
++ struct keytab_container *keytab;
++ struct gssapi_creds_container *server_gss_creds;
++
++ const char *(*workstation_cb) (struct cli_credentials *);
++ const char *(*password_cb) (struct cli_credentials *);
++ const char *(*username_cb) (struct cli_credentials *);
++ const char *(*domain_cb) (struct cli_credentials *);
++ const char *(*realm_cb) (struct cli_credentials *);
++ const char *(*principal_cb) (struct cli_credentials *);
++
++ /* Private handle for the callback routines to use */
++ void *priv_data;
++
++ struct netlogon_creds_CredentialState *netlogon_creds;
++ enum netr_SchannelType secure_channel_type;
++ int kvno;
++ time_t password_last_changed_time;
++
++ struct smb_krb5_context *smb_krb5_context;
++
++ /* We are flagged to get machine account details from the
++ * secrets.ldb when we are asked for a username or password */
++ bool machine_account_pending;
++ struct loadparm_context *machine_account_pending_lp_ctx;
++
++ /* Is this a machine account? */
++ bool machine_account;
++
++ /* Should we be trying to use kerberos? */
++ enum credentials_use_kerberos use_kerberos;
++
++ /* Should we get a forwardable ticket? */
++ enum credentials_krb_forwardable krb_forwardable;
++
++ /* gensec features which should be used for connections */
++ uint32_t gensec_features;
++
++ /* Number of retries left before bailing out */
++ int tries;
++
++ /* Whether any callback is currently running */
++ bool callback_running;
++};
++
++#endif /* __CREDENTIALS_INTERNAL_H__ */
+diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
+index ec6a695..489a959 100644
+--- a/auth/credentials/credentials_krb5.c
++++ b/auth/credentials/credentials_krb5.c
+@@ -26,6 +26,7 @@
+ #include "system/gssapi.h"
+ #include "auth/kerberos/kerberos.h"
+ #include "auth/credentials/credentials.h"
++#include "auth/credentials/credentials_internal.h"
+ #include "auth/credentials/credentials_proto.h"
+ #include "auth/credentials/credentials_krb5.h"
+ #include "auth/kerberos/kerberos_credentials.h"
+diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
+index 8f143bf..8c6be39 100644
+--- a/auth/credentials/credentials_ntlm.c
++++ b/auth/credentials/credentials_ntlm.c
+@@ -26,6 +26,7 @@
+ #include "../lib/crypto/crypto.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "auth/credentials/credentials.h"
++#include "auth/credentials/credentials_internal.h"
+
+ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
+ int *flags,
+diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
+index 27ee607..678d167 100644
+--- a/auth/credentials/credentials_secrets.c
++++ b/auth/credentials/credentials_secrets.c
+@@ -28,6 +28,7 @@
+ #include "param/secrets.h"
+ #include "system/filesys.h"
+ #include "auth/credentials/credentials.h"
++#include "auth/credentials/credentials_internal.h"
+ #include "auth/credentials/credentials_proto.h"
+ #include "auth/credentials/credentials_krb5.h"
+ #include "auth/kerberos/kerberos_util.h"
+--
+1.9.3
+
+
+From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 13:39:17 +0200
+Subject: [PATCH 013/249] auth/credentials: get the old password from
+ secrets.tdb
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
+---
+ auth/credentials/credentials_secrets.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
+index 678d167..6c1cded 100644
+--- a/auth/credentials/credentials_secrets.c
++++ b/auth/credentials/credentials_secrets.c
+@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
+ bool secrets_tdb_password_more_recent;
+ time_t secrets_tdb_lct = 0;
+ char *secrets_tdb_password = NULL;
++ char *secrets_tdb_old_password = NULL;
+ char *keystr;
+ char *keystr_upper = NULL;
+ char *secrets_tdb;
+@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
+ if (NT_STATUS_IS_OK(status)) {
+ secrets_tdb_password = (char *)dbuf.dptr;
+ }
++ keystr = talloc_asprintf(tmp_ctx, "%s/%s",
++ SECRETS_MACHINE_PASSWORD_PREV,
++ domain);
++ keystr_upper = strupper_talloc(tmp_ctx, keystr);
++ status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
++ &dbuf);
++ if (NT_STATUS_IS_OK(status)) {
++ secrets_tdb_old_password = (char *)dbuf.dptr;
++ }
+ }
+
+ filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER,
+@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
+ if (secrets_tdb_password_more_recent) {
+ char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
+ cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
++ cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
+ cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
+ cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
+ } else if (!NT_STATUS_IS_OK(status)) {
+--
+1.9.3
+
+
+From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 14:25:54 +0200
+Subject: [PATCH 014/249] auth/credentials: simplify password_tries state
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
+---
+ auth/credentials/credentials.c | 19 ++++++++++++++-----
+ auth/credentials/credentials_internal.h | 2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index f334465..4ac5356 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
+
+ cred->machine_account = false;
+
+- cred->tries = 3;
++ cred->password_tries = 0;
+
+ cred->callback_running = false;
+
+@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
+ enum credentials_obtained obtained)
+ {
+ if (obtained >= cred->password_obtained) {
++ cred->password_tries = 0;
+ cred->password = talloc_strdup(cred, val);
+ if (cred->password) {
+ /* Don't print the actual password in talloc memory dumps */
+@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
+ const char *(*password_cb) (struct cli_credentials *))
+ {
+ if (cred->password_obtained < CRED_CALLBACK) {
++ cred->password_tries = 3;
+ cred->password_cb = password_cb;
+ cred->password_obtained = CRED_CALLBACK;
+ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
+@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
+ if (cred->password_obtained != CRED_CALLBACK_RESULT) {
+ return false;
+ }
+-
+- cred->password_obtained = CRED_CALLBACK;
+
+- cred->tries--;
++ if (cred->password_tries == 0) {
++ return false;
++ }
++
++ cred->password_tries--;
+
+- return (cred->tries > 0);
++ if (cred->password_tries == 0) {
++ return false;
++ }
++
++ cred->password_obtained = CRED_CALLBACK;
++ return true;
+ }
+
+ _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx,
+diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
+index 5a3655b..f2f79b9 100644
+--- a/auth/credentials/credentials_internal.h
++++ b/auth/credentials/credentials_internal.h
+@@ -105,7 +105,7 @@ struct cli_credentials {
+ uint32_t gensec_features;
+
+ /* Number of retries left before bailing out */
+- int tries;
++ uint32_t password_tries;
+
+ /* Whether any callback is currently running */
+ bool callback_running;
+--
+1.9.3
+
+
+From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 31 Jul 2013 14:32:36 +0200
+Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
+ callback
+
+We only do this if it's still CRED_CALLBACK after the callback,
+this allowes the callback to overwrite it.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
+Autobuild-Date(master): Mon Aug 5 09:36:05 CEST 2013 on sn-devel-104
+(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
+---
+ auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
+ 1 file changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 4ac5356..be497bc 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
+ cred->callback_running = true;
+ cred->username = cred->username_cb(cred);
+ cred->callback_running = false;
+- cred->username_obtained = CRED_SPECIFIED;
+- cli_credentials_invalidate_ccache(cred, cred->username_obtained);
++ if (cred->username_obtained == CRED_CALLBACK) {
++ cred->username_obtained = CRED_CALLBACK_RESULT;
++ cli_credentials_invalidate_ccache(cred, cred->username_obtained);
++ }
+ }
+
+ return cred->username;
+@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
+ cred->callback_running = true;
+ cred->principal = cred->principal_cb(cred);
+ cred->callback_running = false;
+- cred->principal_obtained = CRED_SPECIFIED;
+- cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
++ if (cred->principal_obtained == CRED_CALLBACK) {
++ cred->principal_obtained = CRED_CALLBACK_RESULT;
++ cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
++ }
+ }
+
+ if (cred->principal_obtained < cred->username_obtained
+@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
+ cred->callback_running = true;
+ cred->password = cred->password_cb(cred);
+ cred->callback_running = false;
+- cred->password_obtained = CRED_CALLBACK_RESULT;
+- cli_credentials_invalidate_ccache(cred, cred->password_obtained);
++ if (cred->password_obtained == CRED_CALLBACK) {
++ cred->password_obtained = CRED_CALLBACK_RESULT;
++ cli_credentials_invalidate_ccache(cred, cred->password_obtained);
++ }
+ }
+
+ return cred->password;
+@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
+ cred->callback_running = true;
+ cred->domain = cred->domain_cb(cred);
+ cred->callback_running = false;
+- cred->domain_obtained = CRED_SPECIFIED;
+- cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
++ if (cred->domain_obtained == CRED_CALLBACK) {
++ cred->domain_obtained = CRED_CALLBACK_RESULT;
++ cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
++ }
+ }
+
+ return cred->domain;
+@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
+ cred->callback_running = true;
+ cred->realm = cred->realm_cb(cred);
+ cred->callback_running = false;
+- cred->realm_obtained = CRED_SPECIFIED;
+- cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
++ if (cred->realm_obtained == CRED_CALLBACK) {
++ cred->realm_obtained = CRED_CALLBACK_RESULT;
++ cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
++ }
+ }
+
+ return cred->realm;
+@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
+ cred->callback_running = true;
+ cred->workstation = cred->workstation_cb(cred);
+ cred->callback_running = false;
+- cred->workstation_obtained = CRED_SPECIFIED;
++ if (cred->workstation_obtained == CRED_CALLBACK) {
++ cred->workstation_obtained = CRED_CALLBACK_RESULT;
++ }
+ }
+
+ return cred->workstation;
+--
+1.9.3
+
+
+From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:02:59 +0200
+Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
+ connect_dst_pipe().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
+---
+ source3/utils/net_proto.h | 2 +-
+ source3/utils/net_rpc.c | 4 ++--
+ source3/utils/net_rpc_printer.c | 10 +++++-----
+ source3/utils/net_util.c | 4 ++--
+ 4 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
+index 3f99e14..03fb312 100644
+--- a/source3/utils/net_proto.h
++++ b/source3/utils/net_proto.h
+@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
+ const char *server_name);
+ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
+ struct rpc_pipe_client **pp_pipe_hnd,
+- const struct ndr_syntax_id *interface);
++ const struct ndr_interface_table *table);
+ int net_use_krb_machine_account(struct net_context *c);
+ int net_use_machine_account(struct net_context *c);
+ bool net_find_server(struct net_context *c,
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index c5c4d6c..4503f59 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
+
+ /* connect destination PI_SRVSVC */
+ nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
+- &ndr_table_srvsvc.syntax_id);
++ &ndr_table_srvsvc);
+ if (!NT_STATUS_IS_OK(nt_status))
+ return nt_status;
+
+@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
+
+ /* connect destination PI_SRVSVC */
+ nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
+- &ndr_table_srvsvc.syntax_id);
++ &ndr_table_srvsvc);
+ if (!NT_STATUS_IS_OK(nt_status))
+ return nt_status;
+
+diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
+index ba34de1..1e42e6f 100644
+--- a/source3/utils/net_rpc_printer.c
++++ b/source3/utils/net_rpc_printer.c
+@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
+
+ /* connect destination PI_SPOOLSS */
+ nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
+- &ndr_table_spoolss.syntax_id);
++ &ndr_table_spoolss);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
+
+ /* connect destination PI_SPOOLSS */
+ nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
+- &ndr_table_spoolss.syntax_id);
++ &ndr_table_spoolss);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
+ DEBUG(3,("copying printer-drivers\n"));
+
+ nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
+- &ndr_table_spoolss.syntax_id);
++ &ndr_table_spoolss);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
+
+ /* connect destination PI_SPOOLSS */
+ nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
+- &ndr_table_spoolss.syntax_id);
++ &ndr_table_spoolss);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
+
+ /* connect destination PI_SPOOLSS */
+ nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
+- &ndr_table_spoolss.syntax_id);
++ &ndr_table_spoolss);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
+index 9c4a77e..a4282ec 100644
+--- a/source3/utils/net_util.c
++++ b/source3/utils/net_util.c
+@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
+ **/
+ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
+ struct rpc_pipe_client **pp_pipe_hnd,
+- const struct ndr_syntax_id *interface)
++ const struct ndr_interface_table *table)
+ {
+ NTSTATUS nt_status;
+ char *server_name = SMB_STRDUP("127.0.0.1");
+@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
+ return nt_status;
+ }
+
+- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
++ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("couldn't not initialize pipe\n"));
+--
+1.9.3
+
+
+From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:24:42 +0200
+Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
+ cli_rpc_pipe_open_krb5().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
+---
+ source3/rpc_client/cli_pipe.h | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index bf785fb..34ae542 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ const char *domain,
+ struct rpc_pipe_client **presult);
+
+-NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
+- enum dcerpc_transport_t transport,
+- enum dcerpc_AuthLevel auth_level,
+- const char *service_princ,
+- const char *username,
+- const char *password,
+- struct rpc_pipe_client **presult);
+-
+ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *cli,
+ DATA_BLOB *session_key);
+--
+1.9.3
+
+
+From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:08:16 +0200
+Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
+ libnetapi_get_binding_handle().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
+---
+ source3/lib/netapi/cm.c | 4 ++--
+ source3/lib/netapi/file.c | 6 +++---
+ source3/lib/netapi/getdc.c | 6 +++---
+ source3/lib/netapi/netapi_private.h | 3 ++-
+ source3/lib/netapi/netlogon.c | 4 ++--
+ source3/lib/netapi/serverinfo.c | 6 +++---
+ source3/lib/netapi/share.c | 10 +++++-----
+ source3/lib/netapi/shutdown.c | 4 ++--
+ 8 files changed, 22 insertions(+), 21 deletions(-)
+
+diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
+index da3d2e1..c3ae19f 100644
+--- a/source3/lib/netapi/cm.c
++++ b/source3/lib/netapi/cm.c
+@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+
+ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
+ const char *server_name,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct dcerpc_binding_handle **binding_handle)
+ {
+ struct rpc_pipe_client *pipe_cli;
+@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
+
+ *binding_handle = NULL;
+
+- result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
++ result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
+ if (!W_ERROR_IS_OK(result)) {
+ return result;
+ }
+diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
+index 1e406d2..551f9ff 100644
+--- a/source3/lib/netapi/file.c
++++ b/source3/lib/netapi/file.c
+@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
+index 3b26d46..ae976f1 100644
+--- a/source3/lib/netapi/getdc.c
++++ b/source3/lib/netapi/getdc.c
+@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
+ void *buffer;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_netlogon.syntax_id,
++ &ndr_table_netlogon,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
+ void *buffer;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_netlogon.syntax_id,
++ &ndr_table_netlogon,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_netlogon.syntax_id,
++ &ndr_table_netlogon,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
+index 349287b..62aa7ef 100644
+--- a/source3/lib/netapi/netapi_private.h
++++ b/source3/lib/netapi/netapi_private.h
+@@ -30,6 +30,7 @@
+ return fn ## _r(ctx, r);
+
+ struct dcerpc_binding_handle;
++struct ndr_interface_table;
+
+ struct libnetapi_private_ctx {
+ struct {
+@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+ struct rpc_pipe_client **presult);
+ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
+ const char *server_name,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct dcerpc_binding_handle **binding_handle);
+ WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
+ struct rpc_pipe_client *pipe_cli,
+diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
+index a046fb7..136cb48 100644
+--- a/source3/lib/netapi/netlogon.c
++++ b/source3/lib/netapi/netlogon.c
+@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_netlogon.syntax_id,
++ &ndr_table_netlogon,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_netlogon.syntax_id,
++ &ndr_table_netlogon,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
+index 046b693..b2a84d1 100644
+--- a/source3/lib/netapi/serverinfo.c
++++ b/source3/lib/netapi/serverinfo.c
+@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
+index d12fa1c..090e1a9 100644
+--- a/source3/lib/netapi/share.c
++++ b/source3/lib/netapi/share.c
+@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
+ ZERO_STRUCT(info_ctr);
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
+index 78bc2fc..9e1e8e1 100644
+--- a/source3/lib/netapi/shutdown.c
++++ b/source3/lib/netapi/shutdown.c
+@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_initshutdown.syntax_id,
++ &ndr_table_initshutdown,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
+- &ndr_table_initshutdown.syntax_id,
++ &ndr_table_initshutdown,
+ &b);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+--
+1.9.3
+
+
+From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:10:13 +0200
+Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
+ libnetapi_open_pipe().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
+---
+ source3/lib/netapi/cm.c | 8 ++++----
+ source3/lib/netapi/group.c | 18 +++++++++---------
+ source3/lib/netapi/joindomain.c | 10 +++++-----
+ source3/lib/netapi/localgroup.c | 14 +++++++-------
+ source3/lib/netapi/netapi_private.h | 2 +-
+ source3/lib/netapi/user.c | 22 +++++++++++-----------
+ 6 files changed, 37 insertions(+), 37 deletions(-)
+
+diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
+index c3ae19f..dd1f1e3 100644
+--- a/source3/lib/netapi/cm.c
++++ b/source3/lib/netapi/cm.c
+@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
+
+ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+ const char *server_name,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct rpc_pipe_client *result = NULL;
+@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+ return werr;
+ }
+
+- status = pipe_cm_open(ctx, ipc, interface, &result);
++ status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
+- get_pipe_name_from_syntax(talloc_tos(), interface),
++ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+ get_friendly_nt_error_msg(status));
+ return WERR_DEST_NOT_FOUND;
+ }
+@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
+
+ *binding_handle = NULL;
+
+- result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
++ result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
+ if (!W_ERROR_IS_OK(result)) {
+ return result;
+ }
+diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
+index b806fc4..6d9b248 100644
+--- a/source3/lib/netapi/group.c
++++ b/source3/lib/netapi/group.c
+@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
+
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
+index b6fb57a..d8e624f 100644
+--- a/source3/lib/netapi/joindomain.c
++++ b/source3/lib/netapi/joindomain.c
+@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
+ DATA_BLOB session_key;
+
+ werr = libnetapi_open_pipe(ctx, r->in.server,
+- &ndr_table_wkssvc.syntax_id,
++ &ndr_table_wkssvc,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
+ DATA_BLOB session_key;
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_wkssvc.syntax_id,
++ &ndr_table_wkssvc,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_wkssvc.syntax_id,
++ &ndr_table_wkssvc,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
+ DATA_BLOB session_key;
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_wkssvc.syntax_id,
++ &ndr_table_wkssvc,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
+ DATA_BLOB session_key;
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_wkssvc.syntax_id,
++ &ndr_table_wkssvc,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
+index 17cab68..241970d 100644
+--- a/source3/lib/netapi/localgroup.c
++++ b/source3/lib/netapi/localgroup.c
+@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
+ ZERO_STRUCT(alias_handle);
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
+ ZERO_STRUCT(alias_handle);
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
+ ZERO_STRUCT(alias_handle);
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
+ ZERO_STRUCT(alias_handle);
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
+
+ if (r->in.level == 3) {
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
+index 62aa7ef..897cf3d 100644
+--- a/source3/lib/netapi/netapi_private.h
++++ b/source3/lib/netapi/netapi_private.h
+@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
+ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
+ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+ const char *server_name,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult);
+ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
+ const char *server_name,
+diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
+index a971e2d..4a39f69 100644
+--- a/source3/lib/netapi/user.c
++++ b/source3/lib/netapi/user.c
+@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
+ ZERO_STRUCT(user_handle);
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+
+ if (!W_ERROR_IS_OK(werr)) {
+@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
+ }
+
+ werr = libnetapi_open_pipe(ctx, r->in.server_name,
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &pipe_cli);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+--
+1.9.3
+
+
+From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:13:26 +0200
+Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
+ pipe_cm() and friends.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
+---
+ source3/lib/netapi/cm.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
+index dd1f1e3..8551521 100644
+--- a/source3/lib/netapi/cm.c
++++ b/source3/lib/netapi/cm.c
+@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
+ ********************************************************************/
+
+ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct client_pipe_connection *p;
+@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
+
+ if (strequal(ipc_remote_name, p->pipe->desthost)
+ && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
+- interface)) {
++ &table->syntax_id)) {
+ *presult = p->pipe;
+ return NT_STATUS_OK;
+ }
+@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
+
+ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
+ struct client_ipc_connection *ipc,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct client_pipe_connection *p;
+@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
++ status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(p);
+ return status;
+@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
+
+ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
+ struct client_ipc_connection *ipc,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+- if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
++ if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
+ return NT_STATUS_OK;
+ }
+
+- return pipe_cm_connect(ctx, ipc, interface, presult);
++ return pipe_cm_connect(ctx, ipc, table, presult);
+ }
+
+ /********************************************************************
+@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+ return werr;
+ }
+
+- status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
++ status = pipe_cm_open(ctx, ipc, table, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+--
+1.9.3
+
+
+From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:16:59 +0200
+Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_pipe_open_ncalrpc().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
+---
+ source3/librpc/rpc/dcerpc_ep.c | 2 +-
+ source3/rpc_client/cli_pipe.c | 4 ++--
+ source3/rpc_client/cli_pipe.h | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
+index bb080c5..410caa7 100644
+--- a/source3/librpc/rpc/dcerpc_ep.c
++++ b/source3/librpc/rpc/dcerpc_ep.c
+@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
+
+ status = rpc_pipe_open_ncalrpc(tmp_ctx,
+ ncalrpc_sock,
+- &ndr_table_epmapper.syntax_id,
++ &ndr_table_epmapper,
+ &cli);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 385ae25..427b628 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
+ Create a rpc pipe client struct, connecting to a unix domain socket
+ ********************************************************************/
+ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct rpc_pipe_client *result;
+@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- result->abstract_syntax = *abstract_syntax;
++ result->abstract_syntax = table->syntax_id;
+ result->transfer_syntax = ndr_transfer_syntax_ndr;
+
+ result->desthost = get_myname(result);
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 34ae542..3415db0 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult);
+
+ struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
+--
+1.9.3
+
+
+From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 17 May 2013 16:44:05 +0200
+Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_pipe_open_interface().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
+---
+ source3/printing/nt_printing_migrate_internal.c | 2 +-
+ source3/printing/printspoolss.c | 4 +--
+ source3/rpc_server/rpc_ncacn_np.c | 8 +++---
+ source3/rpc_server/rpc_ncacn_np.h | 2 +-
+ source3/smbd/lanman.c | 34 ++++++++++++-------------
+ source3/smbd/reply.c | 2 +-
+ 6 files changed, 26 insertions(+), 26 deletions(-)
+
+diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
+index 200db07f..6bc7ea2 100644
+--- a/source3/printing/nt_printing_migrate_internal.c
++++ b/source3/printing/nt_printing_migrate_internal.c
+@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
+ }
+
+ status = rpc_pipe_open_interface(tmp_ctx,
+- &ndr_table_winreg.syntax_id,
++ &ndr_table_winreg,
+ session_info,
+ NULL,
+ msg_ctx,
+diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
+index fc1e9c1..0507e83 100644
+--- a/source3/printing/printspoolss.c
++++ b/source3/printing/printspoolss.c
+@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
+ * a job id */
+
+ status = rpc_pipe_open_interface(fsp->conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ fsp->conn->session_info,
+ fsp->conn->sconn->remote_address,
+ fsp->conn->sconn->msg_ctx,
+@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
+ rap_jobid_delete(print_file->svcname, print_file->jobid);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
+index b4602a9..7389b3e 100644
+--- a/source3/rpc_server/rpc_ncacn_np.c
++++ b/source3/rpc_server/rpc_ncacn_np.c
+@@ -758,7 +758,7 @@ done:
+ */
+
+ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
+- const struct ndr_syntax_id *syntax,
++ const struct ndr_interface_table *table,
+ const struct auth_session_info *session_info,
+ const struct tsocket_address *remote_address,
+ struct messaging_context *msg_ctx,
+@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
++ pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
+ if (pipe_name == NULL) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
+ switch (pipe_mode) {
+ case RPC_SERVICE_MODE_EMBEDDED:
+ status = rpc_pipe_open_internal(tmp_ctx,
+- syntax, session_info,
++ &table->syntax_id, session_info,
+ remote_address, msg_ctx,
+ &cli);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
+ * to spoolssd. */
+
+ status = rpc_pipe_open_external(tmp_ctx,
+- pipe_name, syntax,
++ pipe_name, &table->syntax_id,
+ session_info,
+ &cli);
+ if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
+index 586d61b..67cd8a1 100644
+--- a/source3/rpc_server/rpc_ncacn_np.h
++++ b/source3/rpc_server/rpc_ncacn_np.h
+@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
+ struct messaging_context *msg_ctx,
+ struct dcerpc_binding_handle **binding_handle);
+ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
+- const struct ndr_syntax_id *syntax,
++ const struct ndr_interface_table *table,
+ const struct auth_session_info *session_info,
+ const struct tsocket_address *remote_address,
+ struct messaging_context *msg_ctx,
+diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
+index d0dae36..3c488ec 100644
+--- a/source3/smbd/lanman.c
++++ b/source3/smbd/lanman.c
+@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
+ }
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
+ }
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
+ return false;
+ }
+
+- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
++ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
+ }
+
+ status = rpc_pipe_open_interface(
+- talloc_tos(), &ndr_table_samr.syntax_id,
++ talloc_tos(), &ndr_table_samr,
+ conn->session_info, conn->sconn->remote_address,
+ conn->sconn->msg_ctx, &samr_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
+ endp = *rdata + *rdata_len;
+
+ status = rpc_pipe_open_interface(
+- talloc_tos(), &ndr_table_samr.syntax_id,
++ talloc_tos(), &ndr_table_samr,
+ conn->session_info, conn->sconn->remote_address,
+ conn->sconn->msg_ctx, &samr_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
+ endp = *rdata + *rdata_len;
+
+ status = rpc_pipe_open_interface(
+- talloc_tos(), &ndr_table_samr.syntax_id,
++ talloc_tos(), &ndr_table_samr,
+ conn->session_info, conn->sconn->remote_address,
+ conn->sconn->msg_ctx, &samr_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
+ memcpy(password.data, data, 516);
+ memcpy(hash.hash, data+516, 16);
+
+- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
++ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
+ p = *rdata;
+ p2 = p + struct_len;
+
+- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
++ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(domain_handle);
+ ZERO_STRUCT(user_handle);
+
+- status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
++ status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
+ queuecnt = 0;
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
+ }
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_srvsvc.syntax_id,
++ &ndr_table_srvsvc,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 3f5b950..eace557 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
+ ZERO_STRUCT(handle);
+
+ status = rpc_pipe_open_interface(conn,
+- &ndr_table_spoolss.syntax_id,
++ &ndr_table_spoolss,
+ conn->session_info,
+ conn->sconn->remote_address,
+ conn->sconn->msg_ctx,
+--
+1.9.3
+
+
+From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:03:23 +0200
+Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
+ cli_rpc_pipe_open_schannel().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
+---
+ source3/auth/auth_domain.c | 2 +-
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/rpc_client/cli_pipe_schannel.c | 4 ++--
+ source3/rpcclient/rpcclient.c | 2 +-
+ source3/utils/net_rpc.c | 2 +-
+ 5 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index 286c75c..a375f11 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
+ if (lp_client_schannel()) {
+ /* We also setup the creds chain in the open_schannel call. */
+ result = cli_rpc_pipe_open_schannel(
+- *cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
++ *cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
+ } else {
+ result = cli_rpc_pipe_open_noauth(
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 3415db0..d17322a 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index c275720..8bc01a5 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+ ****************************************************************************/
+
+ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
++ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
+ &result);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index d204d7f..6b6478e 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ break;
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ ntresult = cli_rpc_pipe_open_schannel(
+- cli, &cmd_entry->table->syntax_id,
++ cli, cmd_entry->table,
+ default_transport,
+ pipe_default_auth_level,
+ get_cmdline_auth_info_domain(auth_info),
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 4503f59..dab9fcd 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
+ &ndr_table_netlogon.syntax_id))) {
+ /* Always try and create an schannel netlogon pipe. */
+ nt_status = cli_rpc_pipe_open_schannel(
+- cli, &table->syntax_id, NCACN_NP,
++ cli, table, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+--
+1.9.3
+
+
+From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:08:33 +0200
+Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
+ cli_rpc_pipe_open_ntlmssp_auth_schannel().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
+---
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/rpc_client/cli_pipe_schannel.c | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index d17322a..7026692 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index 8bc01a5..261a768 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
+ ****************************************************************************/
+
+ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
++ cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
+ &result);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+--
+1.9.3
+
+
+From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:17:24 +0200
+Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
+ cli_rpc_pipe_open_schannel_with_key().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
+---
+ source3/libnet/libnet_join.c | 2 +-
+ source3/rpc_client/cli_pipe.c | 6 +++---
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/rpc_client/cli_pipe_schannel.c | 4 ++--
+ source3/utils/net_rpc_join.c | 4 ++--
+ source3/winbindd/winbindd_cm.c | 8 ++++----
+ 6 files changed, 13 insertions(+), 13 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 1418385..9f47f3b 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
++ cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 427b628..34cef32 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
+ ****************************************************************************/
+
+ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct pipe_auth_data *auth;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open(cli, transport, interface, &result);
++ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ "for domain %s and bound using schannel.\n",
+- get_pipe_name_from_syntax(talloc_tos(), interface),
++ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+ result->desthost, domain));
+
+ *presult = result;
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 7026692..65bfbc8 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index 261a768..784e63f 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
++ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
+ &result);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
++ cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
+ &result);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
+index 56799cd..4b43769 100644
+--- a/source3/utils/net_rpc_join.c
++++ b/source3/utils/net_rpc_join.c
+@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
+ }
+
+ ntret = cli_rpc_pipe_open_schannel_with_key(
+- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
++ cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain, &netlogon_pipe->dc, &pipe_hnd);
+
+@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+ struct rpc_pipe_client *netlogon_schannel_pipe;
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
++ cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
+ &netlogon_schannel_pipe);
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 61917db..f17fc68 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ goto anonymous;
+ }
+ status = cli_rpc_pipe_open_schannel_with_key
+- (conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
++ (conn->cli, &ndr_table_samr, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name, &p_creds, &conn->samr_pipe);
+
+@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ NCACN_IP_TCP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name,
+@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ goto anonymous;
+ }
+ result = cli_rpc_pipe_open_schannel_with_key
+- (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
++ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name, &p_creds, &conn->lsa_pipe);
+
+@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ */
+
+ result = cli_rpc_pipe_open_schannel_with_key(
+- conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
++ conn->cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
+ &conn->netlogon_pipe);
+
+--
+1.9.3
+
+
+From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:29:28 +0200
+Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
+ cli_rpc_pipe_open_noauth().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
+---
+ source3/auth/auth_domain.c | 2 +-
+ source3/client/client.c | 2 +-
+ source3/lib/netapi/cm.c | 2 +-
+ source3/libnet/libnet_join.c | 8 ++++----
+ source3/libsmb/libsmb_dir.c | 2 +-
+ source3/libsmb/libsmb_server.c | 2 +-
+ source3/libsmb/passchange.c | 4 ++--
+ source3/libsmb/trustdom_cache.c | 2 +-
+ source3/libsmb/trusts_util.c | 2 +-
+ source3/rpc_client/cli_pipe.c | 4 ++--
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/rpc_client/cli_pipe_schannel.c | 2 +-
+ source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +-
+ source3/rpcclient/cmd_spoolss.c | 2 +-
+ source3/rpcclient/cmd_test.c | 4 ++--
+ source3/rpcclient/rpcclient.c | 2 +-
+ source3/torture/test_async_echo.c | 2 +-
+ source3/utils/net_ads.c | 2 +-
+ source3/utils/net_rpc.c | 20 ++++++++++----------
+ source3/utils/net_rpc_join.c | 6 +++---
+ source3/utils/net_rpc_shell.c | 2 +-
+ source3/utils/net_rpc_trust.c | 2 +-
+ source3/utils/net_util.c | 8 ++++----
+ source3/utils/netlookup.c | 2 +-
+ source3/utils/smbcacls.c | 7 +++----
+ source3/utils/smbcquotas.c | 2 +-
+ source3/utils/smbtree.c | 2 +-
+ source3/winbindd/winbindd_cm.c | 10 +++++-----
+ 28 files changed, 54 insertions(+), 55 deletions(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index a375f11..54ee5a1 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
+ } else {
+ result = cli_rpc_pipe_open_noauth(
+- *cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
++ *cli, &ndr_table_netlogon, &netlogon_pipe);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+diff --git a/source3/client/client.c b/source3/client/client.c
+index ab46cb8..dafc5f0 100644
+--- a/source3/client/client.c
++++ b/source3/client/client.c
+@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
+ int i;
+ struct dcerpc_binding_handle *b;
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
+ &pipe_hnd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
+index 8551521..1cfdccf 100644
+--- a/source3/lib/netapi/cm.c
++++ b/source3/lib/netapi/cm.c
+@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
++ status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(p);
+ return status;
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 9f47f3b..324c8f3 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
+ goto done;
+ }
+
+- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
+@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+ fstring trust_passwd;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
+
+ /* Open the domain */
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
+@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
+
+ /* Open the domain */
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
+diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
+index 87e10d8..3a07f11 100644
+--- a/source3/libsmb/libsmb_dir.c
++++ b/source3/libsmb/libsmb_dir.c
+@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
+ struct dcerpc_binding_handle *b;
+
+ /* Open the server service pipe */
+- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
+diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
+index d4254da..dff0062 100644
+--- a/source3/libsmb/libsmb_server.c
++++ b/source3/libsmb/libsmb_server.c
+@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ ipc_srv->cli = ipc_cli;
+
+ nt_status = cli_rpc_pipe_open_noauth(
+- ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
++ ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("cli_nt_session_open fail!\n"));
+ errno = ENOTSUP;
+diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
+index 3933833..9736ada 100644
+--- a/source3/libsmb/passchange.c
++++ b/source3/libsmb/passchange.c
+@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
+ * way.
+ */
+ result = cli_rpc_pipe_open_noauth(
+- cli, &ndr_table_samr.syntax_id, &pipe_hnd);
++ cli, &ndr_table_samr, &pipe_hnd);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
+ result = NT_STATUS_UNSUCCESSFUL;
+
+ /* OK, this is ugly, but... try an anonymous pipe. */
+- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
++ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
+ &pipe_hnd);
+
+ if ( NT_STATUS_IS_OK(result) &&
+diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
+index 8789d30..dadc751 100644
+--- a/source3/libsmb/trustdom_cache.c
++++ b/source3/libsmb/trustdom_cache.c
+@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
+
+ /* open the LSARPC_PIPE */
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index 0d039bc..6156ba0 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
+ /* Shouldn't we open this with schannel ? JRA. */
+
+ nt_status = cli_rpc_pipe_open_noauth(
+- cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
++ cli, &ndr_table_netlogon, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
+ dc_name, nt_errstr(nt_status)));
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 34cef32..1137abd 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ ****************************************************************************/
+
+ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
+- interface, presult);
++ &table->syntax_id, presult);
+ }
+
+ /****************************************************************************
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 65bfbc8..9aae61a 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
+ struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
+
+ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index 784e63f..bc672ef 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+ &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+index 335647b..c12cd05 100644
+--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
+ * Now start the NT Domain stuff :-).
+ */
+
+- ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
++ ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
+ remote_machine, nt_errstr(ret)));
+diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
+index 5c499d4..fb011f8 100644
+--- a/source3/rpcclient/cmd_spoolss.c
++++ b/source3/rpcclient/cmd_spoolss.c
+@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
+ if ( !NT_STATUS_IS_OK(nt_status) )
+ return WERR_GENERAL_FAILURE;
+
+- nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
+ &cli2);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ printf("failed to open spoolss pipe on server %s (%s)\n",
+diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
+index 591ae8c..367dc71 100644
+--- a/source3/rpcclient/cmd_test.c
++++ b/source3/rpcclient/cmd_test.c
+@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
+ d_printf("testme\n");
+
+ status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
+- &ndr_table_samr.syntax_id,
++ &ndr_table_samr,
+ &samr_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 6b6478e..e3b35bb 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
+ goto error;
+ }
+
+- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &lsapipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
+diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
+index 6df95dd..f21daa4 100644
+--- a/source3/torture/test_async_echo.c
++++ b/source3/torture/test_async_echo.c
+@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
+ printf("torture_open_connection failed\n");
+ goto fail;
+ }
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
+ &p);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("Could not open echo pipe: %s\n", nt_errstr(status));
+diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
+index 5699943..89eebf3 100644
+--- a/source3/utils/net_ads.c
++++ b/source3/utils/net_ads.c
+@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
+ SAFE_FREE(srv_cn_escaped);
+ SAFE_FREE(printername_escaped);
+
+- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
++ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
+ servername);
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index dab9fcd..69ff14d 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
+ union lsa_PolicyInformation *info = NULL;
+ struct dcerpc_binding_handle *b;
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
+@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
+ c->opt_password, &pipe_hnd);
+ } else {
+ nt_status = cli_rpc_pipe_open_noauth(
+- cli, &table->syntax_id,
++ cli, table,
+ &pipe_hnd);
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
+ NTSTATUS result;
+ enum netr_SchannelType sec_channel_type;
+
+- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
++ result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
+@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
+ NTSTATUS status, result;
+ struct dcerpc_binding_handle *b;
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
+ }
+
+ result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
+@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
+
+ /* Try netr_GetDcName */
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+ &netr);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
+ * Call LsaOpenPolicy and LsaQueryInfo
+ */
+
+- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
+@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
+ return -1;
+ };
+
+- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
+@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
+ return -1;
+ };
+
+- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
+@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
+ /*
+ * Open \PIPE\samr and get needed policy handles
+ */
+- nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
+diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
+index 4b43769..aabbe54 100644
+--- a/source3/utils/net_rpc_join.c
++++ b/source3/utils/net_rpc_join.c
+@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+
+ /* Fetch domain sid */
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
+@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+ }
+
+ /* Create domain user */
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
+@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+
+ /* Now check the whole process from top-to-bottom */
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
+diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
+index 6086066..120cfa6 100644
+--- a/source3/utils/net_rpc_shell.c
++++ b/source3/utils/net_rpc_shell.c
+@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
++ status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_fprintf(stderr, _("Could not open pipe: %s\n"),
+diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
+index 9060700..5e58103 100644
+--- a/source3/utils/net_rpc_trust.c
++++ b/source3/utils/net_rpc_trust.c
+@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+- status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
++ status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
+ nt_errstr(status)));
+diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
+index a4282ec..13a0ef1 100644
+--- a/source3/utils/net_util.c
++++ b/source3/utils/net_util.c
+@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
+
+ ZERO_STRUCT(pol);
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
+@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
+ return nt_status;
+ }
+
+- nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
++ nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("couldn't not initialize pipe\n"));
+@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
+ ZERO_STRUCTP(dc_info);
+ ZERO_STRUCT(pol);
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &pipe_hnd);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
+
+ ZERO_STRUCTP(dc_info);
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
+ &dssetup_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
+diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
+index b66c34e..56d3bfe 100644
+--- a/source3/utils/netlookup.c
++++ b/source3/utils/netlookup.c
+@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
+ }
+
+ nt_status = cli_rpc_pipe_open_noauth(cs->cli,
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ &cs->lsapipe);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
+index 23a1192..f092839 100644
+--- a/source3/utils/smbcacls.c
++++ b/source3/utils/smbcacls.c
+@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
+ goto tcon_fail;
+ }
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &p);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
+ goto tcon_fail;
+ }
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &p);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
+ struct policy_handle handle;
+ NTSTATUS status, result;
+ TALLOC_CTX *frame = talloc_stackframe();
+- const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
+
+ status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+- status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto tdis;
+ }
+diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
+index bf1f95c..2791b93 100644
+--- a/source3/utils/smbcquotas.c
++++ b/source3/utils/smbcquotas.c
+@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
+ NTSTATUS ret;
+ cli_ipc = connect_one("IPC$");
+ ret = cli_rpc_pipe_open_noauth(cli_ipc,
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ &global_pipe_hnd);
+ if (!NT_STATUS_IS_OK(ret)) {
+ return False;
+diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
+index 40b1f09..5c07b12 100644
+--- a/source3/utils/smbtree.c
++++ b/source3/utils/smbtree.c
+@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
+ return False;
+ }
+
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
++ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
+ &pipe_hnd);
+
+ if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index f17fc68..facef64 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
+ DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
+
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+- &ndr_table_dssetup.syntax_id,
++ &ndr_table_dssetup,
+ &cli);
+
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
+
+ no_dssetup:
+ status = cli_rpc_pipe_open_noauth(domain->conn.cli,
+- &ndr_table_lsarpc.syntax_id, &cli);
++ &ndr_table_lsarpc, &cli);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
+@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ anonymous:
+
+ /* Finally fall back to anonymous. */
+- status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
++ status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
+ &conn->samr_pipe);
+
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ anonymous:
+
+ result = cli_rpc_pipe_open_noauth(conn->cli,
+- &ndr_table_lsarpc.syntax_id,
++ &ndr_table_lsarpc,
+ &conn->lsa_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ result = NT_STATUS_PIPE_NOT_AVAILABLE;
+@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ TALLOC_FREE(conn->netlogon_pipe);
+
+ result = cli_rpc_pipe_open_noauth(conn->cli,
+- &ndr_table_netlogon.syntax_id,
++ &ndr_table_netlogon,
+ &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+--
+1.9.3
+
+
+From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:33:03 +0200
+Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
+ cli_rpc_pipe_open_noauth_transport().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
+---
+ source3/rpc_client/cli_pipe.c | 13 +++++++------
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/rpcclient/rpcclient.c | 2 +-
+ 3 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 1137abd..4523ab7 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
+
+ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct rpc_pipe_client *result;
+ struct pipe_auth_data *auth;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open(cli, transport, interface, &result);
++ status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ status = rpc_pipe_bind(result, auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ int lvl = 0;
+- if (ndr_syntax_id_equal(interface,
++ if (ndr_syntax_id_equal(&table->syntax_id,
+ &ndr_table_dssetup.syntax_id)) {
+ /* non AD domains just don't have this pipe, avoid
+ * level 0 statement in that case - gd */
+@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ }
+ DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
+ "%s failed with error %s\n",
+- get_pipe_name_from_syntax(talloc_tos(), interface),
++ get_pipe_name_from_syntax(talloc_tos(),
++ &table->syntax_id),
+ nt_errstr(status) ));
+ TALLOC_FREE(result);
+ return status;
+@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+
+ DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
+ "%s and bound anonymously.\n",
+- get_pipe_name_from_syntax(talloc_tos(), interface),
++ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+ result->desthost));
+
+ *presult = result;
+@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
+ struct rpc_pipe_client **presult)
+ {
+ return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
+- &table->syntax_id, presult);
++ table, presult);
+ }
+
+ /****************************************************************************
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 9aae61a..f37f8a9 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
+
+ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index e3b35bb..c23ff2d 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ case DCERPC_AUTH_TYPE_NONE:
+ ntresult = cli_rpc_pipe_open_noauth_transport(
+ cli, default_transport,
+- &cmd_entry->table->syntax_id,
++ cmd_entry->table,
+ &cmd_entry->rpc_pipe);
+ break;
+ case DCERPC_AUTH_TYPE_SPNEGO:
+--
+1.9.3
+
+
+From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:38:01 +0200
+Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
+ cli_rpc_pipe_open().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
+---
+ source3/rpc_client/cli_pipe.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 4523ab7..4dc7345 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
+
+ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
+- const struct ndr_syntax_id *interface,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ switch (transport) {
+@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
+ return rpc_pipe_open_tcp(NULL,
+ smbXcli_conn_remote_name(cli->conn),
+ smbXcli_conn_remote_sockaddr(cli->conn),
+- interface, presult);
++ &table->syntax_id, presult);
+ case NCACN_NP:
+- return rpc_pipe_open_np(cli, interface, presult);
++ return rpc_pipe_open_np(cli, &table->syntax_id, presult);
+ default:
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ struct pipe_auth_data *auth;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
++ status = cli_rpc_pipe_open(cli, transport, table, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
+
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
++ status = cli_rpc_pipe_open(cli, transport, table, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct pipe_auth_data *auth;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
++ status = cli_rpc_pipe_open(cli, transport, table, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
++ status = cli_rpc_pipe_open(cli, transport, table, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+--
+1.9.3
+
+
+From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:40:45 +0200
+Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_pipe_open_np().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
+---
+ source3/rpc_client/cli_pipe.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 4dc7345..0347d76 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
+ ****************************************************************************/
+
+ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct rpc_pipe_client *result;
+@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- result->abstract_syntax = *abstract_syntax;
++ result->abstract_syntax = table->syntax_id;
+ result->transfer_syntax = ndr_transfer_syntax_ndr;
+ result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
+ result->srv_name_slash = talloc_asprintf_strupper_m(
+@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = rpc_transport_np_init(result, cli, abstract_syntax,
++ status = rpc_transport_np_init(result, cli, &table->syntax_id,
+ &result->transport);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(result);
+@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
+ smbXcli_conn_remote_sockaddr(cli->conn),
+ &table->syntax_id, presult);
+ case NCACN_NP:
+- return rpc_pipe_open_np(cli, &table->syntax_id, presult);
++ return rpc_pipe_open_np(cli, table, presult);
+ default:
+ return NT_STATUS_NOT_IMPLEMENTED;
+ }
+--
+1.9.3
+
+
+From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:44:00 +0200
+Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_pipe_open_tcp().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
+---
+ source3/rpc_client/cli_pipe.c | 8 ++++----
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/torture/rpc_open_tcp.c | 2 +-
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 0347d76..46adf69 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2663,19 +2663,19 @@ done:
+ */
+ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
+ const struct sockaddr_storage *addr,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ NTSTATUS status;
+ uint16_t port = 0;
+
+- status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
++ status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
+- abstract_syntax, presult);
++ &table->syntax_id, presult);
+ }
+
+ /********************************************************************
+@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
+ return rpc_pipe_open_tcp(NULL,
+ smbXcli_conn_remote_name(cli->conn),
+ smbXcli_conn_remote_sockaddr(cli->conn),
+- &table->syntax_id, presult);
++ table, presult);
+ case NCACN_NP:
+ return rpc_pipe_open_np(cli, table, presult);
+ default:
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index f37f8a9..6fcc587 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
+ const char *host,
+ const struct sockaddr_storage *ss_addr,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
+diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
+index d29f4cf..cd27b5f 100644
+--- a/source3/torture/rpc_open_tcp.c
++++ b/source3/torture/rpc_open_tcp.c
+@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
+ }
+
+ status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
+- &((*table)->syntax_id),
++ *table,
+ &rpc_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
+--
+1.9.3
+
+
+From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:46:07 +0200
+Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_pipe_get_tcp_port().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
+---
+ source3/rpc_client/cli_pipe.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 46adf69..15e77db 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
+ */
+ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
+ const struct sockaddr_storage *addr,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ uint16_t *pport)
+ {
+ NTSTATUS status;
+@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
+ goto done;
+ }
+
+- if (ndr_syntax_id_equal(abstract_syntax,
++ if (ndr_syntax_id_equal(&table->syntax_id,
+ &ndr_table_epmapper.syntax_id)) {
+ *pport = 135;
+ return NT_STATUS_OK;
+@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
+ }
+
+ map_binding->transport = NCACN_IP_TCP;
+- map_binding->object = *abstract_syntax;
++ map_binding->object = table->syntax_id;
+ map_binding->host = host; /* needed? */
+ map_binding->endpoint = "0"; /* correct? needed? */
+
+@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
+ status = dcerpc_epm_Map(epm_handle,
+ tmp_ctx,
+ discard_const_p(struct GUID,
+- &(abstract_syntax->uuid)),
++ &(table->syntax_id.uuid)),
+ map_tower,
+ entry_handle,
+ max_towers,
+@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
+ NTSTATUS status;
+ uint16_t port = 0;
+
+- status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
++ status = rpc_pipe_get_tcp_port(host, addr, table, &port);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+--
+1.9.3
+
+
+From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:47:16 +0200
+Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_pipe_open_tcp_port().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
+---
+ source3/rpc_client/cli_pipe.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 15e77db..1b2955f 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
+ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
+ const struct sockaddr_storage *ss_addr,
+ uint16_t port,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_pipe_client **presult)
+ {
+ struct rpc_pipe_client *result;
+@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- result->abstract_syntax = *abstract_syntax;
++ result->abstract_syntax = table->syntax_id;
+ result->transfer_syntax = ndr_transfer_syntax_ndr;
+
+ result->desthost = talloc_strdup(result, host);
+@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
+
+ /* open the connection to the endpoint mapper */
+ status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
+- &ndr_table_epmapper.syntax_id,
++ &ndr_table_epmapper,
+ &epm_pipe);
+
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
+ }
+
+ return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
+- &table->syntax_id, presult);
++ table, presult);
+ }
+
+ /********************************************************************
+--
+1.9.3
+
+
+From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:52:05 +0200
+Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_transport_np_init().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ source3/rpc_client/rpc_transport.h | 2 +-
+ source3/rpc_client/rpc_transport_np.c | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 1b2955f..1fa8d91 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = rpc_transport_np_init(result, cli, &table->syntax_id,
++ status = rpc_transport_np_init(result, cli, table,
+ &result->transport);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(result);
+diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
+index bc115dd..2b4a323 100644
+--- a/source3/rpc_client/rpc_transport.h
++++ b/source3/rpc_client/rpc_transport.h
+@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct rpc_cli_transport **presult);
+ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_cli_transport **presult);
+
+ /* The following definitions come from rpc_client/rpc_transport_sock.c */
+diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
+index f0696ad..7bd1ca3 100644
+--- a/source3/rpc_client/rpc_transport_np.c
++++ b/source3/rpc_client/rpc_transport_np.c
+@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
+ }
+
+ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
+- const struct ndr_syntax_id *abstract_syntax,
++ const struct ndr_interface_table *table,
+ struct rpc_cli_transport **presult)
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
+ goto fail;
+ }
+
+- req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
++ req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
+ if (req == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+--
+1.9.3
+
+
+From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Fri, 24 May 2013 13:56:53 +0200
+Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
+ rpc_transport_np_init_send().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
+---
+ source3/rpc_client/rpc_transport.h | 2 +-
+ source3/rpc_client/rpc_transport_np.c | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
+index 2b4a323..72e7609 100644
+--- a/source3/rpc_client/rpc_transport.h
++++ b/source3/rpc_client/rpc_transport.h
+@@ -84,7 +84,7 @@ struct cli_state;
+ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+- const struct ndr_syntax_id *abstract_syntax);
++ const struct ndr_interface_table *table);
+ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
+ TALLOC_CTX *mem_ctx,
+ struct rpc_cli_transport **presult);
+diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
+index 7bd1ca3..c0f313e 100644
+--- a/source3/rpc_client/rpc_transport_np.c
++++ b/source3/rpc_client/rpc_transport_np.c
+@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
+ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct cli_state *cli,
+- const struct ndr_syntax_id *abstract_syntax)
++ const struct ndr_interface_table *table)
+ {
+ struct tevent_req *req;
+ struct rpc_transport_np_init_state *state;
+@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
+ state->ev = ev;
+ state->cli = cli;
+ state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
+- state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
++ state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
+ if (tevent_req_nomem(state->pipe_name, req)) {
+ return tevent_req_post(req, ev);
+ }
+@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
+ goto fail;
+ }
+
+- req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
++ req = rpc_transport_np_init_send(frame, ev, cli, table);
+ if (req == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+--
+1.9.3
+
+
+From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 24 Sep 2008 11:04:42 +0200
+Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
+---
+ source3/librpc/idl/libnet_join.idl | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
+index 4f28bb6..ac0a350 100644
+--- a/source3/librpc/idl/libnet_join.idl
++++ b/source3/librpc/idl/libnet_join.idl
+@@ -21,6 +21,7 @@ interface libnetjoin
+ [in,ref] string *domain_name,
+ [in] string account_ou,
+ [in] string admin_account,
++ [in] string admin_domain,
+ [in,noprint] string admin_password,
+ [in] string machine_password,
+ [in] wkssvc_joinflags join_flags,
+@@ -51,6 +52,7 @@ interface libnetjoin
+ [in] string domain_name,
+ [in] string account_ou,
+ [in] string admin_account,
++ [in] string admin_domain,
+ [in,noprint] string admin_password,
+ [in] string machine_password,
+ [in] wkssvc_joinflags unjoin_flags,
+--
+1.9.3
+
+
+From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 24 Sep 2008 11:05:37 +0200
+Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
+---
+ source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
+ 1 file changed, 26 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 324c8f3..2253079 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
+
+ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
+ const char *user,
++ const char *domain,
+ const char *pass,
+ bool use_kerberos,
+ struct cli_state **cli)
+@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
+ NULL, 0,
+ "IPC$", "IPC",
+ user,
+- NULL,
++ domain,
+ pass,
+ flags,
+ SMB_SIGNING_DEFAULT);
+@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
+
+ status = libnet_join_connect_dc_ipc(r->in.dc_name,
+ r->in.admin_account,
++ r->in.admin_domain,
+ r->in.admin_password,
+ r->in.use_kerberos,
+ cli);
+@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
+
+ status = libnet_join_connect_dc_ipc(r->in.dc_name,
+ r->in.admin_account,
++ r->in.admin_domain,
+ r->in.admin_password,
+ r->in.use_kerberos,
+ &cli);
+@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
+ return WERR_SETUP_DOMAIN_CONTROLLER;
+ }
+
++ if (!r->in.admin_domain) {
++ char *admin_domain = NULL;
++ char *admin_account = NULL;
++ split_domain_user(mem_ctx,
++ r->in.admin_account,
++ &admin_domain,
++ &admin_account);
++ r->in.admin_domain = admin_domain;
++ r->in.admin_account = admin_account;
++ }
++
+ if (!secrets_init()) {
+ libnet_join_set_error_string(mem_ctx, r,
+ "Unable to open secrets database");
+@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
+ return WERR_SETUP_DOMAIN_CONTROLLER;
+ }
+
++ if (!r->in.admin_domain) {
++ char *admin_domain = NULL;
++ char *admin_account = NULL;
++ split_domain_user(mem_ctx,
++ r->in.admin_account,
++ &admin_domain,
++ &admin_account);
++ r->in.admin_domain = admin_domain;
++ r->in.admin_account = admin_account;
++ }
++
+ if (!secrets_init()) {
+ libnet_unjoin_set_error_string(mem_ctx, r,
+ "Unable to open secrets database");
+--
+1.9.3
+
+
+From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 6 Nov 2008 11:40:03 +0100
+Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
+---
+ source3/libnet/libnet_join.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 2253079..b731d9b 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
+ return WERR_INVALID_PARAM;
+ }
+
++ if (strlen(r->in.machine_name) > 15) {
++ libnet_join_set_error_string(mem_ctx, r,
++ "Our netbios name can be at most 15 chars long, "
++ "\"%s\" is %u chars long\n",
++ r->in.machine_name,
++ (unsigned int)strlen(r->in.machine_name));
++ return WERR_INVALID_PARAM;
++ }
++
+ if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
+ &r->in.domain_name,
+ &r->in.dc_name)) {
+--
+1.9.3
+
+
+From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 6 Nov 2008 13:37:45 +0100
+Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
+ libnetjoin.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
+---
+ source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
+ 1 file changed, 84 insertions(+), 98 deletions(-)
+
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 69ff14d..720e9d2 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -37,6 +37,8 @@
+ #include "secrets.h"
+ #include "lib/netapi/netapi.h"
+ #include "lib/netapi/netapi_net.h"
++#include "librpc/gen_ndr/libnet_join.h"
++#include "libnet/libnet_join.h"
+ #include "rpc_client/init_lsa.h"
+ #include "../libcli/security/security.h"
+ #include "libsmb/libsmb.h"
+@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
+ }
+
+ /**
+- * Join a domain, the old way.
++ * Join a domain, the old way. This function exists to allow
++ * the message to be displayed when oldjoin was explicitly
++ * requested, but not when it was implied by "net rpc join".
+ *
+ * This uses 'machinename' as the inital password, and changes it.
+ *
+ * The password should be created with 'server manager' or equiv first.
+ *
+- * All parameters are provided by the run_rpc_command function, except for
+- * argc, argv which are passed through.
+- *
+- * @param domain_sid The domain sid acquired from the remote server.
+- * @param cli A cli_state connected to the server.
+- * @param mem_ctx Talloc context, destroyed on completion of the function.
+ * @param argc Standard main() style argc.
+ * @param argv Standard main() style argv. Initial components are already
+ * stripped.
+ *
+- * @return Normal NTSTATUS return.
++ * @return A shell status integer (0 for success).
+ **/
+
+-static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
+- const struct dom_sid *domain_sid,
+- const char *domain_name,
+- struct cli_state *cli,
+- struct rpc_pipe_client *pipe_hnd,
+- TALLOC_CTX *mem_ctx,
+- int argc,
+- const char **argv)
++static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
+ {
++ struct libnet_JoinCtx *r = NULL;
++ TALLOC_CTX *mem_ctx;
++ WERROR werr;
++ const char *domain = lp_workgroup(); /* FIXME */
++ bool modify_config = lp_config_backend_is_registry();
++ enum netr_SchannelType sec_chan_type;
++ char *pw = NULL;
+
+- fstring trust_passwd;
+- unsigned char orig_trust_passwd_hash[16];
+- NTSTATUS result;
+- enum netr_SchannelType sec_channel_type;
++ if (c->display_usage) {
++ d_printf("Usage:\n"
++ "net rpc oldjoin\n"
++ " Join a domain the old way\n");
++ return 0;
++ }
+
+- result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+- &pipe_hnd);
+- if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
+- "error was %s\n",
+- smbXcli_conn_remote_name(cli->conn),
+- nt_errstr(result) ));
+- return result;
++ mem_ctx = talloc_init("net_rpc_oldjoin");
++ if (!mem_ctx) {
++ return -1;
++ }
++
++ werr = libnet_init_JoinCtx(mem_ctx, &r);
++ if (!W_ERROR_IS_OK(werr)) {
++ goto fail;
+ }
+
+ /*
+@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
+ a BDC, the server must agree that we are a BDC.
+ */
+ if (argc >= 0) {
+- sec_channel_type = get_sec_channel_type(argv[0]);
++ sec_chan_type = get_sec_channel_type(argv[0]);
+ } else {
+- sec_channel_type = get_sec_channel_type(NULL);
++ sec_chan_type = get_sec_channel_type(NULL);
+ }
+
+- fstrcpy(trust_passwd, lp_netbios_name());
+- if (!strlower_m(trust_passwd)) {
+- return NT_STATUS_UNSUCCESSFUL;
++ if (!c->msg_ctx) {
++ d_fprintf(stderr, _("Could not initialise message context. "
++ "Try running as root\n"));
++ werr = WERR_ACCESS_DENIED;
++ goto fail;
+ }
+
+- /*
+- * Machine names can be 15 characters, but the max length on
+- * a password is 14. --jerry
+- */
+-
+- trust_passwd[14] = '\0';
+-
+- E_md4hash(trust_passwd, orig_trust_passwd_hash);
+-
+- result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
+- lp_netbios_name(),
+- orig_trust_passwd_hash,
+- sec_channel_type);
+-
+- if (NT_STATUS_IS_OK(result))
+- printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
++ pw = talloc_strndup(r, lp_netbios_name(), 14);
++ if (pw == NULL) {
++ werr = WERR_NOMEM;
++ goto fail;
++ }
+
++ r->in.msg_ctx = c->msg_ctx;
++ r->in.domain_name = domain;
++ r->in.secure_channel_type = sec_chan_type;
++ r->in.dc_name = c->opt_host;
++ r->in.admin_account = "";
++ r->in.admin_password = strlower_talloc(r, pw);
++ if (r->in.admin_password == NULL) {
++ werr = WERR_NOMEM;
++ goto fail;
++ }
++ r->in.debug = true;
++ r->in.modify_config = modify_config;
++ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
++ WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
++ WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
+
+- if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
+- DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
+- result = NT_STATUS_UNSUCCESSFUL;
++ werr = libnet_Join(mem_ctx, r);
++ if (!W_ERROR_IS_OK(werr)) {
++ goto fail;
+ }
+
+- return result;
+-}
++ /* Check the short name of the domain */
+
+-/**
+- * Join a domain, the old way.
+- *
+- * @param argc Standard main() style argc.
+- * @param argv Standard main() style argv. Initial components are already
+- * stripped.
+- *
+- * @return A shell status integer (0 for success).
+- **/
++ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
++ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
++ d_printf("domain name obtained from the server.\n");
++ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
++ d_printf("You should set \"workgroup = %s\" in %s.\n",
++ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
++ }
+
+-static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
+-{
+- return run_rpc_command(c, NULL, &ndr_table_netlogon,
+- NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
+- rpc_oldjoin_internals,
+- argc, argv);
+-}
++ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
+
+-/**
+- * Join a domain, the old way. This function exists to allow
+- * the message to be displayed when oldjoin was explicitly
+- * requested, but not when it was implied by "net rpc join".
+- *
+- * @param argc Standard main() style argc.
+- * @param argv Standard main() style argv. Initial components are already
+- * stripped.
+- *
+- * @return A shell status integer (0 for success).
+- **/
++ if (r->out.dns_domain_name) {
++ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
++ r->out.dns_domain_name);
++ } else {
++ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
++ r->out.netbios_domain_name);
++ }
+
+-static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
+-{
+- int rc = -1;
++ TALLOC_FREE(mem_ctx);
+
+- if (c->display_usage) {
+- d_printf( "%s\n"
+- "net rpc oldjoin\n"
+- " %s\n",
+- _("Usage:"),
+- _("Join a domain the old way"));
+- return 0;
+- }
++ return 0;
+
+- rc = net_rpc_perform_oldjoin(c, argc, argv);
++fail:
++ /* issue an overall failure message at the end. */
++ d_fprintf(stderr, _("Failed to join domain: %s\n"),
++ r && r->out.error_string ? r->out.error_string :
++ get_friendly_werror_msg(werr));
+
+- if (rc) {
+- d_fprintf(stderr, _("Failed to join domain\n"));
+- }
++ TALLOC_FREE(mem_ctx);
+
+- return rc;
++ return -1;
+ }
+
+ /**
+@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
+ return -1;
+ }
+
+- if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
++ if ((net_rpc_oldjoin(c, argc, argv) == 0))
+ return 0;
+
+ return net_rpc_join_newstyle(c, argc, argv);
+--
+1.9.3
+
+
+From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 13 Jun 2013 19:12:27 +0200
+Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
+ libnet_join_joindomain_rpc_unsecure()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
+---
+ source3/libnet/libnet_join.c | 15 +--------------
+ 1 file changed, 1 insertion(+), 14 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index b731d9b..d8ec235 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *pipe_hnd = NULL;
+ unsigned char orig_trust_passwd_hash[16];
+ unsigned char new_trust_passwd_hash[16];
+- fstring trust_passwd;
+ NTSTATUS status;
+
+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+ E_md4hash(r->in.machine_password, new_trust_passwd_hash);
+
+ /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
+- fstrcpy(trust_passwd, r->in.admin_password);
+- if (!strlower_m(trust_passwd)) {
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- /*
+- * Machine names can be 15 characters, but the max length on
+- * a password is 14. --jerry
+- */
+-
+- trust_passwd[14] = '\0';
+-
+- E_md4hash(trust_passwd, orig_trust_passwd_hash);
++ E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
+
+ status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
+ r->in.machine_name,
+--
+1.9.3
+
+
+From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 3 Feb 2009 20:10:05 +0100
+Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
+---
+ source3/utils/net_proto.h | 2 +-
+ source3/utils/net_rpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
+ source3/utils/net_rpc_join.c | 29 -------------------
+ 3 files changed, 67 insertions(+), 30 deletions(-)
+
+diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
+index 03fb312..d791708 100644
+--- a/source3/utils/net_proto.h
++++ b/source3/utils/net_proto.h
+@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
+ int argc,
+ const char **argv);
+ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
++int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
+ int net_rpc_join(struct net_context *c, int argc, const char **argv);
+ NTSTATUS rpc_info_internals(struct net_context *c,
+ const struct dom_sid *domain_sid,
+@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
+ const char *server,
+ const struct sockaddr_storage *server_ss);
+ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
+-int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
+
+ /* The following definitions come from utils/net_rpc_printer.c */
+
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 720e9d2..592be44 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -438,6 +438,72 @@ fail:
+ }
+
+ /**
++ * check that a join is OK
++ *
++ * @return A shell status integer (0 for success)
++ *
++ **/
++int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
++{
++ NTSTATUS status;
++ TALLOC_CTX *mem_ctx;
++ const char *domain = c->opt_target_workgroup;
++ const char *dc = c->opt_host;
++
++ if (c->display_usage) {
++ d_printf("Usage\n"
++ "net rpc testjoin\n"
++ " Test if a join is OK\n");
++ return 0;
++ }
++
++ mem_ctx = talloc_init("net_rpc_testjoin");
++ if (!mem_ctx) {
++ return -1;
++ }
++
++ if (!dc) {
++ struct netr_DsRGetDCNameInfo *info;
++
++ if (!c->msg_ctx) {
++ d_fprintf(stderr, _("Could not initialise message context. "
++ "Try running as root\n"));
++ talloc_destroy(mem_ctx);
++ return -1;
++ }
++
++ status = dsgetdcname(mem_ctx,
++ c->msg_ctx,
++ domain,
++ NULL,
++ NULL,
++ DS_RETURN_DNS_NAME,
++ &info);
++ if (!NT_STATUS_IS_OK(status)) {
++ talloc_destroy(mem_ctx);
++ return -1;
++ }
++
++ dc = strip_hostname(info->dc_unc);
++ }
++
++ /* Display success or failure */
++ status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
++ c->opt_kerberos);
++ if (!NT_STATUS_IS_OK(status)) {
++ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
++ domain, nt_errstr(status));
++ talloc_destroy(mem_ctx);
++ return -1;
++ }
++
++ printf("Join to '%s' is OK\n",domain);
++ talloc_destroy(mem_ctx);
++
++ return 0;
++}
++
++/**
+ * 'net rpc join' entrypoint.
+ * @param argc Standard main() style argc.
+ * @param argv Standard main() style argv. Initial components are already
+diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
+index aabbe54..ee39a5c 100644
+--- a/source3/utils/net_rpc_join.c
++++ b/source3/utils/net_rpc_join.c
+@@ -561,32 +561,3 @@ done:
+
+ return retval;
+ }
+-
+-/**
+- * check that a join is OK
+- *
+- * @return A shell status integer (0 for success)
+- *
+- **/
+-int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
+-{
+- NTSTATUS nt_status;
+-
+- if (c->display_usage) {
+- d_printf(_("Usage\n"
+- "net rpc testjoin\n"
+- " Test if a join is OK\n"));
+- return 0;
+- }
+-
+- /* Display success or failure */
+- nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
+- if (!NT_STATUS_IS_OK(nt_status)) {
+- fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
+- c->opt_target_workgroup, nt_errstr(nt_status));
+- return -1;
+- }
+-
+- printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
+- return 0;
+-}
+--
+1.9.3
+
+
+From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 3 Feb 2009 20:21:05 +0100
+Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
+---
+ source3/utils/net_proto.h | 8 +---
+ source3/utils/net_rpc.c | 106 ++++++++++++++++++++++++++++++++++++++++++++++
+ source3/wscript_build | 2 +-
+ 3 files changed, 108 insertions(+), 8 deletions(-)
+
+diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
+index d791708..1809ba9 100644
+--- a/source3/utils/net_proto.h
++++ b/source3/utils/net_proto.h
+@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
+ const char **argv);
+ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
+ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
++int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
+ int net_rpc_join(struct net_context *c, int argc, const char **argv);
+ NTSTATUS rpc_info_internals(struct net_context *c,
+ const struct dom_sid *domain_sid,
+@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
+
+ int net_rpc_audit(struct net_context *c, int argc, const char **argv);
+
+-/* The following definitions come from utils/net_rpc_join.c */
+-
+-NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
+- const char *server,
+- const struct sockaddr_storage *server_ss);
+-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
+-
+ /* The following definitions come from utils/net_rpc_printer.c */
+
+ NTSTATUS net_copy_fileattr(struct net_context *c,
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 592be44..6358460 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
+ }
+
+ /**
++ * Join a domain using the administrator username and password
++ *
++ * @param argc Standard main() style argc
++ * @param argc Standard main() style argv. Initial components are already
++ * stripped. Currently not used.
++ * @return A shell status integer (0 for success)
++ *
++ **/
++
++int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
++{
++ struct libnet_JoinCtx *r = NULL;
++ TALLOC_CTX *mem_ctx;
++ WERROR werr;
++ const char *domain = lp_workgroup(); /* FIXME */
++ bool modify_config = lp_config_backend_is_registry();
++ enum netr_SchannelType sec_chan_type;
++
++ if (c->display_usage) {
++ d_printf("Usage:\n"
++ "net rpc join\n"
++ " Join a domain the new way\n");
++ return 0;
++ }
++
++ mem_ctx = talloc_init("net_rpc_join_newstyle");
++ if (!mem_ctx) {
++ return -1;
++ }
++
++ werr = libnet_init_JoinCtx(mem_ctx, &r);
++ if (!W_ERROR_IS_OK(werr)) {
++ goto fail;
++ }
++
++ /*
++ check what type of join - if the user want's to join as
++ a BDC, the server must agree that we are a BDC.
++ */
++ if (argc >= 0) {
++ sec_chan_type = get_sec_channel_type(argv[0]);
++ } else {
++ sec_chan_type = get_sec_channel_type(NULL);
++ }
++
++ if (!c->msg_ctx) {
++ d_fprintf(stderr, _("Could not initialise message context. "
++ "Try running as root\n"));
++ werr = WERR_ACCESS_DENIED;
++ goto fail;
++ }
++
++ r->in.msg_ctx = c->msg_ctx;
++ r->in.domain_name = domain;
++ r->in.secure_channel_type = sec_chan_type;
++ r->in.dc_name = c->opt_host;
++ r->in.admin_account = c->opt_user_name;
++ r->in.admin_password = net_prompt_pass(c, c->opt_user_name);
++ r->in.debug = true;
++ r->in.use_kerberos = c->opt_kerberos;
++ r->in.modify_config = modify_config;
++ r->in.join_flags = WKSSVC_JOIN_FLAGS_JOIN_TYPE |
++ WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
++ WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
++
++ werr = libnet_Join(mem_ctx, r);
++ if (!W_ERROR_IS_OK(werr)) {
++ goto fail;
++ }
++
++ /* Check the short name of the domain */
++
++ if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
++ d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
++ d_printf("domain name obtained from the server.\n");
++ d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
++ d_printf("You should set \"workgroup = %s\" in %s.\n",
++ r->out.netbios_domain_name, get_dyn_CONFIGFILE());
++ }
++
++ d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
++
++ if (r->out.dns_domain_name) {
++ d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
++ r->out.dns_domain_name);
++ } else {
++ d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
++ r->out.netbios_domain_name);
++ }
++
++ TALLOC_FREE(mem_ctx);
++
++ return 0;
++
++fail:
++ /* issue an overall failure message at the end. */
++ d_printf("Failed to join domain: %s\n",
++ r && r->out.error_string ? r->out.error_string :
++ get_friendly_werror_msg(werr));
++
++ TALLOC_FREE(mem_ctx);
++
++ return -1;
++}
++
++/**
+ * 'net rpc join' entrypoint.
+ * @param argc Standard main() style argc.
+ * @param argv Standard main() style argv. Initial components are already
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 9461b05..0bf84e2 100755
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
+
+ NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
+ utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
+- utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
++ utils/net_time.c utils/net_lookup.c
+ utils/net_cache.c utils/net_groupmap.c
+ utils/net_idmap.c utils/net_idmap_check.c
+ utils/interact.c
+--
+1.9.3
+
+
+From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 15 Jul 2013 13:28:34 +0200
+Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
+ if NET_FLAGS_EXPECT_FALLBACK is passed
+
+"net rpc join" tries net_rpc_oldjoin() first and falls back to
+net_rpc_join_newstyle(). We should not print the join failed
+if just net_rpc_oldjoin() failed.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
+---
+ source3/utils/net.h | 1 +
+ source3/utils/net_proto.h | 1 -
+ source3/utils/net_rpc.c | 15 +++++++++++++--
+ 3 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/source3/utils/net.h b/source3/utils/net.h
+index 2056d89..e97734a 100644
+--- a/source3/utils/net.h
++++ b/source3/utils/net.h
+@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
+ #define NET_FLAGS_SIGN 0x00000040 /* sign RPC connection */
+ #define NET_FLAGS_SEAL 0x00000080 /* seal RPC connection */
+ #define NET_FLAGS_TCP 0x00000100 /* use ncacn_ip_tcp */
++#define NET_FLAGS_EXPECT_FALLBACK 0x00000200 /* the caller will fallback */
+
+ /* net share operation modes */
+ #define NET_MODE_SHARE_MIGRATE 1
+diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
+index 1809ba9..25e9db2 100644
+--- a/source3/utils/net_proto.h
++++ b/source3/utils/net_proto.h
+@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
+ const char **argv);
+ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
+ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
+-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
+ int net_rpc_join(struct net_context *c, int argc, const char **argv);
+ NTSTATUS rpc_info_internals(struct net_context *c,
+ const struct dom_sid *domain_sid,
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 6358460..dff8801 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
+ return 0;
+
+ fail:
++ if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
++ goto cleanup;
++ }
++
+ /* issue an overall failure message at the end. */
+ d_fprintf(stderr, _("Failed to join domain: %s\n"),
+ r && r->out.error_string ? r->out.error_string :
+ get_friendly_werror_msg(werr));
+
++cleanup:
+ TALLOC_FREE(mem_ctx);
+
+ return -1;
+@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
+ *
+ **/
+
+-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
++static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+ {
+ struct libnet_JoinCtx *r = NULL;
+ TALLOC_CTX *mem_ctx;
+@@ -623,6 +628,8 @@ fail:
+
+ int net_rpc_join(struct net_context *c, int argc, const char **argv)
+ {
++ int ret;
++
+ if (c->display_usage) {
+ d_printf("%s\n%s",
+ _("Usage:"),
+@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
+ return -1;
+ }
+
+- if ((net_rpc_oldjoin(c, argc, argv) == 0))
++ c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
++ ret = net_rpc_oldjoin(c, argc, argv);
++ c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
++ if (ret == 0) {
+ return 0;
++ }
+
+ return net_rpc_join_newstyle(c, argc, argv);
+ }
+--
+1.9.3
+
+
+From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 16 Jul 2013 10:07:30 +0200
+Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
+ without AES support
+
+LogonGetCapabilities() only works on the credential chain if
+the server supports AES, so we need to work on a temporary copy
+until we know the server replied a valid return authenticator.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
+---
+ source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
+index 1480486..130ebeb 100644
+--- a/source4/librpc/rpc/dcerpc_schannel.c
++++ b/source4/librpc/rpc/dcerpc_schannel.c
+@@ -385,6 +385,7 @@ struct auth_schannel_state {
+ struct loadparm_context *lp_ctx;
+ uint8_t auth_level;
+ struct netlogon_creds_CredentialState *creds_state;
++ struct netlogon_creds_CredentialState save_creds_state;
+ struct netr_Authenticator auth;
+ struct netr_Authenticator return_auth;
+ union netr_Capabilities capabilities;
+@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
+ s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
+ if (composite_nomem(s->creds_state, c)) return;
+
+- netlogon_creds_client_authenticator(s->creds_state, &s->auth);
++ s->save_creds_state = *s->creds_state;
++ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
+
+ s->c.in.server_name = talloc_asprintf(c,
+ "\\\\%s",
+@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
+ }
+
+ /* verify credentials */
+- if (!netlogon_creds_client_check(s->creds_state,
++ if (!netlogon_creds_client_check(&s->save_creds_state,
+ &s->c.out.return_authenticator->cred)) {
+ composite_error(c, NT_STATUS_UNSUCCESSFUL);
+ return;
+ }
+
++ *s->creds_state = s->save_creds_state;
++
+ if (!NT_STATUS_IS_OK(s->c.out.result)) {
+ composite_error(c, s->c.out.result);
+ return;
+--
+1.9.3
+
+
+From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 22 Mar 2013 15:07:10 +0100
+Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
+---
+ source3/rpcclient/rpcclient.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index c23ff2d..9bf296e 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+
+ /* Create mem_ctx */
+
+- if (!(mem_ctx = talloc_init("do_cmd"))) {
++ if (!(mem_ctx = talloc_stackframe())) {
+ DEBUG(0, ("talloc_init() failed\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ "auth type %u\n",
+ cmd_entry->table->name,
+ pipe_default_auth_type ));
++ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (!NT_STATUS_IS_OK(ntresult)) {
+ DEBUG(0, ("Could not initialise %s. Error was %s\n",
+ cmd_entry->table->name,
+ nt_errstr(ntresult) ));
++ talloc_free(mem_ctx);
+ return ntresult;
+ }
+
+@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ trust_password, &machine_account,
+ &sec_channel_type))
+ {
++ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ if (!NT_STATUS_IS_OK(ntresult)) {
+ DEBUG(0, ("Could not initialise credentials for %s.\n",
+ cmd_entry->table->name));
++ talloc_free(mem_ctx);
+ return ntresult;
+ }
+ }
+@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+
+ /* Cleanup */
+
+- talloc_destroy(mem_ctx);
++ talloc_free(mem_ctx);
+
+ return ntresult;
+ }
+--
+1.9.3
+
+
+From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 24 Apr 2013 12:36:04 +0200
+Subject: [PATCH 045/249] libcli/auth: make
+ netlogon_creds_crypt_samlogon_validation more robust
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
+---
+ libcli/auth/credentials.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index fb77ede..5c8b25b 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
+ bool encrypt)
+ {
+ static const char zeros[16];
+-
+ struct netr_SamBaseInfo *base = NULL;
++
++ if (validation == NULL) {
++ return;
++ }
++
+ switch (validation_level) {
+ case 2:
+ if (validation->sam2) {
+--
+1.9.3
+
+
+From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 14 Jun 2013 09:47:50 +0200
+Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
+ netlogon_creds_crypt_samlogon_validation()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
+---
+ libcli/auth/credentials.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index 5c8b25b..2e9c87e 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
+ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+- bool encrypt)
++ bool do_encrypt)
+ {
+ static const char zeros[16];
+ struct netr_SamBaseInfo *base = NULL;
+@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
+ if (memcmp(base->key.key, zeros,
+ sizeof(base->key.key)) != 0) {
+- if (encrypt) {
++ if (do_encrypt) {
+ netlogon_creds_aes_encrypt(creds,
+ base->key.key,
+ sizeof(base->key.key));
+@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
+
+ if (memcmp(base->LMSessKey.key, zeros,
+ sizeof(base->LMSessKey.key)) != 0) {
+- if (encrypt) {
++ if (do_encrypt) {
+ netlogon_creds_aes_encrypt(creds,
+ base->LMSessKey.key,
+ sizeof(base->LMSessKey.key));
+@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
+ /* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
+ if (memcmp(base->LMSessKey.key, zeros,
+ sizeof(base->LMSessKey.key)) != 0) {
+- if (encrypt) {
++ if (do_encrypt) {
+ netlogon_creds_des_encrypt_LMKey(creds,
+ &base->LMSessKey);
+ } else {
+--
+1.9.3
+
+
+From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 17:01:00 +0200
+Subject: [PATCH 047/249] libcli/auth: add
+ netlogon_creds_[de|en]crypt_samlogon_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
+---
+ libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
+ libcli/auth/proto.h | 6 +++
+ 2 files changed, 124 insertions(+)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index 2e9c87e..78a8d7a 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
+ validation, true);
+ }
+
++static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
++ enum netr_LogonInfoClass level,
++ union netr_LogonLevel *logon,
++ bool encrypt)
++{
++ static const char zeros[16];
++
++ if (logon == NULL) {
++ return;
++ }
++
++ switch (level) {
++ case NetlogonInteractiveInformation:
++ case NetlogonInteractiveTransitiveInformation:
++ case NetlogonServiceInformation:
++ case NetlogonServiceTransitiveInformation:
++ if (logon->password == NULL) {
++ return;
++ }
++
++ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ uint8_t *h;
++
++ h = logon->password->lmpassword.hash;
++ if (memcmp(h, zeros, 16) != 0) {
++ if (encrypt) {
++ netlogon_creds_aes_encrypt(creds, h, 16);
++ } else {
++ netlogon_creds_aes_decrypt(creds, h, 16);
++ }
++ }
++
++ h = logon->password->ntpassword.hash;
++ if (memcmp(h, zeros, 16) != 0) {
++ if (encrypt) {
++ netlogon_creds_aes_encrypt(creds, h, 16);
++ } else {
++ netlogon_creds_aes_decrypt(creds, h, 16);
++ }
++ }
++ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
++ uint8_t *h;
++
++ h = logon->password->lmpassword.hash;
++ if (memcmp(h, zeros, 16) != 0) {
++ netlogon_creds_arcfour_crypt(creds, h, 16);
++ }
++
++ h = logon->password->ntpassword.hash;
++ if (memcmp(h, zeros, 16) != 0) {
++ netlogon_creds_arcfour_crypt(creds, h, 16);
++ }
++ } else {
++ struct samr_Password *p;
++
++ p = &logon->password->lmpassword;
++ if (memcmp(p->hash, zeros, 16) != 0) {
++ if (encrypt) {
++ netlogon_creds_des_encrypt(creds, p);
++ } else {
++ netlogon_creds_des_decrypt(creds, p);
++ }
++ }
++ p = &logon->password->ntpassword;
++ if (memcmp(p->hash, zeros, 16) != 0) {
++ if (encrypt) {
++ netlogon_creds_des_encrypt(creds, p);
++ } else {
++ netlogon_creds_des_decrypt(creds, p);
++ }
++ }
++ }
++ break;
++
++ case NetlogonNetworkInformation:
++ case NetlogonNetworkTransitiveInformation:
++ break;
++
++ case NetlogonGenericInformation:
++ if (logon->generic == NULL) {
++ return;
++ }
++
++ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ if (encrypt) {
++ netlogon_creds_aes_encrypt(creds,
++ logon->generic->data,
++ logon->generic->length);
++ } else {
++ netlogon_creds_aes_decrypt(creds,
++ logon->generic->data,
++ logon->generic->length);
++ }
++ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
++ netlogon_creds_arcfour_crypt(creds,
++ logon->generic->data,
++ logon->generic->length);
++ } else {
++ /* Using DES to verify kerberos tickets makes no sense */
++ }
++ break;
++ }
++}
++
++void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
++ enum netr_LogonInfoClass level,
++ union netr_LogonLevel *logon)
++{
++ netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
++}
++
++void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
++ enum netr_LogonInfoClass level,
++ union netr_LogonLevel *logon)
++{
++ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
++}
++
+ /*
+ copy a netlogon_creds_CredentialState struct
+ */
+diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
+index 6bc18d7..110e039 100644
+--- a/libcli/auth/proto.h
++++ b/libcli/auth/proto.h
+@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
+ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
+ uint16_t validation_level,
+ union netr_Validation *validation);
++void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
++ enum netr_LogonInfoClass level,
++ union netr_LogonLevel *logon);
++void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
++ enum netr_LogonInfoClass level,
++ union netr_LogonLevel *logon);
+
+ /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
+
+--
+1.9.3
+
+
+From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 24 Apr 2013 12:53:27 +0200
+Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()
+
+This can be used before netlogon_creds_encrypt_samlogon_logon()
+in order to keep the provided buffers unchanged.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
+---
+ libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
+ libcli/auth/proto.h | 3 ++
+ 2 files changed, 76 insertions(+)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index 78a8d7a..1f664d3 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
+ netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
+ }
+
++union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
++ enum netr_LogonInfoClass level,
++ const union netr_LogonLevel *in)
++{
++ union netr_LogonLevel *out;
++
++ if (in == NULL) {
++ return NULL;
++ }
++
++ out = talloc(mem_ctx, union netr_LogonLevel);
++ if (out == NULL) {
++ return NULL;
++ }
++
++ *out = *in;
++
++ switch (level) {
++ case NetlogonInteractiveInformation:
++ case NetlogonInteractiveTransitiveInformation:
++ case NetlogonServiceInformation:
++ case NetlogonServiceTransitiveInformation:
++ if (in->password == NULL) {
++ return out;
++ }
++
++ out->password = talloc(out, struct netr_PasswordInfo);
++ if (out->password == NULL) {
++ talloc_free(out);
++ return NULL;
++ }
++ *out->password = *in->password;
++
++ return out;
++
++ case NetlogonNetworkInformation:
++ case NetlogonNetworkTransitiveInformation:
++ break;
++
++ case NetlogonGenericInformation:
++ if (in->generic == NULL) {
++ return out;
++ }
++
++ out->generic = talloc(out, struct netr_GenericInfo);
++ if (out->generic == NULL) {
++ talloc_free(out);
++ return NULL;
++ }
++ *out->generic = *in->generic;
++
++ if (in->generic->data == NULL) {
++ return out;
++ }
++
++ if (in->generic->length == 0) {
++ return out;
++ }
++
++ out->generic->data = talloc_memdup(out->generic,
++ in->generic->data,
++ in->generic->length);
++ if (out->generic->data == NULL) {
++ talloc_free(out);
++ return NULL;
++ }
++
++ return out;
++ }
++
++ return out;
++}
++
+ /*
+ copy a netlogon_creds_CredentialState struct
+ */
+diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
+index 110e039..0c319d3 100644
+--- a/libcli/auth/proto.h
++++ b/libcli/auth/proto.h
+@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
+ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
+ enum netr_LogonInfoClass level,
+ union netr_LogonLevel *logon);
++union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
++ enum netr_LogonInfoClass level,
++ const union netr_LogonLevel *in);
+
+ /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c */
+
+--
+1.9.3
+
+
+From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 24 Apr 2013 16:00:18 +0200
+Subject: [PATCH 049/249] s4:netlogon: make use of
+ netlogon_creds_decrypt_samlogon_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
+ 1 file changed, 6 insertions(+), 22 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 70239a4..c41cd02 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
+ user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info);
+
++ netlogon_creds_decrypt_samlogon_logon(creds,
++ r->in.logon_level,
++ r->in.logon);
++
+ switch (r->in.logon_level) {
+ case NetlogonInteractiveInformation:
+ case NetlogonServiceInformation:
+ case NetlogonInteractiveTransitiveInformation:
+ case NetlogonServiceTransitiveInformation:
+- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- netlogon_creds_aes_decrypt(creds,
+- r->in.logon->password->lmpassword.hash,
+- sizeof(r->in.logon->password->lmpassword.hash));
+- netlogon_creds_aes_decrypt(creds,
+- r->in.logon->password->ntpassword.hash,
+- sizeof(r->in.logon->password->ntpassword.hash));
+- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+- netlogon_creds_arcfour_crypt(creds,
+- r->in.logon->password->lmpassword.hash,
+- sizeof(r->in.logon->password->lmpassword.hash));
+- netlogon_creds_arcfour_crypt(creds,
+- r->in.logon->password->ntpassword.hash,
+- sizeof(r->in.logon->password->ntpassword.hash));
+- } else {
+- netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
+- netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
+- }
+
+ /* TODO: we need to deny anonymous access here */
+ nt_status = auth_context_create(mem_ctx,
+@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
+ case NetlogonGenericInformation:
+ {
+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- netlogon_creds_aes_decrypt(creds,
+- r->in.logon->generic->data, r->in.logon->generic->length);
++ /* OK */
+ } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+- netlogon_creds_arcfour_crypt(creds,
+- r->in.logon->generic->data, r->in.logon->generic->length);
++ /* OK */
+ } else {
+ /* Using DES to verify kerberos tickets makes no sense */
+ return NT_STATUS_INVALID_PARAMETER;
+--
+1.9.3
+
+
+From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 24 Apr 2013 16:00:44 +0200
+Subject: [PATCH 050/249] s3:netlogon: make use of
+ netlogon_creds_decrypt_samlogon_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
+ 1 file changed, 21 insertions(+), 24 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index e5ca474..09857b6 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
+ struct auth_context *auth_context = NULL;
+ const char *fn;
+
++#ifdef DEBUG_PASSWORD
++ logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
++ r->in.logon_level,
++ r->in.logon);
++ if (logon == NULL) {
++ logon = r->in.logon;
++ }
++#endif
++
+ switch (p->opnum) {
+ case NDR_NETR_LOGONSAMLOGON:
+ fn = "_netr_LogonSamLogon";
+@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
+
+ status = NT_STATUS_OK;
+
++ netlogon_creds_decrypt_samlogon_logon(creds,
++ r->in.logon_level,
++ logon);
++
+ switch (r->in.logon_level) {
+ case NetlogonNetworkInformation:
+ case NetlogonNetworkTransitiveInformation:
+@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
+ uint8_t chal[8];
+
+ #ifdef DEBUG_PASSWORD
+- DEBUG(100,("lm owf password:"));
+- dump_data(100, logon->password->lmpassword.hash, 16);
+-
+- DEBUG(100,("nt owf password:"));
+- dump_data(100, logon->password->ntpassword.hash, 16);
+-#endif
+- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- netlogon_creds_aes_decrypt(creds,
+- logon->password->lmpassword.hash,
+- 16);
+- netlogon_creds_aes_decrypt(creds,
+- logon->password->ntpassword.hash,
+- 16);
+- } else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+- netlogon_creds_arcfour_crypt(creds,
+- logon->password->lmpassword.hash,
+- 16);
+- netlogon_creds_arcfour_crypt(creds,
+- logon->password->ntpassword.hash,
+- 16);
+- } else {
+- netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
+- netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
++ if (logon != r->in.logon) {
++ DEBUG(100,("lm owf password:"));
++ dump_data(100,
++ r->in.logon->password->lmpassword.hash, 16);
++
++ DEBUG(100,("nt owf password:"));
++ dump_data(100,
++ r->in.logon->password->ntpassword.hash, 16);
+ }
+
+-#ifdef DEBUG_PASSWORD
+ DEBUG(100,("decrypt of lm owf password:"));
+ dump_data(100, logon->password->lmpassword.hash, 16);
+
+--
+1.9.3
+
+
+From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 18:27:57 +0200
+Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
+ static
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
+---
+ source3/rpc_client/cli_pipe.c | 9 +++++----
+ source3/rpc_client/cli_pipe.h | 6 ------
+ 2 files changed, 5 insertions(+), 10 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 1fa8d91..66fa2d2 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+-NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
+- enum dcerpc_AuthLevel auth_level,
+- struct netlogon_creds_CredentialState *creds,
+- struct pipe_auth_data **presult)
++static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
++ const char *domain,
++ enum dcerpc_AuthLevel auth_level,
++ struct netlogon_creds_CredentialState *creds,
++ struct pipe_auth_data **presult)
+ {
+ struct schannel_state *schannel_auth;
+ struct pipe_auth_data *result;
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 6fcc587..8eb6040 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
+ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
+ struct pipe_auth_data **presult);
+
+-NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+- const char *domain,
+- enum dcerpc_AuthLevel auth_level,
+- struct netlogon_creds_CredentialState *creds,
+- struct pipe_auth_data **presult);
+-
+ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
+ const char *host,
+ const struct sockaddr_storage *ss_addr,
+--
+1.9.3
+
+
+From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 18:29:31 +0200
+Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
+ netlogon_creds_copy() in rpccli_schannel_bind_data()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
+---
+ source3/rpc_client/cli_pipe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 66fa2d2..afe8030 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+
+ schannel_auth->state = SCHANNEL_STATE_START;
+ schannel_auth->initiator = true;
+- schannel_auth->creds = netlogon_creds_copy(result, creds);
++ schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
++ if (schannel_auth->creds == NULL) {
++ goto fail;
++ }
+
+ result->auth_ctx = schannel_auth;
+ *presult = result;
+--
+1.9.3
+
+
+From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 19:43:58 +0200
+Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
+ cli_rpc_pipe_open_schannel_with_key()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
+---
+ source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
+ 1 file changed, 15 insertions(+), 15 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index afe8030..ec804e7 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+ struct netlogon_creds_CredentialState **pdc,
+- struct rpc_pipe_client **presult)
++ struct rpc_pipe_client **_rpccli)
+ {
+- struct rpc_pipe_client *result;
+- struct pipe_auth_data *auth;
++ struct rpc_pipe_client *rpccli;
++ struct pipe_auth_data *rpcauth;
+ NTSTATUS status;
+
+- status = cli_rpc_pipe_open(cli, transport, table, &result);
++ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+- status = rpccli_schannel_bind_data(result, domain, auth_level,
+- *pdc, &auth);
++ status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
++ *pdc, &rpcauth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
+ nt_errstr(status)));
+- TALLOC_FREE(result);
++ TALLOC_FREE(rpccli);
+ return status;
+ }
+
+- status = rpc_pipe_bind(result, auth);
++ status = rpc_pipe_bind(rpccli, rpcauth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
+ "cli_rpc_pipe_bind failed with error %s\n",
+ nt_errstr(status) ));
+- TALLOC_FREE(result);
++ TALLOC_FREE(rpccli);
+ return status;
+ }
+
+@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ * The credentials on a new netlogon pipe are the ones we are passed
+ * in - copy them over
+ */
+- if (result->dc == NULL) {
+- result->dc = netlogon_creds_copy(result, *pdc);
+- if (result->dc == NULL) {
+- TALLOC_FREE(result);
++ if (rpccli->dc == NULL) {
++ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
++ if (rpccli->dc == NULL) {
++ TALLOC_FREE(rpccli);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ "for domain %s and bound using schannel.\n",
+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+- result->desthost, domain));
++ rpccli->desthost, domain));
+
+- *presult = result;
++ *_rpccli = rpccli;
+ return NT_STATUS_OK;
+ }
+
+--
+1.9.3
+
+
+From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 20:26:54 +0200
+Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
+---
+ source3/include/client.h | 1 -
+ source3/libsmb/cliconnect.c | 5 -----
+ 2 files changed, 6 deletions(-)
+
+diff --git a/source3/include/client.h b/source3/include/client.h
+index 3f92d6d..59fb104 100644
+--- a/source3/include/client.h
++++ b/source3/include/client.h
+@@ -72,7 +72,6 @@ struct cli_state {
+ int timeout; /* in milliseconds. */
+ int initialised;
+ int win95;
+- bool is_guestlogin;
+ /* What the server offered. */
+ uint32_t server_posix_capabilities;
+ /* What the client requested. */
+diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
+index 13e7704..81bc028 100644
+--- a/source3/libsmb/cliconnect.c
++++ b/source3/libsmb/cliconnect.c
+@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
+ p = bytes;
+
+ cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
+
+ status = smb_bytes_talloc_string(cli,
+ inhdr,
+@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
+ p = bytes;
+
+ cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
+
+ status = smb_bytes_talloc_string(cli,
+ inhdr,
+@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
+ p = bytes;
+
+ cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
+
+ status = smb_bytes_talloc_string(cli,
+ inhdr,
+@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
+ p = bytes;
+
+ cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
+
+ status = smb_bytes_talloc_string(cli,
+ inhdr,
+@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
+ state->inbuf = in;
+ inhdr = in + NBT_HDR_SIZE;
+ cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
+- cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
+
+ blob_length = SVAL(vwv+3, 0);
+ if (blob_length > num_bytes) {
+--
+1.9.3
+
+
+From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jun 2013 09:41:52 +0200
+Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
+---
+ source3/auth/auth_domain.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index 54ee5a1..06078e2 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+
+ if (!lp_client_schannel()) {
+ /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ enum netr_SchannelType sec_chan_type = 0;
+ unsigned char machine_pwd[16];
+ const char *account_name;
+--
+1.9.3
+
+
+From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jun 2013 09:41:52 +0200
+Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
+---
+ source3/libnet/libnet_join.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index d8ec235..c1eccda 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+ const char *dc_name,
+ const bool use_kerberos)
+ {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ struct cli_state *cli = NULL;
+ struct rpc_pipe_client *pipe_hnd = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+--
+1.9.3
+
+
+From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jun 2013 09:41:52 +0200
+Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
+---
+ source3/rpc_client/cli_netlogon.c | 3 ++-
+ source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 3d6a3e1..5e8a2fc 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ if (!cli->dc) {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ result = rpccli_netlogon_setup_creds(cli,
+ cli->desthost, /* server name */
+ lp_workgroup(), /* domain */
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index bc672ef..de745c0 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+ const char *password,
+ struct rpc_pipe_client **presult)
+ {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct rpc_pipe_client *result = NULL;
+ NTSTATUS status;
+@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ const char *domain,
+ struct rpc_pipe_client **presult)
+ {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ struct rpc_pipe_client *result = NULL;
+ NTSTATUS status;
+--
+1.9.3
+
+
+From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 15 Jun 2013 09:41:52 +0200
+Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
+---
+ source3/rpcclient/cmd_netlogon.c | 3 ++-
+ source3/rpcclient/rpcclient.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 01d6da4..d92434b 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS result;
+ const char *server_name = cli->desthost;
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ struct netr_Authenticator clnt_creds, srv_cred;
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+ unsigned char trust_passwd_hash[16];
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 9bf296e..cb7b70f 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+
+ if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
+ &ndr_table_netlogon.syntax_id)) {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
++ NETLOGON_NEG_SUPPORTS_AES;
+ enum netr_SchannelType sec_channel_type;
+ uchar trust_password[16];
+ const char *machine_account;
+--
+1.9.3
+
+
+From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 19:57:09 +0200
+Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
+ rpc_pipe_bind_step_two_done()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
+---
+ source3/rpc_client/cli_pipe.c | 19 +++++++------------
+ 1 file changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index ec804e7..c354a6f 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+- if (state->cli->dc && state->cli->dc->negotiate_flags &
+- NETLOGON_NEG_SUPPORTS_AES) {
++ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ DEBUG(5, ("AES is not supported and the error was %s\n",
+ nt_errstr(status)));
+ tevent_req_nterror(req,
+@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+ return;
+ }
+
+- TALLOC_FREE(state->cli->dc);
+- state->cli->dc = talloc_steal(state->cli, state->creds);
+-
+ if (!NT_STATUS_IS_OK(state->r.out.result)) {
+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+ nt_errstr(state->r.out.result)));
+@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+ return;
+ }
+
+- if (state->creds->negotiate_flags !=
+- state->r.out.capabilities->server_capabilities) {
+- DEBUG(0, ("The client capabilities don't match the server "
+- "capabilities: local[0x%08X] remote[0x%08X]\n",
+- state->creds->negotiate_flags,
+- state->capabilities.server_capabilities));
++ if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
++ DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
++ "but AES was not negotiated - downgrade detected",
++ state->cli->desthost));
+ tevent_req_nterror(req,
+ NT_STATUS_INVALID_NETWORK_RESPONSE);
+ return;
+ }
+
+- /* TODO: Add downgrade dectection. */
++ TALLOC_FREE(state->cli->dc);
++ state->cli->dc = talloc_move(state->cli, &state->creds);
+
+ tevent_req_done(req);
+ return;
+--
+1.9.3
+
+
+From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 19:45:52 +0200
+Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
+ rpc_pipe_bind
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
+---
+ source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index c354a6f..eb172db 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ return status;
+ }
+
++ /*
++ * The credentials on a new netlogon pipe are the ones we are passed
++ * in - copy them over
++ *
++ * This may get overwritten... in rpc_pipe_bind()...
++ */
++ rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
++ if (rpccli->dc == NULL) {
++ TALLOC_FREE(rpccli);
++ return NT_STATUS_NO_MEMORY;
++ }
++
+ status = rpc_pipe_bind(rpccli, rpcauth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
+@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ return status;
+ }
+
+- /*
+- * The credentials on a new netlogon pipe are the ones we are passed
+- * in - copy them over
+- */
+- if (rpccli->dc == NULL) {
+- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
+- if (rpccli->dc == NULL) {
+- TALLOC_FREE(rpccli);
+- return NT_STATUS_NO_MEMORY;
+- }
+- }
+-
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ "for domain %s and bound using schannel.\n",
+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+--
+1.9.3
+
+
+From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 19:34:13 +0200
+Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
+ cli_rpc_pipe_open_schannel_with_key()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
+---
+ source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 101 insertions(+)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index eb172db..314eb92 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct rpc_pipe_client *rpccli;
+ struct pipe_auth_data *rpcauth;
+ NTSTATUS status;
++ NTSTATUS result;
++ struct netlogon_creds_CredentialState save_creds;
++ struct netr_Authenticator auth;
++ struct netr_Authenticator return_auth;
++ union netr_Capabilities capabilities;
+
+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ return status;
+ }
+
++ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
++ goto done;
++ }
++
++ save_creds = *rpccli->dc;
++ ZERO_STRUCT(return_auth);
++ ZERO_STRUCT(capabilities);
++
++ netlogon_creds_client_authenticator(&save_creds, &auth);
++
++ status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
++ talloc_tos(),
++ rpccli->srv_name_slash,
++ save_creds.computer_name,
++ &auth, &return_auth,
++ 1, &capabilities,
++ &result);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ DEBUG(5, ("AES was negotiated and the error was %s - "
++ "downgrade detected\n",
++ nt_errstr(status)));
++ TALLOC_FREE(rpccli);
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++
++ /* This is probably an old Samba Version */
++ DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
++ nt_errstr(status)));
++ goto done;
++ }
++
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
++ nt_errstr(status)));
++ TALLOC_FREE(rpccli);
++ return status;
++ }
++
++ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
++ if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ /* This means AES isn't supported. */
++ DEBUG(5, ("AES was negotiated and the result was %s - "
++ "downgrade detected\n",
++ nt_errstr(result)));
++ TALLOC_FREE(rpccli);
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++
++ /* This is probably an old Windows version */
++ DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
++ nt_errstr(result)));
++ goto done;
++ }
++
++ /*
++ * We need to check the credential state here, cause win2k3 and earlier
++ * returns NT_STATUS_NOT_IMPLEMENTED
++ */
++ if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
++ /*
++ * Server replied with bad credential. Fail.
++ */
++ DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
++ "replied with bad credential\n",
++ rpccli->desthost));
++ TALLOC_FREE(rpccli);
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++ *rpccli->dc = save_creds;
++
++ if (!NT_STATUS_IS_OK(result)) {
++ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
++ nt_errstr(result)));
++ TALLOC_FREE(rpccli);
++ return result;
++ }
++
++ if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
++ /* This means AES isn't supported. */
++ DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
++ "was OK - downgrade detected\n"));
++ TALLOC_FREE(rpccli);
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++
++ if (save_creds.negotiate_flags != capabilities.server_capabilities) {
++ DEBUG(0, ("The client capabilities don't match the server "
++ "capabilities: local[0x%08X] remote[0x%08X]\n",
++ save_creds.negotiate_flags,
++ capabilities.server_capabilities));
++ TALLOC_FREE(rpccli);
++ return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ }
++
++done:
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ "for domain %s and bound using schannel.\n",
+ get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+--
+1.9.3
+
+
+From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 18:30:36 +0200
+Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
+ from rpc_pipe_bind*
+
+It's done in the caller now.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
+---
+ source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
+ 1 file changed, 1 insertion(+), 149 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 314eb92..cba055a 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
+ DATA_BLOB rpc_out;
+ bool auth3;
+ uint32_t rpc_call_id;
+- struct netr_Authenticator auth;
+- struct netr_Authenticator return_auth;
+- struct netlogon_creds_CredentialState *creds;
+- union netr_Capabilities capabilities;
+- struct netr_LogonGetCapabilities r;
+ };
+
+ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
+-static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
+ static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *credentials);
+@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
+
+ case DCERPC_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
++ case DCERPC_AUTH_TYPE_SCHANNEL:
+ /* Bind complete. */
+ tevent_req_done(req);
+ return;
+
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+- rpc_pipe_bind_step_two_trigger(req);
+- return;
+-
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_KRB5:
+@@ -1763,145 +1754,6 @@ err_out:
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ }
+
+-static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
+-
+-static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
+-{
+- struct rpc_pipe_bind_state *state =
+- tevent_req_data(req,
+- struct rpc_pipe_bind_state);
+- struct dcerpc_binding_handle *b = state->cli->binding_handle;
+- struct schannel_state *schannel_auth =
+- talloc_get_type_abort(state->cli->auth->auth_ctx,
+- struct schannel_state);
+- struct tevent_req *subreq;
+-
+- if (schannel_auth == NULL ||
+- !ndr_syntax_id_equal(&state->cli->abstract_syntax,
+- &ndr_table_netlogon.syntax_id)) {
+- tevent_req_done(req);
+- return;
+- }
+-
+- ZERO_STRUCT(state->return_auth);
+-
+- state->creds = netlogon_creds_copy(state, schannel_auth->creds);
+- if (state->creds == NULL) {
+- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+- return;
+- }
+-
+- netlogon_creds_client_authenticator(state->creds, &state->auth);
+-
+- state->r.in.server_name = state->cli->srv_name_slash;
+- state->r.in.computer_name = state->creds->computer_name;
+- state->r.in.credential = &state->auth;
+- state->r.in.query_level = 1;
+- state->r.in.return_authenticator = &state->return_auth;
+-
+- state->r.out.capabilities = &state->capabilities;
+- state->r.out.return_authenticator = &state->return_auth;
+-
+- subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
+- state->ev,
+- b,
+- &state->r);
+- if (subreq == NULL) {
+- tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+- return;
+- }
+-
+- tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
+- return;
+-}
+-
+-static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+-{
+- struct tevent_req *req =
+- tevent_req_callback_data(subreq,
+- struct tevent_req);
+- struct rpc_pipe_bind_state *state =
+- tevent_req_data(req,
+- struct rpc_pipe_bind_state);
+- NTSTATUS status;
+-
+- status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+- TALLOC_FREE(subreq);
+- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- DEBUG(5, ("AES is not supported and the error was %s\n",
+- nt_errstr(status)));
+- tevent_req_nterror(req,
+- NT_STATUS_INVALID_NETWORK_RESPONSE);
+- return;
+- }
+-
+- /* This is probably NT */
+- DEBUG(5, ("We are checking against an NT - %s\n",
+- nt_errstr(status)));
+- tevent_req_done(req);
+- return;
+- } else if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+- nt_errstr(status)));
+- tevent_req_nterror(req, status);
+- return;
+- }
+-
+- if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
+- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- /* This means AES isn't supported. */
+- DEBUG(5, ("AES is not supported and the error was %s\n",
+- nt_errstr(state->r.out.result)));
+- tevent_req_nterror(req,
+- NT_STATUS_INVALID_NETWORK_RESPONSE);
+- return;
+- }
+-
+- /* This is probably an old Samba version */
+- DEBUG(5, ("We are checking against an old Samba version - %s\n",
+- nt_errstr(state->r.out.result)));
+- tevent_req_done(req);
+- return;
+- }
+-
+- /* We need to check the credential state here, cause win2k3 and earlier
+- * returns NT_STATUS_NOT_IMPLEMENTED */
+- if (!netlogon_creds_client_check(state->creds,
+- &state->r.out.return_authenticator->cred)) {
+- /*
+- * Server replied with bad credential. Fail.
+- */
+- DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
+- "replied with bad credential\n",
+- state->cli->desthost));
+- tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
+- return;
+- }
+-
+- if (!NT_STATUS_IS_OK(state->r.out.result)) {
+- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+- nt_errstr(state->r.out.result)));
+- tevent_req_nterror(req, state->r.out.result);
+- return;
+- }
+-
+- if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
+- DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
+- "but AES was not negotiated - downgrade detected",
+- state->cli->desthost));
+- tevent_req_nterror(req,
+- NT_STATUS_INVALID_NETWORK_RESPONSE);
+- return;
+- }
+-
+- TALLOC_FREE(state->cli->dc);
+- state->cli->dc = talloc_move(state->cli, &state->creds);
+-
+- tevent_req_done(req);
+- return;
+-}
+-
+ static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
+ struct rpc_pipe_bind_state *state,
+ DATA_BLOB *auth_token)
+--
+1.9.3
+
+
+From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 25 Apr 2013 19:33:28 +0200
+Subject: [PATCH 063/249] s3:rpc_client: remove unused
+ cli_rpc_pipe_open_ntlmssp_auth_schannel()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
+---
+ source3/rpc_client/cli_pipe.h | 9 ----
+ source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
+ 2 files changed, 89 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 8eb6040..ab99373 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct netlogon_creds_CredentialState **pdc,
+ struct rpc_pipe_client **presult);
+
+-NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+- const struct ndr_interface_table *table,
+- enum dcerpc_transport_t transport,
+- enum dcerpc_AuthLevel auth_level,
+- const char *domain,
+- const char *username,
+- const char *password,
+- struct rpc_pipe_client **presult);
+-
+ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index de745c0..aaae44b 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
+
+ /****************************************************************************
+ Open a named pipe to an SMB server and bind using schannel (bind type 68).
+- Fetch the session key ourselves using a temporary netlogon pipe. This
+- version uses an ntlmssp auth bound netlogon pipe to get the key.
+- ****************************************************************************/
+-
+-static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
+- const char *domain,
+- const char *username,
+- const char *password,
+- uint32 *pneg_flags,
+- struct rpc_pipe_client **presult)
+-{
+- struct rpc_pipe_client *netlogon_pipe = NULL;
+- NTSTATUS status;
+-
+- status = cli_rpc_pipe_open_spnego(
+- cli, &ndr_table_netlogon, NCACN_NP,
+- GENSEC_OID_NTLMSSP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
+- smbXcli_conn_remote_name(cli->conn),
+- domain, username, password, &netlogon_pipe);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
+- pneg_flags);
+- if (!NT_STATUS_IS_OK(status)) {
+- TALLOC_FREE(netlogon_pipe);
+- return status;
+- }
+-
+- *presult = netlogon_pipe;
+- return NT_STATUS_OK;
+-}
+-
+-/****************************************************************************
+- Open a named pipe to an SMB server and bind using schannel (bind type 68).
+- Fetch the session key ourselves using a temporary netlogon pipe. This version
+- uses an ntlmssp bind to get the session key.
+- ****************************************************************************/
+-
+-NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
+- const struct ndr_interface_table *table,
+- enum dcerpc_transport_t transport,
+- enum dcerpc_AuthLevel auth_level,
+- const char *domain,
+- const char *username,
+- const char *password,
+- struct rpc_pipe_client **presult)
+-{
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
+- struct rpc_pipe_client *netlogon_pipe = NULL;
+- struct rpc_pipe_client *result = NULL;
+- NTSTATUS status;
+-
+- status = get_schannel_session_key_auth_ntlmssp(
+- cli, domain, username, password, &neg_flags, &netlogon_pipe);
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
+- "key from server %s for domain %s.\n",
+- smbXcli_conn_remote_name(cli->conn), domain ));
+- return status;
+- }
+-
+- status = cli_rpc_pipe_open_schannel_with_key(
+- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
+- &result);
+-
+- /* Now we've bound using the session key we can close the netlog pipe. */
+- TALLOC_FREE(netlogon_pipe);
+-
+- if (NT_STATUS_IS_OK(status)) {
+- *presult = result;
+- }
+- return status;
+-}
+-
+-/****************************************************************************
+- Open a named pipe to an SMB server and bind using schannel (bind type 68).
+ Fetch the session key ourselves using a temporary netlogon pipe.
+ ****************************************************************************/
+
+--
+1.9.3
+
+
+From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 3 Aug 2013 11:26:13 +0200
+Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
+ before returning NOT_IMPLEMENTED
+
+Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
+---
+ auth/gensec/gensec.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
+index ea62861..9a8f0ef 100644
+--- a/auth/gensec/gensec.c
++++ b/auth/gensec/gensec.c
+@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+ DATA_BLOB *session_key)
+ {
+- if (!gensec_security->ops->session_key) {
+- return NT_STATUS_NOT_IMPLEMENTED;
+- }
+ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+
++ if (!gensec_security->ops->session_key) {
++ return NT_STATUS_NOT_IMPLEMENTED;
++ }
++
+ return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
+ }
+
+--
+1.9.3
+
+
+From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 3 Aug 2013 11:43:58 +0200
+Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
+---
+ auth/gensec/gensec.h | 3 +++
+ auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+)
+
+diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
+index 396a16d..c080861 100644
+--- a/auth/gensec/gensec.h
++++ b/auth/gensec/gensec.h
+@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
+ const char *oid_string);
+ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
+ const char *sasl_name);
++const struct gensec_security_ops *gensec_security_by_auth_type(
++ struct gensec_security *gensec_security,
++ uint32_t auth_type);
+ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx);
+ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index e46f0ee..c2cfa1c 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
+ return NULL;
+ }
+
++_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
++ struct gensec_security *gensec_security,
++ uint32_t auth_type)
++{
++ int i;
++ struct gensec_security_ops **backends;
++ const struct gensec_security_ops *backend;
++ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
++ if (!mem_ctx) {
++ return NULL;
++ }
++ backends = gensec_security_mechs(gensec_security, mem_ctx);
++ for (i=0; backends && backends[i]; i++) {
++ if (!gensec_security_ops_enabled(backends[i], gensec_security))
++ continue;
++ if (backends[i]->auth_type == auth_type) {
++ backend = backends[i];
++ talloc_free(mem_ctx);
++ return backend;
++ }
++ }
++ talloc_free(mem_ctx);
++
++ return NULL;
++}
++
+ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
+ const char *name)
+ {
+--
+1.9.3
+
+
+From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 24 Apr 2013 12:33:28 +0200
+Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
+ NETLOGON SSP as 64bit
+
+See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
+---
+ libcli/auth/schannel.h | 2 +-
+ libcli/auth/schannel_sign.c | 17 +++++++++++++----
+ source3/librpc/rpc/dcerpc_helpers.c | 4 ++--
+ 3 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
+index bfccd95..271b5bb 100644
+--- a/libcli/auth/schannel.h
++++ b/libcli/auth/schannel.h
+@@ -30,7 +30,7 @@ enum schannel_position {
+
+ struct schannel_state {
+ enum schannel_position state;
+- uint32_t seq_num;
++ uint64_t seq_num;
+ bool initiator;
+ struct netlogon_creds_CredentialState *creds;
+ };
+diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
+index 1871da2..6e5d454 100644
+--- a/libcli/auth/schannel_sign.c
++++ b/libcli/auth/schannel_sign.c
+@@ -24,6 +24,17 @@
+ #include "../libcli/auth/schannel.h"
+ #include "../lib/crypto/crypto.h"
+
++#define SETUP_SEQNUM(state, buf, initiator) do { \
++ uint8_t *_buf = buf; \
++ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
++ uint32_t _seq_num_high = (state)->seq_num >> 32; \
++ if (initiator) { \
++ _seq_num_high |= 0x80000000; \
++ } \
++ RSIVAL(_buf, 0, _seq_num_low); \
++ RSIVAL(_buf, 4, _seq_num_high); \
++} while(0)
++
+ static void netsec_offset_and_sizes(struct schannel_state *state,
+ bool do_seal,
+ uint32_t *_min_sig_size,
+@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+ confounder = NULL;
+ }
+
+- RSIVAL(seq_num, 0, state->seq_num);
+- SIVAL(seq_num, 4, state->initiator?0:0x80);
++ SETUP_SEQNUM(state, seq_num, !state->initiator);
+
+ if (do_unseal) {
+ netsec_do_seal(state, seq_num,
+@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+ &checksum_length,
+ &confounder_ofs);
+
+- RSIVAL(seq_num, 0, state->seq_num);
+- SIVAL(seq_num, 4, state->initiator?0x80:0);
++ SETUP_SEQNUM(state, seq_num, state->initiator);
+
+ if (do_seal) {
+ confounder = _confounder;
+diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
+index a55e419..0095990 100644
+--- a/source3/librpc/rpc/dcerpc_helpers.c
++++ b/source3/librpc/rpc/dcerpc_helpers.c
+@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
+- sas->seq_num));
++ DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
++ (unsigned long long)sas->seq_num));
+
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+--
+1.9.3
+
+
+From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 12:53:42 +0200
+Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
+---
+ libcli/auth/schannel_proto.h | 3 +++
+ libcli/auth/schannel_sign.c | 23 +++++++++++++++++++++++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
+index 0414218..da76559 100644
+--- a/libcli/auth/schannel_proto.h
++++ b/libcli/auth/schannel_proto.h
+@@ -28,6 +28,9 @@ struct schannel_state;
+ struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx);
+
++struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState *creds,
++ bool initiator);
+ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+ bool do_unseal,
+ uint8_t *data, size_t length,
+diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
+index 6e5d454..518a6a9 100644
+--- a/libcli/auth/schannel_sign.c
++++ b/libcli/auth/schannel_sign.c
+@@ -35,6 +35,29 @@
+ RSIVAL(_buf, 4, _seq_num_high); \
+ } while(0)
+
++struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState *creds,
++ bool initiator)
++{
++ struct schannel_state *state;
++
++ state = talloc(mem_ctx, struct schannel_state);
++ if (state == NULL) {
++ return NULL;
++ }
++
++ state->state = SCHANNEL_STATE_UPDATE_1;
++ state->initiator = initiator;
++ state->seq_num = 0;
++ state->creds = netlogon_creds_copy(state, creds);
++ if (state->creds == NULL) {
++ talloc_free(state);
++ return NULL;
++ }
++
++ return state;
++}
++
+ static void netsec_offset_and_sizes(struct schannel_state *state,
+ bool do_seal,
+ uint32_t *_min_sig_size,
+--
+1.9.3
+
+
+From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:28:11 +0200
+Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
+---
+ source3/rpc_client/cli_pipe.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index cba055a..9e979b0 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+ goto fail;
+ }
+
+- schannel_auth = talloc_zero(result, struct schannel_state);
++ schannel_auth = netsec_create_state(result, creds, true /* initiator */);
+ if (schannel_auth == NULL) {
+ goto fail;
+ }
+
+- schannel_auth->state = SCHANNEL_STATE_START;
+- schannel_auth->initiator = true;
+- schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
+- if (schannel_auth->creds == NULL) {
+- goto fail;
+- }
+-
+ result->auth_ctx = schannel_auth;
+ *presult = result;
+ return NT_STATUS_OK;
+--
+1.9.3
+
+
+From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:28:59 +0200
+Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
+ NL_AUTH_MESSAGE
+
+We need to use the same computer_name value as in the netr_Authenticate3()
+request.
+
+We abuse cli->auth->user_name to pass the value down.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
+---
+ source3/rpc_client/cli_pipe.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 9e979b0..1de71fb 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
+ NTSTATUS status;
+ struct NL_AUTH_MESSAGE r;
+
+- /* Use lp_workgroup() if domain not specified */
++ if (!cli->auth->user_name || !cli->auth->user_name[0]) {
++ return NT_STATUS_INVALID_PARAMETER_MIX;
++ }
+
+ if (!cli->auth->domain || !cli->auth->domain[0]) {
+- cli->auth->domain = talloc_strdup(cli, lp_workgroup());
+- if (cli->auth->domain == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
++ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ /*
+@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
+ r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
+ r.oem_netbios_domain.a = cli->auth->domain;
+- r.oem_netbios_computer.a = lp_netbios_name();
++ r.oem_netbios_computer.a = cli->auth->user_name;
+
+ status = dcerpc_push_schannel_bind(cli, &r, auth_token);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+ result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+ result->auth_level = auth_level;
+
+- result->user_name = talloc_strdup(result, "");
++ result->user_name = talloc_strdup(result, creds->computer_name);
+ result->domain = talloc_strdup(result, domain);
+ if ((result->user_name == NULL) || (result->domain == NULL)) {
+ goto fail;
+--
+1.9.3
+
+
+From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 3 Aug 2013 08:50:54 +0200
+Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
+ cli_get_session_key() for schannel
+
+SCHANNEL connections don't have a user session key,
+they're like anonymous connections.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
+---
+ source3/rpc_client/cli_pipe.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 1de71fb..470469f 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
+ {
+ NTSTATUS status;
+ struct pipe_auth_data *a;
+- struct schannel_state *schannel_auth;
+ struct gensec_security *gensec_security;
+ DATA_BLOB sk = data_blob_null;
+ bool make_dup = false;
+@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
+ }
+
+ switch (cli->auth->auth_type) {
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+- schannel_auth = talloc_get_type_abort(a->auth_ctx,
+- struct schannel_state);
+- sk = data_blob_const(schannel_auth->creds->session_key, 16);
+- make_dup = true;
+- break;
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
+--
+1.9.3
+
+
+From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:33:37 +0200
+Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
+---
+ source3/rpc_server/srv_pipe.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 7daff04..9043a14 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
+ */
+
+ become_root();
+- status = schannel_get_creds_state(p, lp_ctx,
+- neg.oem_netbios_computer.a, &creds);
++ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
++ neg.oem_netbios_computer.a, &creds);
+ unbecome_root();
+
+ talloc_unlink(p, lp_ctx);
+@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
+ return False;
+ }
+
+- schannel_auth = talloc_zero(p, struct schannel_state);
++ schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
++ TALLOC_FREE(creds);
+ if (!schannel_auth) {
+- TALLOC_FREE(creds);
+ return False;
+ }
+
+- schannel_auth->state = SCHANNEL_STATE_START;
+- schannel_auth->initiator = false;
+- schannel_auth->creds = creds;
+-
+ /*
+ * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
+ * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
+--
+1.9.3
+
+
+From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:36:30 +0200
+Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
+ schannel_state->seq_num.
+
+This is a layer violation and not needed anymore as we know
+how the seqnum handling works now.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
+---
+ source3/librpc/rpc/dcerpc_helpers.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
+index 0095990..97999d7 100644
+--- a/source3/librpc/rpc/dcerpc_helpers.c
++++ b/source3/librpc/rpc/dcerpc_helpers.c
+@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
+- (unsigned long long)sas->seq_num));
+-
+ switch (auth_level) {
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ status = netsec_outgoing_packet(sas,
+--
+1.9.3
+
+
+From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 10:08:54 +0200
+Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()
+
+We use cli_credentials_get_netlogon_creds() which returns the same value.
+
+dcerpc_schannel_creds() is a layer violation.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
+---
+ source4/libnet/libnet_samsync.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
+index 9629b9f..206d81e 100644
+--- a/source4/libnet/libnet_samsync.c
++++ b/source4/libnet/libnet_samsync.c
+@@ -25,7 +25,6 @@
+ #include "libcli/auth/libcli_auth.h"
+ #include "../libcli/samsync/samsync.h"
+ #include "auth/gensec/gensec.h"
+-#include "auth/gensec/schannel.h"
+ #include "auth/credentials/credentials.h"
+ #include "libcli/auth/schannel.h"
+ #include "librpc/gen_ndr/ndr_netlogon.h"
+@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
+
+ /* get NETLOGON credentials */
+
+- nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
+- if (!NT_STATUS_IS_OK(nt_status)) {
+- r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
++ creds = cli_credentials_get_netlogon_creds(machine_account);
++ if (creds == NULL) {
++ r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
+ talloc_free(samsync_ctx);
+ return nt_status;
+ }
+--
+1.9.3
+
+
+From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 10:08:54 +0200
+Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()
+
+We use cli_credentials_get_netlogon_creds() which returns the same value.
+
+dcerpc_schannel_creds() is a layer violation.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
+---
+ source4/torture/rpc/samlogon.c | 5 ++---
+ source4/torture/rpc/samr.c | 6 +++---
+ source4/torture/rpc/samsync.c | 11 ++++-------
+ source4/torture/rpc/schannel.c | 6 ++----
+ 4 files changed, 11 insertions(+), 17 deletions(-)
+
+diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
+index 4861038..886ff39 100644
+--- a/source4/torture/rpc/samlogon.c
++++ b/source4/torture/rpc/samlogon.c
+@@ -29,7 +29,6 @@
+ #include "lib/cmdline/popt_common.h"
+ #include "torture/rpc/torture_rpc.h"
+ #include "auth/gensec/gensec.h"
+-#include "auth/gensec/schannel.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "param/param.h"
+
+@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
+ torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
+ talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
+
+- status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
+- if (!NT_STATUS_IS_OK(status)) {
++ creds = cli_credentials_get_netlogon_creds(machine_credentials);
++ if (creds == NULL) {
+ ret = false;
+ goto failed;
+ }
+diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
+index cdfa2b8..d4d64f9 100644
+--- a/source4/torture/rpc/samr.c
++++ b/source4/torture/rpc/samr.c
+@@ -37,7 +37,6 @@
+ #include "torture/rpc/torture_rpc.h"
+ #include "param/param.h"
+ #include "auth/gensec/gensec.h"
+-#include "auth/gensec/schannel.h"
+ #include "auth/gensec/gensec_proto.h"
+ #include "../libcli/auth/schannel.h"
+
+@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
+
+ static bool test_SamLogon(struct torture_context *tctx,
+ struct dcerpc_pipe *p,
++ struct cli_credentials *machine_credentials,
+ struct cli_credentials *test_credentials,
+ NTSTATUS expected_result,
+ bool interactive)
+@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
+ struct netr_Authenticator a;
+ struct dcerpc_binding_handle *b = p->binding_handle;
+
+- torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
++ torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
+
+ if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
+ flags |= CLI_CRED_LANMAN_AUTH;
+@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
+ torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
+ interactive ? "interactive" : "network", acct_name, password);
+
+- if (!test_SamLogon(tctx, p, test_credentials,
++ if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
+ expected_samlogon_result, interactive)) {
+ torture_warning(tctx, "new password did not work\n");
+ ret = false;
+diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
+index 81027d0..15cab73 100644
+--- a/source4/torture/rpc/samsync.c
++++ b/source4/torture/rpc/samsync.c
+@@ -27,7 +27,6 @@
+ #include "system/time.h"
+ #include "torture/rpc/torture_rpc.h"
+ #include "auth/gensec/gensec.h"
+-#include "auth/gensec/schannel.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "libcli/samsync/samsync.h"
+ #include "libcli/security/security.h"
+@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
+ }
+ samsync_state->b = samsync_state->p->binding_handle;
+
+- status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
+- samsync_state, &samsync_state->creds);
+- if (!NT_STATUS_IS_OK(status)) {
++ samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
++ if (samsync_state->creds == NULL) {
+ ret = false;
+ }
+
+@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
+ goto failed;
+ }
+
+- status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
+- samsync_state, &samsync_state->creds_netlogon_wksta);
+- if (!NT_STATUS_IS_OK(status)) {
++ samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
++ if (samsync_state->creds_netlogon_wksta == NULL) {
+ torture_comment(torture, "Failed to obtail schanel creds!\n");
+ ret = false;
+ }
+diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
+index 8203749..0098dcf 100644
+--- a/source4/torture/rpc/schannel.c
++++ b/source4/torture/rpc/schannel.c
+@@ -26,14 +26,12 @@
+ #include "auth/credentials/credentials.h"
+ #include "torture/rpc/torture_rpc.h"
+ #include "lib/cmdline/popt_common.h"
+-#include "auth/gensec/schannel.h"
+ #include "../libcli/auth/schannel.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "libcli/security/security.h"
+ #include "system/filesys.h"
+ #include "param/param.h"
+ #include "librpc/rpc/dcerpc_proto.h"
+-#include "auth/gensec/gensec.h"
+ #include "libcli/composite/composite.h"
+ #include "lib/events/events.h"
+
+@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
+
+ torture_assert_ntstatus_ok(tctx, status, "bind auth");
+
+- status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
+- torture_assert_ntstatus_ok(tctx, status, "schannel creds");
++ creds = cli_credentials_get_netlogon_creds(credentials);
++ torture_assert(tctx, (creds != NULL), "schannel creds");
+
+ /* checks the capabilities */
+ torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
+--
+1.9.3
+
+
+From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 12:31:41 +0200
+Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
+ dcerpc_schannel_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
+---
+ source4/auth/gensec/schannel.c | 23 -----------------------
+ source4/auth/gensec/schannel.h | 26 --------------------------
+ 2 files changed, 49 deletions(-)
+ delete mode 100644 source4/auth/gensec/schannel.h
+
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index e7c545f..10d2565 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -29,7 +29,6 @@
+ #include "../libcli/auth/schannel.h"
+ #include "librpc/rpc/dcerpc.h"
+ #include "param/param.h"
+-#include "auth/gensec/schannel.h"
+ #include "auth/gensec/gensec_toplevel_proto.h"
+
+ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
+@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ }
+
+ /**
+- * Return the struct netlogon_creds_CredentialState.
+- *
+- * Make sure not to call this unless gensec is using schannel...
+- */
+-
+-/* TODO: make this non-public */
+-
+-_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- struct netlogon_creds_CredentialState **creds)
+-{
+- struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
+-
+- *creds = talloc_reference(mem_ctx, state->creds);
+- if (!*creds) {
+- return NT_STATUS_NO_MEMORY;
+- }
+- return NT_STATUS_OK;
+-}
+-
+-
+-/**
+ * Returns anonymous credentials for schannel, matching Win2k3.
+ *
+ */
+diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
+deleted file mode 100644
+index 88a32a7..0000000
+--- a/source4/auth/gensec/schannel.h
++++ /dev/null
+@@ -1,26 +0,0 @@
+-/*
+- Unix SMB/CIFS implementation.
+-
+- dcerpc schannel operations
+-
+- Copyright (C) Andrew Tridgell 2004
+- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+-
+- This program is free software; you can redistribute it and/or modify
+- it under the terms of the GNU General Public License as published by
+- the Free Software Foundation; either version 3 of the License, or
+- (at your option) any later version.
+-
+- This program is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- GNU General Public License for more details.
+-
+- You should have received a copy of the GNU General Public License
+- along with this program. If not, see <http://www.gnu.org/licenses/>.
+-*/
+-
+-struct netlogon_creds_CredentialState;
+-NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- struct netlogon_creds_CredentialState **creds);
+--
+1.9.3
+
+
+From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:04:07 +0200
+Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
+ netsec_create_state()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
+---
+ source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
+ 1 file changed, 30 insertions(+), 68 deletions(-)
+
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index 10d2565..3896a41 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
+
+ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
+ {
+- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
+- uint32_t sig_size;
+-
+- sig_size = netsec_outgoing_sig_size(state);
++ struct schannel_state *state =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
+
+- return sig_size;
++ return netsec_outgoing_sig_size(state);
+ }
+
+ static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
+@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ struct tevent_context *ev,
+ const DATA_BLOB in, DATA_BLOB *out)
+ {
+- struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
++ struct schannel_state *state =
++ talloc_get_type(gensec_security->private_data,
++ struct schannel_state);
+ NTSTATUS status;
+ enum ndr_err_code ndr_err;
+ struct NL_AUTH_MESSAGE bind_schannel;
+@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+
+ switch (gensec_security->gensec_role) {
+ case GENSEC_CLIENT:
+- if (state->state != SCHANNEL_STATE_START) {
++ if (state != NULL) {
+ /* we could parse the bind ack, but we don't know what it is yet */
+ return NT_STATUS_OK;
+ }
+
+- state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
+- if (state->creds == NULL) {
++ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
++ if (creds == NULL) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+- /*
+- * We need to create a reference here or we don't get
+- * updates performed on the credentials if we create a
+- * copy.
+- */
+- state->creds = talloc_reference(state, state->creds);
+- if (state->creds == NULL) {
++
++ state = netsec_create_state(gensec_security,
++ creds, true /* initiator */);
++ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
++ gensec_security->private_data = state;
+
+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
+ #if 0
+@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ return status;
+ }
+
+- state->state = SCHANNEL_STATE_UPDATE_1;
+-
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ case GENSEC_SERVER:
+
+- if (state->state != SCHANNEL_STATE_START) {
++ if (state != NULL) {
+ /* no third leg on this protocol */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ return status;
+ }
+
+- state->creds = talloc_steal(state, creds);
++ state = netsec_create_state(gensec_security,
++ creds, false /* not initiator */);
++ if (state == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ gensec_security->private_data = state;
+
+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
+ bind_schannel_ack.Flags = 0;
+@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ return status;
+ }
+
+- state->state = SCHANNEL_STATE_UPDATE_1;
+-
+ return NT_STATUS_OK;
+ }
+ return NT_STATUS_INVALID_PARAMETER;
+@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
+ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
+ }
+
+-static NTSTATUS schannel_start(struct gensec_security *gensec_security)
+-{
+- struct schannel_state *state;
+-
+- state = talloc_zero(gensec_security, struct schannel_state);
+- if (!state) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- state->state = SCHANNEL_STATE_START;
+- gensec_security->private_data = state;
+-
+- return NT_STATUS_OK;
+-}
+-
+ static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+ {
+- NTSTATUS status;
+- struct schannel_state *state;
+-
+- status = schannel_start(gensec_security);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- state = (struct schannel_state *)gensec_security->private_data;
+- state->initiator = false;
+-
+ return NT_STATUS_OK;
+ }
+
+ static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
+ {
+- NTSTATUS status;
+- struct schannel_state *state;
+-
+- status = schannel_start(gensec_security);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- state = (struct schannel_state *)gensec_security->private_data;
+- state->initiator = true;
+-
+ return NT_STATUS_OK;
+ }
+
+-
+ static bool schannel_have_feature(struct gensec_security *gensec_security,
+ uint32_t feature)
+ {
+@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
+ const DATA_BLOB *sig)
+ {
+ struct schannel_state *state =
+- talloc_get_type(gensec_security->private_data,
+- struct schannel_state);
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
+
+ return netsec_incoming_packet(state, true,
+ discard_const_p(uint8_t, data),
+@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
+ const DATA_BLOB *sig)
+ {
+ struct schannel_state *state =
+- talloc_get_type(gensec_security->private_data,
+- struct schannel_state);
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
+
+ return netsec_incoming_packet(state, false,
+ discard_const_p(uint8_t, data),
+@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
+ DATA_BLOB *sig)
+ {
+ struct schannel_state *state =
+- talloc_get_type(gensec_security->private_data,
+- struct schannel_state);
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
+
+ return netsec_outgoing_packet(state, mem_ctx, true,
+ data, length, sig);
+@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
+ DATA_BLOB *sig)
+ {
+ struct schannel_state *state =
+- talloc_get_type(gensec_security->private_data,
+- struct schannel_state);
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
+
+ return netsec_outgoing_packet(state, mem_ctx, false,
+ discard_const_p(uint8_t, data),
+--
+1.9.3
+
+
+From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:25:20 +0200
+Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
+ from netlogon_creds_CredentialState
+
+We need to use the same computer_name we used in the netr_Authenticate3
+request.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
+---
+ source4/auth/gensec/schannel.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index 3896a41..91f166b 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
+ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
++ bind_schannel.oem_netbios_computer.a = creds->computer_name;
+ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
+ /* w2k3 refuses us if we use the full DNS workstation?
+ why? perhaps because we don't fill in the dNSHostName
+ attribute in the machine account? */
+- bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
++ bind_schannel.utf8_netbios_computer = creds->computer_name;
+ #else
+ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
+ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+- bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
++ bind_schannel.oem_netbios_computer.a = creds->computer_name;
+ #endif
+
+ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
+--
+1.9.3
+
+
+From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 3 Aug 2013 11:21:32 +0200
+Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
+ not supported
+
+There's a sequence number attached to the connection,
+which needs to be incremented with each message...
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
+---
+ source4/auth/gensec/schannel.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index 91f166b..7fc0c7c 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
+ return true;
+ }
+- if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
+- return true;
+- }
+ return false;
+ }
+
+--
+1.9.3
+
+
+From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 3 Aug 2013 11:27:55 +0200
+Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
+ schannel_session_key()
+
+gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
+before calling schannel_session_key(), as we don't provide
+GENSEC_FEATURE_SESSION_KEY.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
+---
+ source4/auth/gensec/schannel.c | 8 --------
+ 1 file changed, 8 deletions(-)
+
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index 7fc0c7c..ebf6469 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
+ return netsec_outgoing_sig_size(state);
+ }
+
+-static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- DATA_BLOB *session_key)
+-{
+- return NT_STATUS_NOT_IMPLEMENTED;
+-}
+-
+ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+ struct tevent_context *ev,
+ const DATA_BLOB in, DATA_BLOB *out)
+@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
+ .sign_packet = schannel_sign_packet,
+ .check_packet = schannel_check_packet,
+ .unseal_packet = schannel_unseal_packet,
+- .session_key = schannel_session_key,
+ .session_info = schannel_session_info,
+ .sig_size = schannel_sig_size,
+ .have_feature = schannel_have_feature,
+--
+1.9.3
+
+
+From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 3 Aug 2013 11:32:31 +0200
+Subject: [PATCH 080/249] s4:gensec/schannel: only require
+ librpc/gen_ndr/dcerpc.h
+
+We just need DCERPC_AUTH_TYPE_SCHANNEL
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
+---
+ source4/auth/gensec/schannel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index ebf6469..e67432c 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -27,7 +27,7 @@
+ #include "auth/gensec/gensec.h"
+ #include "auth/gensec/gensec_proto.h"
+ #include "../libcli/auth/schannel.h"
+-#include "librpc/rpc/dcerpc.h"
++#include "librpc/gen_ndr/dcerpc.h"
+ #include "param/param.h"
+ #include "auth/gensec/gensec_toplevel_proto.h"
+
+--
+1.9.3
+
+
+From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 13:37:54 +0200
+Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
+ private
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
+---
+ libcli/auth/schannel.h | 13 -------------
+ libcli/auth/schannel_sign.c | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
+index 271b5bb..c53d68e 100644
+--- a/libcli/auth/schannel.h
++++ b/libcli/auth/schannel.h
+@@ -22,17 +22,4 @@
+
+ #include "libcli/auth/libcli_auth.h"
+ #include "libcli/auth/schannel_state.h"
+-
+-enum schannel_position {
+- SCHANNEL_STATE_START = 0,
+- SCHANNEL_STATE_UPDATE_1
+-};
+-
+-struct schannel_state {
+- enum schannel_position state;
+- uint64_t seq_num;
+- bool initiator;
+- struct netlogon_creds_CredentialState *creds;
+-};
+-
+ #include "libcli/auth/schannel_proto.h"
+diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
+index 518a6a9..88a6e1e 100644
+--- a/libcli/auth/schannel_sign.c
++++ b/libcli/auth/schannel_sign.c
+@@ -24,6 +24,18 @@
+ #include "../libcli/auth/schannel.h"
+ #include "../lib/crypto/crypto.h"
+
++enum schannel_position {
++ SCHANNEL_STATE_START = 0,
++ SCHANNEL_STATE_UPDATE_1
++};
++
++struct schannel_state {
++ enum schannel_position state;
++ uint64_t seq_num;
++ bool initiator;
++ struct netlogon_creds_CredentialState *creds;
++};
++
+ #define SETUP_SEQNUM(state, buf, initiator) do { \
+ uint8_t *_buf = buf; \
+ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
+--
+1.9.3
+
+
+From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 2 Aug 2013 15:42:21 +0200
+Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
+---
+ libcli/auth/schannel_sign.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
+index 88a6e1e..9502cba 100644
+--- a/libcli/auth/schannel_sign.c
++++ b/libcli/auth/schannel_sign.c
+@@ -24,13 +24,7 @@
+ #include "../libcli/auth/schannel.h"
+ #include "../lib/crypto/crypto.h"
+
+-enum schannel_position {
+- SCHANNEL_STATE_START = 0,
+- SCHANNEL_STATE_UPDATE_1
+-};
+-
+ struct schannel_state {
+- enum schannel_position state;
+ uint64_t seq_num;
+ bool initiator;
+ struct netlogon_creds_CredentialState *creds;
+@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
+- state->state = SCHANNEL_STATE_UPDATE_1;
+ state->initiator = initiator;
+ state->seq_num = 0;
+ state->creds = netlogon_creds_copy(state, creds);
+--
+1.9.3
+
+
+From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 07:12:01 +0200
+Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h
+
+We should treat most gensec related structures private.
+
+It's a long way, but this is a start.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
+---
+ auth/gensec/gensec.c | 1 +
+ auth/gensec/gensec.h | 100 ++-------------------------
+ auth/gensec/gensec_internal.h | 127 +++++++++++++++++++++++++++++++++++
+ auth/gensec/gensec_start.c | 1 +
+ auth/gensec/gensec_util.c | 1 +
+ auth/gensec/spnego.c | 1 +
+ auth/ntlmssp/gensec_ntlmssp.c | 1 +
+ auth/ntlmssp/gensec_ntlmssp_server.c | 1 +
+ auth/ntlmssp/ntlmssp.c | 1 +
+ auth/ntlmssp/ntlmssp_client.c | 1 +
+ auth/ntlmssp/ntlmssp_server.c | 1 +
+ source3/libads/authdata.c | 1 +
+ source3/librpc/crypto/gse.c | 1 +
+ source3/libsmb/ntlmssp_wrap.c | 1 +
+ source3/utils/ntlm_auth.c | 1 +
+ source4/auth/gensec/cyrus_sasl.c | 1 +
+ source4/auth/gensec/gensec_gssapi.c | 1 +
+ source4/auth/gensec/gensec_krb5.c | 1 +
+ source4/auth/gensec/pygensec.c | 1 +
+ source4/auth/gensec/schannel.c | 1 +
+ source4/ldap_server/ldap_backend.c | 1 +
+ source4/libcli/ldap/ldap_bind.c | 1 +
+ source4/torture/auth/ntlmssp.c | 1 +
+ source4/utils/ntlm_auth.c | 1 +
+ 24 files changed, 153 insertions(+), 96 deletions(-)
+ create mode 100644 auth/gensec/gensec_internal.h
+
+diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
+index 9a8f0ef..d364a34 100644
+--- a/auth/gensec/gensec.c
++++ b/auth/gensec/gensec.c
+@@ -26,6 +26,7 @@
+ #include "lib/tsocket/tsocket.h"
+ #include "lib/util/tevent_ntstatus.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "librpc/rpc/dcerpc.h"
+
+ /*
+diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
+index c080861..5d39d81 100644
+--- a/auth/gensec/gensec.h
++++ b/auth/gensec/gensec.h
+@@ -76,6 +76,7 @@ struct gensec_settings;
+ struct tevent_context;
+ struct tevent_req;
+ struct smb_krb5_context;
++struct tsocket_address;
+
+ struct gensec_settings {
+ struct loadparm_context *lp_ctx;
+@@ -93,106 +94,13 @@ struct gensec_settings {
+ const char *server_netbios_name;
+ };
+
+-struct gensec_security_ops {
+- const char *name;
+- const char *sasl_name;
+- uint8_t auth_type; /* 0 if not offered on DCE-RPC */
+- const char **oid; /* NULL if not offered by SPNEGO */
+- NTSTATUS (*client_start)(struct gensec_security *gensec_security);
+- NTSTATUS (*server_start)(struct gensec_security *gensec_security);
+- /**
+- Determine if a packet has the right 'magic' for this mechanism
+- */
+- NTSTATUS (*magic)(struct gensec_security *gensec_security,
+- const DATA_BLOB *first_packet);
+- NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+- struct tevent_context *ev,
+- const DATA_BLOB in, DATA_BLOB *out);
+- NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+- uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- DATA_BLOB *sig);
+- NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+- const uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- DATA_BLOB *sig);
+- size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
+- size_t (*max_input_size)(struct gensec_security *gensec_security);
+- size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
+- NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
+- const uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- const DATA_BLOB *sig);
+- NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
+- uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- const DATA_BLOB *sig);
+- NTSTATUS (*wrap)(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- const DATA_BLOB *in,
+- DATA_BLOB *out);
+- NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- const DATA_BLOB *in,
+- DATA_BLOB *out);
+- NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- const DATA_BLOB *in,
+- DATA_BLOB *out,
+- size_t *len_processed);
+- NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- const DATA_BLOB *in,
+- DATA_BLOB *out,
+- size_t *len_processed);
+- NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
+- DATA_BLOB blob, size_t *size);
+- NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
+- DATA_BLOB *session_key);
+- NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
+- struct auth_session_info **session_info);
+- void (*want_feature)(struct gensec_security *gensec_security,
+- uint32_t feature);
+- bool (*have_feature)(struct gensec_security *gensec_security,
+- uint32_t feature);
+- NTTIME (*expire_time)(struct gensec_security *gensec_security);
+- bool enabled;
+- bool kerberos;
+- enum gensec_priority priority;
+-};
+-
+-struct gensec_security_ops_wrapper {
+- const struct gensec_security_ops *op;
+- const char *oid;
+-};
++struct gensec_security_ops;
++struct gensec_security_ops_wrapper;
+
+ #define GENSEC_INTERFACE_VERSION 0
+
+-struct gensec_security {
+- const struct gensec_security_ops *ops;
+- void *private_data;
+- struct cli_credentials *credentials;
+- struct gensec_target target;
+- enum gensec_role gensec_role;
+- bool subcontext;
+- uint32_t want_features;
+- uint32_t max_update_size;
+- uint8_t dcerpc_auth_level;
+- struct tsocket_address *local_addr, *remote_addr;
+- struct gensec_settings *settings;
+-
+- /* When we are a server, this may be filled in to provide an
+- * NTLM authentication backend, and user lookup (such as if no
+- * PAC is found) */
+- struct auth4_context *auth_context;
+-};
+-
+ /* this structure is used by backends to determine the size of some critical types */
+-struct gensec_critical_sizes {
+- int interface_version;
+- int sizeof_gensec_security_ops;
+- int sizeof_gensec_security;
+-};
++struct gensec_critical_sizes;
+ const struct gensec_critical_sizes *gensec_interface_version(void);
+
+ /* Socket wrapper */
+diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
+new file mode 100644
+index 0000000..41b6f0d
+--- /dev/null
++++ b/auth/gensec/gensec_internal.h
+@@ -0,0 +1,127 @@
++/*
++ Unix SMB/CIFS implementation.
++
++ Generic Authentication Interface
++
++ Copyright (C) Andrew Tridgell 2003
++ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#ifndef __GENSEC_INTERNAL_H__
++#define __GENSEC_INTERNAL_H__
++
++struct gensec_security;
++
++struct gensec_security_ops {
++ const char *name;
++ const char *sasl_name;
++ uint8_t auth_type; /* 0 if not offered on DCE-RPC */
++ const char **oid; /* NULL if not offered by SPNEGO */
++ NTSTATUS (*client_start)(struct gensec_security *gensec_security);
++ NTSTATUS (*server_start)(struct gensec_security *gensec_security);
++ /**
++ Determine if a packet has the right 'magic' for this mechanism
++ */
++ NTSTATUS (*magic)(struct gensec_security *gensec_security,
++ const DATA_BLOB *first_packet);
++ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
++ struct tevent_context *ev,
++ const DATA_BLOB in, DATA_BLOB *out);
++ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
++ uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ DATA_BLOB *sig);
++ NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
++ const uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ DATA_BLOB *sig);
++ size_t (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
++ size_t (*max_input_size)(struct gensec_security *gensec_security);
++ size_t (*max_wrapped_size)(struct gensec_security *gensec_security);
++ NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
++ const uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ const DATA_BLOB *sig);
++ NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
++ uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ const DATA_BLOB *sig);
++ NTSTATUS (*wrap)(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ const DATA_BLOB *in,
++ DATA_BLOB *out);
++ NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ const DATA_BLOB *in,
++ DATA_BLOB *out);
++ NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ const DATA_BLOB *in,
++ DATA_BLOB *out,
++ size_t *len_processed);
++ NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ const DATA_BLOB *in,
++ DATA_BLOB *out,
++ size_t *len_processed);
++ NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
++ DATA_BLOB blob, size_t *size);
++ NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
++ DATA_BLOB *session_key);
++ NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
++ struct auth_session_info **session_info);
++ void (*want_feature)(struct gensec_security *gensec_security,
++ uint32_t feature);
++ bool (*have_feature)(struct gensec_security *gensec_security,
++ uint32_t feature);
++ NTTIME (*expire_time)(struct gensec_security *gensec_security);
++ bool enabled;
++ bool kerberos;
++ enum gensec_priority priority;
++};
++
++struct gensec_security_ops_wrapper {
++ const struct gensec_security_ops *op;
++ const char *oid;
++};
++
++struct gensec_security {
++ const struct gensec_security_ops *ops;
++ void *private_data;
++ struct cli_credentials *credentials;
++ struct gensec_target target;
++ enum gensec_role gensec_role;
++ bool subcontext;
++ uint32_t want_features;
++ uint32_t max_update_size;
++ uint8_t dcerpc_auth_level;
++ struct tsocket_address *local_addr, *remote_addr;
++ struct gensec_settings *settings;
++
++ /* When we are a server, this may be filled in to provide an
++ * NTLM authentication backend, and user lookup (such as if no
++ * PAC is found) */
++ struct auth4_context *auth_context;
++};
++
++/* this structure is used by backends to determine the size of some critical types */
++struct gensec_critical_sizes {
++ int interface_version;
++ int sizeof_gensec_security_ops;
++ int sizeof_gensec_security;
++};
++
++#endif /* __GENSEC_H__ */
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index c2cfa1c..34029f5 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -27,6 +27,7 @@
+ #include "librpc/rpc/dcerpc.h"
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "lib/param/param.h"
+ #include "lib/util/tsort.h"
+ #include "lib/util/samba_modules.h"
+diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
+index 64952b1..568128a 100644
+--- a/auth/gensec/gensec_util.c
++++ b/auth/gensec/gensec_util.c
+@@ -22,6 +22,7 @@
+
+ #include "includes.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/common_auth.h"
+ #include "../lib/util/asn1.h"
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index da1fc0e..38a45f8 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -27,6 +27,7 @@
+ #include "librpc/gen_ndr/ndr_dcerpc.h"
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "param/param.h"
+ #include "lib/util/asn1.h"
+
+diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
+index 9e1d8a8..654c0e3 100644
+--- a/auth/ntlmssp/gensec_ntlmssp.c
++++ b/auth/ntlmssp/gensec_ntlmssp.c
+@@ -22,6 +22,7 @@
+ #include "includes.h"
+ #include "auth/ntlmssp/ntlmssp.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/ntlmssp/ntlmssp_private.h"
+
+ NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
+diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
+index f4dfab3..69c56fb 100644
+--- a/auth/ntlmssp/gensec_ntlmssp_server.c
++++ b/auth/ntlmssp/gensec_ntlmssp_server.c
+@@ -31,6 +31,7 @@
+ #include "../libcli/auth/libcli_auth.h"
+ #include "../lib/crypto/crypto.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/common_auth.h"
+ #include "param/param.h"
+
+diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
+index 1a2d662..916b376 100644
+--- a/auth/ntlmssp/ntlmssp.c
++++ b/auth/ntlmssp/ntlmssp.c
+@@ -29,6 +29,7 @@ struct auth_session_info;
+ #include "../libcli/auth/libcli_auth.h"
+ #include "librpc/gen_ndr/ndr_dcerpc.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+
+ /**
+ * Callbacks for NTLMSSP - for both client and server operating modes
+diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
+index fc66a8d..f99257d 100644
+--- a/auth/ntlmssp/ntlmssp_client.c
++++ b/auth/ntlmssp/ntlmssp_client.c
+@@ -29,6 +29,7 @@ struct auth_session_info;
+ #include "../libcli/auth/libcli_auth.h"
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "param/param.h"
+ #include "auth/ntlmssp/ntlmssp_private.h"
+ #include "../librpc/gen_ndr/ndr_ntlmssp.h"
+diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
+index 57179e1..2f3f0bb 100644
+--- a/auth/ntlmssp/ntlmssp_server.c
++++ b/auth/ntlmssp/ntlmssp_server.c
+@@ -28,6 +28,7 @@
+ #include "../libcli/auth/libcli_auth.h"
+ #include "../lib/crypto/crypto.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/common_auth.h"
+
+ /**
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index 2c667a6..582917d 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -30,6 +30,7 @@
+ #include "lib/param/param.h"
+ #include "librpc/crypto/gse.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+ #include "../libcli/auth/spnego.h"
+
+ #ifdef HAVE_KRB5
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 11a5457..8db3cdd 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -26,6 +26,7 @@
+ #include "libads/kerberos_proto.h"
+ #include "auth/common_auth.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/credentials/credentials.h"
+ #include "../librpc/gen_ndr/dcerpc.h"
+
+diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
+index 9ce4b12..46f68ae 100644
+--- a/source3/libsmb/ntlmssp_wrap.c
++++ b/source3/libsmb/ntlmssp_wrap.c
+@@ -23,6 +23,7 @@
+ #include "auth/ntlmssp/ntlmssp_private.h"
+ #include "auth_generic.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/credentials/credentials.h"
+ #include "librpc/rpc/dcerpc.h"
+ #include "lib/param/param.h"
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index a5e0cd2..5fcb60e 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -32,6 +32,7 @@
+ #include "../libcli/auth/spnego.h"
+ #include "auth/ntlmssp/ntlmssp.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/credentials/credentials.h"
+ #include "librpc/crypto/gse.h"
+ #include "smb_krb5.h"
+diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
+index 2e733bf..08dccd6 100644
+--- a/source4/auth/gensec/cyrus_sasl.c
++++ b/source4/auth/gensec/cyrus_sasl.c
+@@ -23,6 +23,7 @@
+ #include "lib/tsocket/tsocket.h"
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/gensec/gensec_proto.h"
+ #include "auth/gensec/gensec_toplevel_proto.h"
+ #include <sasl/sasl.h>
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 4fc544f..63a53bf 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -34,6 +34,7 @@
+ #include "auth/credentials/credentials.h"
+ #include "auth/credentials/credentials_krb5.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/gensec/gensec_proto.h"
+ #include "auth/gensec/gensec_toplevel_proto.h"
+ #include "param/param.h"
+diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
+index fbec64c..ecc3331 100644
+--- a/source4/auth/gensec/gensec_krb5.c
++++ b/source4/auth/gensec/gensec_krb5.c
+@@ -34,6 +34,7 @@
+ #include "auth/credentials/credentials_krb5.h"
+ #include "auth/kerberos/kerberos_credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/gensec/gensec_proto.h"
+ #include "auth/gensec/gensec_toplevel_proto.h"
+ #include "param/param.h"
+diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
+index 02e5ae2..fd6daff 100644
+--- a/source4/auth/gensec/pygensec.c
++++ b/source4/auth/gensec/pygensec.c
+@@ -20,6 +20,7 @@
+ #include "includes.h"
+ #include "param/pyparam.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+ #include "auth/credentials/pycredentials.h"
+ #include "libcli/util/pyerrors.h"
+ #include "python/modules.h"
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+index e67432c..eb2e100 100644
+--- a/source4/auth/gensec/schannel.c
++++ b/source4/auth/gensec/schannel.c
+@@ -25,6 +25,7 @@
+ #include "auth/auth.h"
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/gensec/gensec_proto.h"
+ #include "../libcli/auth/schannel.h"
+ #include "librpc/gen_ndr/dcerpc.h"
+diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
+index 4a195e5..f0da82c 100644
+--- a/source4/ldap_server/ldap_backend.c
++++ b/source4/ldap_server/ldap_backend.c
+@@ -23,6 +23,7 @@
+ #include "../lib/util/dlinklist.h"
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+ #include "param/param.h"
+ #include "smbd/service_stream.h"
+ #include "dsdb/samdb/samdb.h"
+diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
+index b355e18..f0a498b 100644
+--- a/source4/libcli/ldap/ldap_bind.c
++++ b/source4/libcli/ldap/ldap_bind.c
+@@ -27,6 +27,7 @@
+ #include "libcli/ldap/ldap_client.h"
+ #include "lib/tls/tls.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+ #include "auth/gensec/gensec_socket.h"
+ #include "auth/credentials/credentials.h"
+ #include "lib/stream/packet.h"
+diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
+index bdaa65b..45e5889 100644
+--- a/source4/torture/auth/ntlmssp.c
++++ b/source4/torture/auth/ntlmssp.c
+@@ -19,6 +19,7 @@
+
+ #include "includes.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
+ #include "auth/ntlmssp/ntlmssp.h"
+ #include "auth/ntlmssp/ntlmssp_private.h"
+ #include "lib/cmdline/popt_common.h"
+diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
+index 136e238..1e2feb0 100644
+--- a/source4/utils/ntlm_auth.c
++++ b/source4/utils/ntlm_auth.c
+@@ -27,6 +27,7 @@
+ #include <ldb.h>
+ #include "auth/credentials/credentials.h"
+ #include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
+ #include "auth/auth.h"
+ #include "librpc/gen_ndr/ndr_netlogon.h"
+ #include "auth/auth_sam.h"
+--
+1.9.3
+
+
+From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 10:37:26 +0200
+Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
+ gensec_use_kerberos_mechs()
+
+We now always copy.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
+---
+ auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index 34029f5..096ad36 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
+ use_kerberos = cli_credentials_get_kerberos_state(creds);
+ }
+
+- if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
+- if (!talloc_reference(mem_ctx, old_gensec_list)) {
+- return NULL;
+- }
+- return old_gensec_list;
+- }
+-
+ for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
+ /* noop */
+ }
+@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
+ j = 0;
+ for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
+ int oid_idx;
+- bool found_spnego = false;
++ bool keep = false;
++
+ for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
+ if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
+- new_gensec_list[j] = old_gensec_list[i];
+- j++;
+- found_spnego = true;
++ keep = true;
+ break;
+ }
+ }
+- if (found_spnego) {
+- continue;
+- }
++
+ switch (use_kerberos) {
++ case CRED_AUTO_USE_KERBEROS:
++ keep = true;
++ break;
++
+ case CRED_DONT_USE_KERBEROS:
+ if (old_gensec_list[i]->kerberos == false) {
+- new_gensec_list[j] = old_gensec_list[i];
+- j++;
++ keep = true;
+ }
++
+ break;
++
+ case CRED_MUST_USE_KERBEROS:
+ if (old_gensec_list[i]->kerberos == true) {
+- new_gensec_list[j] = old_gensec_list[i];
+- j++;
++ keep = true;
+ }
++
+ break;
+ default:
+ /* Can't happen or invalid parameter */
+ return NULL;
+ }
++
++ if (!keep) {
++ continue;
++ }
++
++ new_gensec_list[j] = old_gensec_list[i];
++ j++;
+ }
+ new_gensec_list[j] = NULL;
+
+--
+1.9.3
+
+
+From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 10:39:16 +0200
+Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
+ gensec_security_mechs()
+
+We now always copy.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
+---
+ auth/gensec/gensec_start.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index 096ad36..00e2759 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
+ struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx)
+ {
+- struct gensec_security_ops **backends;
+- if (!gensec_security) {
+- backends = gensec_security_all();
+- if (!talloc_reference(mem_ctx, backends)) {
+- return NULL;
+- }
+- return backends;
+- } else {
+- struct cli_credentials *creds = gensec_get_credentials(gensec_security);
++ struct cli_credentials *creds = NULL;
++ struct gensec_security_ops **backends = gensec_security_all();
++
++ if (gensec_security != NULL) {
++ creds = gensec_get_credentials(gensec_security);
++
+ if (gensec_security->settings->backends) {
+ backends = gensec_security->settings->backends;
+- } else {
+- backends = gensec_security_all();
+ }
+- if (!creds) {
+- if (!talloc_reference(mem_ctx, backends)) {
+- return NULL;
+- }
+- return backends;
+- }
+- return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
+ }
++
++ return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
++
+ }
+
+ static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
+--
+1.9.3
+
+
+From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 16:12:13 +0200
+Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
+ backends
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
+---
+ auth/gensec/gensec.c | 202 ++++++++++++++++++++++++++++++++----------
+ auth/gensec/gensec_internal.h | 7 ++
+ 2 files changed, 160 insertions(+), 49 deletions(-)
+
+diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
+index d364a34..abcbcb9 100644
+--- a/auth/gensec/gensec.c
++++ b/auth/gensec/gensec.c
+@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
+ const DATA_BLOB in, DATA_BLOB *out)
+ {
+ NTSTATUS status;
++ const struct gensec_security_ops *ops = gensec_security->ops;
++ TALLOC_CTX *frame = NULL;
++ struct tevent_req *subreq = NULL;
++ bool ok;
+
+- status = gensec_security->ops->update(gensec_security, out_mem_ctx,
+- ev, in, out);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
++ if (ops->update_send == NULL) {
+
+- /*
+- * Because callers using the
+- * gensec_start_mech_by_auth_type() never call
+- * gensec_want_feature(), it isn't sensible for them
+- * to have to call gensec_have_feature() manually, and
+- * these are not points of negotiation, but are
+- * asserted by the client
+- */
+- switch (gensec_security->dcerpc_auth_level) {
+- case DCERPC_AUTH_LEVEL_INTEGRITY:
+- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+- DEBUG(0,("Did not manage to negotiate mandetory feature "
+- "SIGN for dcerpc auth_level %u\n",
+- gensec_security->dcerpc_auth_level));
+- return NT_STATUS_ACCESS_DENIED;
+- }
+- break;
+- case DCERPC_AUTH_LEVEL_PRIVACY:
+- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+- DEBUG(0,("Did not manage to negotiate mandetory feature "
+- "SIGN for dcerpc auth_level %u\n",
+- gensec_security->dcerpc_auth_level));
+- return NT_STATUS_ACCESS_DENIED;
++ status = ops->update(gensec_security, out_mem_ctx,
++ ev, in, out);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+- if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+- DEBUG(0,("Did not manage to negotiate mandetory feature "
+- "SEAL for dcerpc auth_level %u\n",
+- gensec_security->dcerpc_auth_level));
+- return NT_STATUS_ACCESS_DENIED;
++
++ /*
++ * Because callers using the
++ * gensec_start_mech_by_auth_type() never call
++ * gensec_want_feature(), it isn't sensible for them
++ * to have to call gensec_have_feature() manually, and
++ * these are not points of negotiation, but are
++ * asserted by the client
++ */
++ switch (gensec_security->dcerpc_auth_level) {
++ case DCERPC_AUTH_LEVEL_INTEGRITY:
++ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
++ DEBUG(0,("Did not manage to negotiate mandetory feature "
++ "SIGN for dcerpc auth_level %u\n",
++ gensec_security->dcerpc_auth_level));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ break;
++ case DCERPC_AUTH_LEVEL_PRIVACY:
++ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
++ DEBUG(0,("Did not manage to negotiate mandetory feature "
++ "SIGN for dcerpc auth_level %u\n",
++ gensec_security->dcerpc_auth_level));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
++ DEBUG(0,("Did not manage to negotiate mandetory feature "
++ "SEAL for dcerpc auth_level %u\n",
++ gensec_security->dcerpc_auth_level));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++ break;
++ default:
++ break;
+ }
+- break;
+- default:
+- break;
++
++ return NT_STATUS_OK;
+ }
+
+- return NT_STATUS_OK;
++ frame = talloc_stackframe();
++
++ subreq = ops->update_send(frame, ev, gensec_security, in);
++ if (subreq == NULL) {
++ goto fail;
++ }
++ ok = tevent_req_poll_ntstatus(subreq, ev, &status);
++ if (!ok) {
++ goto fail;
++ }
++ status = ops->update_recv(subreq, out_mem_ctx, out);
++ fail:
++ TALLOC_FREE(frame);
++ return status;
+ }
+
+ struct gensec_update_state {
+- struct tevent_immediate *im;
++ const struct gensec_security_ops *ops;
++ struct tevent_req *subreq;
+ struct gensec_security *gensec_security;
+- DATA_BLOB in;
+ DATA_BLOB out;
++
++ /*
++ * only for sync backends, we should remove this
++ * once all backends are async.
++ */
++ struct tevent_immediate *im;
++ DATA_BLOB in;
+ };
+
+ static void gensec_update_async_trigger(struct tevent_context *ctx,
+ struct tevent_immediate *im,
+ void *private_data);
++static void gensec_update_subreq_done(struct tevent_req *subreq);
++
+ /**
+ * Next state function for the GENSEC state machine async version
+ *
+@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
+- state->gensec_security = gensec_security;
+- state->in = in;
+- state->out = data_blob(NULL, 0);
+- state->im = tevent_create_immediate(state);
+- if (tevent_req_nomem(state->im, req)) {
++ state->ops = gensec_security->ops;
++ state->gensec_security = gensec_security;
++
++ if (state->ops->update_send == NULL) {
++ state->in = in;
++ state->im = tevent_create_immediate(state);
++ if (tevent_req_nomem(state->im, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ tevent_schedule_immediate(state->im, ev,
++ gensec_update_async_trigger,
++ req);
++
++ return req;
++ }
++
++ state->subreq = state->ops->update_send(state, ev, gensec_security, in);
++ if (tevent_req_nomem(state->subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+- tevent_schedule_immediate(state->im, ev,
+- gensec_update_async_trigger,
+- req);
++ tevent_req_set_callback(state->subreq,
++ gensec_update_subreq_done,
++ req);
+
+ return req;
+ }
+@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
+ tevent_req_data(req, struct gensec_update_state);
+ NTSTATUS status;
+
+- status = gensec_update(state->gensec_security, state, ctx,
+- state->in, &state->out);
++ status = state->ops->update(state->gensec_security, state, ctx,
++ state->in, &state->out);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ tevent_req_done(req);
++}
++
++static void gensec_update_subreq_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct gensec_update_state *state =
++ tevent_req_data(req,
++ struct gensec_update_state);
++ NTSTATUS status;
++
++ state->subreq = NULL;
++
++ status = state->ops->update_recv(subreq, state, &state->out);
++ TALLOC_FREE(subreq);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
++ /*
++ * Because callers using the
++ * gensec_start_mech_by_authtype() never call
++ * gensec_want_feature(), it isn't sensible for them
++ * to have to call gensec_have_feature() manually, and
++ * these are not points of negotiation, but are
++ * asserted by the client
++ */
++ switch (state->gensec_security->dcerpc_auth_level) {
++ case DCERPC_AUTH_LEVEL_INTEGRITY:
++ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
++ DEBUG(0,("Did not manage to negotiate mandetory feature "
++ "SIGN for dcerpc auth_level %u\n",
++ state->gensec_security->dcerpc_auth_level));
++ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
++ return;
++ }
++ break;
++ case DCERPC_AUTH_LEVEL_PRIVACY:
++ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
++ DEBUG(0,("Did not manage to negotiate mandetory feature "
++ "SIGN for dcerpc auth_level %u\n",
++ state->gensec_security->dcerpc_auth_level));
++ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
++ return;
++ }
++ if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
++ DEBUG(0,("Did not manage to negotiate mandetory feature "
++ "SEAL for dcerpc auth_level %u\n",
++ state->gensec_security->dcerpc_auth_level));
++ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
++ return;
++ }
++ break;
++ default:
++ break;
++ }
++
+ tevent_req_done(req);
+ }
+
+diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
+index 41b6f0d..c04164a 100644
+--- a/auth/gensec/gensec_internal.h
++++ b/auth/gensec/gensec_internal.h
+@@ -40,6 +40,13 @@ struct gensec_security_ops {
+ NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+ struct tevent_context *ev,
+ const DATA_BLOB in, DATA_BLOB *out);
++ struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct gensec_security *gensec_security,
++ const DATA_BLOB in);
++ NTSTATUS (*update_recv)(struct tevent_req *req,
++ TALLOC_CTX *out_mem_ctx,
++ DATA_BLOB *out);
+ NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+ uint8_t *data, size_t length,
+ const uint8_t *whole_pdu, size_t pdu_length,
+--
+1.9.3
+
+
+From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 11:10:55 +0200
+Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
+ parameters
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
+---
+ auth/gensec/gensec.h | 2 +-
+ auth/gensec/gensec_start.c | 2 +-
+ auth/gensec/spnego.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
+index 5d39d81..d0bc451 100644
+--- a/auth/gensec/gensec.h
++++ b/auth/gensec/gensec.h
+@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
+ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
+ struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+- const char **oid_strings,
++ const char * const *oid_strings,
+ const char *skip);
+ const char **gensec_security_oids(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index 00e2759..2874c13 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
+ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
+ struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+- const char **oid_strings,
++ const char * const *oid_strings,
+ const char *skip)
+ {
+ struct gensec_security_ops_wrapper *backends_out;
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 38a45f8..0eb6da1 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
+ struct spnego_state *spnego_state,
+ TALLOC_CTX *out_mem_ctx,
+ struct tevent_context *ev,
+- const char **mechType,
++ const char * const *mechType,
+ const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out)
+ {
+ int i;
+--
+1.9.3
+
+
+From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 11:20:21 +0200
+Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
+ const if possible.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
+---
+ auth/gensec/gensec.h | 14 +++++-----
+ auth/gensec/gensec_start.c | 52 ++++++++++++++++++++------------------
+ auth/gensec/spnego.c | 8 +++---
+ source3/auth/auth_generic.c | 15 ++++++-----
+ source3/libads/authdata.c | 11 ++++----
+ source3/libsmb/auth_generic.c | 15 ++++++-----
+ source3/utils/ntlm_auth.c | 22 ++++++++--------
+ source4/ldap_server/ldap_backend.c | 4 +--
+ 8 files changed, 75 insertions(+), 66 deletions(-)
+
+diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
+index d0bc451..ac1fadf 100644
+--- a/auth/gensec/gensec.h
++++ b/auth/gensec/gensec.h
+@@ -85,7 +85,7 @@ struct gensec_settings {
+ /* this allows callers to specify a specific set of ops that
+ * should be used, rather than those loaded by the plugin
+ * mechanism */
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops * const *backends;
+
+ /* To fill in our own name in the NTLMSSP server */
+ const char *server_dns_domain;
+@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
+ const struct gensec_security_ops *gensec_security_by_auth_type(
+ struct gensec_security *gensec_security,
+ uint32_t auth_type);
+-struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
++const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx);
+ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
+ struct gensec_security *gensec_security,
+@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
+ const DATA_BLOB *in,
+ DATA_BLOB *out);
+
+-struct gensec_security_ops **gensec_security_all(void);
+-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
+-struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+- struct gensec_security_ops **old_gensec_list,
+- struct cli_credentials *creds);
++const struct gensec_security_ops * const *gensec_security_all(void);
++bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
++const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
++ const struct gensec_security_ops * const *old_gensec_list,
++ struct cli_credentials *creds);
+
+ NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
+ const char *sasl_name);
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index 2874c13..3ae64d5 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -33,17 +33,17 @@
+ #include "lib/util/samba_modules.h"
+
+ /* the list of currently registered GENSEC backends */
+-static struct gensec_security_ops **generic_security_ops;
++static const struct gensec_security_ops **generic_security_ops;
+ static int gensec_num_backends;
+
+ /* Return all the registered mechs. Don't modify the return pointer,
+- * but you may talloc_reference it if convient */
+-_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
++ * but you may talloc_referen it if convient */
++_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
+ {
+ return generic_security_ops;
+ }
+
+-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
++bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
+ {
+ return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+ }
+@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
+ * more compplex.
+ */
+
+-_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+- struct gensec_security_ops **old_gensec_list,
+- struct cli_credentials *creds)
++_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
++ const struct gensec_security_ops * const *old_gensec_list,
++ struct cli_credentials *creds)
+ {
+- struct gensec_security_ops **new_gensec_list;
++ const struct gensec_security_ops **new_gensec_list;
+ int i, j, num_mechs_in;
+ enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
+
+@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
+ /* noop */
+ }
+
+- new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
++ new_gensec_list = talloc_array(mem_ctx,
++ const struct gensec_security_ops *,
++ num_mechs_in + 1);
+ if (!new_gensec_list) {
+ return NULL;
+ }
+@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
+ return new_gensec_list;
+ }
+
+-_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
++_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
+ struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx)
+ {
+ struct cli_credentials *creds = NULL;
+- struct gensec_security_ops **backends = gensec_security_all();
++ const struct gensec_security_ops * const *backends = gensec_security_all();
+
+ if (gensec_security != NULL) {
+ creds = gensec_get_credentials(gensec_security);
+@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
+ uint8_t auth_type)
+ {
+ int i;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ const struct gensec_security_ops *backend;
+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ if (!mem_ctx) {
+@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
+ const char *oid_string)
+ {
+ int i, j;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ const struct gensec_security_ops *backend;
+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ if (!mem_ctx) {
+@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
+ const char *sasl_name)
+ {
+ int i;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ const struct gensec_security_ops *backend;
+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ if (!mem_ctx) {
+@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
+ uint32_t auth_type)
+ {
+ int i;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ const struct gensec_security_ops *backend;
+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ if (!mem_ctx) {
+@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
+ const char *name)
+ {
+ int i;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ const struct gensec_security_ops *backend;
+ TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+ if (!mem_ctx) {
+@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
+ const char **sasl_names)
+ {
+ const struct gensec_security_ops **backends_out;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ int i, k, sasl_idx;
+ int num_backends_out = 0;
+
+@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
+ const char *skip)
+ {
+ struct gensec_security_ops_wrapper *backends_out;
+- struct gensec_security_ops **backends;
++ const struct gensec_security_ops **backends;
+ int i, j, k, oid_idx;
+ int num_backends_out = 0;
+
+@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
+ static const char **gensec_security_oids_from_ops(
+ struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+- struct gensec_security_ops **ops,
++ const struct gensec_security_ops * const *ops,
+ const char *skip)
+ {
+ int i;
+@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
+ TALLOC_CTX *mem_ctx,
+ const char *skip)
+ {
+- struct gensec_security_ops **ops
+- = gensec_security_mechs(gensec_security, mem_ctx);
++ const struct gensec_security_ops **ops;
++
++ ops = gensec_security_mechs(gensec_security, mem_ctx);
++
+ return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
+ }
+
+@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
+
+ generic_security_ops = talloc_realloc(talloc_autofree_context(),
+ generic_security_ops,
+- struct gensec_security_ops *,
++ const struct gensec_security_ops *,
+ gensec_num_backends+2);
+ if (!generic_security_ops) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
++ generic_security_ops[gensec_num_backends] = ops;
+ gensec_num_backends++;
+ generic_security_ops[gensec_num_backends] = NULL;
+
+@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
+ return &critical_sizes;
+ }
+
+-static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
++static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
+ return (*gs2)->priority - (*gs1)->priority;
+ }
+
+diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
+index 0eb6da1..d90a50c 100644
+--- a/auth/gensec/spnego.c
++++ b/auth/gensec/spnego.c
+@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
+ const DATA_BLOB in, DATA_BLOB *out)
+ {
+ int i,j;
+- struct gensec_security_ops **all_ops
+- = gensec_security_mechs(gensec_security, out_mem_ctx);
+- for (i=0; all_ops[i]; i++) {
++ const struct gensec_security_ops **all_ops;
++
++ all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
++
++ for (i=0; all_ops && all_ops[i]; i++) {
+ bool is_spnego;
+ NTSTATUS nt_status;
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index a2ba4e3..e15c87e 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+ return nt_status;
+ }
+ } else {
++ const struct gensec_security_ops **backends = NULL;
+ struct gensec_settings *gensec_settings;
+ struct loadparm_context *lp_ctx;
+ size_t idx = 0;
+@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- gensec_settings->backends = talloc_zero_array(gensec_settings,
+- struct gensec_security_ops *, 4);
+- if (gensec_settings->backends == NULL) {
++ backends = talloc_zero_array(gensec_settings,
++ const struct gensec_security_ops *, 4);
++ if (backends == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
++ gensec_settings->backends = backends;
+
+ gensec_init();
+
+ /* These need to be in priority order, krb5 before NTLMSSP */
+ #if defined(HAVE_KRB5)
+- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
++ backends[idx++] = &gensec_gse_krb5_security_ops;
+ #endif
+
+- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
++ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+
+- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
+- GENSEC_OID_SPNEGO);
++ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
+ /*
+ * This is anonymous for now, because we just use it
+diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
+index 582917d..801e551 100644
+--- a/source3/libads/authdata.c
++++ b/source3/libads/authdata.c
+@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ const char *cc = "MEMORY:kerberos_return_pac";
+ struct auth_session_info *session_info;
+ struct gensec_security *gensec_server_context;
+-
++ const struct gensec_security_ops **backends;
+ struct gensec_settings *gensec_settings;
+ size_t idx = 0;
+ struct auth4_context *auth_context;
+@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
+ goto out;
+ }
+
+- gensec_settings->backends = talloc_zero_array(gensec_settings,
+- struct gensec_security_ops *, 2);
+- if (gensec_settings->backends == NULL) {
++ backends = talloc_zero_array(gensec_settings,
++ const struct gensec_security_ops *, 2);
++ if (backends == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
++ gensec_settings->backends = backends;
+
+ gensec_init();
+
+- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
++ backends[idx++] = &gensec_gse_krb5_security_ops;
+
+ status = gensec_server_start(tmp_ctx, gensec_settings,
+ auth_context, &gensec_server_context);
+diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
+index ba0a0ce..e30c1b7 100644
+--- a/source3/libsmb/auth_generic.c
++++ b/source3/libsmb/auth_generic.c
+@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
+ NTSTATUS nt_status;
+ size_t idx = 0;
+ struct gensec_settings *gensec_settings;
++ const struct gensec_security_ops **backends = NULL;
+ struct loadparm_context *lp_ctx;
+
+ ans = talloc_zero(mem_ctx, struct auth_generic_state);
+@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- gensec_settings->backends = talloc_zero_array(gensec_settings,
+- struct gensec_security_ops *, 4);
+- if (gensec_settings->backends == NULL) {
++ backends = talloc_zero_array(gensec_settings,
++ const struct gensec_security_ops *, 4);
++ if (backends == NULL) {
+ TALLOC_FREE(ans);
+ return NT_STATUS_NO_MEMORY;
+ }
++ gensec_settings->backends = backends;
+
+ gensec_init();
+
+ /* These need to be in priority order, krb5 before NTLMSSP */
+ #if defined(HAVE_KRB5)
+- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
++ backends[idx++] = &gensec_gse_krb5_security_ops;
+ #endif
+
+- gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
++ backends[idx++] = &gensec_ntlmssp3_client_ops;
+
+- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
+- GENSEC_OID_SPNEGO);
++ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
+ nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 5fcb60e..25e717c 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
+ NTSTATUS nt_status;
+
+ TALLOC_CTX *tmp_ctx;
+-
++ const struct gensec_security_ops **backends;
+ struct gensec_settings *gensec_settings;
+ size_t idx = 0;
+ struct cli_credentials *server_credentials;
+@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
+ gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
+ get_mydnsfullname());
+
+- gensec_settings->backends = talloc_zero_array(gensec_settings,
+- struct gensec_security_ops *, 4);
++ backends = talloc_zero_array(gensec_settings,
++ const struct gensec_security_ops *, 4);
+
+- if (gensec_settings->backends == NULL) {
++ if (backends == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+-
++ gensec_settings->backends = backends;
++
+ gensec_init();
+
+ /* These need to be in priority order, krb5 before NTLMSSP */
+ #if defined(HAVE_KRB5)
+- gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
++ backends[idx++] = &gensec_gse_krb5_security_ops;
+ #endif
+-
+- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+
+- gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
+- GENSEC_OID_SPNEGO);
+-
++ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
++
++ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
++
+ /*
+ * This is anonymous for now, because we just use it
+ * to set the kerberos state at the moment
+diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
+index f0da82c..3432594 100644
+--- a/source4/ldap_server/ldap_backend.c
++++ b/source4/ldap_server/ldap_backend.c
+@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
+
+ if (conn->server_credentials) {
+ char **sasl_mechs = NULL;
+- struct gensec_security_ops **backends = gensec_security_all();
+- struct gensec_security_ops **ops
++ const struct gensec_security_ops * const *backends = gensec_security_all();
++ const struct gensec_security_ops **ops
+ = gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
+ unsigned int i, j = 0;
+ for (i = 0; ops && ops[i]; i++) {
+--
+1.9.3
+
+
+From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 10:43:38 +0200
+Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
+ read_negTokenInit()
+
+Also add error checks.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
+---
+ libcli/auth/spnego_parse.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
+index 3bf7aea..2c73613 100644
+--- a/libcli/auth/spnego_parse.c
++++ b/libcli/auth/spnego_parse.c
+@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
+ asn1_start_tag(asn1, ASN1_CONTEXT(0));
+ asn1_start_tag(asn1, ASN1_SEQUENCE(0));
+
+- token->mechTypes = talloc(NULL, const char *);
++ token->mechTypes = talloc(mem_ctx, const char *);
++ if (token->mechTypes == NULL) {
++ asn1->has_error = true;
++ return false;
++ }
+ for (i = 0; !asn1->has_error &&
+ 0 < asn1_tag_remaining(asn1); i++) {
+ char *oid;
+- token->mechTypes = talloc_realloc(NULL,
+- token->mechTypes,
+- const char *, i+2);
++ const char **p;
++ p = talloc_realloc(mem_ctx,
++ token->mechTypes,
++ const char *, i+2);
++ if (p == NULL) {
++ TALLOC_FREE(token->mechTypes);
++ asn1->has_error = true;
++ return false;
++ }
++ token->mechTypes = p;
+ asn1_read_OID(asn1, token->mechTypes, &oid);
+ token->mechTypes[i] = oid;
+ }
+--
+1.9.3
+
+
+From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 5 Aug 2013 10:46:47 +0200
+Subject: [PATCH 090/249] libcli/auth: add more const to
+ spnego_negTokenInit->mechTypes
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
+(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
+---
+ libcli/auth/spnego.h | 2 +-
+ libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
+ libcli/auth/spnego_proto.h | 2 +-
+ source3/utils/ntlm_auth.c | 2 +-
+ 4 files changed, 19 insertions(+), 14 deletions(-)
+
+diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
+index 9a93f2e..539b903 100644
+--- a/libcli/auth/spnego.h
++++ b/libcli/auth/spnego.h
+@@ -49,7 +49,7 @@ enum spnego_negResult {
+ };
+
+ struct spnego_negTokenInit {
+- const char **mechTypes;
++ const char * const *mechTypes;
+ DATA_BLOB reqFlags;
+ uint8_t reqFlagsPadding;
+ DATA_BLOB mechToken;
+diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
+index 2c73613..b1ca07d 100644
+--- a/libcli/auth/spnego_parse.c
++++ b/libcli/auth/spnego_parse.c
+@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
+
+ switch (context) {
+ /* Read mechTypes */
+- case ASN1_CONTEXT(0):
++ case ASN1_CONTEXT(0): {
++ const char **mechTypes;
++
+ asn1_start_tag(asn1, ASN1_CONTEXT(0));
+ asn1_start_tag(asn1, ASN1_SEQUENCE(0));
+
+- token->mechTypes = talloc(mem_ctx, const char *);
+- if (token->mechTypes == NULL) {
++ mechTypes = talloc(mem_ctx, const char *);
++ if (mechTypes == NULL) {
+ asn1->has_error = true;
+ return false;
+ }
+@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
+ char *oid;
+ const char **p;
+ p = talloc_realloc(mem_ctx,
+- token->mechTypes,
++ mechTypes,
+ const char *, i+2);
+ if (p == NULL) {
+- TALLOC_FREE(token->mechTypes);
++ talloc_free(mechTypes);
+ asn1->has_error = true;
+ return false;
+ }
+- token->mechTypes = p;
+- asn1_read_OID(asn1, token->mechTypes, &oid);
+- token->mechTypes[i] = oid;
++ mechTypes = p;
++
++ asn1_read_OID(asn1, mechTypes, &oid);
++ mechTypes[i] = oid;
+ }
+- token->mechTypes[i] = NULL;
++ mechTypes[i] = NULL;
++ token->mechTypes = mechTypes;
+
+ asn1_end_tag(asn1);
+ asn1_end_tag(asn1);
+ break;
++ }
+ /* Read reqFlags */
+ case ASN1_CONTEXT(1):
+ asn1_start_tag(asn1, ASN1_CONTEXT(1));
+@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
+ switch(spnego->type) {
+ case SPNEGO_NEG_TOKEN_INIT:
+ if (spnego->negTokenInit.mechTypes) {
+- talloc_free(spnego->negTokenInit.mechTypes);
++ talloc_free(discard_const(spnego->negTokenInit.mechTypes));
+ }
+ data_blob_free(&spnego->negTokenInit.reqFlags);
+ data_blob_free(&spnego->negTokenInit.mechToken);
+@@ -390,7 +395,7 @@ out:
+ }
+
+ bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
+- const char **mech_types,
++ const char * const *mech_types,
+ DATA_BLOB *blob)
+ {
+ struct asn1_data *asn1 = asn1_init(mem_ctx);
+diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
+index 5fd5e59..c0fa934 100644
+--- a/libcli/auth/spnego_proto.h
++++ b/libcli/auth/spnego_proto.h
+@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
+ ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
+ bool spnego_free_data(struct spnego_data *spnego);
+ bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
+- const char **mech_types,
++ const char * const *mech_types,
+ DATA_BLOB *blob);
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 25e717c..1df615c 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
+
+ /* The server offers a list of mechanisms */
+
+- const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
++ const char *const *mechType = spnego.negTokenInit.mechTypes;
+
+ while (*mechType != NULL) {
+
+--
+1.9.3
+
+
+From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 9 Aug 2013 10:15:05 +0200
+Subject: [PATCH 091/249] auth/credentials: make sure
+ cli_credentials_get_nt_hash() always returns a talloc object
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/credentials/credentials.c | 19 ++++++++++++++-----
+ auth/credentials/credentials.h | 4 ++--
+ 2 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index be497bc..57a7c0b 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
+ * @param cred credentials context
+ * @retval If set, the cleartext password, otherwise NULL
+ */
+-_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+- TALLOC_CTX *mem_ctx)
++_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
++ TALLOC_CTX *mem_ctx)
+ {
+ const char *password = cli_credentials_get_password(cred);
+
+@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
+ if (!nt_hash) {
+ return NULL;
+ }
+-
++
+ E_md4hash(password, nt_hash->hash);
+
+ return nt_hash;
+- } else {
+- return cred->nt_hash;
++ } else if (cred->nt_hash != NULL) {
++ struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
++ if (!nt_hash) {
++ return NULL;
++ }
++
++ *nt_hash = *cred->nt_hash;
++
++ return nt_hash;
+ }
++
++ return NULL;
+ }
+
+ /**
+diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
+index cb09dc3..766a513 100644
+--- a/auth/credentials/credentials.h
++++ b/auth/credentials/credentials.h
+@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
+ enum credentials_obtained obtained);
+ struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
+ void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
+-const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+- TALLOC_CTX *mem_ctx);
++struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
++ TALLOC_CTX *mem_ctx);
+ bool cli_credentials_set_realm(struct cli_credentials *cred,
+ const char *val,
+ enum credentials_obtained obtained);
+--
+1.9.3
+
+
+From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc@symas.com>
+Date: Tue, 17 Sep 2013 13:09:50 -0700
+Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module
+
+Signed-off-by: Howard Chu <hyc@symas.com>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
+(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
+---
+ auth/gensec/external.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++
+ auth/gensec/gensec.h | 3 +-
+ auth/gensec/wscript_build | 7 ++++
+ 3 files changed, 91 insertions(+), 1 deletion(-)
+ create mode 100644 auth/gensec/external.c
+
+diff --git a/auth/gensec/external.c b/auth/gensec/external.c
+new file mode 100644
+index 0000000..a26e435
+--- /dev/null
++++ b/auth/gensec/external.c
+@@ -0,0 +1,82 @@
++/*
++ Unix SMB/CIFS implementation.
++
++ SASL/EXTERNAL authentication.
++
++ Copyright (C) Howard Chu <hyc@symas.com> 2013
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "includes.h"
++#include "auth/credentials/credentials.h"
++#include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
++#include "auth/gensec/gensec_proto.h"
++#include "auth/gensec/gensec_toplevel_proto.h"
++
++/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
++ * layer is already mutually authenticated.
++ */
++
++NTSTATUS gensec_external_init(void);
++
++static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
++{
++ if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
++ return NT_STATUS_INVALID_PARAMETER;
++ if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
++ return NT_STATUS_INVALID_PARAMETER;
++
++ return NT_STATUS_OK;
++}
++
++static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
++ TALLOC_CTX *out_mem_ctx,
++ struct tevent_context *ev,
++ const DATA_BLOB in, DATA_BLOB *out)
++{
++ *out = data_blob_talloc(out_mem_ctx, "", 0);
++ return NT_STATUS_OK;
++}
++
++/* We have no features */
++static bool gensec_external_have_feature(struct gensec_security *gensec_security,
++ uint32_t feature)
++{
++ return false;
++}
++
++static const struct gensec_security_ops gensec_external_ops = {
++ .name = "sasl-EXTERNAL",
++ .sasl_name = "EXTERNAL",
++ .client_start = gensec_external_start,
++ .update = gensec_external_update,
++ .have_feature = gensec_external_have_feature,
++ .enabled = true,
++ .priority = GENSEC_EXTERNAL
++};
++
++
++NTSTATUS gensec_external_init(void)
++{
++ NTSTATUS ret;
++
++ ret = gensec_register(&gensec_external_ops);
++ if (!NT_STATUS_IS_OK(ret)) {
++ DEBUG(0,("Failed to register '%s' gensec backend!\n",
++ gensec_external_ops.name));
++ }
++ return ret;
++}
+diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
+index ac1fadf..6974f87 100644
+--- a/auth/gensec/gensec.h
++++ b/auth/gensec/gensec.h
+@@ -41,7 +41,8 @@ enum gensec_priority {
+ GENSEC_SCHANNEL = 60,
+ GENSEC_NTLMSSP = 50,
+ GENSEC_SASL = 20,
+- GENSEC_OTHER = 0
++ GENSEC_OTHER = 10,
++ GENSEC_EXTERNAL = 0
+ };
+
+ struct gensec_security;
+diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
+index fcd74a3..71222f7 100755
+--- a/auth/gensec/wscript_build
++++ b/auth/gensec/wscript_build
+@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
+ init_function='gensec_spnego_init',
+ deps='asn1util samba-credentials SPNEGO_PARSE'
+ )
++
++bld.SAMBA_MODULE('gensec_external',
++ source='external.c',
++ autoproto='external_proto.h',
++ subsystem='gensec',
++ init_function='gensec_external_init'
++ )
+--
+1.9.3
+
+
+From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 17:24:10 +0200
+Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
+---
+ auth/gensec/schannel.c | 330 ++++++++++++++++++++++++++++++++++++++
+ auth/gensec/wscript_build | 8 +
+ source4/auth/gensec/schannel.c | 330 --------------------------------------
+ source4/auth/gensec/wscript_build | 10 --
+ 4 files changed, 338 insertions(+), 340 deletions(-)
+ create mode 100644 auth/gensec/schannel.c
+ delete mode 100644 source4/auth/gensec/schannel.c
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+new file mode 100644
+index 0000000..eb2e100
+--- /dev/null
++++ b/auth/gensec/schannel.c
+@@ -0,0 +1,330 @@
++/*
++ Unix SMB/CIFS implementation.
++
++ dcerpc schannel operations
++
++ Copyright (C) Andrew Tridgell 2004
++ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "includes.h"
++#include "librpc/gen_ndr/ndr_schannel.h"
++#include "auth/auth.h"
++#include "auth/credentials/credentials.h"
++#include "auth/gensec/gensec.h"
++#include "auth/gensec/gensec_internal.h"
++#include "auth/gensec/gensec_proto.h"
++#include "../libcli/auth/schannel.h"
++#include "librpc/gen_ndr/dcerpc.h"
++#include "param/param.h"
++#include "auth/gensec/gensec_toplevel_proto.h"
++
++_PUBLIC_ NTSTATUS gensec_schannel_init(void);
++
++static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
++{
++ struct schannel_state *state =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
++
++ return netsec_outgoing_sig_size(state);
++}
++
++static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
++ struct tevent_context *ev,
++ const DATA_BLOB in, DATA_BLOB *out)
++{
++ struct schannel_state *state =
++ talloc_get_type(gensec_security->private_data,
++ struct schannel_state);
++ NTSTATUS status;
++ enum ndr_err_code ndr_err;
++ struct NL_AUTH_MESSAGE bind_schannel;
++ struct NL_AUTH_MESSAGE bind_schannel_ack;
++ struct netlogon_creds_CredentialState *creds;
++ const char *workstation;
++ const char *domain;
++
++ *out = data_blob(NULL, 0);
++
++ switch (gensec_security->gensec_role) {
++ case GENSEC_CLIENT:
++ if (state != NULL) {
++ /* we could parse the bind ack, but we don't know what it is yet */
++ return NT_STATUS_OK;
++ }
++
++ creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
++ if (creds == NULL) {
++ return NT_STATUS_INVALID_PARAMETER_MIX;
++ }
++
++ state = netsec_create_state(gensec_security,
++ creds, true /* initiator */);
++ if (state == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ gensec_security->private_data = state;
++
++ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
++#if 0
++ /* to support this we'd need to have access to the full domain name */
++ /* 0x17, 23 */
++ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
++ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
++ NL_FLAG_UTF8_DNS_DOMAIN_NAME |
++ NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
++ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
++ bind_schannel.oem_netbios_computer.a = creds->computer_name;
++ bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
++ /* w2k3 refuses us if we use the full DNS workstation?
++ why? perhaps because we don't fill in the dNSHostName
++ attribute in the machine account? */
++ bind_schannel.utf8_netbios_computer = creds->computer_name;
++#else
++ bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
++ NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
++ bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
++ bind_schannel.oem_netbios_computer.a = creds->computer_name;
++#endif
++
++ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
++ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ status = ndr_map_error2ntstatus(ndr_err);
++ DEBUG(3, ("Could not create schannel bind: %s\n",
++ nt_errstr(status)));
++ return status;
++ }
++
++ return NT_STATUS_MORE_PROCESSING_REQUIRED;
++ case GENSEC_SERVER:
++
++ if (state != NULL) {
++ /* no third leg on this protocol */
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ /* parse the schannel startup blob */
++ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
++ (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ status = ndr_map_error2ntstatus(ndr_err);
++ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
++ nt_errstr(status)));
++ return status;
++ }
++
++ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
++ domain = bind_schannel.oem_netbios_domain.a;
++ if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
++ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
++ domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
++ return NT_STATUS_LOGON_FAILURE;
++ }
++ } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
++ domain = bind_schannel.utf8_dns_domain.u;
++ if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
++ DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
++ domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
++ return NT_STATUS_LOGON_FAILURE;
++ }
++ } else {
++ DEBUG(3, ("Request for schannel to without domain\n"));
++ return NT_STATUS_LOGON_FAILURE;
++ }
++
++ if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
++ workstation = bind_schannel.oem_netbios_computer.a;
++ } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
++ workstation = bind_schannel.utf8_netbios_computer.u;
++ } else {
++ DEBUG(3, ("Request for schannel to without netbios workstation\n"));
++ return NT_STATUS_LOGON_FAILURE;
++ }
++
++ status = schannel_get_creds_state(out_mem_ctx,
++ gensec_security->settings->lp_ctx,
++ workstation, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
++ workstation, nt_errstr(status)));
++ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
++ return NT_STATUS_LOGON_FAILURE;
++ }
++ return status;
++ }
++
++ state = netsec_create_state(gensec_security,
++ creds, false /* not initiator */);
++ if (state == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ gensec_security->private_data = state;
++
++ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
++ bind_schannel_ack.Flags = 0;
++ bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
++ * this does not have
++ * any meaning here
++ * - gd */
++
++ ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
++ (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ status = ndr_map_error2ntstatus(ndr_err);
++ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
++ workstation, nt_errstr(status)));
++ return status;
++ }
++
++ return NT_STATUS_OK;
++ }
++ return NT_STATUS_INVALID_PARAMETER;
++}
++
++/**
++ * Returns anonymous credentials for schannel, matching Win2k3.
++ *
++ */
++
++static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ struct auth_session_info **_session_info)
++{
++ return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
++}
++
++static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
++{
++ return NT_STATUS_OK;
++}
++
++static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
++{
++ return NT_STATUS_OK;
++}
++
++static bool schannel_have_feature(struct gensec_security *gensec_security,
++ uint32_t feature)
++{
++ if (feature & (GENSEC_FEATURE_SIGN |
++ GENSEC_FEATURE_SEAL)) {
++ return true;
++ }
++ if (feature & GENSEC_FEATURE_DCE_STYLE) {
++ return true;
++ }
++ return false;
++}
++
++/*
++ unseal a packet
++*/
++static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
++ uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ const DATA_BLOB *sig)
++{
++ struct schannel_state *state =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
++
++ return netsec_incoming_packet(state, true,
++ discard_const_p(uint8_t, data),
++ length, sig);
++}
++
++/*
++ check the signature on a packet
++*/
++static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
++ const uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ const DATA_BLOB *sig)
++{
++ struct schannel_state *state =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
++
++ return netsec_incoming_packet(state, false,
++ discard_const_p(uint8_t, data),
++ length, sig);
++}
++/*
++ seal a packet
++*/
++static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ DATA_BLOB *sig)
++{
++ struct schannel_state *state =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
++
++ return netsec_outgoing_packet(state, mem_ctx, true,
++ data, length, sig);
++}
++
++/*
++ sign a packet
++*/
++static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
++ TALLOC_CTX *mem_ctx,
++ const uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
++ DATA_BLOB *sig)
++{
++ struct schannel_state *state =
++ talloc_get_type_abort(gensec_security->private_data,
++ struct schannel_state);
++
++ return netsec_outgoing_packet(state, mem_ctx, false,
++ discard_const_p(uint8_t, data),
++ length, sig);
++}
++
++static const struct gensec_security_ops gensec_schannel_security_ops = {
++ .name = "schannel",
++ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
++ .client_start = schannel_client_start,
++ .server_start = schannel_server_start,
++ .update = schannel_update,
++ .seal_packet = schannel_seal_packet,
++ .sign_packet = schannel_sign_packet,
++ .check_packet = schannel_check_packet,
++ .unseal_packet = schannel_unseal_packet,
++ .session_info = schannel_session_info,
++ .sig_size = schannel_sig_size,
++ .have_feature = schannel_have_feature,
++ .enabled = true,
++ .priority = GENSEC_SCHANNEL
++};
++
++_PUBLIC_ NTSTATUS gensec_schannel_init(void)
++{
++ NTSTATUS ret;
++ ret = gensec_register(&gensec_schannel_security_ops);
++ if (!NT_STATUS_IS_OK(ret)) {
++ DEBUG(0,("Failed to register '%s' gensec backend!\n",
++ gensec_schannel_security_ops.name));
++ return ret;
++ }
++
++ return ret;
++}
+diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
+index 71222f7..7329eec 100755
+--- a/auth/gensec/wscript_build
++++ b/auth/gensec/wscript_build
+@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
+ deps='asn1util samba-credentials SPNEGO_PARSE'
+ )
+
++bld.SAMBA_MODULE('gensec_schannel',
++ source='schannel.c',
++ autoproto='schannel_proto.h',
++ subsystem='gensec',
++ init_function='gensec_schannel_init',
++ deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
++ )
++
+ bld.SAMBA_MODULE('gensec_external',
+ source='external.c',
+ autoproto='external_proto.h',
+diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
+deleted file mode 100644
+index eb2e100..0000000
+--- a/source4/auth/gensec/schannel.c
++++ /dev/null
+@@ -1,330 +0,0 @@
+-/*
+- Unix SMB/CIFS implementation.
+-
+- dcerpc schannel operations
+-
+- Copyright (C) Andrew Tridgell 2004
+- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+-
+- This program is free software; you can redistribute it and/or modify
+- it under the terms of the GNU General Public License as published by
+- the Free Software Foundation; either version 3 of the License, or
+- (at your option) any later version.
+-
+- This program is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- GNU General Public License for more details.
+-
+- You should have received a copy of the GNU General Public License
+- along with this program. If not, see <http://www.gnu.org/licenses/>.
+-*/
+-
+-#include "includes.h"
+-#include "librpc/gen_ndr/ndr_schannel.h"
+-#include "auth/auth.h"
+-#include "auth/credentials/credentials.h"
+-#include "auth/gensec/gensec.h"
+-#include "auth/gensec/gensec_internal.h"
+-#include "auth/gensec/gensec_proto.h"
+-#include "../libcli/auth/schannel.h"
+-#include "librpc/gen_ndr/dcerpc.h"
+-#include "param/param.h"
+-#include "auth/gensec/gensec_toplevel_proto.h"
+-
+-_PUBLIC_ NTSTATUS gensec_schannel_init(void);
+-
+-static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
+-{
+- struct schannel_state *state =
+- talloc_get_type_abort(gensec_security->private_data,
+- struct schannel_state);
+-
+- return netsec_outgoing_sig_size(state);
+-}
+-
+-static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+- struct tevent_context *ev,
+- const DATA_BLOB in, DATA_BLOB *out)
+-{
+- struct schannel_state *state =
+- talloc_get_type(gensec_security->private_data,
+- struct schannel_state);
+- NTSTATUS status;
+- enum ndr_err_code ndr_err;
+- struct NL_AUTH_MESSAGE bind_schannel;
+- struct NL_AUTH_MESSAGE bind_schannel_ack;
+- struct netlogon_creds_CredentialState *creds;
+- const char *workstation;
+- const char *domain;
+-
+- *out = data_blob(NULL, 0);
+-
+- switch (gensec_security->gensec_role) {
+- case GENSEC_CLIENT:
+- if (state != NULL) {
+- /* we could parse the bind ack, but we don't know what it is yet */
+- return NT_STATUS_OK;
+- }
+-
+- creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
+- if (creds == NULL) {
+- return NT_STATUS_INVALID_PARAMETER_MIX;
+- }
+-
+- state = netsec_create_state(gensec_security,
+- creds, true /* initiator */);
+- if (state == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+- gensec_security->private_data = state;
+-
+- bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
+-#if 0
+- /* to support this we'd need to have access to the full domain name */
+- /* 0x17, 23 */
+- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
+- NL_FLAG_UTF8_DNS_DOMAIN_NAME |
+- NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+- bind_schannel.oem_netbios_computer.a = creds->computer_name;
+- bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
+- /* w2k3 refuses us if we use the full DNS workstation?
+- why? perhaps because we don't fill in the dNSHostName
+- attribute in the machine account? */
+- bind_schannel.utf8_netbios_computer = creds->computer_name;
+-#else
+- bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
+- bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+- bind_schannel.oem_netbios_computer.a = creds->computer_name;
+-#endif
+-
+- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
+- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- status = ndr_map_error2ntstatus(ndr_err);
+- DEBUG(3, ("Could not create schannel bind: %s\n",
+- nt_errstr(status)));
+- return status;
+- }
+-
+- return NT_STATUS_MORE_PROCESSING_REQUIRED;
+- case GENSEC_SERVER:
+-
+- if (state != NULL) {
+- /* no third leg on this protocol */
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- /* parse the schannel startup blob */
+- ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
+- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- status = ndr_map_error2ntstatus(ndr_err);
+- DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
+- nt_errstr(status)));
+- return status;
+- }
+-
+- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
+- domain = bind_schannel.oem_netbios_domain.a;
+- if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
+- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+- domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
+- return NT_STATUS_LOGON_FAILURE;
+- }
+- } else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
+- domain = bind_schannel.utf8_dns_domain.u;
+- if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
+- DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+- domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
+- return NT_STATUS_LOGON_FAILURE;
+- }
+- } else {
+- DEBUG(3, ("Request for schannel to without domain\n"));
+- return NT_STATUS_LOGON_FAILURE;
+- }
+-
+- if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
+- workstation = bind_schannel.oem_netbios_computer.a;
+- } else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
+- workstation = bind_schannel.utf8_netbios_computer.u;
+- } else {
+- DEBUG(3, ("Request for schannel to without netbios workstation\n"));
+- return NT_STATUS_LOGON_FAILURE;
+- }
+-
+- status = schannel_get_creds_state(out_mem_ctx,
+- gensec_security->settings->lp_ctx,
+- workstation, &creds);
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
+- workstation, nt_errstr(status)));
+- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+- return NT_STATUS_LOGON_FAILURE;
+- }
+- return status;
+- }
+-
+- state = netsec_create_state(gensec_security,
+- creds, false /* not initiator */);
+- if (state == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+- gensec_security->private_data = state;
+-
+- bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
+- bind_schannel_ack.Flags = 0;
+- bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
+- * this does not have
+- * any meaning here
+- * - gd */
+-
+- ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
+- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- status = ndr_map_error2ntstatus(ndr_err);
+- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
+- workstation, nt_errstr(status)));
+- return status;
+- }
+-
+- return NT_STATUS_OK;
+- }
+- return NT_STATUS_INVALID_PARAMETER;
+-}
+-
+-/**
+- * Returns anonymous credentials for schannel, matching Win2k3.
+- *
+- */
+-
+-static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- struct auth_session_info **_session_info)
+-{
+- return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
+-}
+-
+-static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+-{
+- return NT_STATUS_OK;
+-}
+-
+-static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
+-{
+- return NT_STATUS_OK;
+-}
+-
+-static bool schannel_have_feature(struct gensec_security *gensec_security,
+- uint32_t feature)
+-{
+- if (feature & (GENSEC_FEATURE_SIGN |
+- GENSEC_FEATURE_SEAL)) {
+- return true;
+- }
+- if (feature & GENSEC_FEATURE_DCE_STYLE) {
+- return true;
+- }
+- return false;
+-}
+-
+-/*
+- unseal a packet
+-*/
+-static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
+- uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- const DATA_BLOB *sig)
+-{
+- struct schannel_state *state =
+- talloc_get_type_abort(gensec_security->private_data,
+- struct schannel_state);
+-
+- return netsec_incoming_packet(state, true,
+- discard_const_p(uint8_t, data),
+- length, sig);
+-}
+-
+-/*
+- check the signature on a packet
+-*/
+-static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
+- const uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- const DATA_BLOB *sig)
+-{
+- struct schannel_state *state =
+- talloc_get_type_abort(gensec_security->private_data,
+- struct schannel_state);
+-
+- return netsec_incoming_packet(state, false,
+- discard_const_p(uint8_t, data),
+- length, sig);
+-}
+-/*
+- seal a packet
+-*/
+-static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- DATA_BLOB *sig)
+-{
+- struct schannel_state *state =
+- talloc_get_type_abort(gensec_security->private_data,
+- struct schannel_state);
+-
+- return netsec_outgoing_packet(state, mem_ctx, true,
+- data, length, sig);
+-}
+-
+-/*
+- sign a packet
+-*/
+-static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
+- TALLOC_CTX *mem_ctx,
+- const uint8_t *data, size_t length,
+- const uint8_t *whole_pdu, size_t pdu_length,
+- DATA_BLOB *sig)
+-{
+- struct schannel_state *state =
+- talloc_get_type_abort(gensec_security->private_data,
+- struct schannel_state);
+-
+- return netsec_outgoing_packet(state, mem_ctx, false,
+- discard_const_p(uint8_t, data),
+- length, sig);
+-}
+-
+-static const struct gensec_security_ops gensec_schannel_security_ops = {
+- .name = "schannel",
+- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
+- .client_start = schannel_client_start,
+- .server_start = schannel_server_start,
+- .update = schannel_update,
+- .seal_packet = schannel_seal_packet,
+- .sign_packet = schannel_sign_packet,
+- .check_packet = schannel_check_packet,
+- .unseal_packet = schannel_unseal_packet,
+- .session_info = schannel_session_info,
+- .sig_size = schannel_sig_size,
+- .have_feature = schannel_have_feature,
+- .enabled = true,
+- .priority = GENSEC_SCHANNEL
+-};
+-
+-_PUBLIC_ NTSTATUS gensec_schannel_init(void)
+-{
+- NTSTATUS ret;
+- ret = gensec_register(&gensec_schannel_security_ops);
+- if (!NT_STATUS_IS_OK(ret)) {
+- DEBUG(0,("Failed to register '%s' gensec backend!\n",
+- gensec_schannel_security_ops.name));
+- return ret;
+- }
+-
+- return ret;
+-}
+diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
+index 04fccc5..a3eff97 100755
+--- a/source4/auth/gensec/wscript_build
++++ b/source4/auth/gensec/wscript_build
+@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
+ )
+
+
+-bld.SAMBA_MODULE('gensec_schannel',
+- source='schannel.c',
+- subsystem='gensec',
+- deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
+- internal_module=True,
+- autoproto='schannel_proto.h',
+- init_function='gensec_schannel_init'
+- )
+-
+-
+ bld.SAMBA_PYTHON('pygensec',
+ source='pygensec.c',
+ deps='gensec pytalloc-util pyparam_util',
+--
+1.9.3
+
+
+From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 17:24:49 +0200
+Subject: [PATCH 094/249] gensec: remove duplicate
+ gensec_security_by_authtype() call.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We should use the equivalent gensec_security_by_auth_type() call which is
+exposed in the public header.
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
+---
+ auth/gensec/gensec_start.c | 29 ++---------------------------
+ 1 file changed, 2 insertions(+), 27 deletions(-)
+
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index 3ae64d5..906ef67 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
+
+ }
+
+-static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
+- uint8_t auth_type)
+-{
+- int i;
+- const struct gensec_security_ops **backends;
+- const struct gensec_security_ops *backend;
+- TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+- if (!mem_ctx) {
+- return NULL;
+- }
+- backends = gensec_security_mechs(gensec_security, mem_ctx);
+- for (i=0; backends && backends[i]; i++) {
+- if (!gensec_security_ops_enabled(backends[i], gensec_security))
+- continue;
+- if (backends[i]->auth_type == auth_type) {
+- backend = backends[i];
+- talloc_free(mem_ctx);
+- return backend;
+- }
+- }
+- talloc_free(mem_ctx);
+-
+- return NULL;
+-}
+-
+ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
+ struct gensec_security *gensec_security,
+ const char *oid_string)
+@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
+ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
+ uint8_t auth_type, uint8_t auth_level)
+ {
+- gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
++ gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
+ if (!gensec_security->ops) {
+ DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
+ return NT_STATUS_INVALID_PARAMETER;
+@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
+ _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
+ {
+ const struct gensec_security_ops *ops;
+- ops = gensec_security_by_authtype(gensec_security, authtype);
++ ops = gensec_security_by_auth_type(gensec_security, authtype);
+ if (ops) {
+ return ops->name;
+ }
+--
+1.9.3
+
+
+From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 17:25:55 +0200
+Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
+ gensec_security_by_auth_type().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+We have equivalent checks in other gensec_security_by_X calls already.
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
+---
+ auth/gensec/gensec_start.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
+index 906ef67..476134a 100644
+--- a/auth/gensec/gensec_start.c
++++ b/auth/gensec/gensec_start.c
+@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
+ }
+ backends = gensec_security_mechs(gensec_security, mem_ctx);
+ for (i=0; backends && backends[i]; i++) {
+- if (!gensec_security_ops_enabled(backends[i], gensec_security))
+- continue;
++ if (gensec_security != NULL &&
++ !gensec_security_ops_enabled(backends[i], gensec_security)) {
++ continue;
++ }
+ if (backends[i]->auth_type == auth_type) {
+ backend = backends[i];
+ talloc_free(mem_ctx);
+--
+1.9.3
+
+
+From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 17:27:28 +0200
+Subject: [PATCH 096/249] s3-auth: also load schannel module from
+ auth_generic_client_prepare().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
+---
+ source3/libsmb/auth_generic.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
+index e30c1b7..3130dec 100644
+--- a/source3/libsmb/auth_generic.c
++++ b/source3/libsmb/auth_generic.c
+@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
+ }
+
+ backends = talloc_zero_array(gensec_settings,
+- const struct gensec_security_ops *, 4);
++ const struct gensec_security_ops *, 5);
+ if (backends == NULL) {
+ TALLOC_FREE(ans);
+ return NT_STATUS_NO_MEMORY;
+@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
+ backends[idx++] = &gensec_ntlmssp3_client_ops;
+
+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
++ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
+
+ nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
+
+--
+1.9.3
+
+
+From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 17:44:10 +0200
+Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
+ CredentialState struct to gensec.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
+---
+ source3/rpc_client/cli_pipe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 470469f..2acbad6 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
+ const char *username,
+ const char *password,
+ enum credentials_use_kerberos use_kerberos,
++ struct netlogon_creds_CredentialState *creds,
+ struct pipe_auth_data **presult)
+ {
+ struct auth_generic_state *auth_generic_ctx;
+@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
+ }
+
+ cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
++ cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
+
+ status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
+ server, target_service,
+ domain, username, password,
+ CRED_AUTO_USE_KERBEROS,
++ NULL,
+ &auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
+@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
+ DCERPC_AUTH_TYPE_SPNEGO, auth_level,
+ server, target_service,
+ domain, username, password,
+- use_kerberos,
++ use_kerberos, NULL,
+ &auth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
+--
+1.9.3
+
+
+From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 18:23:40 +0200
+Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
+ auth_generic_prepare() as well.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
+---
+ source3/auth/auth_generic.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index e15c87e..e07d3b7 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -32,6 +32,7 @@
+ #include "librpc/crypto/gse.h"
+ #include "auth/credentials/credentials.h"
+ #include "lib/param/loadparm.h"
++#include "librpc/gen_ndr/dcerpc.h"
+
+ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+ }
+
+ backends = talloc_zero_array(gensec_settings,
+- const struct gensec_security_ops *, 4);
++ const struct gensec_security_ops *, 5);
+ if (backends == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+
+ backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
++ backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
++
+ /*
+ * This is anonymous for now, because we just use it
+ * to set the kerberos state at the moment
+--
+1.9.3
+
+
+From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 18:33:14 +0200
+Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
+---
+ source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 2acbad6..8a642e2 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
+
+ switch (auth->auth_type) {
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+- ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
+- if (!NT_STATUS_IS_OK(ret)) {
+- return ret;
+- }
+- break;
+-
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct netr_Authenticator auth;
+ struct netr_Authenticator return_auth;
+ union netr_Capabilities capabilities;
++ const char *target_service = table->authservices->names[0];
+
+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+- status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
+- *pdc, &rpcauth);
++ status = rpccli_generic_bind_data(rpccli,
++ DCERPC_AUTH_TYPE_SCHANNEL,
++ auth_level,
++ NULL,
++ target_service,
++ domain,
++ (*pdc)->computer_name,
++ NULL,
++ CRED_AUTO_USE_KERBEROS,
++ *pdc,
++ &rpcauth);
+ if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
++ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(rpccli);
+ return status;
+--
+1.9.3
+
+
+From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 18:34:58 +0200
+Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
+---
+ source3/rpc_server/srv_pipe.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 9043a14..fd7a90a 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ break;
+
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+- if (!pipe_schannel_auth_bind(p, pkt,
+- &auth_info, &auth_resp)) {
++ if (!pipe_auth_generic_bind(p, pkt,
++ &auth_info, &auth_resp)) {
++ goto err_exit;
++ }
++ if (!session_info_set_session_key(p->session_info, generic_session_key())) {
++ DEBUG(0, ("session_info_set_session_key failed\n"));
+ goto err_exit;
+ }
++ p->pipe_bound = true;
+ break;
+
+ case DCERPC_AUTH_TYPE_SPNEGO:
+--
+1.9.3
+
+
+From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 18:36:19 +0200
+Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
+---
+ source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
+ 1 file changed, 3 insertions(+), 32 deletions(-)
+
+diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
+index 97999d7..b9e05cb 100644
+--- a/source3/librpc/rpc/dcerpc_helpers.c
++++ b/source3/librpc/rpc/dcerpc_helpers.c
+@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
+ size_t max_len;
+ size_t mod_len;
+ struct gensec_security *gensec_security;
+- struct schannel_state *schannel_auth;
+
+ /* no auth token cases first */
+ switch (auth->auth_level) {
+@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
++ case DCERPC_AUTH_TYPE_SCHANNEL:
+ gensec_security = talloc_get_type_abort(auth->auth_ctx,
+ struct gensec_security);
+ *auth_len = gensec_sig_size(gensec_security, max_len);
+ break;
+-
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
+- struct schannel_state);
+- *auth_len = netsec_outgoing_sig_size(schannel_auth);
+- break;
+ default:
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
+ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
+ size_t pad_len, DATA_BLOB *rpc_out)
+ {
+- struct schannel_state *schannel_auth;
+ struct gensec_security *gensec_security;
+ char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
+ DATA_BLOB auth_info;
+@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
++ case DCERPC_AUTH_TYPE_SCHANNEL:
+ gensec_security = talloc_get_type_abort(auth->auth_ctx,
+ struct gensec_security);
+ status = add_generic_auth_footer(gensec_security,
+ auth->auth_level,
+ rpc_out);
+ break;
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
+- struct schannel_state);
+- status = add_schannel_auth_footer(schannel_auth,
+- auth->auth_level,
+- rpc_out);
+- break;
+ default:
+ status = NT_STATUS_INVALID_PARAMETER;
+ break;
+@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
+ DATA_BLOB *raw_pkt,
+ size_t *pad_len)
+ {
+- struct schannel_state *schannel_auth;
+ struct gensec_security *gensec_security;
+ NTSTATUS status;
+ struct dcerpc_auth auth_info;
+@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
++ case DCERPC_AUTH_TYPE_SCHANNEL:
+
+ DEBUG(10, ("GENSEC auth\n"));
+
+@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
+ return status;
+ }
+ break;
+-
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+-
+- DEBUG(10, ("SCHANNEL auth\n"));
+-
+- schannel_auth = talloc_get_type_abort(auth->auth_ctx,
+- struct schannel_state);
+- status = get_schannel_auth_footer(pkt, schannel_auth,
+- auth->auth_level,
+- &data, &full_pkt,
+- &auth_info.credentials);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+- break;
+-
+ default:
+ DEBUG(0, ("process_request_pdu: "
+ "unknown auth type %u set.\n",
+--
+1.9.3
+
+
+From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 19 Sep 2013 11:03:31 +0200
+Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
+ dcerpc_helpers.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
+---
+ source3/librpc/rpc/dcerpc.h | 3 -
+ source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
+ 2 files changed, 127 deletions(-)
+
+diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
+index b3ae3b4..38d59cd 100644
+--- a/source3/librpc/rpc/dcerpc.h
++++ b/source3/librpc/rpc/dcerpc.h
+@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
+ const DATA_BLOB *blob,
+ struct ncacn_packet *r,
+ bool bigendian);
+-NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
+- struct NL_AUTH_MESSAGE *r,
+- DATA_BLOB *blob);
+ NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
+index b9e05cb..2400bfd 100644
+--- a/source3/librpc/rpc/dcerpc_helpers.c
++++ b/source3/librpc/rpc/dcerpc_helpers.c
+@@ -21,9 +21,6 @@
+ #include "includes.h"
+ #include "librpc/rpc/dcerpc.h"
+ #include "librpc/gen_ndr/ndr_dcerpc.h"
+-#include "librpc/gen_ndr/ndr_schannel.h"
+-#include "../libcli/auth/schannel.h"
+-#include "../libcli/auth/spnego.h"
+ #include "librpc/crypto/gse.h"
+ #include "auth/gensec/gensec.h"
+
+@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
+ }
+
+ /**
+-* @brief NDR Encodes a NL_AUTH_MESSAGE
+-*
+-* @param mem_ctx The memory context the blob will be allocated on
+-* @param r The NL_AUTH_MESSAGE to encode
+-* @param blob [out] The encoded blob if successful
+-*
+-* @return a NTSTATUS error code
+-*/
+-NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
+- struct NL_AUTH_MESSAGE *r,
+- DATA_BLOB *blob)
+-{
+- enum ndr_err_code ndr_err;
+-
+- ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
+- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- return ndr_map_error2ntstatus(ndr_err);
+- }
+-
+- if (DEBUGLEVEL >= 10) {
+- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+-/**
+ * @brief NDR Encodes a dcerpc_auth structure
+ *
+ * @param mem_ctx The memory context the blob will be allocated on
+@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
+ }
+ }
+
+-/*******************************************************************
+- Create and add the schannel sign/seal auth data.
+- ********************************************************************/
+-
+-static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
+- enum dcerpc_AuthLevel auth_level,
+- DATA_BLOB *rpc_out)
+-{
+- uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
+- size_t data_and_pad_len = rpc_out->length
+- - DCERPC_RESPONSE_LENGTH
+- - DCERPC_AUTH_TRAILER_LENGTH;
+- DATA_BLOB auth_blob;
+- NTSTATUS status;
+-
+- if (!sas) {
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- switch (auth_level) {
+- case DCERPC_AUTH_LEVEL_PRIVACY:
+- status = netsec_outgoing_packet(sas,
+- rpc_out->data,
+- true,
+- data_p,
+- data_and_pad_len,
+- &auth_blob);
+- break;
+- case DCERPC_AUTH_LEVEL_INTEGRITY:
+- status = netsec_outgoing_packet(sas,
+- rpc_out->data,
+- false,
+- data_p,
+- data_and_pad_len,
+- &auth_blob);
+- break;
+- default:
+- status = NT_STATUS_INTERNAL_ERROR;
+- break;
+- }
+-
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
+- nt_errstr(status)));
+- return status;
+- }
+-
+- if (DEBUGLEVEL >= 10) {
+- dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
+- }
+-
+- /* Finally attach the blob. */
+- if (!data_blob_append(NULL, rpc_out,
+- auth_blob.data, auth_blob.length)) {
+- return NT_STATUS_NO_MEMORY;
+- }
+- data_blob_free(&auth_blob);
+-
+- return NT_STATUS_OK;
+-}
+-
+-/*******************************************************************
+- Check/unseal the Schannel auth data. (Unseal in place).
+- ********************************************************************/
+-
+-static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
+- struct schannel_state *auth_state,
+- enum dcerpc_AuthLevel auth_level,
+- DATA_BLOB *data, DATA_BLOB *full_pkt,
+- DATA_BLOB *auth_token)
+-{
+- switch (auth_level) {
+- case DCERPC_AUTH_LEVEL_PRIVACY:
+- /* Data portion is encrypted. */
+- return netsec_incoming_packet(auth_state,
+- true,
+- data->data,
+- data->length,
+- auth_token);
+-
+- case DCERPC_AUTH_LEVEL_INTEGRITY:
+- /* Data is signed. */
+- return netsec_incoming_packet(auth_state,
+- false,
+- data->data,
+- data->length,
+- auth_token);
+-
+- default:
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-}
+-
+ /**
+ * @brief Append an auth footer according to what is the current mechanism
+ *
+--
+1.9.3
+
+
+From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 19 Sep 2013 11:04:19 +0200
+Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
+ cli_pipe.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
+---
+ source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
+ 1 file changed, 76 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 8a642e2..b73f2f2 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -22,11 +22,8 @@
+ #include "includes.h"
+ #include "../lib/util/tevent_ntstatus.h"
+ #include "librpc/gen_ndr/ndr_epmapper_c.h"
+-#include "../librpc/gen_ndr/ndr_schannel.h"
+ #include "../librpc/gen_ndr/ndr_dssetup.h"
+ #include "../libcli/auth/schannel.h"
+-#include "../libcli/auth/spnego.h"
+-#include "../auth/ntlmssp/ntlmssp.h"
+ #include "auth_generic.h"
+ #include "librpc/gen_ndr/ndr_dcerpc.h"
+ #include "librpc/gen_ndr/ndr_netlogon_c.h"
+@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
+ }
+
+ /*******************************************************************
+- Creates schannel auth bind.
+- ********************************************************************/
+-
+-static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
+- DATA_BLOB *auth_token)
+-{
+- NTSTATUS status;
+- struct NL_AUTH_MESSAGE r;
+-
+- if (!cli->auth->user_name || !cli->auth->user_name[0]) {
+- return NT_STATUS_INVALID_PARAMETER_MIX;
+- }
+-
+- if (!cli->auth->domain || !cli->auth->domain[0]) {
+- return NT_STATUS_INVALID_PARAMETER_MIX;
+- }
+-
+- /*
+- * Now marshall the data into the auth parse_struct.
+- */
+-
+- r.MessageType = NL_NEGOTIATE_REQUEST;
+- r.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+- NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
+- r.oem_netbios_domain.a = cli->auth->domain;
+- r.oem_netbios_computer.a = cli->auth->user_name;
+-
+- status = dcerpc_push_schannel_bind(cli, &r, auth_token);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+-/*******************************************************************
+ Creates the internals of a DCE/RPC bind request or alter context PDU.
+ ********************************************************************/
+
+@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+-static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+- const char *domain,
+- enum dcerpc_AuthLevel auth_level,
+- struct netlogon_creds_CredentialState *creds,
+- struct pipe_auth_data **presult)
+-{
+- struct schannel_state *schannel_auth;
+- struct pipe_auth_data *result;
+-
+- result = talloc(mem_ctx, struct pipe_auth_data);
+- if (result == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+- result->auth_level = auth_level;
+-
+- result->user_name = talloc_strdup(result, creds->computer_name);
+- result->domain = talloc_strdup(result, domain);
+- if ((result->user_name == NULL) || (result->domain == NULL)) {
+- goto fail;
+- }
+-
+- schannel_auth = netsec_create_state(result, creds, true /* initiator */);
+- if (schannel_auth == NULL) {
+- goto fail;
+- }
+-
+- result->auth_ctx = schannel_auth;
+- *presult = result;
+- return NT_STATUS_OK;
+-
+- fail:
+- TALLOC_FREE(result);
+- return NT_STATUS_NO_MEMORY;
+-}
+-
+ /**
+ * Create an rpc pipe client struct, connecting to a tcp port.
+ */
+--
+1.9.3
+
+
+From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 19 Sep 2013 11:05:21 +0200
+Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
+ srv_pipe.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
+(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
+---
+ source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
+ 1 file changed, 116 deletions(-)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index fd7a90a..06752a8 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -30,11 +30,8 @@
+ #include "includes.h"
+ #include "system/filesys.h"
+ #include "srv_pipe_internal.h"
+-#include "../librpc/gen_ndr/ndr_schannel.h"
+ #include "../librpc/gen_ndr/dcerpc.h"
+ #include "../librpc/rpc/rpc_common.h"
+-#include "../libcli/auth/schannel.h"
+-#include "../libcli/auth/spnego.h"
+ #include "dcesrv_auth_generic.h"
+ #include "rpc_server.h"
+ #include "rpc_dce.h"
+@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
+ }
+
+ /*******************************************************************
+- Handle an schannel bind auth.
+-*******************************************************************/
+-
+-static bool pipe_schannel_auth_bind(struct pipes_struct *p,
+- TALLOC_CTX *mem_ctx,
+- struct dcerpc_auth *auth_info,
+- DATA_BLOB *response)
+-{
+- struct NL_AUTH_MESSAGE neg;
+- struct NL_AUTH_MESSAGE reply;
+- bool ret;
+- NTSTATUS status;
+- struct netlogon_creds_CredentialState *creds;
+- enum ndr_err_code ndr_err;
+- struct schannel_state *schannel_auth;
+- struct loadparm_context *lp_ctx;
+-
+- ndr_err = ndr_pull_struct_blob(
+- &auth_info->credentials, mem_ctx, &neg,
+- (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
+- return false;
+- }
+-
+- if (DEBUGLEVEL >= 10) {
+- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
+- }
+-
+- if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
+- DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
+- return false;
+- }
+-
+- lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
+- if (!lp_ctx) {
+- DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
+- return false;
+- }
+-
+- /*
+- * The neg.oem_netbios_computer.a key here must match the remote computer name
+- * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
+- * operations that use credentials.
+- */
+-
+- become_root();
+- status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
+- neg.oem_netbios_computer.a, &creds);
+- unbecome_root();
+-
+- talloc_unlink(p, lp_ctx);
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
+- return False;
+- }
+-
+- schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
+- TALLOC_FREE(creds);
+- if (!schannel_auth) {
+- return False;
+- }
+-
+- /*
+- * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
+- * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
+- * struct of the person who opened the pipe. I need to test this further. JRA.
+- *
+- * VL. As we are mapping this to guest set the generic key
+- * "SystemLibraryDTC" key here. It's a bit difficult to test against
+- * W2k3, as it does not allow schannel binds against SAMR and LSA
+- * anymore.
+- */
+-
+- ret = session_info_set_session_key(p->session_info, generic_session_key());
+-
+- if (!ret) {
+- DEBUG(0, ("session_info_set_session_key failed\n"));
+- return false;
+- }
+-
+- /*** SCHANNEL verifier ***/
+-
+- reply.MessageType = NL_NEGOTIATE_RESPONSE;
+- reply.Flags = 0;
+- reply.Buffer.dummy = 5; /* ??? actually I don't think
+- * this has any meaning
+- * here - gd */
+-
+- ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
+- (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
+- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+- DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
+- return false;
+- }
+-
+- if (DEBUGLEVEL >= 10) {
+- NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
+- }
+-
+- DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
+- neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
+-
+- /* We're finished with this bind - no more packets. */
+- p->auth.auth_ctx = schannel_auth;
+- p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+-
+- p->pipe_bound = True;
+-
+- return True;
+-}
+-
+-/*******************************************************************
+ Handle an NTLMSSP bind auth.
+ *******************************************************************/
+
+--
+1.9.3
+
+
+From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Mon, 12 Aug 2013 17:22:15 +0200
+Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
+ functions.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
+---
+ librpc/ndr/ndr_table.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
+index 7ca0417..01d9094 100644
+--- a/librpc/ndr/ndr_table.c
++++ b/librpc/ndr/ndr_table.c
+@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
+ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
+ {
+ const struct ndr_interface_list *l;
+- for (l=ndr_interfaces;l;l=l->next){
++ for (l=ndr_table_list();l;l=l->next){
+ if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
+ l->table->syntax_id.if_version == if_version) {
+ return l->table->num_calls;
+@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
+ const struct ndr_interface_table *ndr_table_by_name(const char *name)
+ {
+ const struct ndr_interface_list *l;
+- for (l=ndr_interfaces;l;l=l->next) {
++ for (l=ndr_table_list();l;l=l->next) {
+ if (strcasecmp(l->table->name, name) == 0) {
+ return l->table;
+ }
+@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
+ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
+ {
+ const struct ndr_interface_list *l;
+- for (l=ndr_interfaces;l;l=l->next) {
++ for (l=ndr_table_list();l;l=l->next) {
+ if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
+ return l->table;
+ }
+--
+1.9.3
+
+
+From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 8 Aug 2013 17:34:56 +0200
+Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
+ ndr_init_table() first.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
+---
+ librpc/ndr/ndr_table.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
+index 01d9094..f73b9fc 100644
+--- a/librpc/ndr/ndr_table.c
++++ b/librpc/ndr/ndr_table.c
+@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
+ */
+ const struct ndr_interface_list *ndr_table_list(void)
+ {
++ ndr_table_init();
+ return ndr_interfaces;
+ }
+
+--
+1.9.3
+
+
+From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 8 Aug 2013 17:40:22 +0200
+Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
+---
+ source3/lib/netapi/cm.c | 2 +-
+ source3/rpc_client/cli_pipe.c | 7 +++----
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
+index 1cfdccf..bb5d6b2 100644
+--- a/source3/lib/netapi/cm.c
++++ b/source3/lib/netapi/cm.c
+@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
+ status = pipe_cm_open(ctx, ipc, table, &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
+- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
++ table->name,
+ get_friendly_nt_error_msg(status));
+ return WERR_DEST_NOT_FOUND;
+ }
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index b73f2f2..64e7f1c 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+ }
+ DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
+ "%s failed with error %s\n",
+- get_pipe_name_from_syntax(talloc_tos(),
+- &table->syntax_id),
++ table->name,
+ nt_errstr(status) ));
+ TALLOC_FREE(result);
+ return status;
+@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
+
+ DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
+ "%s and bound anonymously.\n",
+- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
++ table->name,
+ result->desthost));
+
+ *presult = result;
+@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ done:
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+ "for domain %s and bound using schannel.\n",
+- get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
++ table->name,
+ rpccli->desthost, domain));
+
+ *_rpccli = rpccli;
+--
+1.9.3
+
+
+From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 10:58:16 +0200
+Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
+ get_pipe_name_from_syntax() in DEBUG.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
+---
+ source3/rpc_server/rpc_handles.c | 15 +++++++++------
+ source3/rpc_server/srv_pipe.c | 22 ++++++++++++++--------
+ source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
+ source3/wscript_build | 3 ++-
+ 4 files changed, 36 insertions(+), 20 deletions(-)
+
+diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
+index 70c3919..409299a 100644
+--- a/source3/rpc_server/rpc_handles.c
++++ b/source3/rpc_server/rpc_handles.c
+@@ -27,6 +27,7 @@
+ #include "rpc_server/rpc_pipes.h"
+ #include "../libcli/security/security.h"
+ #include "lib/tsocket/tsocket.h"
++#include "librpc/ndr/ndr_table.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
+
+ DEBUG(10,("init_pipe_handle_list: created handle list for "
+ "pipe %s\n",
+- get_pipe_name_from_syntax(talloc_tos(), syntax)));
++ ndr_interface_name(&syntax->uuid,
++ syntax->if_version)));
+ }
+
+ /*
+@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
+
+ DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
+ "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
+- get_pipe_name_from_syntax(talloc_tos(), syntax)));
++ ndr_interface_name(&syntax->uuid, syntax->if_version)));
+
+ return True;
+ }
+@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
+ TALLOC_FREE(p->pipe_handles);
+
+ DEBUG(10,("Deleted handle list for RPC connection %s\n",
+- get_pipe_name_from_syntax(talloc_tos(),
+- &p->contexts->syntax)));
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version)));
+ }
+ }
+
+@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
+ if (p->pipe_handles->count > MAX_OPEN_POLS) {
+ DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
+ (int) p->pipe_handles->count,
+- get_pipe_name_from_syntax(talloc_tos(),
+- &p->contexts->syntax)));
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version)));
++
+ *pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
+ return NULL;
+ }
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 06752a8..19dbc37 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -41,6 +41,7 @@
+ #include "rpc_server/srv_pipe.h"
+ #include "rpc_server/rpc_contexts.h"
+ #include "lib/param/param.h"
++#include "librpc/ndr/ndr_table.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
+ bool ok;
+
+ DEBUG(3,("check_bind_req for %s\n",
+- get_pipe_name_from_syntax(talloc_tos(), abstract)));
++ ndr_interface_name(&abstract->uuid,
++ abstract->if_version)));
+
+ /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
+ if (rpc_srv_pipe_exists_by_id(abstract) &&
+@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ if (NT_STATUS_IS_ERR(status)) {
+ DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
+ "%s in bind request.\n",
+- get_pipe_name_from_syntax(talloc_tos(), &id)));
++ ndr_interface_name(&id.uuid,
++ id.if_version)));
+
+ return setup_bind_nak(p, pkt);
+ }
+@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ } else {
+ DEBUG(0, ("module %s doesn't provide functions for "
+ "pipe %s!\n",
+- get_pipe_name_from_syntax(talloc_tos(), &id),
+- get_pipe_name_from_syntax(talloc_tos(), &id)));
++ ndr_interface_name(&id.uuid,
++ id.if_version),
++ ndr_interface_name(&id.uuid,
++ id.if_version)));
+ return setup_bind_nak(p, pkt);
+ }
+ }
+@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ DEBUG(5, ("Requested %s rpc service\n",
+- get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
++ ndr_interface_name(&pipe_fns->syntax.uuid,
++ pipe_fns->syntax.if_version)));
+
+ ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
+ &pipe_fns->syntax);
+@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
+
+ /* interpret the command */
+ DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
+- get_pipe_name_from_syntax(talloc_tos(), syntax),
++ ndr_interface_name(&syntax->uuid, syntax->if_version),
+ pkt->u.request.opnum));
+
+ if (DEBUGLEVEL >= 50) {
+@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
+ /* do the actual command */
+ if(!api_rpc_cmds[fn_num].fn(p)) {
+ DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
+- get_pipe_name_from_syntax(talloc_tos(), syntax),
++ ndr_interface_name(&syntax->uuid, syntax->if_version),
+ api_rpc_cmds[fn_num].name));
+ data_blob_free(&p->out_data.rdata);
+ return False;
+@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
+ }
+
+ DEBUG(5,("api_rpcTNP: called %s successfully\n",
+- get_pipe_name_from_syntax(talloc_tos(), syntax)));
++ ndr_interface_name(&syntax->uuid, syntax->if_version)));
+
+ /* Check for buffer underflow in rpc parsing */
+ if ((DEBUGLEVEL >= 10) &&
+diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
+index 3f8ff44..fcbfa77 100644
+--- a/source3/rpc_server/srv_pipe_hnd.c
++++ b/source3/rpc_server/srv_pipe_hnd.c
+@@ -30,6 +30,7 @@
+ #include "rpc_server/rpc_config.h"
+ #include "../lib/tsocket/tsocket.h"
+ #include "../lib/util/tevent_ntstatus.h"
++#include "librpc/ndr/ndr_table.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
+ }
+
+ DEBUG(6,(" name: %s len: %u\n",
+- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version),
+ (unsigned int)n));
+
+ /*
+@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
+ DEBUG(5,("read_from_pipe: too large read (%u) requested on "
+ "pipe %s. We can only service %d sized reads.\n",
+ (unsigned int)n,
+- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version),
+ RPC_MAX_PDU_FRAG_LEN ));
+ n = RPC_MAX_PDU_FRAG_LEN;
+ }
+@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
+
+ DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
+ "current_pdu_sent = %u returning %d bytes.\n",
+- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version),
+ (unsigned int)p->out_data.frag.length,
+ (unsigned int)p->out_data.current_pdu_sent,
+ (int)data_returned));
+@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
+
+ DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
+ "= %u, p->out_data.rdata.length = %u.\n",
+- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version),
+ (int)p->fault_state,
+ (unsigned int)p->out_data.data_sent_length,
+ (unsigned int)p->out_data.rdata.length));
+@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
+
+ if(!create_next_pdu(p)) {
+ DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
+- get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
++ ndr_interface_name(&p->contexts->syntax.uuid,
++ p->contexts->syntax.if_version)));
+ return -1;
+ }
+
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 0bf84e2..bb2e928 100755
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
+ deps='''ndr ndr-standard
+ RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
+ LIBTSOCKET gse dcerpc-binding
+- libsmb''',
++ libsmb
++ ndr-table''',
+ vars=locals(),
+ private_library=True)
+
+--
+1.9.3
+
+
+From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Thu, 8 Aug 2013 17:33:29 +0200
+Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
+ function.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
+---
+ librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
+ librpc/rpc/rpc_common.h | 3 +++
+ 2 files changed, 58 insertions(+)
+
+diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
+index 0b9cca3..4046f32 100644
+--- a/librpc/rpc/dcerpc_util.c
++++ b/librpc/rpc/dcerpc_util.c
+@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+ }
++
++const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
++ enum dcerpc_transport_t transport,
++ const struct ndr_interface_table *table)
++{
++ NTSTATUS status;
++ const char *p = NULL;
++ const char *endpoint = NULL;
++ int i;
++ struct dcerpc_binding *default_binding = NULL;
++ TALLOC_CTX *frame = talloc_stackframe();
++
++ /* Find one of the default pipes for this interface */
++
++ for (i = 0; i < table->endpoints->count; i++) {
++
++ status = dcerpc_parse_binding(frame, table->endpoints->names[i],
++ &default_binding);
++ if (NT_STATUS_IS_OK(status)) {
++ if (transport == NCA_UNKNOWN &&
++ default_binding->endpoint != NULL) {
++ p = default_binding->endpoint;
++ break;
++ }
++ if (default_binding->transport == transport &&
++ default_binding->endpoint != NULL) {
++ p = default_binding->endpoint;
++ break;
++ }
++ }
++ }
++
++ if (i == table->endpoints->count || p == NULL) {
++ goto done;
++ }
++
++ /*
++ * extract the pipe name without \\pipe from for example
++ * ncacn_np:[\\pipe\\epmapper]
++ */
++ if (default_binding->transport == NCACN_NP) {
++ if (strncasecmp(p, "\\pipe\\", 6) == 0) {
++ p += 6;
++ }
++ if (strncmp(p, "\\", 1) == 0) {
++ p += 1;
++ }
++ }
++
++ endpoint = talloc_strdup(mem_ctx, p);
++
++ done:
++ talloc_free(frame);
++ return endpoint;
++}
+diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
+index e2b3755..d2816f5 100644
+--- a/librpc/rpc/rpc_common.h
++++ b/librpc/rpc/rpc_common.h
+@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
+ uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
+ void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
+ uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
++const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
++ enum dcerpc_transport_t transport,
++ const struct ndr_interface_table *table);
+
+ /**
+ * @brief Pull a dcerpc_auth structure, taking account of any auth
+--
+1.9.3
+
+
+From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 18 Sep 2013 10:59:14 +0200
+Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
+ function.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
+---
+ source3/rpc_client/rpc_transport_np.c | 4 +++-
+ source3/rpc_server/rpc_ncacn_np.c | 12 ++++++++++--
+ source3/rpc_server/srv_pipe.c | 28 +++++++++++++++++++++-------
+ 3 files changed, 34 insertions(+), 10 deletions(-)
+
+diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
+index c0f313e..91943f4 100644
+--- a/source3/rpc_client/rpc_transport_np.c
++++ b/source3/rpc_client/rpc_transport_np.c
+@@ -22,6 +22,7 @@
+ #include "rpc_client/rpc_transport.h"
+ #include "libsmb/cli_np_tstream.h"
+ #include "client.h"
++#include "librpc/ndr/ndr_table.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_CLI
+@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
+ state->ev = ev;
+ state->cli = cli;
+ state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
+- state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
++ state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
++ table);
+ if (tevent_req_nomem(state->pipe_name, req)) {
+ return tevent_req_post(req, ev);
+ }
+diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
+index 7389b3e..46b77fd 100644
+--- a/source3/rpc_server/rpc_ncacn_np.c
++++ b/source3/rpc_server/rpc_ncacn_np.c
+@@ -36,6 +36,7 @@
+ #include "../lib/util/tevent_ntstatus.h"
+ #include "rpc_contexts.h"
+ #include "rpc_server/rpc_config.h"
++#include "librpc/ndr/ndr_table.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
+ struct pipe_rpc_fns *context_fns;
+ const char *pipe_name;
+ int ret;
++ const struct ndr_interface_table *table;
+
+- pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
++ table = ndr_table_by_uuid(&syntax->uuid);
++ if (table == NULL) {
++ DEBUG(0,("unknown interface\n"));
++ return NULL;
++ }
++
++ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
+
+ DEBUG(4,("Create pipe requested %s\n", pipe_name));
+
+@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
++ pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
+ if (pipe_name == NULL) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto done;
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 19dbc37..5f834fb 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ struct dcerpc_ack_ctx bind_ack_ctx;
+ DATA_BLOB auth_resp = data_blob_null;
+ DATA_BLOB auth_blob = data_blob_null;
++ const struct ndr_interface_table *table;
+
+ /* No rebinds on a bound pipe - use alter context. */
+ if (p->pipe_bound) {
+@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ * that this is a pipe name we support.
+ */
+ id = pkt->u.bind.ctx_list[0].abstract_syntax;
++
++ table = ndr_table_by_uuid(&id.uuid);
++ if (table == NULL) {
++ DEBUG(0,("unknown interface\n"));
++ return false;
++ }
++
+ if (rpc_srv_pipe_exists_by_id(&id)) {
+ DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
+ rpc_srv_get_pipe_cli_name(&id),
+ rpc_srv_get_pipe_srv_name(&id)));
+ } else {
+ status = smb_probe_module(
+- "rpc", get_pipe_name_from_syntax(
+- talloc_tos(),
+- &id));
++ "rpc", dcerpc_default_transport_endpoint(pkt,
++ NCACN_NP, table));
+
+ if (NT_STATUS_IS_ERR(status)) {
+ DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
+@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ }
+
+ if (rpc_srv_get_pipe_interface_by_cli_name(
+- get_pipe_name_from_syntax(talloc_tos(),
+- &id),
++ dcerpc_default_transport_endpoint(pkt,
++ NCACN_NP, table),
+ &id)) {
+ DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
+ rpc_srv_get_pipe_cli_name(&id),
+@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
+ {
+ int fn_num;
+ uint32_t offset1;
++ const struct ndr_interface_table *table;
+
+ /* interpret the command */
+ DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
+ ndr_interface_name(&syntax->uuid, syntax->if_version),
+ pkt->u.request.opnum));
+
++ table = ndr_table_by_uuid(&syntax->uuid);
++ if (table == NULL) {
++ DEBUG(0,("unknown interface\n"));
++ return false;
++ }
++
+ if (DEBUGLEVEL >= 50) {
+ fstring name;
+ slprintf(name, sizeof(name)-1, "in_%s",
+- get_pipe_name_from_syntax(talloc_tos(), syntax));
++ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
+ dump_pdu_region(name, pkt->u.request.opnum,
+ &p->in_data.data, 0,
+ p->in_data.data.length);
+@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
+ if (DEBUGLEVEL >= 50) {
+ fstring name;
+ slprintf(name, sizeof(name)-1, "out_%s",
+- get_pipe_name_from_syntax(talloc_tos(), syntax));
++ dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
+ dump_pdu_region(name, pkt->u.request.opnum,
+ &p->out_data.rdata, offset1,
+ p->out_data.rdata.length);
+--
+1.9.3
+
+
+From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 7 Aug 2013 17:43:08 +0200
+Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
+(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
+---
+ source3/librpc/rpc/dcerpc.h | 8 --
+ source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
+ source3/wscript_build | 1 -
+ 3 files changed, 218 deletions(-)
+ delete mode 100644 source3/librpc/rpc/rpc_common.c
+
+diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
+index 38d59cd..b18b7ba 100644
+--- a/source3/librpc/rpc/dcerpc.h
++++ b/source3/librpc/rpc/dcerpc.h
+@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
+ DATA_BLOB *raw_pkt,
+ size_t *pad_len);
+
+-/* The following definitions come from librpc/rpc/rpc_common.c */
+-
+-bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
+-const struct ndr_interface_table *get_iface_from_syntax(
+- const struct ndr_syntax_id *syntax);
+-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
+- const struct ndr_syntax_id *syntax);
+-
+ #endif /* __S3_DCERPC_H__ */
+diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
+deleted file mode 100644
+index 1219b2d..0000000
+--- a/source3/librpc/rpc/rpc_common.c
++++ /dev/null
+@@ -1,209 +0,0 @@
+-/*
+- * Unix SMB/CIFS implementation.
+- * RPC Pipe client / server routines
+- * Largely rewritten by Jeremy Allison 2005.
+- *
+- * This program is free software; you can redistribute it and/or modify
+- * it under the terms of the GNU General Public License as published by
+- * the Free Software Foundation; either version 3 of the License, or
+- * (at your option) any later version.
+- *
+- * This program is distributed in the hope that it will be useful,
+- * but WITHOUT ANY WARRANTY; without even the implied warranty of
+- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- * GNU General Public License for more details.
+- *
+- * You should have received a copy of the GNU General Public License
+- * along with this program; if not, see <http://www.gnu.org/licenses/>.
+- */
+-
+-#include "includes.h"
+-#include "librpc/rpc/dcerpc.h"
+-#include "../librpc/gen_ndr/ndr_lsa.h"
+-#include "../librpc/gen_ndr/ndr_dssetup.h"
+-#include "../librpc/gen_ndr/ndr_samr.h"
+-#include "../librpc/gen_ndr/ndr_netlogon.h"
+-#include "../librpc/gen_ndr/ndr_srvsvc.h"
+-#include "../librpc/gen_ndr/ndr_wkssvc.h"
+-#include "../librpc/gen_ndr/ndr_winreg.h"
+-#include "../librpc/gen_ndr/ndr_spoolss.h"
+-#include "../librpc/gen_ndr/ndr_dfs.h"
+-#include "../librpc/gen_ndr/ndr_echo.h"
+-#include "../librpc/gen_ndr/ndr_initshutdown.h"
+-#include "../librpc/gen_ndr/ndr_svcctl.h"
+-#include "../librpc/gen_ndr/ndr_eventlog.h"
+-#include "../librpc/gen_ndr/ndr_ntsvcs.h"
+-#include "../librpc/gen_ndr/ndr_epmapper.h"
+-#include "../librpc/gen_ndr/ndr_drsuapi.h"
+-#include "../librpc/gen_ndr/ndr_fsrvp.h"
+-
+-static const char *get_pipe_name_from_iface(
+- TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
+-{
+- int i;
+- const struct ndr_interface_string_array *ep = interface->endpoints;
+- char *p;
+-
+- for (i=0; i<ep->count; i++) {
+- if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
+- break;
+- }
+- }
+- if (i == ep->count) {
+- return NULL;
+- }
+-
+- /*
+- * extract the pipe name without \\pipe from for example
+- * ncacn_np:[\\pipe\\epmapper]
+- */
+- p = strchr(ep->names[i]+15, ']');
+- if (p == NULL) {
+- return "PIPE";
+- }
+- return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
+-}
+-
+-static const struct ndr_interface_table **interfaces;
+-
+-bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
+-{
+- int num_interfaces = talloc_array_length(interfaces);
+- const struct ndr_interface_table **tmp;
+- int i;
+-
+- for (i=0; i<num_interfaces; i++) {
+- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
+- &interface->syntax_id)) {
+- return true;
+- }
+- }
+-
+- tmp = talloc_realloc(NULL, interfaces,
+- const struct ndr_interface_table *,
+- num_interfaces + 1);
+- if (tmp == NULL) {
+- DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
+- return false;
+- }
+- interfaces = tmp;
+- interfaces[num_interfaces] = interface;
+- return true;
+-}
+-
+-static bool initialize_interfaces(void)
+-{
+- if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_samr)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_winreg)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
+- return false;
+- }
+- if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
+- return false;
+- }
+- return true;
+-}
+-
+-const struct ndr_interface_table *get_iface_from_syntax(
+- const struct ndr_syntax_id *syntax)
+-{
+- int num_interfaces;
+- int i;
+-
+- if (interfaces == NULL) {
+- if (!initialize_interfaces()) {
+- return NULL;
+- }
+- }
+- num_interfaces = talloc_array_length(interfaces);
+-
+- for (i=0; i<num_interfaces; i++) {
+- if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
+- return interfaces[i];
+- }
+- }
+-
+- return NULL;
+-}
+-
+-/****************************************************************************
+- Return the pipe name from the interface.
+- ****************************************************************************/
+-
+-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
+- const struct ndr_syntax_id *syntax)
+-{
+- const struct ndr_interface_table *interface;
+- char *guid_str;
+- const char *result;
+-
+- interface = get_iface_from_syntax(syntax);
+- if (interface != NULL) {
+- result = get_pipe_name_from_iface(mem_ctx, interface);
+- if (result != NULL) {
+- return result;
+- }
+- }
+-
+- /*
+- * Here we should ask \\epmapper, but for now our code is only
+- * interested in the known pipes mentioned in pipe_names[]
+- */
+-
+- guid_str = GUID_string(talloc_tos(), &syntax->uuid);
+- if (guid_str == NULL) {
+- return NULL;
+- }
+- result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
+- (int)syntax->if_version);
+- TALLOC_FREE(guid_str);
+-
+- if (result == NULL) {
+- return "PIPE";
+- }
+- return result;
+-}
+-
+diff --git a/source3/wscript_build b/source3/wscript_build
+index bb2e928..8126cf6 100755
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
+
+ LIBMSRPC_SRC = '''
+ rpc_client/cli_pipe.c
+- librpc/rpc/rpc_common.c
+ rpc_client/rpc_transport_np.c
+ rpc_client/rpc_transport_sock.c
+ rpc_client/rpc_transport_tstream.c
+--
+1.9.3
+
+
+From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Wed, 14 Aug 2013 09:27:59 +0000
+Subject: [PATCH 112/249] winbind3: Fix an invalid free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes a warning I've never seen before :-)
+
+../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
+(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
+---
+ source3/winbindd/winbindd_cm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index facef64..d868826 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
+ }
+
+ if (!strupper_m(*machine_krb5_principal)) {
+- SAFE_FREE(machine_krb5_principal);
++ SAFE_FREE(*machine_krb5_principal);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+--
+1.9.3
+
+
+From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 11 Oct 2013 13:34:13 +1300
+Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
+ parameter
+
+This uses the documeted "winbindd socket directory" parameter instead.
+
+This came about due to the merge of the two smb.conf tables in s3 and
+s4 for the Samba 4.0 release. The s4 code used a real parameter,
+which caused this to be documented, whereas no automatic procedure
+existed to notice the parametric option and the need to document that.
+The fact that this was not used consistently in both codebases is one
+of the many areas of technical debt we still need to pay off here.
+
+Andrew Bartlett
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
+---
+ selftest/target/Samba3.pm | 2 +-
+ source3/include/proto.h | 1 +
+ source3/param/loadparm.c | 1 +
+ source3/winbindd/winbindd.c | 9 ++-------
+ source3/winbindd/winbindd_proto.h | 1 -
+ 5 files changed, 5 insertions(+), 9 deletions(-)
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index ba01154..d8f0c27 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -972,7 +972,7 @@ sub provision($$$$$$)
+ printing = bsd
+ printcap name = /dev/null
+
+- winbindd:socket dir = $wbsockdir
++ winbindd socket directory = $wbsockdir
+ nmbd:socket dir = $nmbdsockdir
+ idmap config * : range = 100000-200000
+ winbind enum users = yes
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index cbad7ac..53cd59d 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
+ const char *lp_template_homedir(void);
+ const char *lp_template_shell(void);
+ const char *lp_winbind_separator(void);
++const char *lp_winbindd_socket_directory(void);
+ bool lp_winbind_enum_users(void);
+ bool lp_winbind_enum_groups(void);
+ bool lp_winbind_use_default_domain(void);
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 4b31023..b2804ae 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
+ string_set(&Globals.szTemplateShell, "/bin/false");
+ string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
+ string_set(&Globals.szWinbindSeparator, "\\");
++ string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
+
+ string_set(&Globals.szCupsServer, "");
+ string_set(&Globals.szIPrintServer, "");
+diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
+index f101e52..69a17bf 100644
+--- a/source3/winbindd/winbindd.c
++++ b/source3/winbindd/winbindd.c
+@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
+ char *path = NULL;
+
+ if (asprintf(&path, "%s/%s",
+- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
++ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
+ unlink(path);
+ SAFE_FREE(path);
+ }
+@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
+ * Winbindd socket accessor functions
+ */
+
+-const char *get_winbind_pipe_dir(void)
+-{
+- return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
+-}
+-
+ char *get_winbind_priv_pipe_dir(void)
+ {
+ return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
+@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
+
+ pub_state->privileged = false;
+ pub_state->fd = create_pipe_sock(
+- get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
++ lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
+ if (pub_state->fd == -1) {
+ goto failed;
+ }
+diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
+index 3df7d7c..cfc19d0 100644
+--- a/source3/winbindd/winbindd_proto.h
++++ b/source3/winbindd/winbindd_proto.h
+@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
+ bool winbindd_setup_sig_hup_handler(const char *lfile);
+ bool winbindd_use_idmap_cache(void);
+ bool winbindd_use_cache(void);
+-const char *get_winbind_pipe_dir(void);
+ char *get_winbind_priv_pipe_dir(void);
+ struct tevent_context *winbind_event_context(void);
+ int main(int argc, char **argv, char **envp);
+--
+1.9.3
+
+
+From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 15:33:20 +1300
+Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
+ share_params *p so should be FN_LOCAL_PARM_CHAR
+
+This was found when trying to autogenerate prototypes for lp_ functions again.
+
+Andrew Bartlett
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ lib/param/loadparm.c | 2 +-
+ lib/param/param_functions.c | 2 +-
+ source3/param/loadparm.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 455c5e6..4497dbf 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
+
+ #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
+
+-#define FN_LOCAL_CHAR(fn_name,val) \
++#define FN_LOCAL_PARM_CHAR(fn_name,val) \
+ _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
+ struct loadparm_service *sDefault) { \
+ return((service != NULL)? service->val : sDefault->val); \
+diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
+index d9d5df6..60f9c07 100644
+--- a/lib/param/param_functions.c
++++ b/lib/param/param_functions.c
+@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
+ FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
+ FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
+ FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
+-FN_LOCAL_CHAR(magicchar, magic_char)
++FN_LOCAL_PARM_CHAR(magicchar, magic_char)
+ FN_LOCAL_STRING(cups_options, szCupsOptions)
+ FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
+ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index b2804ae..40f3242 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
+ bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
+ #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
+ int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
+-#define FN_LOCAL_CHAR(fn_name,val) \
++#define FN_LOCAL_PARM_CHAR(fn_name,val) \
+ char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
+
+
+--
+1.9.3
+
+
+From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 13:47:27 +1300
+Subject: [PATCH 115/249] build: Move loadparm-related build rules to
+ source3/param/wscript_build
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
+ source3/wscript_build | 36 ++----------------------------------
+ 2 files changed, 34 insertions(+), 34 deletions(-)
+ create mode 100644 source3/param/wscript_build
+
+diff --git a/source3/param/wscript_build b/source3/param/wscript_build
+new file mode 100644
+index 0000000..278d5f5
+--- /dev/null
++++ b/source3/param/wscript_build
+@@ -0,0 +1,32 @@
++#!/usr/bin/env python
++
++bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
++ source='util.c',
++ deps='talloc')
++
++bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
++ source='loadparm_ctx.c',
++ deps='''talloc s3_param_h param''')
++
++bld.SAMBA_GENERATOR('s3_param_global_h',
++ source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
++ target='param_global.h',
++ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
++
++bld.SAMBA3_PYTHON('pys3param',
++ source='pyparam.c',
++ deps='param',
++ public_deps='samba-hostconfig pytalloc-util talloc',
++ realname='samba/samba3/param.so')
++
++bld.SAMBA3_SUBSYSTEM('param_service',
++ source='service.c',
++ deps = 'USER_UTIL param PRINTING')
++
++bld.SAMBA3_BINARY('test_lp_load',
++ source='test_lp_load.c',
++ deps='''
++ talloc
++ param
++ popt_samba3''',
++ install=False)
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 8126cf6..13d15c3 100755
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
+ source=SERVER_MUTEX_SRC,
+ deps='talloc')
+
+-bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
+- source=PARAM_UTIL_SRC,
+- deps='talloc')
+-
+-bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
+- source='param/loadparm_ctx.c',
+- deps='''talloc s3_param_h param''',
+- vars=locals())
+-
+-bld.SAMBA_GENERATOR('param/param_global_h',
+- source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
+- target='param/param_global.h',
+- rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
+-
+ bld.SAMBA3_SUBSYSTEM('param',
+ source=PARAM_WITHOUT_REG_SRC,
+- deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
+-
+-bld.SAMBA3_PYTHON('pys3param',
+- source='param/pyparam.c',
+- deps='param',
+- public_deps='samba-hostconfig pytalloc-util talloc',
+- realname='samba/samba3/param.so')
+-
+-bld.SAMBA3_SUBSYSTEM('param_service',
+- source='param/service.c',
+- deps = 'USER_UTIL param PRINTING')
++ deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
+
+ bld.SAMBA3_SUBSYSTEM('REGFIO',
+ source=REGFIO_SRC,
+@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
+ install=False,
+ vars=locals())
+
+-bld.SAMBA3_BINARY('test_lp_load',
+- source=TEST_LP_LOAD_SRC,
+- deps='''
+- talloc
+- param
+- popt_samba3''',
+- install=False,
+- vars=locals())
+-
+ bld.SAMBA3_BINARY('dbwrap_tool',
+ source=DBWRAP_TOOL_SRC,
+ deps='''
+@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
+ bld.RECURSE('libsmb')
+ bld.RECURSE('modules')
+ bld.RECURSE('pam_smbpass')
++bld.RECURSE('param')
+ bld.RECURSE('passdb')
+ bld.RECURSE('rpc_server')
+ bld.RECURSE('script')
+--
+1.9.3
+
+
+From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 15:34:40 +1300
+Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
+ for allocated and subbed string parameters
+
+This allows us not to generate array entries for these, which in turn allows
+us to avoid initialising them. The issue is that we do not have the
+% macro sub context nor a talloc context handy (yet).
+
+Andrew Bartlett
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ lib/param/loadparm.c | 21 ++++++++++-----------
+ 1 file changed, 10 insertions(+), 11 deletions(-)
+
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 4497dbf..23b45e2 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
+ #define lpcfg_default_service global_loadparm_context->sDefault
+ #define lpcfg_global_service(i) global_loadparm_context->services[i]
+
+-#define FN_GLOBAL_STRING(fn_name,var_name) \
++#define FN_GLOBAL_STRING(fn_name,var_name) \
++ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
++ if (lp_ctx == NULL) return NULL; \
++ if (lp_ctx->s3_fns) { \
++ smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
++ } \
++ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
++}
++
++#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
+ if (lp_ctx == NULL) return NULL; \
+ if (lp_ctx->s3_fns) { \
+@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
+ return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
+ }
+
+-#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
+- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
+- if (lp_ctx == NULL) return NULL; \
+- if (lp_ctx->s3_fns) { \
+- SMB_ASSERT(lp_ctx->s3_fns->fn_name); \
+- return lp_ctx->s3_fns->fn_name(); \
+- } \
+- return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
+- }
+-
+ #define FN_GLOBAL_LIST(fn_name,var_name) \
+ _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
+ if (lp_ctx == NULL) return NULL; \
+--
+1.9.3
+
+
+From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 15:36:18 +1300
+Subject: [PATCH 117/249] param: Skip generating hooks for local and string
+ parameters
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ script/mks3param.pl | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/script/mks3param.pl b/script/mks3param.pl
+index 4222ca5..799958c 100644
+--- a/script/mks3param.pl
++++ b/script/mks3param.pl
+@@ -108,7 +108,14 @@ sub handle_loadparm($$)
+ {
+ my ($file,$line) = @_;
+
+- if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
++ # Local parameters don't need the ->s3_fns because the struct
++ # loadparm_service is shared and lpcfg_service() checks the ->s3_fns
++ # hook
++ #
++ # STRING isn't handled as we do not yet have a way to pass in a memory context nor
++ # do we have a good way of dealing with the % macros yet.
++
++ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
+ my $scope = $1;
+ my $type = $2;
+ my $name = $3;
+--
+1.9.3
+
+
+From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 15:39:10 +1300
+Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
+ after proto.h was frozen
+
+This autogenerates the parameters so that we can keep everything in sync easier,
+particularly when adding new parameters. This will also make it easier to move
+to a fully autogenerated system in the future, as it reduces special cases.
+
+Andrew Bartlett
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ script/mks3param_proto.pl | 199 ++++++++++++++++++++++++++++++++++++++++++++
+ source3/include/proto.h | 2 +
+ source3/param/wscript_build | 5 ++
+ 3 files changed, 206 insertions(+)
+ create mode 100644 script/mks3param_proto.pl
+
+diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
+new file mode 100644
+index 0000000..446e343
+--- /dev/null
++++ b/script/mks3param_proto.pl
+@@ -0,0 +1,199 @@
++#!/usr/bin/perl
++# Generate loadparm interfaces tables for Samba3/Samba4 integration
++# by Andrew Bartlett
++# based on mkproto.pl Written by Jelmer Vernooij
++# based on the original mkproto.sh by Andrew Tridgell
++
++use strict;
++
++# don't use warnings module as it is not portable enough
++# use warnings;
++
++use Getopt::Long;
++use File::Basename;
++use File::Path;
++
++#####################################################################
++# read a file into a string
++
++my $file = undef;
++my $public_define = undef;
++my $_public = "";
++my $_private = "";
++my $public_data = \$_public;
++my $builddir = ".";
++my $srcdir = ".";
++
++sub public($)
++{
++ my ($d) = @_;
++ $$public_data .= $d;
++}
++
++sub usage()
++{
++ print "Usage: mks3param.pl [options] [c files]\n";
++ print "OPTIONS:\n";
++ print " --srcdir=path Read files relative to this directory\n";
++ print " --builddir=path Write file relative to this directory\n";
++ print " --help Print this help message\n\n";
++ exit 0;
++}
++
++GetOptions(
++ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
++ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
++ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
++ 'help' => \&usage
++) or exit(1);
++
++sub normalize_define($$)
++{
++ my ($define, $file) = @_;
++
++ if (not defined($define) and defined($file)) {
++ $define = "__" . uc($file) . "__";
++ $define =~ tr{./}{__};
++ $define =~ tr{\-}{_};
++ } elsif (not defined($define)) {
++ $define = '_S3_PARAM_PROTO_H_';
++ }
++
++ return $define;
++}
++
++$public_define = normalize_define($public_define, $file);
++
++sub file_load($)
++{
++ my($filename) = @_;
++ local(*INPUTFILE);
++ open(INPUTFILE, $filename) or return undef;
++ my($saved_delim) = $/;
++ undef $/;
++ my($data) = <INPUTFILE>;
++ close(INPUTFILE);
++ $/ = $saved_delim;
++ return $data;
++}
++
++sub print_header($$)
++{
++ my ($file, $header_name) = @_;
++ $file->("#ifndef $header_name\n");
++ $file->("#define $header_name\n\n");
++ $file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
++}
++
++sub print_footer($$)
++{
++ my ($file, $header_name) = @_;
++ $file->("\n#endif /* $header_name */\n\n");
++}
++
++sub handle_loadparm($$)
++{
++ my ($file,$line) = @_;
++
++ my $scope;
++ my $type;
++ my $name;
++ my $var;
++ my $param;
++
++ if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
++ $scope = $1;
++ $type = $2;
++ $name = $3;
++ $var = $4;
++ $param = "int";
++ } elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
++ $scope = $1;
++ $type = $2;
++ $name = $3;
++ $var = $4;
++ $param = "const struct share_params *p";
++ } else {
++ return;
++ }
++
++ my %tmap = (
++ "BOOL" => "bool ",
++ "CONST_STRING" => "const char *",
++ "STRING" => "char *",
++ "INTEGER" => "int ",
++ "CHAR" => "char ",
++ "LIST" => "const char **",
++ );
++
++ my %smap = (
++ "GLOBAL" => "void",
++ "LOCAL" => "$param"
++ );
++
++ if (($type eq "STRING") and ($scope eq "GLOBAL")) {
++ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
++ } elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
++ $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
++ } else {
++ $file->("$tmap{$type}lp_$name($smap{$scope});\n");
++ }
++}
++
++sub process_file($$)
++{
++ my ($file, $filename) = @_;
++
++ $filename =~ s/\.o$/\.c/g;
++
++ if ($filename =~ /^\//) {
++ open(FH, "<$filename") or die("Failed to open $filename");
++ } elsif (!open(FH, "< $builddir/$filename")) {
++ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
++ }
++
++ my $comment = undef;
++ my $incomment = 0;
++ while (my $line = <FH>) {
++ if ($line =~ /^\/\*\*/) {
++ $comment = "";
++ $incomment = 1;
++ }
++
++ if ($incomment) {
++ $comment .= $line;
++ if ($line =~ /\*\//) {
++ $incomment = 0;
++ }
++ }
++
++ # these are ordered for maximum speed
++ next if ($line =~ /^\s/);
++
++ next unless ($line =~ /\(/);
++
++ next if ($line =~ /^\/|[;]/);
++
++ if ($line =~ /^FN_/) {
++ handle_loadparm($file, $line);
++ }
++ next;
++ }
++
++ close(FH);
++}
++
++
++print_header(\&public, $public_define);
++
++process_file(\&public, $_) foreach (@ARGV);
++print_footer(\&public, $public_define);
++
++if (not defined($file)) {
++ print STDOUT $$public_data;
++}
++
++mkpath(dirname($file), 0, 0755);
++open(PUBLIC, ">$file") or die("Can't open `$file': $!");
++print PUBLIC "$$public_data";
++close(PUBLIC);
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 53cd59d..614baa4 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
+
+ /* The following definitions come from param/loadparm.c */
+
++#include "source3/param/param_proto.h"
++
+ const char **lp_smb_ports(void);
+ const char *lp_dos_charset(void);
+ const char *lp_unix_charset(void);
+diff --git a/source3/param/wscript_build b/source3/param/wscript_build
+index 278d5f5..643c27e 100644
+--- a/source3/param/wscript_build
++++ b/source3/param/wscript_build
+@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
+ target='param_global.h',
+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
+
++bld.SAMBA_GENERATOR('s3_param_proto_h',
++ source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
++ target='param_proto.h',
++ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
++
+ bld.SAMBA3_PYTHON('pys3param',
+ source='pyparam.c',
+ deps='param',
+--
+1.9.3
+
+
+From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 15:46:43 +1300
+Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table
+
+This allows us to use more lpcfg_ functions without adding them
+manually.
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ lib/param/wscript_build | 1 +
+ script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
+ source3/param/loadparm_ctx.c | 64 +------------------
+ source3/param/wscript_build | 5 ++
+ 4 files changed, 146 insertions(+), 63 deletions(-)
+ create mode 100644 script/mks3param_ctx_table.pl
+
+diff --git a/lib/param/wscript_build b/lib/param/wscript_build
+index 10e05a3..0e1a2e0 100644
+--- a/lib/param/wscript_build
++++ b/lib/param/wscript_build
+@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
+ target='s3_param.h',
+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
+
++
+ bld.SAMBA_GENERATOR('param_global_h',
+ source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
+ target='param_global.h',
+diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
+new file mode 100644
+index 0000000..cfd6e02
+--- /dev/null
++++ b/script/mks3param_ctx_table.pl
+@@ -0,0 +1,139 @@
++#!/usr/bin/perl
++# Generate loadparm interfaces tables for Samba3/Samba4 integration
++# by Andrew Bartlett
++# based on mkproto.pl Written by Jelmer Vernooij
++# based on the original mkproto.sh by Andrew Tridgell
++
++use strict;
++
++# don't use warnings module as it is not portable enough
++# use warnings;
++
++use Getopt::Long;
++use File::Basename;
++use File::Path;
++
++#####################################################################
++# read a file into a string
++
++my $file = undef;
++my $public_define = undef;
++my $_public = "";
++my $_private = "";
++my $public_data = \$_public;
++my $builddir = ".";
++my $srcdir = ".";
++
++sub public($)
++{
++ my ($d) = @_;
++ $$public_data .= $d;
++}
++
++sub usage()
++{
++ print "Usage: mks3param.pl [options] [c files]\n";
++ print "OPTIONS:\n";
++ print " --srcdir=path Read files relative to this directory\n";
++ print " --builddir=path Write file relative to this directory\n";
++ print " --help Print this help message\n\n";
++ exit 0;
++}
++
++GetOptions(
++ 'file=s' => sub { my ($f,$v) = @_; $file = $v; },
++ 'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
++ 'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
++ 'help' => \&usage
++) or exit(1);
++
++sub file_load($)
++{
++ my($filename) = @_;
++ local(*INPUTFILE);
++ open(INPUTFILE, $filename) or return undef;
++ my($saved_delim) = $/;
++ undef $/;
++ my($data) = <INPUTFILE>;
++ close(INPUTFILE);
++ $/ = $saved_delim;
++ return $data;
++}
++
++sub print_header($)
++{
++ my ($file) = @_;
++ $file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
++ $file->("static const struct loadparm_s3_helpers s3_fns = \n");
++ $file->("{\n");
++ $file->("\t.get_parametric = lp_parm_const_string_service,\n");
++ $file->("\t.get_parm_struct = lp_get_parameter,\n");
++ $file->("\t.get_parm_ptr = lp_parm_ptr,\n");
++ $file->("\t.get_service = lp_service_for_s4_ctx,\n");
++ $file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
++ $file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
++ $file->("\t.get_numservices = lp_numservices,\n");
++ $file->("\t.load = lp_load_for_s4_ctx,\n");
++ $file->("\t.set_cmdline = lp_set_cmdline,\n");
++ $file->("\t.dump = lp_dump,\n");
++}
++
++sub print_footer($)
++{
++ my ($file) = @_;
++ $file->("};");
++}
++
++sub handle_loadparm($$)
++{
++ my ($file,$line) = @_;
++
++ # STRING isn't handled here, as we still don't know what to do with the substituted vars */
++ # LOCAL also isn't handled here
++ if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
++ my $scope = $1;
++ my $type = $2;
++ my $name = $3;
++
++ $file->(".$name = lp_$name,\n");
++ }
++}
++
++sub process_file($$)
++{
++ my ($file, $filename) = @_;
++
++ $filename =~ s/\.o$/\.c/g;
++
++ if ($filename =~ /^\//) {
++ open(FH, "<$filename") or die("Failed to open $filename");
++ } elsif (!open(FH, "< $builddir/$filename")) {
++ open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
++ }
++
++ my $comment = undef;
++ my $incomment = 0;
++ while (my $line = <FH>) {
++ if ($line =~ /^FN_/) {
++ handle_loadparm($file, $line);
++ }
++ next;
++ }
++
++ close(FH);
++}
++
++
++print_header(\&public);
++
++process_file(\&public, $_) foreach (@ARGV);
++print_footer(\&public);
++
++if (not defined($file)) {
++ print STDOUT $$public_data;
++}
++
++mkpath(dirname($file), 0, 0755);
++open(PUBLIC, ">$file") or die("Can't open `$file': $!");
++print PUBLIC "$$public_data";
++close(PUBLIC);
+diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
+index 63ead53..5cbc920 100644
+--- a/source3/param/loadparm_ctx.c
++++ b/source3/param/loadparm_ctx.c
+@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
+ return status;
+ }
+
+-/* These are in the order that they appear in the s4 loadparm file.
+- * All of the s4 loadparm functions should be here eventually, once
+- * they are implemented in the s3 loadparm, have the same format (enum
+- * values in particular) and defaults. */
+-static const struct loadparm_s3_helpers s3_fns =
+-{
+- .get_parametric = lp_parm_const_string_service,
+- .get_parm_struct = lp_get_parameter,
+- .get_parm_ptr = lp_parm_ptr,
+- .get_service = lp_service_for_s4_ctx,
+- .get_servicebynum = lp_servicebynum_for_s4_ctx,
+- .get_default_loadparm_service = lp_default_loadparm_service,
+- .get_numservices = lp_numservices,
+- .load = lp_load_for_s4_ctx,
+- .set_cmdline = lp_set_cmdline,
+- .dump = lp_dump,
+-
+- ._server_role = lp__server_role,
+- ._security = lp__security,
+- ._domain_master = lp__domain_master,
+- ._domain_logons = lp__domain_logons,
+-
+- .winbind_separator = lp_winbind_separator,
+- .template_homedir = lp_template_homedir,
+- .template_shell = lp_template_shell,
+-
+- .dos_charset = lp_dos_charset,
+- .unix_charset = lp_unix_charset,
+-
+- .realm = lp_realm,
+- .dnsdomain = lp_dnsdomain,
+- .socket_options = lp_socket_options,
+- .workgroup = lp_workgroup,
+-
+- .netbios_name = lp_netbios_name,
+- .netbios_scope = lp_netbios_scope,
+- .netbios_aliases = lp_netbios_aliases,
+-
+- .lanman_auth = lp_lanman_auth,
+- .ntlm_auth = lp_ntlm_auth,
+-
+- .client_plaintext_auth = lp_client_plaintext_auth,
+- .client_lanman_auth = lp_client_lanman_auth,
+- .client_ntlmv2_auth = lp_client_ntlmv2_auth,
+- .client_use_spnego_principal = lp_client_use_spnego_principal,
+-
+- .private_dir = lp_private_dir,
+- .ncalrpc_dir = lp_ncalrpc_dir,
+- .lockdir = lp_lockdir,
+-
+- .passdb_backend = lp_passdb_backend,
+-
+- .host_msdfs = lp_host_msdfs,
+- .unix_extensions = lp_unix_extensions,
+- .use_spnego = lp_use_spnego,
+- .use_mmap = lp_use_mmap,
+- .use_ntdb = lp_use_ntdb,
+-
+- .srv_minprotocol = lp_srv_minprotocol,
+- .srv_maxprotocol = lp_srv_maxprotocol,
+-
+- .passwordserver = lp_passwordserver
+-};
++#include "loadparm_ctx_table.c"
+
+ const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
+ {
+diff --git a/source3/param/wscript_build b/source3/param/wscript_build
+index 643c27e..673cb4d 100644
+--- a/source3/param/wscript_build
++++ b/source3/param/wscript_build
+@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
+ target='param_proto.h',
+ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
+
++bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
++ source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
++ target='loadparm_ctx_table.c',
++ rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
++
+ bld.SAMBA3_PYTHON('pys3param',
+ source='pyparam.c',
+ deps='param',
+--
+1.9.3
+
+
+From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Mon, 14 Oct 2013 15:49:25 +1300
+Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes
+
+This also ensures we remove prototypes from parameters we remove or
+rename, and easily see how many special cases we have left.
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/proto.h | 361 +-----------------------------------------------
+ 1 file changed, 1 insertion(+), 360 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 614baa4..5e068d2 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
+
+ #include "source3/param/param_proto.h"
+
+-const char **lp_smb_ports(void);
+-const char *lp_dos_charset(void);
+-const char *lp_unix_charset(void);
+-char *lp_logfile(TALLOC_CTX *ctx);
+-char *lp_configfile(TALLOC_CTX *ctx);
+-const char *lp_smb_passwd_file(void);
+-const char *lp_private_dir(void);
+-char *lp_serverstring(TALLOC_CTX *ctx);
+-int lp_printcap_cache_time(void);
+-char *lp_addport_cmd(TALLOC_CTX *ctx);
+-char *lp_enumports_cmd(TALLOC_CTX *ctx);
+-char *lp_addprinter_cmd(TALLOC_CTX *ctx);
+-char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
+-char *lp_os2_driver_map(TALLOC_CTX *ctx);
+-const char *lp_lockdir(void);
+ const char *lp_statedir(void);
+ const char *lp_cachedir(void);
+-const char *lp_piddir(void);
+-char *lp_mangling_method(TALLOC_CTX *ctx);
+-int lp_mangle_prefix(void);
+-const char *lp_utmpdir(void);
+-const char *lp_wtmpdir(void);
+-bool lp_utmp(void);
+-char *lp_rootdir(TALLOC_CTX *ctx);
+-char *lp_defaultservice(TALLOC_CTX *ctx);
+-char *lp_msg_command(TALLOC_CTX *ctx);
+-char *lp_get_quota_command(TALLOC_CTX *ctx);
+-char *lp_set_quota_command(TALLOC_CTX *ctx);
+-char *lp_auto_services(TALLOC_CTX *ctx);
+-char *lp_passwd_program(TALLOC_CTX *ctx);
+-char *lp_passwd_chat(TALLOC_CTX *ctx);
+-const char *lp_passwordserver(void);
+-const char **lp_name_resolve_order(void);
+-const char *lp_netbios_scope(void);
+-const char *lp_netbios_name(void);
+-const char *lp_workgroup(void);
+-const char *lp_realm(void);
+-const char *lp_dnsdomain(void);
+-const char *lp_afs_username_map(void);
+-int lp_afs_token_lifetime(void);
+-char *lp_log_nt_token_command(TALLOC_CTX *ctx);
+-char *lp_username_map(TALLOC_CTX *ctx);
+-const char *lp_logon_script(void);
+-const char *lp_logon_path(void);
+-const char *lp_logon_drive(void);
+-const char *lp_logon_home(void);
+-char *lp_remote_announce(TALLOC_CTX *ctx);
+-char *lp_remote_browse_sync(TALLOC_CTX *ctx);
+-bool lp_nmbd_bind_explicit_broadcast(void);
+-const char **lp_wins_server_list(void);
+-const char **lp_interfaces(void);
+-const char *lp_nbt_client_socket_address(void);
+-char *lp_nis_home_map_name(TALLOC_CTX *ctx);
+-const char **lp_netbios_aliases(void);
+-const char *lp_passdb_backend(void);
+-const char **lp_preload_modules(void);
+-char *lp_panic_action(TALLOC_CTX *ctx);
+-char *lp_adduser_script(TALLOC_CTX *ctx);
+-char *lp_renameuser_script(TALLOC_CTX *ctx);
+-char *lp_deluser_script(TALLOC_CTX *ctx);
+-const char *lp_guestaccount(void);
+-char *lp_addgroup_script(TALLOC_CTX *ctx);
+-char *lp_delgroup_script(TALLOC_CTX *ctx);
+-char *lp_addusertogroup_script(TALLOC_CTX *ctx);
+-char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
+-char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
+-char *lp_addmachine_script(TALLOC_CTX *ctx);
+-char *lp_shutdown_script(TALLOC_CTX *ctx);
+-char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
+-char *lp_username_map_script(TALLOC_CTX *ctx);
+-int lp_username_map_cache_time(void);
+-char *lp_check_password_script(TALLOC_CTX *ctx);
+-char *lp_wins_hook(TALLOC_CTX *ctx);
+-const char *lp_template_homedir(void);
+-const char *lp_template_shell(void);
+-const char *lp_winbind_separator(void);
+-const char *lp_winbindd_socket_directory(void);
+-bool lp_winbind_enum_users(void);
+-bool lp_winbind_enum_groups(void);
+-bool lp_winbind_use_default_domain(void);
+-bool lp_winbind_trusted_domains_only(void);
+-bool lp_winbind_nested_groups(void);
+-int lp_winbind_expand_groups(void);
+-bool lp_winbind_refresh_tickets(void);
+-bool lp_winbind_offline_logon(void);
+-bool lp_winbind_normalize_names(void);
+-bool lp_winbind_rpc_only(void);
+-bool lp_create_krb5_conf(void);
+ int lp_winbind_max_domain_connections(void);
+-int lp_idmap_cache_time(void);
+-int lp_idmap_negative_cache_time(void);
+ bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
+ bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
+ const char *lp_idmap_backend(const char *domain_name);
+ const char *lp_idmap_default_backend (void);
+-int lp_keepalive(void);
+-bool lp_passdb_expand_explicit(void);
+-char *lp_ldap_suffix(TALLOC_CTX *ctx);
+-char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
+-int lp_ldap_ssl(void);
+-bool lp_ldap_ssl_ads(void);
+-int lp_ldap_deref(void);
+-int lp_ldap_follow_referral(void);
+-int lp_ldap_passwd_sync(void);
+-bool lp_ldap_delete_dn(void);
+-int lp_ldap_replication_sleep(void);
+-int lp_ldap_timeout(void);
+-int lp_ldap_connection_timeout(void);
+-int lp_ldap_page_size(void);
+-int lp_ldap_debug_level(void);
+-int lp_ldap_debug_threshold(void);
+-char *lp_add_share_cmd(TALLOC_CTX *ctx);
+-char *lp_change_share_cmd(TALLOC_CTX *ctx);
+-char *lp_delete_share_cmd(TALLOC_CTX *ctx);
+-char *lp_usershare_path(TALLOC_CTX *ctx);
+-const char **lp_usershare_prefix_allow_list(void);
+-const char **lp_usershare_prefix_deny_list(void);
+-const char **lp_eventlog_list(void);
+-bool lp_registry_shares(void);
+-bool lp_usershare_allow_guests(void);
+-bool lp_usershare_owner_only(void);
+-bool lp_disable_netbios(void);
+-bool lp_reset_on_zero_vc(void);
+-bool lp_log_writeable_files_on_exit(void);
+-bool lp_ms_add_printer_wizard(void);
+-bool lp_wins_dns_proxy(void);
+-bool lp_we_are_a_wins_server(void);
+-bool lp_wins_proxy(void);
+-bool lp_local_master(void);
+-const char **lp_init_logon_delayed_hosts(void);
+-int lp_init_logon_delay(void);
+-bool lp_load_printers(void);
+ bool lp_readraw(void);
+-bool lp_large_readwrite(void);
+ bool lp_writeraw(void);
+-bool lp_null_passwords(void);
+-bool lp_obey_pam_restrictions(void);
+-bool lp_encrypted_passwords(void);
+-int lp_client_schannel(void);
+-int lp_server_schannel(void);
+-bool lp_syslog_only(void);
+-bool lp_timestamp_logs(void);
+-bool lp_debug_prefix_timestamp(void);
+-bool lp_debug_hires_timestamp(void);
+-bool lp_debug_pid(void);
+-bool lp_debug_uid(void);
+-bool lp_debug_class(void);
+-bool lp_enable_core_files(void);
+-bool lp_browse_list(void);
+-bool lp_nis_home_map(void);
+-bool lp_bind_interfaces_only(void);
+-bool lp_pam_password_change(void);
+-bool lp_unix_password_sync(void);
+-bool lp_passwd_chat_debug(void);
+-int lp_passwd_chat_timeout(void);
+-bool lp_nt_pipe_support(void);
+-bool lp_nt_status_support(void);
+-bool lp_stat_cache(void);
+-int lp_max_stat_cache_size(void);
+-bool lp_allow_trusted_domains(void);
+-bool lp_map_untrusted_to_domain(void);
+-int lp_restrict_anonymous(void);
+-bool lp_lanman_auth(void);
+-bool lp_ntlm_auth(void);
+-bool lp_client_plaintext_auth(void);
+-bool lp_client_lanman_auth(void);
+-bool lp_client_ntlmv2_auth(void);
+-bool lp_host_msdfs(void);
+-bool lp_enhanced_browsing(void);
+-bool lp_use_mmap(void);
+-bool lp_use_ntdb(void);
+-bool lp_unix_extensions(void);
+-bool lp_unicode(void);
+-bool lp_use_spnego(void);
+-bool lp_client_use_spnego(void);
+-bool lp_client_use_spnego_principal(void);
+-bool lp_hostname_lookups(void);
+-bool lp_change_notify(const struct share_params *p );
+-bool lp_kernel_change_notify(const struct share_params *p );
+-const char * lp_dedicated_keytab_file(void);
+-int lp_kerberos_method(void);
+-bool lp_defer_sharing_violations(void);
+-bool lp_enable_privileges(void);
+-bool lp_enable_asu_support(void);
+-int lp_os_level(void);
+-int lp_max_ttl(void);
+-int lp_max_wins_ttl(void);
+-int lp_min_wins_ttl(void);
+-int lp_max_log_size(void);
+-int lp_max_open_files(void);
+-int lp_open_files_db_hash_size(void);
+-int lp_max_xmit(void);
+-int lp_maxmux(void);
+-int lp_passwordlevel(void);
+-int lp_usernamelevel(void);
+-int lp_deadtime(void);
+-bool lp_getwd_cache(void);
+-int lp_srv_maxprotocol(void);
+-int lp_srv_minprotocol(void);
+-int lp_cli_maxprotocol(void);
+-int lp_cli_minprotocol(void);
+ int lp_security(void);
+-int lp__server_role(void);
+-int lp__security(void);
+-int lp__domain_master(void);
+-bool lp__domain_logons(void);
+-const char **lp_auth_methods(void);
+-bool lp_paranoid_server_security(void);
+-int lp_maxdisksize(void);
+-int lp_lpqcachetime(void);
+-int lp_max_smbd_processes(void);
+-bool lp__disable_spoolss(void);
+-int lp_syslog(void);
+-int lp_lm_announce(void);
+-int lp_lm_interval(void);
+-int lp_machine_password_timeout(void);
+-int lp_map_to_guest(void);
+-int lp_oplock_break_wait_time(void);
+-int lp_lock_spin_time(void);
+-int lp_usershare_max_shares(void);
+-const char *lp_socket_options(void);
+-int lp_config_backend(void);
+-int lp_smb2_max_read(void);
+-int lp_smb2_max_write(void);
+-int lp_smb2_max_trans(void);
+ int lp_smb2_max_credits(void);
+-char *lp_preexec(TALLOC_CTX *ctx, int );
+-char *lp_postexec(TALLOC_CTX *ctx, int );
+-char *lp_rootpreexec(TALLOC_CTX *ctx, int );
+-char *lp_rootpostexec(TALLOC_CTX *ctx, int );
+-char *lp_servicename(TALLOC_CTX *ctx, int );
+-const char *lp_const_servicename(int );
+-char *lp_pathname(TALLOC_CTX *ctx, int );
+-char *lp_dontdescend(TALLOC_CTX *ctx, int );
+-char *lp_username(TALLOC_CTX *ctx, int );
+-const char **lp_invalid_users(int );
+-const char **lp_valid_users(int );
+-const char **lp_admin_users(int );
+-const char **lp_svcctl_list(void);
+-char *lp_cups_options(TALLOC_CTX *ctx, int );
+-char *lp_cups_server(TALLOC_CTX *ctx);
+ int lp_cups_encrypt(void);
+-char *lp_iprint_server(TALLOC_CTX *ctx);
+-int lp_cups_connection_timeout(void);
+-const char *lp_ctdbd_socket(void);
+-const char *_lp_ctdbd_socket(void);
+-const char **lp_cluster_addresses(void);
+-bool lp_clustering(void);
+-int lp_ctdb_timeout(void);
+-int lp_ctdb_locktime_warn_threshold(void);
+-char *lp_printcommand(TALLOC_CTX *ctx, int );
+-char *lp_lpqcommand(TALLOC_CTX *ctx, int );
+-char *lp_lprmcommand(TALLOC_CTX *ctx, int );
+-char *lp_lppausecommand(TALLOC_CTX *ctx, int );
+-char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
+-char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
+-char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
+-const char *lp_printjob_username(int );
+-const char **lp_hostsallow(int );
+-const char **lp_hostsdeny(int );
+-char *lp_magicscript(TALLOC_CTX *ctx, int );
+-char *lp_magicoutput(TALLOC_CTX *ctx, int );
+-char *lp_comment(TALLOC_CTX *ctx, int );
+-char *lp_force_user(TALLOC_CTX *ctx, int );
+-char *lp_force_group(TALLOC_CTX *ctx, int );
+-const char **lp_readlist(int );
+-const char **lp_writelist(int );
+-char *lp_fstype(TALLOC_CTX *ctx, int );
+-const char **lp_vfs_objects(int );
+-char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
+-char *lp_veto_files(TALLOC_CTX *ctx, int );
+-char *lp_hide_files(TALLOC_CTX *ctx, int );
+-char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
+-bool lp_msdfs_root(int );
+-char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
+-char *lp_dfree_command(TALLOC_CTX *ctx, int );
+-bool lp_autoloaded(int );
+-bool lp_preexec_close(int );
+-bool lp_rootpreexec_close(int );
+-int lp_casesensitive(int );
+-bool lp_preservecase(int );
+-bool lp_shortpreservecase(int );
+-bool lp_hide_dot_files(int );
+-bool lp_hide_special_files(int );
+-bool lp_hideunreadable(int );
+-bool lp_hideunwriteable_files(int );
+-bool lp_browseable(int );
+-bool lp_access_based_share_enum(int );
+-bool lp_readonly(int );
+-bool lp_guest_ok(int );
+-bool lp_guest_only(int );
+-bool lp_administrative_share(int );
+-bool lp_print_ok(int );
+-bool lp_print_notify_backchannel(int );
+-bool lp_map_hidden(int );
+-bool lp_map_archive(int );
+-bool lp_store_dos_attributes(int );
+-bool lp_dmapi_support(int );
+-bool lp_locking(const struct share_params *p );
+-int lp_strict_locking(const struct share_params *p );
+-bool lp_posix_locking(const struct share_params *p );
+-bool lp_oplocks(int );
+-bool lp_kernel_oplocks(int );
+-bool lp_level2_oplocks(int );
+-bool lp_kernel_share_modes(int);
+-bool lp_onlyuser(int );
+-bool lp_manglednames(const struct share_params *p );
+-bool lp_allow_insecure_widelinks(void);
+ bool lp_widelinks(int );
+-bool lp_symlinks(int );
+-bool lp_syncalways(int );
+-bool lp_strict_allocate(int );
+-bool lp_strict_sync(int );
+-bool lp_map_system(int );
+-bool lp_delete_readonly(int );
+-bool lp_fake_oplocks(int );
+-bool lp_recursive_veto_delete(int );
+-bool lp_dos_filemode(int );
+-bool lp_dos_filetimes(int );
+-bool lp_dos_filetime_resolution(int );
+-bool lp_fake_dir_create_times(int);
+-bool lp_async_smb_echo_handler(void);
+-bool lp_multicast_dns_register(void);
+-bool lp_blocking_locks(int );
+-bool lp_inherit_perms(int );
+-bool lp_inherit_acls(int );
+-bool lp_inherit_owner(int );
+-bool lp_use_client_driver(int );
+-bool lp_default_devmode(int );
+-bool lp_force_printername(int );
+-bool lp_nt_acl_support(int );
+-bool lp_force_unknown_acl_user(int );
+-bool lp_ea_support(int );
+-bool lp__use_sendfile(int );
+-bool lp_profile_acls(int );
+-bool lp_map_acl_inherit(int );
+-bool lp_afs_share(int );
+-bool lp_acl_check_permissions(int );
+-bool lp_acl_group_control(int );
+-bool lp_acl_map_full_control(int );
+-bool lp_acl_allow_execute_always(int);
+-bool lp_durable_handles(int);
+-int lp_create_mask(int );
+-int lp_force_create_mode(int );
+-int lp_dir_mask(int );
+-int lp_force_dir_mode(int );
+-int lp_max_connections(int );
+-int lp_defaultcase(int );
+-int lp_minprintspace(int );
+-int lp_printing(int );
+-int lp_max_reported_jobs(int );
+-int lp_oplock_contention_limit(int );
+-int lp_csc_policy(int );
+-int lp_write_cache_size(int );
+-int lp_block_size(int );
+-int lp_dfree_cache_time(int );
+-int lp_allocation_roundup_size(int );
+-int lp_aio_read_size(int );
+-int lp_aio_write_size(int );
+-int lp_map_readonly(int );
+-int lp_directory_name_cache_size(int );
+-int lp_smb_encrypt(int );
+-char lp_magicchar(const struct share_params *p );
+-int lp_winbind_cache_time(void);
+-int lp_winbind_reconnect_delay(void);
+-int lp_winbind_request_timeout(void);
+-int lp_winbind_max_clients(void);
+-const char **lp_winbind_nss_info(void);
+-int lp_algorithmic_rid_base(void);
+-int lp_name_cache_timeout(void);
+-int lp_client_signing(void);
+-int lp_server_signing(void);
+-int lp_client_ldap_sasl_wrapping(void);
++
+ char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
+ const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
+ struct loadparm_service;
+--
+1.9.3
+
+
+From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Wed, 16 Oct 2013 14:45:31 +1300
+Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 69 insertions(+)
+
+diff --git a/lib/param/README b/lib/param/README
+index 403a217..b567d71 100644
+--- a/lib/param/README
++++ b/lib/param/README
+@@ -1,4 +1,73 @@
++libsamba-hostconfig
++-------------------
++
+ This directory contains "libsamba-hostconfig".
+
+ The libsamba-hostconfig library provides access to all host-wide configuration
+ such as the configured shares, default parameter values and host secret keys.
++
++
++Adding a parameter
++------------------
++
++To add or change an smb.conf option, you only have to modify
++lib/param/param_table.c and lib/param/param_functions.c. The rest is
++generated for you.
++
++
++Using smb.conf parameters in the code
++-------------------------------------
++
++Call the lpcfg_*() function. To get the lp_ctx, have the caller pass
++it to you. To get a lp_ctx for the source3/param loadparm system, use:
++
++struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
++
++Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
++
++To get a lp_ctx for the lib/param loadparm system, typically the
++pointer is already set up by popt at startup, and is passed down from
++cmdline_lp_ctx.
++
++In pure source3/ code, you may use lp_*() functions, but are
++encouraged to use the lpcfg_*() functions so that code can be made
++common.
++
++
++How does loadparm_init_s3() work?
++---------------------------------
++
++loadparm_s3_helpers() returns a initialised table of function
++pointers, pointing at all global lp_*() functions, except for those
++that return substituted strings (% macros). The lpcfg_*() function
++then calls this plugged in function, allowing the one function and
++pattern to use either loadparm system.
++
++
++There is a lot of generated code, here, what generates what?
++------------------------------------------------------------
++
++The regular format of the CPP macros in param_functions.c is used to
++generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
++and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
++the initilisation of the glue table (mks3param_ctx_table.pl).
++
++I have tried combining some of these, but it just makes the scripts more
++complex.
++
++The CPP macros are defined in and expand in lib/param/loadparm.c and
++source3/param/loadparm.c to read the values from the generated
++stuctures. They are CPP #included into these files so that the same
++macro has two definitions, depending on the system it is loading into.
++
++
++Why was this done, rather than a 'proper' fix, or just using one system or the other?
++-------------------------------------------------------------------------------------
++
++This was done to allow merging from both ends - merging more parts of
++the loadparm handling, and merging code that needs to read the
++smb.conf, without having to do it all at once. Ideally
++param_functions.c would be generated from param_table.c or (even
++better) our XML manpage source, and the CPP macros would instead be
++generated expanded as generated C files, but this is a task nobody has
++taken on yet.
+--
+1.9.3
+
+
+From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Aug 2013 08:19:08 +0200
+Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
+ librpc/rpc/rpc_common.h | 8 ++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
+index 9354bbd..714baa7 100644
+--- a/librpc/rpc/binding_handle.c
++++ b/librpc/rpc/binding_handle.c
+@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
+ return h->ops->set_timeout(h, timeout);
+ }
+
++void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
++ enum dcerpc_AuthType *auth_type,
++ enum dcerpc_AuthLevel *auth_level)
++{
++ enum dcerpc_AuthType _auth_type;
++ enum dcerpc_AuthLevel _auth_level;
++
++ if (auth_type == NULL) {
++ auth_type = &_auth_type;
++ }
++
++ if (auth_level == NULL) {
++ auth_level = &_auth_level;
++ }
++
++ *auth_type = DCERPC_AUTH_TYPE_NONE;
++ *auth_level = DCERPC_AUTH_LEVEL_NONE;
++
++ if (h->ops->auth_info == NULL) {
++ return;
++ }
++
++ h->ops->auth_info(h, auth_type, auth_level);
++}
++
+ struct dcerpc_binding_handle_raw_call_state {
+ const struct dcerpc_binding_handle_ops *ops;
+ uint8_t *out_data;
+diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
+index d2816f5..978229e 100644
+--- a/librpc/rpc/rpc_common.h
++++ b/librpc/rpc/rpc_common.h
+@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
+ uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
+ uint32_t timeout);
+
++ void (*auth_info)(struct dcerpc_binding_handle *h,
++ enum dcerpc_AuthType *auth_type,
++ enum dcerpc_AuthLevel *auth_level);
++
+ struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dcerpc_binding_handle *h,
+@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
+ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
+ uint32_t timeout);
+
++void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
++ enum dcerpc_AuthType *auth_type,
++ enum dcerpc_AuthLevel *auth_level);
++
+ struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct dcerpc_binding_handle *h,
+--
+1.9.3
+
+
+From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Aug 2013 08:19:35 +0200
+Subject: [PATCH 123/249] s3:rpc_client: implement
+ dcerpc_binding_handle_auth_info()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 64e7f1c..a343997 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
+ return rpccli_set_timeout(hs->rpc_cli, timeout);
+ }
+
++static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
++ enum dcerpc_AuthType *auth_type,
++ enum dcerpc_AuthLevel *auth_level)
++{
++ struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
++ struct rpccli_bh_state);
++
++ if (hs->rpc_cli == NULL) {
++ return;
++ }
++
++ if (hs->rpc_cli->auth == NULL) {
++ return;
++ }
++
++ *auth_type = hs->rpc_cli->auth->auth_type;
++ *auth_level = hs->rpc_cli->auth->auth_level;
++}
++
+ struct rpccli_bh_raw_call_state {
+ DATA_BLOB in_data;
+ DATA_BLOB out_data;
+@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
+ .name = "rpccli",
+ .is_connected = rpccli_bh_is_connected,
+ .set_timeout = rpccli_bh_set_timeout,
++ .auth_info = rpccli_bh_auth_info,
+ .raw_call_send = rpccli_bh_raw_call_send,
+ .raw_call_recv = rpccli_bh_raw_call_recv,
+ .disconnect_send = rpccli_bh_disconnect_send,
+--
+1.9.3
+
+
+From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Aug 2013 08:19:57 +0200
+Subject: [PATCH 124/249] s4:librpc: implement
+ dcerpc_binding_handle_auth_info()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
+index 2826160..56b821e 100644
+--- a/source4/librpc/rpc/dcerpc.c
++++ b/source4/librpc/rpc/dcerpc.c
+@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
+ return old;
+ }
+
++static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
++ enum dcerpc_AuthType *auth_type,
++ enum dcerpc_AuthLevel *auth_level)
++{
++ struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
++ struct dcerpc_bh_state);
++
++ if (hs->p == NULL) {
++ return;
++ }
++
++ if (hs->p->conn == NULL) {
++ return;
++ }
++
++ if (hs->p->conn->security_state.auth_info == NULL) {
++ return;
++ }
++
++ *auth_type = hs->p->conn->security_state.auth_info->auth_type;
++ *auth_level = hs->p->conn->security_state.auth_info->auth_level;
++}
++
+ struct dcerpc_bh_raw_call_state {
+ struct tevent_context *ev;
+ struct dcerpc_binding_handle *h;
+@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
+ .name = "dcerpc",
+ .is_connected = dcerpc_bh_is_connected,
+ .set_timeout = dcerpc_bh_set_timeout,
++ .auth_info = dcerpc_bh_auth_info,
+ .raw_call_send = dcerpc_bh_raw_call_send,
+ .raw_call_recv = dcerpc_bh_raw_call_recv,
+ .disconnect_send = dcerpc_bh_disconnect_send,
+--
+1.9.3
+
+
+From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2013 04:25:39 +0200
+Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()
+
+We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/winbindd/winbindd_cm.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index d868826..c4f59d3 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ &ndr_table_lsarpc,
+ &conn->lsa_pipe);
+ if (!NT_STATUS_IS_OK(result)) {
+- result = NT_STATUS_PIPE_NOT_AVAILABLE;
+ goto done;
+ }
+
+--
+1.9.3
+
+
+From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 2 Sep 2013 09:24:42 +0200
+Subject: [PATCH 126/249] s3:include: add forward declaration for struct
+ messaging_context; in g_lock.h
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/g_lock.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
+index 004c452..f513349 100644
+--- a/source3/include/g_lock.h
++++ b/source3/include/g_lock.h
+@@ -23,6 +23,7 @@
+ #include "dbwrap/dbwrap.h"
+
+ struct g_lock_ctx;
++struct messaging_context;
+
+ enum g_lock_type {
+ G_LOCK_READ = 0,
+--
+1.9.3
+
+
+From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 2 Sep 2013 19:29:05 +0200
+Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
+ messages.h
+
+The function already used 'uint8_t' instead of 'uint8'.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/messages.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/include/messages.h b/source3/include/messages.h
+index 09c39cc..50b2a84 100644
+--- a/source3/include/messages.h
++++ b/source3/include/messages.h
+@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
+
+ NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
+ struct server_id server, uint32_t msg_type,
+- const uint8 *buf, size_t len);
++ const uint8_t *buf, size_t len);
+ void messaging_dispatch_rec(struct messaging_context *msg_ctx,
+ struct messaging_rec *rec);
+
+--
+1.9.3
+
+
+From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 12:09:51 +0200
+Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
+ check_trustdomain_security()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/auth/auth_domain.c | 22 ----------------------
+ 1 file changed, 22 deletions(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index 06078e2..9f88c4a 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
+ struct auth_serversupplied_info **server_info)
+ {
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+- unsigned char trust_md4_password[16];
+- char *trust_password;
+ fstring dc_name;
+ struct sockaddr_storage dc_ss;
+
+@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
+ if ( !is_trusted_domain( user_info->mapped.domain_name ) )
+ return NT_STATUS_NOT_IMPLEMENTED;
+
+- /*
+- * Get the trusted account password for the trusted domain
+- * No need to become_root() as secrets_init() is done at startup.
+- */
+-
+- if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
+- NULL, NULL)) {
+- DEBUG(0, ("check_trustdomain_security: could not fetch trust "
+- "account password for domain %s\n",
+- user_info->mapped.domain_name));
+- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+- }
+-
+-#ifdef DEBUG_PASSWORD
+- DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
+- trust_password));
+-#endif
+- E_md4hash(trust_password, trust_md4_password);
+- SAFE_FREE(trust_password);
+-
+ /* use get_dc_name() for consistency even through we know that it will be
+ a netbios name */
+
+--
+1.9.3
+
+
+From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 2 Sep 2013 20:18:39 +0200
+Subject: [PATCH 129/249] s3:libsmb: remove unused
+ change_trust_account_password()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/proto.h | 1 -
+ source3/libsmb/trusts_util.c | 72 --------------------------------------------
+ 2 files changed, 73 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 5e068d2..a40d3c1 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
+ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *domain) ;
+-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
+
+ /* The following definitions come from param/loadparm.c */
+
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index 6156ba0..8a0e53d 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+ sec_channel_type);
+ }
+
+-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
+-{
+- NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
+- struct sockaddr_storage pdc_ss;
+- fstring dc_name;
+- struct cli_state *cli = NULL;
+- struct rpc_pipe_client *netlogon_pipe = NULL;
+-
+- DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
+- domain));
+-
+- if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
+- /* Use the PDC *only* for this */
+-
+- if ( !get_pdc_ip(domain, &pdc_ss) ) {
+- DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
+- goto failed;
+- }
+-
+- if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
+- goto failed;
+- } else {
+- /* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
+- fstrcpy( dc_name, remote_machine );
+- }
+-
+- /* if this next call fails, then give up. We can't do
+- password changes on BDC's --jerry */
+-
+- if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
+- NULL, 0,
+- "IPC$", "IPC",
+- "", "",
+- "", 0, SMB_SIGNING_DEFAULT))) {
+- DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
+- nt_status = NT_STATUS_UNSUCCESSFUL;
+- goto failed;
+- }
+-
+- /*
+- * Ok - we have an anonymous connection to the IPC$ share.
+- * Now start the NT Domain stuff :-).
+- */
+-
+- /* Shouldn't we open this with schannel ? JRA. */
+-
+- nt_status = cli_rpc_pipe_open_noauth(
+- cli, &ndr_table_netlogon, &netlogon_pipe);
+- if (!NT_STATUS_IS_OK(nt_status)) {
+- DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
+- dc_name, nt_errstr(nt_status)));
+- cli_shutdown(cli);
+- cli = NULL;
+- goto failed;
+- }
+-
+- nt_status = trust_pw_find_change_and_store_it(
+- netlogon_pipe, netlogon_pipe, domain);
+-
+- cli_shutdown(cli);
+- cli = NULL;
+-
+-failed:
+- if (!NT_STATUS_IS_OK(nt_status)) {
+- DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
+- current_timestring(talloc_tos(), False), domain));
+- }
+- else
+- DEBUG(5,("change_trust_account_password: sucess!\n"));
+-
+- return nt_status;
+-}
+--
+1.9.3
+
+
+From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 2 Sep 2013 20:19:28 +0200
+Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
+ trust_pw_find_change_and_store_it()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/include/proto.h | 5 -----
+ source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
+ 2 files changed, 15 insertions(+), 40 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index a40d3c1..216a377 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
+
+ /* The following definitions come from libsmb/trusts_util.c */
+
+-NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
+- const char *domain,
+- const char *account_name,
+- unsigned char orig_trust_passwd_hash[16],
+- enum netr_SchannelType sec_channel_type);
+ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *domain) ;
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index 8a0e53d..428e0c1 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -29,20 +29,27 @@
+
+ /*********************************************************
+ Change the domain password on the PDC.
+- Store the password ourselves, but use the supplied password
+- Caller must have already setup the connection to the NETLOGON pipe
++ Do most of the legwork ourselfs. Caller must have
++ already setup the connection to the NETLOGON pipe
+ **********************************************************/
+
+-NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
+- const char *domain,
+- const char *account_name,
+- unsigned char orig_trust_passwd_hash[16],
+- enum netr_SchannelType sec_channel_type)
++NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
++ TALLOC_CTX *mem_ctx,
++ const char *domain)
+ {
++ unsigned char old_trust_passwd_hash[16];
+ unsigned char new_trust_passwd_hash[16];
++ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
++ const char *account_name;
+ char *new_trust_passwd;
+ NTSTATUS nt_status;
+
++ if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
++ &sec_channel_type)) {
++ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
++ return NT_STATUS_UNSUCCESSFUL;
++ }
++
+ switch (sec_channel_type) {
+ case SEC_CHAN_WKSTA:
+ case SEC_CHAN_DOMAIN:
+@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
+
+ nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
+ account_name,
+- orig_trust_passwd_hash,
++ old_trust_passwd_hash,
+ new_trust_passwd,
+ new_trust_passwd_hash,
+ sec_channel_type);
+@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
+
+ return nt_status;
+ }
+-
+-/*********************************************************
+- Change the domain password on the PDC.
+- Do most of the legwork ourselfs. Caller must have
+- already setup the connection to the NETLOGON pipe
+-**********************************************************/
+-
+-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- const char *domain)
+-{
+- unsigned char old_trust_passwd_hash[16];
+- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
+- const char *account_name;
+-
+- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
+- &sec_channel_type)) {
+- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
+- return NT_STATUS_UNSUCCESSFUL;
+- }
+-
+- return trust_pw_change_and_store_it(cli, mem_ctx, domain,
+- account_name,
+- old_trust_passwd_hash,
+- sec_channel_type);
+-}
+-
+--
+1.9.3
+
+
+From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 20 Sep 2013 04:14:00 +0200
+Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
+index 130ebeb..cd62508 100644
+--- a/source4/librpc/rpc/dcerpc_schannel.c
++++ b/source4/librpc/rpc/dcerpc_schannel.c
+@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
+ Initiate establishing a schannel key using netlogon challenge
+ on a secondary pipe
+ */
+-struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
++static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe *p,
+ struct cli_credentials *credentials,
+ struct loadparm_context *lp_ctx)
+@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
+ /*
+ Receive result of schannel key request
+ */
+-NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
++static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
+ {
+ NTSTATUS status = composite_wait(c);
+
+--
+1.9.3
+
+
+From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 20 Sep 2013 04:16:00 +0200
+Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
+ netlogon_creds_CredentialState
+
+cli_credentials_set_netlogon_creds() should only be used directly before
+a DCERPC bind in order to pass the session information to the
+gensec layer.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
+ 1 file changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
+index cd62508..c4bedfa 100644
+--- a/source4/librpc/rpc/dcerpc_schannel.c
++++ b/source4/librpc/rpc/dcerpc_schannel.c
+@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
+ return;
+ }
+
+- /* setup current netlogon credentials */
+- cli_credentials_set_netlogon_creds(s->credentials, s->creds);
+-
+ composite_done(c);
+ }
+
+@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
+ /*
+ Receive result of schannel key request
+ */
+-static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
++static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **creds)
+ {
+ NTSTATUS status = composite_wait(c);
+-
++
++ if (NT_STATUS_IS_OK(status)) {
++ struct schannel_key_state *s =
++ talloc_get_type_abort(c->private_data,
++ struct schannel_key_state);
++ *creds = talloc_move(mem_ctx, &s->creds);
++ }
++
+ talloc_free(c);
+ return status;
+ }
+@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
+ NTSTATUS status;
+
+ /* receive schannel key */
+- status = c->status = dcerpc_schannel_key_recv(ctx);
++ status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
+ if (!composite_is_ok(c)) {
+ DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
+ return;
+ }
+
+ /* send bind auth request with received creds */
++ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
++
+ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials,
+ lpcfg_gensec_settings(c, s->lp_ctx),
+ DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
+@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
+ &ndr_table_netlogon.syntax_id)) {
+ ZERO_STRUCT(s->return_auth);
+
+- s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
+- if (composite_nomem(s->creds_state, c)) return;
+-
+ s->save_creds_state = *s->creds_state;
+ netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
+
+@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
+ }
+
+ *s->creds_state = s->save_creds_state;
++ cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
+
+ if (!NT_STATUS_IS_OK(s->c.out.result)) {
+ composite_error(c, s->c.out.result);
+--
+1.9.3
+
+
+From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 20 Sep 2013 04:33:07 +0200
+Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
+ cli_credentials_set_netlogon_creds()
+
+Typically cli_credentials_set_netlogon_creds() should be used directly
+before the DCERPC bind. And cli_credentials_get_netlogon_creds()
+should be only used by the gensec layer, which only needs a copy.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/credentials/credentials.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index 57a7c0b..9ce38d0 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
+ _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
+ struct netlogon_creds_CredentialState *netlogon_creds)
+ {
+- cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
++ TALLOC_FREE(cred->netlogon_creds);
++ if (netlogon_creds == NULL) {
++ return;
++ }
++ cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
+ }
+
+ /**
+--
+1.9.3
+
+
+From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Sat, 9 Nov 2013 19:14:15 +0100
+Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch
+
+We have checked sec_channel_type a few lines above already
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Ira Cooper <ira@samba.org>
+(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
+---
+ source3/libsmb/trusts_util.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index 428e0c1..52fb481 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+ }
+ break;
+ }
+- default:
+- break;
+ }
+ }
+
+--
+1.9.3
+
+
+From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 29 Nov 2013 09:46:01 +0100
+Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly
+
+This removes the useless static auth_anonymous_session_info() wrapper.
+
+auth_anonymous_session_info() is also a public function in source4.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
+---
+ source3/rpc_server/rpc_server.c | 22 ++++++----------------
+ 1 file changed, 6 insertions(+), 16 deletions(-)
+
+diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
+index de54ddc..c3a7f28 100644
+--- a/source3/rpc_server/rpc_server.c
++++ b/source3/rpc_server/rpc_server.c
+@@ -37,19 +37,6 @@
+ #define SERVER_TCP_LOW_PORT 1024
+ #define SERVER_TCP_HIGH_PORT 1300
+
+-static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
+- struct auth_session_info **session_info)
+-{
+- NTSTATUS status;
+-
+- status = make_session_info_guest(mem_ctx, session_info);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+ /* Creates a pipes_struct and initializes it with the information
+ * sent from the client */
+ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
+@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
+ }
+
+ if (ncacn_conn->session_info == NULL) {
+- status = auth_anonymous_session_info(ncacn_conn,
+- &ncacn_conn->session_info);
++ /*
++ * TODO: use auth_anonymous_session_info() here?
++ */
++ status = make_session_info_guest(ncacn_conn,
++ &ncacn_conn->session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(2, ("Failed to create "
+- "auth_anonymous_session_info - %s\n",
++ "make_session_info_guest - %s\n",
+ nt_errstr(status)));
+ talloc_free(ncacn_conn);
+ return;
+--
+1.9.3
+
+
+From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Fri, 29 Nov 2013 16:51:08 +1300
+Subject: [PATCH 136/249] selftest: add new rpc client test
+
+Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
+---
+ source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
+ source3/selftest/tests.py | 2 ++
+ 2 files changed, 29 insertions(+)
+ create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh
+
+diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
+new file mode 100755
+index 0000000..01af7f8
+--- /dev/null
++++ b/source3/script/tests/test_rpcclient_samlogon.sh
+@@ -0,0 +1,27 @@
++#!/bin/sh
++
++if [ $# -lt 3 ]; then
++cat <<EOF
++Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
++EOF
++exit 1;
++fi
++
++USERNAME="$1"
++PASSWORD="$2"
++shift 2
++ADDARGS="$*"
++
++rpcclient_samlogon()
++{
++ $VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
++}
++
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
++testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
++testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 85d67d6..f9cc3d1 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -394,6 +394,8 @@ for s in signseal_options:
+ plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
+ "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
+
++plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
++ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
+
+ options_list = ["", "-e"]
+ for options in options_list:
+--
+1.9.3
+
+
+From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 29 Nov 2013 08:45:38 +0100
+Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
+ netlogon secure channel fails
+
+This is based on a patch from Garming Sam <garming@catalyst.net.nz>.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
+---
+ source3/rpcclient/rpcclient.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index cb7b70f..0cbec20 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ trust_password, &machine_account,
+ &sec_channel_type))
+ {
++ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
++ get_cmdline_auth_info_domain(auth_info),
++ cmd_entry->table->name));
++ TALLOC_FREE(cmd_entry->rpc_pipe);
+ talloc_free(mem_ctx);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ if (!NT_STATUS_IS_OK(ntresult)) {
+ DEBUG(0, ("Could not initialise credentials for %s.\n",
+ cmd_entry->table->name));
++ TALLOC_FREE(cmd_entry->rpc_pipe);
+ talloc_free(mem_ctx);
+ return ntresult;
+ }
+--
+1.9.3
+
+
+From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Mon, 2 Dec 2013 13:20:39 +1300
+Subject: [PATCH 138/249] selftest: add new credential change test
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
+---
+ source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
+ source3/selftest/tests.py | 3 +++
+ 2 files changed, 19 insertions(+)
+ create mode 100755 source3/script/tests/test_net_cred_change.sh
+
+diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
+new file mode 100755
+index 0000000..9013d07
+--- /dev/null
++++ b/source3/script/tests/test_net_cred_change.sh
+@@ -0,0 +1,16 @@
++#!/bin/sh
++
++if [ $# -lt 1 ]; then
++cat <<EOF
++Usage: test_net_cred_change.sh CONFIGURATION
++EOF
++exit 1;
++fi
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
++testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
++testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index f9cc3d1..aac1bbb 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
+
+ plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3, '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
+
++for env in ["member", "s3member"]:
++ plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
++
+ env = "s3member"
+ t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
+ plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
+--
+1.9.3
+
+
+From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Mon, 23 Dec 2013 17:12:39 +1300
+Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo
+
+Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
+(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
+---
+ source4/selftest/tests.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index e738d1d9..c3a33c7 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
+ plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
+ plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
+ plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
+-plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
+-plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
++for env in ["dc", "s4member", "rodc", "promoted_dc"]:
++ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
+ plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
+ plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
+ plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
+--
+1.9.3
+
+
+From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Dec 2013 19:35:37 +0100
+Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
+ = 0
+
+This is what windows returns, the value is ignored by the client anyway.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
+---
+ libcli/auth/credentials.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index 1f664d3..197db86 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
+ netlogon_creds_step(creds);
+ if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
+ return_authenticator->cred = creds->server;
+- return_authenticator->timestamp = creds->sequence;
++ return_authenticator->timestamp = 0;
+ return NT_STATUS_OK;
+ } else {
+ ZERO_STRUCTP(return_authenticator);
+--
+1.9.3
+
+
+From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Dec 2013 19:40:15 +0100
+Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
+ attacks
+
+creds->sequence (timestamp) is the value that is used to increment the internal
+state, it's not a real sequence number. The sequence comes
+from adding all timestamps of the whole session.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
+---
+ libcli/auth/credentials.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index 197db86..afb4a04 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+- /* TODO: this may allow the a replay attack on a non-signed
+- connection. Should we check that this is increasing? */
+ creds->sequence = received_authenticator->timestamp;
+ netlogon_creds_step(creds);
+ if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
+--
+1.9.3
+
+
+From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Dec 2013 19:55:12 +0100
+Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
+ creds->sequence
+
+If the last usage of netlogon_creds_client_authenticator()
+is in the past try to use the current timestamp and increment
+more than just 2.
+
+If we use netlogon_creds_client_authenticator() a lot within a
+second, we increment keep incrementing by 2.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
+(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
+---
+ libcli/auth/credentials.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
+index afb4a04..f52538a 100644
+--- a/libcli/auth/credentials.c
++++ b/libcli/auth/credentials.c
+@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
+ void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
+ struct netr_Authenticator *next)
+ {
++ uint32_t t32n = (uint32_t)time(NULL);
++
++ /*
++ * we always increment and ignore an overflow here
++ */
+ creds->sequence += 2;
++
++ if (t32n > creds->sequence) {
++ /*
++ * we may increment more
++ */
++ creds->sequence = t32n;
++ } else {
++ uint32_t d = creds->sequence - t32n;
++
++ if (d >= INT32_MAX) {
++ /*
++ * got an overflow of time_t vs. uint32_t
++ */
++ creds->sequence = t32n;
++ }
++ }
++
+ netlogon_creds_step(creds);
+
+ next->cred = creds->client;
+--
+1.9.3
+
+
+From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 12:56:38 +0100
+Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...
+
+This avoids flakey crashes in the promoted_dc environment.
+
+See the examples below, we had up to 50% of the daily build failing...
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout
+
+ [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
+ Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
+ FSMO transfer of 'schema' role successful
+ Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
+ ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE - <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
+ UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
+ REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
+ traceback
+ 380
+
+https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout
+
+ [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
+ ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
+ REASON: unable to set up environment promoted_dc - exiting
+
+https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr
+
+ Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
+ Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
+ ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
+ ===============================================================
+ INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
+ Please read the Trouble-Shooting section of the Samba HOWTO
+ ===============================================================
+ smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
+ [Thread debugging using libthread_db enabled]
+ 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
+ stat_loc=0x7fff67c7709c, options=<value optimized out>)
+ at ../sysdeps/unix/sysv/linux/waitpid.c:32
+ 32 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
+ in ../sysdeps/unix/sysv/linux/waitpid.c
+ #0 0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
+ stat_loc=0x7fff67c7709c, options=<value optimized out>)
+ at ../sysdeps/unix/sysv/linux/waitpid.c:32
+ oldtype = <value optimized out>
+ result = <value optimized out>
+ #1 0x00002af6b5baeb39 in do_system (line=<value optimized out>)
+ at ../sysdeps/posix/system.c:149
+ __result = -512
+ _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
+ __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
+ _avail = 1
+ status = <value optimized out>
+ save = <value optimized out>
+ pid = 886733
+ sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
+ sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
+ sa_restorer = 0x2af6b5b730f0}
+ omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
+ 0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
+ 47239099003120, 140734934511792, 47239558787328}}
+ #2 0x00002af6b311821f in smb_panic_default (
+ why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
+ result = 32767
+ pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
+ cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
+ __FUNCTION__ = "smb_panic_default"
+ #3 0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
+ at ../lib/util/fault.c:162
+ No locals.
+ #4 0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
+ counter = 1
+ __FUNCTION__ = "fault_report"
+ #5 0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
+ No locals.
+ #6 <signal handler called>
+ No symbol table info available.
+ #7 0x00002af6cabef930 in replmd_check_urgent_objectclass (
+ objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
+ i = 2
+ j = 0
+ #8 0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
+ schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
+ msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
+ is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
+ omd_value = 0x7fff67c77810
+ ndr_err = 3508465920
+ omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
+ count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
+ i = 10998
+ now = 130323687620000000
+ our_invocation_id = 0x2af6d1796390
+ ret = 0
+ attrs = 0x7fff67c77750
+ attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
+ 0x0}
+ attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
+ 0x2af6cabffc8d "instanceType", 0x0}
+ res = 0x2af6d10b0eb0
+ ldb = 0x2af6b17f2470
+ objectclass_el = 0x0
+ situation = REPL_URGENT_ON_UPDATE
+ rmd_is_provided = false
+ __FUNCTION__ = "replmd_update_rpmd"
+ #9 0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
+ req=0x2af6d05e8ad0)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
+ msds_intid_struct = 0x2af6d05e8ad0
+ ldb = 0x2af6b17f2470
+ ac = 0x2af6d0c31580
+ down_req = 0x2af6d0e6a100
+ msg = 0x2af6d11ef100
+ t = 1387895162
+ ret = 1741125936
+ is_urgent = false
+ rodc = false
+ functional_level = 3
+ guid_blob = 0x0
+ sd_propagation_control = 0x0
+ #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
+ message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
+ at ../source4/dsdb/samdb/ldb_modules/util.c:460
+ ops = 0x2af6cae06b40
+ mod_req = 0x2af6d05e8ad0
+ ret = 0
+ ldb = 0x2af6b17f2470
+ tmp_ctx = 0x2af6d0ed62f0
+ res = 0x2af6d0e6a100
+ __FUNCTION__ = "dsdb_module_modify"
+ #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
+ req=0x2af6ce6ea980, re_delete=true)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
+ ret = 0
+ retb = true
+ disallow_move_on_delete = false
+ old_dn = 0x2af6d6a2a010
+ new_dn = 0x2af6d0794a90
+ rdn_name = 0x2af6d0885c10 "CN"
+ rdn_value = 0x2af6d10d7368
+ new_rdn_value = 0x2af6d0c45a00
+ guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
+ clock_seq = "\200\251", node = "n\316\366*\000"}
+ ldb = 0x2af6b17f2470
+ schema = 0x2af6d05e5570
+ msg = 0x2af6d1183fe0
+ old_msg = 0x2af6d1902800
+ el = 0x2af6d0874900
+ tmp_ctx = 0x2af6d0b77560
+ res = 0x2af6d0d57980
+ parent_res = 0x30
+ preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
+ 0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
+ 0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
+ 0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
+ 0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
+ 0x2af6cac0561a "lDAPDisplayName",
+ 0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
+ 0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
+ 0x2af6cac021e8 "msDS-LastKnownRDN",
+ 0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
+ 0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
+ 0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
+ 0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
+ 0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
+ 0x2af6cabff775 "replPropertyMetaData",
+ 0x2af6cac05696 "sAMAccountName",
+ 0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
+ 0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
+ 0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
+ 0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
+ 0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
+ 0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
+ 0x2af6cabff753 "whenChanged", 0x0}
+ i = 12
+ el_count = 1
+ deletion_state = OBJECT_TOMBSTONE
+ next_deletion_state = OBJECT_TOMBSTONE
+ __FUNCTION__ = "replmd_delete_internals"
+ #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
+ ar=0x2af6d74c0b40)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
+ del_req = 0x2af6ce6ea980
+ res = 0x2af6d0cdebf0
+ tmp_ctx = 0x2af6d0949230
+ deleted_objects_dn = 0x2af6d1a49f00
+ msg = 0x2af6d0a39620
+ ret = 0
+ #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
+ ares=0x2af6d0d715c0)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
+ ret = 10998
+ ac = 0x2af6d74c0b40
+ replmd_private = 0x2af6b188c7c0
+ modified_partition = 0x2af6d141b670
+ partition_ctrl = 0x2af6d1905f40
+ partition = 0x2af6ce6bdbe0
+ controls = 0x0
+ __FUNCTION__ = "replmd_op_callback"
+ #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
+ ctrls=0x2af6d1629aa0, response=0x0, error=0)
+ at ../lib/ldb/common/ldb_modules.c:832
+ ares = 0x2af6d0d715c0
+ #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
+ req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
+ callback=0x2af6cabf0334 <replmd_op_callback>)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
+ conflict_dn = 0x2af6cac03470
+ ar = 0x2af6d74c0b40
+ res = 0x2af6b354f89b
+ attrs = {0x2af6cabff775 "replPropertyMetaData",
+ 0x2af6cabff5b5 "objectGUID", 0x0}
+ ret = -682882240
+ omd_value = 0x7fff67c77e20
+ omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
+ count = 0, reserved = 0, array = 0x28}}}
+ rmd = 0x2af6d74c0ae0
+ ndr_err = 10998
+ rename_incoming_record = false
+ rodc = false
+ rmd_name = 0x7fff67c77e10
+ omd_name = 0x2af6d74c0b40
+ msg = 0x2af6b1883e50
+ __FUNCTION__ = "replmd_op_possible_conflict_callback"
+ #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
+ ares=0x2af6b1883eb0)
+ at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
+ ar = 0x2af6d74c0b40
+ #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
+ ctrls=0x2af6d1629aa0, response=0x0, error=0)
+ at ../lib/ldb/common/ldb_modules.c:832
+ ares = 0x2af6b1883eb0
+ #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
+ ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
+ ac = 0x2af6d0949370
+ module = 0x2af6cd27bf12
+ nreq = 0x2af6d05b67b0
+ ret = 0
+ partition_ctrl = 0x2af6d0d71740
+ #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
+ at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
+ ldb = 0x2af6b17f2470
+ req = 0x2af6d087a1e0
+ ares = 0x2af6d05a1fa0
+ #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
+ te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
+ at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
+ ctx = 0x2af6d1cd7ed0
+ ret = 0
+ #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
+ at ../lib/tevent/tevent_timed.c:341
+ current_time = {tv_sec = 0, tv_usec = 0}
+ te = 0x2af6d17f75d0
+ #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
+ location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
+ at ../lib/tevent/tevent_epoll.c:912
+ epoll_ev = 0x2af6b17efb00
+ tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
+ panic_triggered = false
+ #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
+ location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
+ at ../lib/tevent/tevent_standard.c:112
+ glue_ptr = 0x2af6b17ef9b0
+ glue = 0x2af6b17ef9b0
+ ret = 10998
+ #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
+ location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
+ at ../lib/tevent/tevent.c:530
+ ret = 0
+ nesting_stack_ptr = 0x0
+ #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
+ at ../lib/ldb/common/ldb.c:621
+ ev = 0x2af6b17ef8c0
+ ret = 0
+ #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
+ oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
+ _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
+ req = 0x2af6d0c45a00
+ ret = 0
+ res = 0x2af6d69238f0
+ #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
+ working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
+ at ../source4/dsdb/repl/replicated_objects.c:773
+ werr = {w = 0}
+ ext_res = 0x0
+ cur_schema = 0x0
+ new_schema = 0x0
+ ret = 0
+ seq_num1 = 5554
+ seq_num2 = 47239626746464
+ used_global_schema = false
+ tmp_ctx = 0x2af6d03c5860
+ __FUNCTION__ = "dsdb_replicated_objects_commit"
+ #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
+ req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
+ ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
+ state = 0x2af6d17db050
+ rf1 = {blobsize = 274, consecutive_sync_failures = 0,
+ last_success = 130323684670000000,
+ last_attempt = 130323687610000000, result_last_attempt = {w = 0},
+ other_info = 0x2af6d0949910, other_info_length = 66,
+ replica_flags = 112, schedule = '\021' <repeats 84 times>,
+ reserved = 0, highwatermark = {tmp_highest_usn = 12398,
+ reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
+ time_low = 984092159, time_mid = 850,
+ time_hi_and_version = 18870, clock_seq = "\251X",
+ node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
+ time_low = 1460694408, time_mid = 52035,
+ time_hi_and_version = 18738, clock_seq = "\204}",
+ node = "\264\365\276\372\256\303"}, transport_guid = {
+ time_low = 0, time_mid = 0, time_hi_and_version = 0,
+ clock_seq = "\000", node = "\000\000\000\000\000"}}
+ service = 0x2af6d0ff6b00
+ partition = 0x2af6d0b6f220
+ drsuapi = 0x2af6d1c8d480
+ schema = 0x2af6d05e5570
+ working_schema = 0x0
+ mapping_ctr = 0x2af6d1b02c10
+ object_count = 50
+ first_object = 0x2af6d0571800
+ linked_attributes_count = 0
+ linked_attributes = 0x2af6d5212140
+ uptodateness_vector = 0x2af6d1a741c0
+ objects = 0x2af6d0e2bc60
+ more_data = false
+ status = {w = 0}
+ nt_status = {v = 3006553120}
+ dsdb_repl_flags = 0
+ __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
+ #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
+ subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
+ req = 0x2af6d17daed0
+ state = 0x2af6d17db050
+ status = {v = 0}
+ r = 0x2af6d17db0d0
+ ctr_level = 6
+ ctr1 = 0x0
+ ctr6 = 0x2af6d1b02bb0
+ extended_ret = DRSUAPI_EXOP_ERR_NONE
+ #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
+ location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
+ at ../lib/tevent/tevent_req.c:102
+ No locals.
+ #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
+ state=TEVENT_REQ_DONE,
+ location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
+ at ../lib/tevent/tevent_req.c:117
+ No locals.
+ #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
+ location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
+ at ../lib/tevent/tevent_req.c:123
+ No locals.
+ #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
+ subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
+ req = 0x2af6d1a73f70
+ status = {v = 0}
+ #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
+ location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
+ at ../lib/tevent/tevent_req.c:102
+ No locals.
+ #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
+ state=TEVENT_REQ_DONE,
+ location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
+ at ../lib/tevent/tevent_req.c:117
+ No locals.
+ #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
+ location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
+ at ../lib/tevent/tevent_req.c:123
+ No locals.
+ #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
+ at ../librpc/rpc/binding_handle.c:517
+ req = 0x2af6d122f4c0
+ state = 0x2af6d122f640
+ h = 0x2af6d0959d10
+ error = {v = 0}
+ out_flags = 0
+ ndr_err = NDR_ERR_SUCCESS
+ #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
+ location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
+ at ../lib/tevent/tevent_req.c:102
+ No locals.
+ #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
+ state=TEVENT_REQ_DONE,
+ location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
+ at ../lib/tevent/tevent_req.c:117
+ No locals.
+ #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
+ location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
+ at ../lib/tevent/tevent_req.c:123
+ No locals.
+ #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
+ at ../librpc/rpc/binding_handle.c:188
+ req = 0x2af6d522f7a0
+ state = 0x2af6d522f920
+ error = {v = 0}
+ #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
+ location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
+ at ../lib/tevent/tevent_req.c:102
+ No locals.
+ #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
+ state=TEVENT_REQ_DONE,
+ location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
+ at ../lib/tevent/tevent_req.c:117
+ No locals.
+ #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
+ im=0x2af6d0712500, private_data=0x2af6d0712430)
+ at ../lib/tevent/tevent_req.c:174
+ req = 0x2af6d0712430
+ #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
+ at ../lib/tevent/tevent_immediate.c:135
+ im = 0x2af6d0712500
+ handler = 0x2af6b333e423 <tevent_req_trigger>
+ private_data = 0x2af6d0712430
+ #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
+ location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
+ at ../lib/tevent/tevent_epoll.c:907
+ epoll_ev = 0x2af6b17efb00
+ tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
+ panic_triggered = false
+ #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
+ location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
+ at ../lib/tevent/tevent_standard.c:112
+ glue_ptr = 0x2af6b17ef9b0
+ glue = 0x2af6b17ef9b0
+ ret = 10998
+ #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
+ location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
+ at ../lib/tevent/tevent.c:530
+ ret = 0
+ nesting_stack_ptr = 0x0
+ #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
+ location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
+ at ../lib/tevent/tevent.c:634
+ ret = 0
+ #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
+ location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
+ at ../lib/tevent/tevent_standard.c:138
+ glue_ptr = 0x2af6b17ef9b0
+ glue = 0x2af6b17ef9b0
+ ret = 10998
+ #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
+ location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
+ at ../lib/tevent/tevent.c:653
+ No locals.
+ #52 0x00002af6b15a37bc in binary_smbd_main (
+ binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
+ at ../source4/smbd/server.c:503
+ opt_daemon = false
+ opt_interactive = true
+ opt = -1
+ pc = 0x2af6b17d5040
+ static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
+ 0x2af6b2aca9e7 <server_service_echo_init>, 0}
+ shared_init = 0x2af6b18143b0
+ event_ctx = 0x2af6b17ef8c0
+ stdin_event_flags = 1
+ status = {v = 0}
+ model = 0x2af6b17d5b90 "single"
+ max_runtime = 7500
+
+Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
+Autobuild-Date(master): Mon Jan 6 01:16:13 CET 2014 on sn-devel-104
+(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
+---
+ source4/selftest/tests.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
+index c3a33c7..9567a8e 100755
+--- a/source4/selftest/tests.py
++++ b/source4/selftest/tests.py
+@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
+ plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
+ plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
+ plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
+-for env in ["dc", "s4member", "rodc", "promoted_dc"]:
+- plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
+ plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
+ plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
+ plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
+@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
+
+ plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
++
++for env in ["dc", "s4member", "rodc", "promoted_dc"]:
++ plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
++
+ # TODO: Verifying the databases really should be a part of the
+ # environment teardown.
+ # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
+--
+1.9.3
+
+
+From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 08:35:27 +0100
+Subject: [PATCH 144/249] s4:librpc: always try to negotiate
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
+
+If the gensec backend supports it there's no reason not sign the header.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
+---
+ librpc/rpc/binding.c | 1 -
+ librpc/rpc/rpc_common.h | 5 ++++-
+ source4/librpc/rpc/dcerpc.c | 12 ++----------
+ source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
+ 4 files changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
+index 49651e8..52122cf 100644
+--- a/librpc/rpc/binding.c
++++ b/librpc/rpc/binding.c
+@@ -88,7 +88,6 @@ static const struct {
+ {"padcheck", DCERPC_DEBUG_PAD_CHECK},
+ {"bigendian", DCERPC_PUSH_BIGENDIAN},
+ {"smb2", DCERPC_SMB2},
+- {"hdrsign", DCERPC_HEADER_SIGNING},
+ {"ndr64", DCERPC_NDR64},
+ {"localaddress", DCERPC_LOCALADDRESS}
+ };
+diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
+index 978229e..93d3bb4 100644
+--- a/librpc/rpc/rpc_common.h
++++ b/librpc/rpc/rpc_common.h
+@@ -98,7 +98,7 @@ struct dcerpc_binding {
+ /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
+ #define DCERPC_CONCURRENT_MULTIPLEX (1<<19)
+
+-/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
++/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
+ #define DCERPC_HEADER_SIGNING (1<<20)
+
+ /* use NDR64 transport */
+@@ -113,6 +113,9 @@ struct dcerpc_binding {
+ /* use aes schannel with hmac-sh256 session key */
+ #define DCERPC_SCHANNEL_AES (1<<24)
+
++/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
++#define DCERPC_PROPOSE_HEADER_SIGNING (1<<25)
++
+ /* The following definitions come from ../librpc/rpc/dcerpc_error.c */
+
+ const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
+diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
+index 56b821e..2f6c8dd 100644
+--- a/source4/librpc/rpc/dcerpc.c
++++ b/source4/librpc/rpc/dcerpc.c
+@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+
+- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
++ if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
+@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
+ conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
+ }
+
+- if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
++ if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
+ (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
+ conn->flags |= DCERPC_HEADER_SIGNING;
+ }
+@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+
+- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+- }
+-
+ /* construct the NDR form of the packet */
+ status = ncacn_push_auth(&blob, mem_ctx,
+ &pkt,
+@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
+ pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+
+- if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+- pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+- }
+-
+ pkt.u.alter.max_xmit_frag = 5840;
+ pkt.u.alter.max_recv_frag = 5840;
+ pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
+diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
+index d5e5620..9a5d04d 100644
+--- a/source4/librpc/rpc/dcerpc_auth.c
++++ b/source4/librpc/rpc/dcerpc_auth.c
+@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
+
+ if (!composite_is_ok(c)) return;
+
+- if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+- gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
+- }
+-
+ if (state->credentials.length == 0) {
+ composite_done(c);
+ return;
+@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
+ TALLOC_FREE(subreq);
+ if (!composite_is_ok(c)) return;
+
++ if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
++ struct dcecli_security *sec = &state->pipe->conn->security_state;
++
++ gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
++ }
++
+ if (!state->more_processing) {
+ /* The first gensec_update has not requested a second run, so
+ * we're done here. */
+@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
+
+ sec->auth_info->credentials = state->credentials;
+
++ if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
++ state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
++ }
++
+ /* The first request always is a dcerpc_bind. The subsequent ones
+ * depend on gensec results */
+ subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
+--
+1.9.3
+
+
+From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 08:39:12 +0100
+Subject: [PATCH 145/249] s4:rpc_server: support
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default
+
+If the gensec backend supports it there's no reason to disable it.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
+---
+ source4/rpc_server/dcerpc_server.c | 6 ------
+ source4/rpc_server/dcesrv_auth.c | 37 ++++++++++++++++++++++++++++++++-----
+ 2 files changed, 32 insertions(+), 11 deletions(-)
+
+diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
+index ad53685..3b35703 100644
+--- a/source4/rpc_server/dcerpc_server.c
++++ b/source4/rpc_server/dcerpc_server.c
+@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
+ call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
+ }
+
+- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
+- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
+- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+- }
+-
+ /* handle any authentication that is being requested */
+ if (!dcesrv_auth_bind(call)) {
+ talloc_free(call->context);
+diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
+index c891cc6..152715b 100644
+--- a/source4/rpc_server/dcesrv_auth.c
++++ b/source4/rpc_server/dcesrv_auth.c
+@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
+ return false;
+ }
+
+- if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
+- gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
+- }
+-
+ return true;
+ }
+
+@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
+ {
+ struct dcesrv_connection *dce_conn = call->conn;
+ NTSTATUS status;
++ bool want_header_signing = false;
+
+ if (!call->conn->auth_state.gensec_security) {
+ return NT_STATUS_OK;
+ }
+
++ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
++ want_header_signing = true;
++ }
++
++ if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
++ want_header_signing = false;
++ }
++
+ status = gensec_update(dce_conn->auth_state.gensec_security,
+ call, call->event_ctx,
+ dce_conn->auth_state.auth_info->credentials,
+@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
+ return status;
+ }
+
+- if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
++ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER))
++ {
++ want_header_signing = false;
++ }
++
++ if (want_header_signing) {
+ gensec_want_feature(dce_conn->auth_state.gensec_security,
+ GENSEC_FEATURE_SIGN_PKT_HEADER);
++ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
++ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ }
+
+ /* Now that we are authenticated, go back to the generic session key... */
+@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ dce_conn->auth_state.auth_info->auth_pad_length = 0;
+ dce_conn->auth_state.auth_info->auth_reserved = 0;
++
++ if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER))
++ {
++ want_header_signing = false;
++ }
++
++ if (want_header_signing) {
++ gensec_want_feature(dce_conn->auth_state.gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER);
++ call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
++ pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
++ }
++
+ return NT_STATUS_OK;
+ } else {
+ DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
+--
+1.9.3
+
+
+From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 31 Dec 2013 09:53:55 +0100
+Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
+ always supported
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
+---
+ auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
+index 654c0e3..5672589 100644
+--- a/auth/ntlmssp/gensec_ntlmssp.c
++++ b/auth/ntlmssp/gensec_ntlmssp.c
+@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
+ return true;
+ }
+ }
++ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ return true;
++ }
++
+ return false;
+ }
+
+--
+1.9.3
+
+
+From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 31 Dec 2013 09:54:54 +0100
+Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
+ GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
+---
+ source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 63a53bf..ffdefcf 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
+ if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
+ return true;
+ }
++ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
++ /* TODO: implement this using gss_wrap_iov() */
++ return false;
++ }
++
++ if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
++ return true;
++ }
++
++ return false;
++ }
+ return false;
+ }
+
+--
+1.9.3
+
+
+From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 15:30:46 +0100
+Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
+ gensec_gssapi_[un]seal_packet() rejects header signing
+
+If header signing is requested we should error out instead of
+silently ignoring it, our peer would hopefully reject it,
+but we should also do that.
+
+TODO: we should implement header signing using gss_wrap_iov().
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
+---
+ source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index ffdefcf..b8f007d 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
+ int conf_state;
+ ssize_t sig_length;
+
++ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ DEBUG(1, ("gensec_gssapi_seal_packet: "
++ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ input_token.length = length;
+ input_token.value = data;
+
+@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
+
+ dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
+
++ if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ DEBUG(1, ("gensec_gssapi_unseal_packet: "
++ "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ in = data_blob_talloc(gensec_security, NULL, sig->length + length);
+
+ memcpy(in.data, sig->data, sig->length);
+--
+1.9.3
+
+
+From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 31 Dec 2013 09:42:36 +0100
+Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
+ schannel.c
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
+---
+ auth/gensec/schannel.c | 380 ++++++++++++++++++++++++++++++++++++++++
+ libcli/auth/schannel_proto.h | 14 --
+ libcli/auth/schannel_sign.c | 404 -------------------------------------------
+ libcli/auth/wscript_build | 2 +-
+ 4 files changed, 381 insertions(+), 419 deletions(-)
+ delete mode 100644 libcli/auth/schannel_sign.c
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index eb2e100..c60ab4f 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -31,6 +31,386 @@
+ #include "librpc/gen_ndr/dcerpc.h"
+ #include "param/param.h"
+ #include "auth/gensec/gensec_toplevel_proto.h"
++#include "lib/crypto/crypto.h"
++
++struct schannel_state {
++ uint64_t seq_num;
++ bool initiator;
++ struct netlogon_creds_CredentialState *creds;
++};
++
++#define SETUP_SEQNUM(state, buf, initiator) do { \
++ uint8_t *_buf = buf; \
++ uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
++ uint32_t _seq_num_high = (state)->seq_num >> 32; \
++ if (initiator) { \
++ _seq_num_high |= 0x80000000; \
++ } \
++ RSIVAL(_buf, 0, _seq_num_low); \
++ RSIVAL(_buf, 4, _seq_num_high); \
++} while(0)
++
++static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState *creds,
++ bool initiator)
++{
++ struct schannel_state *state;
++
++ state = talloc(mem_ctx, struct schannel_state);
++ if (state == NULL) {
++ return NULL;
++ }
++
++ state->initiator = initiator;
++ state->seq_num = 0;
++ state->creds = netlogon_creds_copy(state, creds);
++ if (state->creds == NULL) {
++ talloc_free(state);
++ return NULL;
++ }
++
++ return state;
++}
++
++static void netsec_offset_and_sizes(struct schannel_state *state,
++ bool do_seal,
++ uint32_t *_min_sig_size,
++ uint32_t *_used_sig_size,
++ uint32_t *_checksum_length,
++ uint32_t *_confounder_ofs)
++{
++ uint32_t min_sig_size;
++ uint32_t used_sig_size;
++ uint32_t checksum_length;
++ uint32_t confounder_ofs;
++
++ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ min_sig_size = 48;
++ used_sig_size = 56;
++ /*
++ * Note: windows has a bug here and uses the old values...
++ *
++ * checksum_length = 32;
++ * confounder_ofs = 48;
++ */
++ checksum_length = 8;
++ confounder_ofs = 24;
++ } else {
++ min_sig_size = 24;
++ used_sig_size = 32;
++ checksum_length = 8;
++ confounder_ofs = 24;
++ }
++
++ if (do_seal) {
++ min_sig_size += 8;
++ }
++
++ if (_min_sig_size) {
++ *_min_sig_size = min_sig_size;
++ }
++
++ if (_used_sig_size) {
++ *_used_sig_size = used_sig_size;
++ }
++
++ if (_checksum_length) {
++ *_checksum_length = checksum_length;
++ }
++
++ if (_confounder_ofs) {
++ *_confounder_ofs = confounder_ofs;
++ }
++}
++
++/*******************************************************************
++ Encode or Decode the sequence number (which is symmetric)
++ ********************************************************************/
++static void netsec_do_seq_num(struct schannel_state *state,
++ const uint8_t *checksum,
++ uint32_t checksum_length,
++ uint8_t seq_num[8])
++{
++ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ AES_KEY key;
++ uint8_t iv[AES_BLOCK_SIZE];
++
++ AES_set_encrypt_key(state->creds->session_key, 128, &key);
++ ZERO_STRUCT(iv);
++ memcpy(iv+0, checksum, 8);
++ memcpy(iv+8, checksum, 8);
++
++ aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
++ } else {
++ static const uint8_t zeros[4];
++ uint8_t sequence_key[16];
++ uint8_t digest1[16];
++
++ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
++ hmac_md5(digest1, checksum, checksum_length, sequence_key);
++ arcfour_crypt(seq_num, sequence_key, 8);
++ }
++
++ state->seq_num++;
++}
++
++static void netsec_do_seal(struct schannel_state *state,
++ const uint8_t seq_num[8],
++ uint8_t confounder[8],
++ uint8_t *data, uint32_t length,
++ bool forward)
++{
++ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ AES_KEY key;
++ uint8_t iv[AES_BLOCK_SIZE];
++ uint8_t sess_kf0[16];
++ int i;
++
++ for (i = 0; i < 16; i++) {
++ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
++ }
++
++ AES_set_encrypt_key(sess_kf0, 128, &key);
++ ZERO_STRUCT(iv);
++ memcpy(iv+0, seq_num, 8);
++ memcpy(iv+8, seq_num, 8);
++
++ if (forward) {
++ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
++ aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
++ } else {
++ aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
++ aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
++ }
++ } else {
++ uint8_t sealing_key[16];
++ static const uint8_t zeros[4];
++ uint8_t digest2[16];
++ uint8_t sess_kf0[16];
++ int i;
++
++ for (i = 0; i < 16; i++) {
++ sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
++ }
++
++ hmac_md5(sess_kf0, zeros, 4, digest2);
++ hmac_md5(digest2, seq_num, 8, sealing_key);
++
++ arcfour_crypt(confounder, sealing_key, 8);
++ arcfour_crypt(data, sealing_key, length);
++ }
++}
++
++/*******************************************************************
++ Create a digest over the entire packet (including the data), and
++ MD5 it with the session key.
++ ********************************************************************/
++static void netsec_do_sign(struct schannel_state *state,
++ const uint8_t *confounder,
++ const uint8_t *data, size_t length,
++ uint8_t header[8],
++ uint8_t *checksum)
++{
++ if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ struct HMACSHA256Context ctx;
++
++ hmac_sha256_init(state->creds->session_key,
++ sizeof(state->creds->session_key),
++ &ctx);
++
++ if (confounder) {
++ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
++ SSVAL(header, 2, NL_SEAL_AES128);
++ SSVAL(header, 4, 0xFFFF);
++ SSVAL(header, 6, 0x0000);
++
++ hmac_sha256_update(header, 8, &ctx);
++ hmac_sha256_update(confounder, 8, &ctx);
++ } else {
++ SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
++ SSVAL(header, 2, NL_SEAL_NONE);
++ SSVAL(header, 4, 0xFFFF);
++ SSVAL(header, 6, 0x0000);
++
++ hmac_sha256_update(header, 8, &ctx);
++ }
++
++ hmac_sha256_update(data, length, &ctx);
++
++ hmac_sha256_final(checksum, &ctx);
++ } else {
++ uint8_t packet_digest[16];
++ static const uint8_t zeros[4];
++ MD5_CTX ctx;
++
++ MD5Init(&ctx);
++ MD5Update(&ctx, zeros, 4);
++ if (confounder) {
++ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
++ SSVAL(header, 2, NL_SEAL_RC4);
++ SSVAL(header, 4, 0xFFFF);
++ SSVAL(header, 6, 0x0000);
++
++ MD5Update(&ctx, header, 8);
++ MD5Update(&ctx, confounder, 8);
++ } else {
++ SSVAL(header, 0, NL_SIGN_HMAC_MD5);
++ SSVAL(header, 2, NL_SEAL_NONE);
++ SSVAL(header, 4, 0xFFFF);
++ SSVAL(header, 6, 0x0000);
++
++ MD5Update(&ctx, header, 8);
++ }
++ MD5Update(&ctx, data, length);
++ MD5Final(packet_digest, &ctx);
++
++ hmac_md5(state->creds->session_key,
++ packet_digest, sizeof(packet_digest),
++ checksum);
++ }
++}
++
++static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
++ bool do_unseal,
++ uint8_t *data, size_t length,
++ const DATA_BLOB *sig)
++{
++ uint32_t min_sig_size = 0;
++ uint8_t header[8];
++ uint8_t checksum[32];
++ uint32_t checksum_length = sizeof(checksum_length);
++ uint8_t _confounder[8];
++ uint8_t *confounder = NULL;
++ uint32_t confounder_ofs = 0;
++ uint8_t seq_num[8];
++ int ret;
++
++ netsec_offset_and_sizes(state,
++ do_unseal,
++ &min_sig_size,
++ NULL,
++ &checksum_length,
++ &confounder_ofs);
++
++ if (sig->length < min_sig_size) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ if (do_unseal) {
++ confounder = _confounder;
++ memcpy(confounder, sig->data+confounder_ofs, 8);
++ } else {
++ confounder = NULL;
++ }
++
++ SETUP_SEQNUM(state, seq_num, !state->initiator);
++
++ if (do_unseal) {
++ netsec_do_seal(state, seq_num,
++ confounder,
++ data, length,
++ false);
++ }
++
++ netsec_do_sign(state, confounder,
++ data, length,
++ header, checksum);
++
++ ret = memcmp(checksum, sig->data+16, checksum_length);
++ if (ret != 0) {
++ dump_data_pw("calc digest:", checksum, checksum_length);
++ dump_data_pw("wire digest:", sig->data+16, checksum_length);
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
++
++ ret = memcmp(seq_num, sig->data+8, 8);
++ if (ret != 0) {
++ dump_data_pw("calc seq num:", seq_num, 8);
++ dump_data_pw("wire seq num:", sig->data+8, 8);
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
++ return NT_STATUS_OK;
++}
++
++static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
++{
++ uint32_t sig_size = 0;
++
++ netsec_offset_and_sizes(state,
++ true,
++ NULL,
++ &sig_size,
++ NULL,
++ NULL);
++
++ return sig_size;
++}
++
++static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
++ TALLOC_CTX *mem_ctx,
++ bool do_seal,
++ uint8_t *data, size_t length,
++ DATA_BLOB *sig)
++{
++ uint32_t min_sig_size = 0;
++ uint32_t used_sig_size = 0;
++ uint8_t header[8];
++ uint8_t checksum[32];
++ uint32_t checksum_length = sizeof(checksum_length);
++ uint8_t _confounder[8];
++ uint8_t *confounder = NULL;
++ uint32_t confounder_ofs = 0;
++ uint8_t seq_num[8];
++
++ netsec_offset_and_sizes(state,
++ do_seal,
++ &min_sig_size,
++ &used_sig_size,
++ &checksum_length,
++ &confounder_ofs);
++
++ SETUP_SEQNUM(state, seq_num, state->initiator);
++
++ if (do_seal) {
++ confounder = _confounder;
++ generate_random_buffer(confounder, 8);
++ } else {
++ confounder = NULL;
++ }
++
++ netsec_do_sign(state, confounder,
++ data, length,
++ header, checksum);
++
++ if (do_seal) {
++ netsec_do_seal(state, seq_num,
++ confounder,
++ data, length,
++ true);
++ }
++
++ netsec_do_seq_num(state, checksum, checksum_length, seq_num);
++
++ (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
++
++ memcpy(sig->data, header, 8);
++ memcpy(sig->data+8, seq_num, 8);
++ memcpy(sig->data+16, checksum, checksum_length);
++
++ if (confounder) {
++ memcpy(sig->data+confounder_ofs, confounder, 8);
++ }
++
++ dump_data_pw("signature:", sig->data+ 0, 8);
++ dump_data_pw("seq_num :", sig->data+ 8, 8);
++ dump_data_pw("digest :", sig->data+16, checksum_length);
++ dump_data_pw("confound :", sig->data+confounder_ofs, 8);
++
++ return NT_STATUS_OK;
++}
+
+ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
+
+diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
+index da76559..bce37c8 100644
+--- a/libcli/auth/schannel_proto.h
++++ b/libcli/auth/schannel_proto.h
+@@ -28,18 +28,4 @@ struct schannel_state;
+ struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx);
+
+-struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+- struct netlogon_creds_CredentialState *creds,
+- bool initiator);
+-NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+- bool do_unseal,
+- uint8_t *data, size_t length,
+- const DATA_BLOB *sig);
+-uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
+-NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+- TALLOC_CTX *mem_ctx,
+- bool do_seal,
+- uint8_t *data, size_t length,
+- DATA_BLOB *sig);
+-
+ #endif
+diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
+deleted file mode 100644
+index 9502cba..0000000
+--- a/libcli/auth/schannel_sign.c
++++ /dev/null
+@@ -1,404 +0,0 @@
+-/*
+- Unix SMB/CIFS implementation.
+-
+- schannel library code
+-
+- Copyright (C) Andrew Tridgell 2004
+- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+-
+- This program is free software; you can redistribute it and/or modify
+- it under the terms of the GNU General Public License as published by
+- the Free Software Foundation; either version 3 of the License, or
+- (at your option) any later version.
+-
+- This program is distributed in the hope that it will be useful,
+- but WITHOUT ANY WARRANTY; without even the implied warranty of
+- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+- GNU General Public License for more details.
+-
+- You should have received a copy of the GNU General Public License
+- along with this program. If not, see <http://www.gnu.org/licenses/>.
+-*/
+-
+-#include "includes.h"
+-#include "../libcli/auth/schannel.h"
+-#include "../lib/crypto/crypto.h"
+-
+-struct schannel_state {
+- uint64_t seq_num;
+- bool initiator;
+- struct netlogon_creds_CredentialState *creds;
+-};
+-
+-#define SETUP_SEQNUM(state, buf, initiator) do { \
+- uint8_t *_buf = buf; \
+- uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
+- uint32_t _seq_num_high = (state)->seq_num >> 32; \
+- if (initiator) { \
+- _seq_num_high |= 0x80000000; \
+- } \
+- RSIVAL(_buf, 0, _seq_num_low); \
+- RSIVAL(_buf, 4, _seq_num_high); \
+-} while(0)
+-
+-struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+- struct netlogon_creds_CredentialState *creds,
+- bool initiator)
+-{
+- struct schannel_state *state;
+-
+- state = talloc(mem_ctx, struct schannel_state);
+- if (state == NULL) {
+- return NULL;
+- }
+-
+- state->initiator = initiator;
+- state->seq_num = 0;
+- state->creds = netlogon_creds_copy(state, creds);
+- if (state->creds == NULL) {
+- talloc_free(state);
+- return NULL;
+- }
+-
+- return state;
+-}
+-
+-static void netsec_offset_and_sizes(struct schannel_state *state,
+- bool do_seal,
+- uint32_t *_min_sig_size,
+- uint32_t *_used_sig_size,
+- uint32_t *_checksum_length,
+- uint32_t *_confounder_ofs)
+-{
+- uint32_t min_sig_size;
+- uint32_t used_sig_size;
+- uint32_t checksum_length;
+- uint32_t confounder_ofs;
+-
+- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- min_sig_size = 48;
+- used_sig_size = 56;
+- /*
+- * Note: windows has a bug here and uses the old values...
+- *
+- * checksum_length = 32;
+- * confounder_ofs = 48;
+- */
+- checksum_length = 8;
+- confounder_ofs = 24;
+- } else {
+- min_sig_size = 24;
+- used_sig_size = 32;
+- checksum_length = 8;
+- confounder_ofs = 24;
+- }
+-
+- if (do_seal) {
+- min_sig_size += 8;
+- }
+-
+- if (_min_sig_size) {
+- *_min_sig_size = min_sig_size;
+- }
+-
+- if (_used_sig_size) {
+- *_used_sig_size = used_sig_size;
+- }
+-
+- if (_checksum_length) {
+- *_checksum_length = checksum_length;
+- }
+-
+- if (_confounder_ofs) {
+- *_confounder_ofs = confounder_ofs;
+- }
+-}
+-
+-/*******************************************************************
+- Encode or Decode the sequence number (which is symmetric)
+- ********************************************************************/
+-static void netsec_do_seq_num(struct schannel_state *state,
+- const uint8_t *checksum,
+- uint32_t checksum_length,
+- uint8_t seq_num[8])
+-{
+- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- AES_KEY key;
+- uint8_t iv[AES_BLOCK_SIZE];
+-
+- AES_set_encrypt_key(state->creds->session_key, 128, &key);
+- ZERO_STRUCT(iv);
+- memcpy(iv+0, checksum, 8);
+- memcpy(iv+8, checksum, 8);
+-
+- aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
+- } else {
+- static const uint8_t zeros[4];
+- uint8_t sequence_key[16];
+- uint8_t digest1[16];
+-
+- hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
+- hmac_md5(digest1, checksum, checksum_length, sequence_key);
+- arcfour_crypt(seq_num, sequence_key, 8);
+- }
+-
+- state->seq_num++;
+-}
+-
+-static void netsec_do_seal(struct schannel_state *state,
+- const uint8_t seq_num[8],
+- uint8_t confounder[8],
+- uint8_t *data, uint32_t length,
+- bool forward)
+-{
+- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- AES_KEY key;
+- uint8_t iv[AES_BLOCK_SIZE];
+- uint8_t sess_kf0[16];
+- int i;
+-
+- for (i = 0; i < 16; i++) {
+- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
+- }
+-
+- AES_set_encrypt_key(sess_kf0, 128, &key);
+- ZERO_STRUCT(iv);
+- memcpy(iv+0, seq_num, 8);
+- memcpy(iv+8, seq_num, 8);
+-
+- if (forward) {
+- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
+- aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
+- } else {
+- aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
+- aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
+- }
+- } else {
+- uint8_t sealing_key[16];
+- static const uint8_t zeros[4];
+- uint8_t digest2[16];
+- uint8_t sess_kf0[16];
+- int i;
+-
+- for (i = 0; i < 16; i++) {
+- sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
+- }
+-
+- hmac_md5(sess_kf0, zeros, 4, digest2);
+- hmac_md5(digest2, seq_num, 8, sealing_key);
+-
+- arcfour_crypt(confounder, sealing_key, 8);
+- arcfour_crypt(data, sealing_key, length);
+- }
+-}
+-
+-/*******************************************************************
+- Create a digest over the entire packet (including the data), and
+- MD5 it with the session key.
+- ********************************************************************/
+-static void netsec_do_sign(struct schannel_state *state,
+- const uint8_t *confounder,
+- const uint8_t *data, size_t length,
+- uint8_t header[8],
+- uint8_t *checksum)
+-{
+- if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- struct HMACSHA256Context ctx;
+-
+- hmac_sha256_init(state->creds->session_key,
+- sizeof(state->creds->session_key),
+- &ctx);
+-
+- if (confounder) {
+- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
+- SSVAL(header, 2, NL_SEAL_AES128);
+- SSVAL(header, 4, 0xFFFF);
+- SSVAL(header, 6, 0x0000);
+-
+- hmac_sha256_update(header, 8, &ctx);
+- hmac_sha256_update(confounder, 8, &ctx);
+- } else {
+- SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
+- SSVAL(header, 2, NL_SEAL_NONE);
+- SSVAL(header, 4, 0xFFFF);
+- SSVAL(header, 6, 0x0000);
+-
+- hmac_sha256_update(header, 8, &ctx);
+- }
+-
+- hmac_sha256_update(data, length, &ctx);
+-
+- hmac_sha256_final(checksum, &ctx);
+- } else {
+- uint8_t packet_digest[16];
+- static const uint8_t zeros[4];
+- MD5_CTX ctx;
+-
+- MD5Init(&ctx);
+- MD5Update(&ctx, zeros, 4);
+- if (confounder) {
+- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
+- SSVAL(header, 2, NL_SEAL_RC4);
+- SSVAL(header, 4, 0xFFFF);
+- SSVAL(header, 6, 0x0000);
+-
+- MD5Update(&ctx, header, 8);
+- MD5Update(&ctx, confounder, 8);
+- } else {
+- SSVAL(header, 0, NL_SIGN_HMAC_MD5);
+- SSVAL(header, 2, NL_SEAL_NONE);
+- SSVAL(header, 4, 0xFFFF);
+- SSVAL(header, 6, 0x0000);
+-
+- MD5Update(&ctx, header, 8);
+- }
+- MD5Update(&ctx, data, length);
+- MD5Final(packet_digest, &ctx);
+-
+- hmac_md5(state->creds->session_key,
+- packet_digest, sizeof(packet_digest),
+- checksum);
+- }
+-}
+-
+-NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+- bool do_unseal,
+- uint8_t *data, size_t length,
+- const DATA_BLOB *sig)
+-{
+- uint32_t min_sig_size = 0;
+- uint8_t header[8];
+- uint8_t checksum[32];
+- uint32_t checksum_length = sizeof(checksum_length);
+- uint8_t _confounder[8];
+- uint8_t *confounder = NULL;
+- uint32_t confounder_ofs = 0;
+- uint8_t seq_num[8];
+- int ret;
+-
+- netsec_offset_and_sizes(state,
+- do_unseal,
+- &min_sig_size,
+- NULL,
+- &checksum_length,
+- &confounder_ofs);
+-
+- if (sig->length < min_sig_size) {
+- return NT_STATUS_ACCESS_DENIED;
+- }
+-
+- if (do_unseal) {
+- confounder = _confounder;
+- memcpy(confounder, sig->data+confounder_ofs, 8);
+- } else {
+- confounder = NULL;
+- }
+-
+- SETUP_SEQNUM(state, seq_num, !state->initiator);
+-
+- if (do_unseal) {
+- netsec_do_seal(state, seq_num,
+- confounder,
+- data, length,
+- false);
+- }
+-
+- netsec_do_sign(state, confounder,
+- data, length,
+- header, checksum);
+-
+- ret = memcmp(checksum, sig->data+16, checksum_length);
+- if (ret != 0) {
+- dump_data_pw("calc digest:", checksum, checksum_length);
+- dump_data_pw("wire digest:", sig->data+16, checksum_length);
+- return NT_STATUS_ACCESS_DENIED;
+- }
+-
+- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
+-
+- ret = memcmp(seq_num, sig->data+8, 8);
+- if (ret != 0) {
+- dump_data_pw("calc seq num:", seq_num, 8);
+- dump_data_pw("wire seq num:", sig->data+8, 8);
+- return NT_STATUS_ACCESS_DENIED;
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+-uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
+-{
+- uint32_t sig_size = 0;
+-
+- netsec_offset_and_sizes(state,
+- true,
+- NULL,
+- &sig_size,
+- NULL,
+- NULL);
+-
+- return sig_size;
+-}
+-
+-NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+- TALLOC_CTX *mem_ctx,
+- bool do_seal,
+- uint8_t *data, size_t length,
+- DATA_BLOB *sig)
+-{
+- uint32_t min_sig_size = 0;
+- uint32_t used_sig_size = 0;
+- uint8_t header[8];
+- uint8_t checksum[32];
+- uint32_t checksum_length = sizeof(checksum_length);
+- uint8_t _confounder[8];
+- uint8_t *confounder = NULL;
+- uint32_t confounder_ofs = 0;
+- uint8_t seq_num[8];
+-
+- netsec_offset_and_sizes(state,
+- do_seal,
+- &min_sig_size,
+- &used_sig_size,
+- &checksum_length,
+- &confounder_ofs);
+-
+- SETUP_SEQNUM(state, seq_num, state->initiator);
+-
+- if (do_seal) {
+- confounder = _confounder;
+- generate_random_buffer(confounder, 8);
+- } else {
+- confounder = NULL;
+- }
+-
+- netsec_do_sign(state, confounder,
+- data, length,
+- header, checksum);
+-
+- if (do_seal) {
+- netsec_do_seal(state, seq_num,
+- confounder,
+- data, length,
+- true);
+- }
+-
+- netsec_do_seq_num(state, checksum, checksum_length, seq_num);
+-
+- (*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
+-
+- memcpy(sig->data, header, 8);
+- memcpy(sig->data+8, seq_num, 8);
+- memcpy(sig->data+16, checksum, checksum_length);
+-
+- if (confounder) {
+- memcpy(sig->data+confounder_ofs, confounder, 8);
+- }
+-
+- dump_data_pw("signature:", sig->data+ 0, 8);
+- dump_data_pw("seq_num :", sig->data+ 8, 8);
+- dump_data_pw("digest :", sig->data+16, checksum_length);
+- dump_data_pw("confound :", sig->data+confounder_ofs, 8);
+-
+- return NT_STATUS_OK;
+-}
+diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
+index df23058..ca2be2d 100755
+--- a/libcli/auth/wscript_build
++++ b/libcli/auth/wscript_build
+@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
+
+
+ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
+- source='schannel_state_tdb.c schannel_sign.c',
++ source='schannel_state_tdb.c',
+ deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
+ )
+
+--
+1.9.3
+
+
+From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 31 Dec 2013 10:11:18 +0100
+Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
+ in schannel.c
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
+---
+ auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
+index c60ab4f..3d30e83 100644
+--- a/auth/gensec/schannel.c
++++ b/auth/gensec/schannel.c
+@@ -34,6 +34,7 @@
+ #include "lib/crypto/crypto.h"
+
+ struct schannel_state {
++ struct gensec_security *gensec;
+ uint64_t seq_num;
+ bool initiator;
+ struct netlogon_creds_CredentialState *creds;
+@@ -50,17 +51,19 @@ struct schannel_state {
+ RSIVAL(_buf, 4, _seq_num_high); \
+ } while(0)
+
+-static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
++static struct schannel_state *netsec_create_state(
++ struct gensec_security *gensec,
+ struct netlogon_creds_CredentialState *creds,
+ bool initiator)
+ {
+ struct schannel_state *state;
+
+- state = talloc(mem_ctx, struct schannel_state);
++ state = talloc(gensec, struct schannel_state);
+ if (state == NULL) {
+ return NULL;
+ }
+
++ state->gensec = gensec;
+ state->initiator = initiator;
+ state->seq_num = 0;
+ state->creds = netlogon_creds_copy(state, creds);
+@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
++ gensec->private_data = state;
++
+ return state;
+ }
+
+@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
+ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+ bool do_unseal,
+ uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
+ const DATA_BLOB *sig)
+ {
+ uint32_t min_sig_size = 0;
+@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+ uint32_t confounder_ofs = 0;
+ uint8_t seq_num[8];
+ int ret;
++ const uint8_t *sign_data = NULL;
++ size_t sign_length = 0;
+
+ netsec_offset_and_sizes(state,
+ do_unseal,
+@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+ false);
+ }
+
++ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ sign_data = whole_pdu;
++ sign_length = pdu_length;
++ } else {
++ sign_data = data;
++ sign_length = length;
++ }
++
+ netsec_do_sign(state, confounder,
+- data, length,
++ sign_data, sign_length,
+ header, checksum);
+
+ ret = memcmp(checksum, sig->data+16, checksum_length);
+@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+ TALLOC_CTX *mem_ctx,
+ bool do_seal,
+ uint8_t *data, size_t length,
++ const uint8_t *whole_pdu, size_t pdu_length,
+ DATA_BLOB *sig)
+ {
+ uint32_t min_sig_size = 0;
+@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+ uint8_t *confounder = NULL;
+ uint32_t confounder_ofs = 0;
+ uint8_t seq_num[8];
++ const uint8_t *sign_data = NULL;
++ size_t sign_length = 0;
+
+ netsec_offset_and_sizes(state,
+ do_seal,
+@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+ confounder = NULL;
+ }
+
++ if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ sign_data = whole_pdu;
++ sign_length = pdu_length;
++ } else {
++ sign_data = data;
++ sign_length = length;
++ }
++
+ netsec_do_sign(state, confounder,
+- data, length,
++ sign_data, sign_length,
+ header, checksum);
+
+ if (do_seal) {
+@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+- gensec_security->private_data = state;
+
+ bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
+ #if 0
+@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+- gensec_security->private_data = state;
+
+ bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
+ bind_schannel_ack.Flags = 0;
+@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
+ return true;
+ }
++ if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
++ return true;
++ }
+ return false;
+ }
+
+@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
+
+ return netsec_incoming_packet(state, true,
+ discard_const_p(uint8_t, data),
+- length, sig);
++ length,
++ whole_pdu, pdu_length,
++ sig);
+ }
+
+ /*
+@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
+
+ return netsec_incoming_packet(state, false,
+ discard_const_p(uint8_t, data),
+- length, sig);
++ length,
++ whole_pdu, pdu_length,
++ sig);
+ }
+ /*
+ seal a packet
+@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
+ struct schannel_state);
+
+ return netsec_outgoing_packet(state, mem_ctx, true,
+- data, length, sig);
++ data, length,
++ whole_pdu, pdu_length,
++ sig);
+ }
+
+ /*
+@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
+
+ return netsec_outgoing_packet(state, mem_ctx, false,
+ discard_const_p(uint8_t, data),
+- length, sig);
++ length,
++ whole_pdu, pdu_length,
++ sig);
+ }
+
+ static const struct gensec_security_ops gensec_schannel_security_ops = {
+--
+1.9.3
+
+
+From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 5 Jan 2014 06:16:03 +0100
+Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
+---
+ source3/rpc_client/cli_pipe.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index a343997..7d1e347 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
+ {
+ struct pipe_auth_data *result;
+
+- result = talloc(mem_ctx, struct pipe_auth_data);
++ result = talloc_zero(mem_ctx, struct pipe_auth_data);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
+ {
+ struct pipe_auth_data *result;
+
+- result = talloc(mem_ctx, struct pipe_auth_data);
++ result = talloc_zero(mem_ctx, struct pipe_auth_data);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
+ struct pipe_auth_data *result;
+ NTSTATUS status;
+
+- result = talloc(mem_ctx, struct pipe_auth_data);
++ result = talloc_zero(mem_ctx, struct pipe_auth_data);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+--
+1.9.3
+
+
+From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 5 Jan 2014 06:31:44 +0100
+Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
+---
+ source3/rpc_client/cli_pipe.c | 4 ++--
+ source3/rpc_client/cli_pipe.h | 10 ----------
+ 2 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 7d1e347..3d12454 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
+ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+ bool *is_last_frag);
+
+-struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
++static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct rpc_pipe_client *cli,
+ uint8_t op_num,
+@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
+ tevent_req_done(req);
+ }
+
+-NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
++static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+ DATA_BLOB *reply_pdu)
+ {
+ struct rpc_api_pipe_req_state *state = tevent_req_data(
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index ab99373..826f9bf 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -27,16 +27,6 @@
+
+ /* The following definitions come from rpc_client/cli_pipe.c */
+
+-struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
+- struct tevent_context *ev,
+- struct rpc_pipe_client *cli,
+- uint8_t op_num,
+- DATA_BLOB *req_data);
+-
+-NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
+- TALLOC_CTX *mem_ctx,
+- DATA_BLOB *reply_pdu);
+-
+ struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct rpc_pipe_client *cli,
+--
+1.9.3
+
+
+From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 5 Jan 2014 07:56:20 +0100
+Subject: [PATCH 153/249] s3:rpc_client: add some const to
+ rpc_api_pipe_req_send()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
+---
+ source3/rpc_client/cli_pipe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 3d12454..6b7fee2 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
+ struct rpc_pipe_client *cli;
+ uint8_t op_num;
+ uint32_t call_id;
+- DATA_BLOB *req_data;
++ const DATA_BLOB *req_data;
+ uint32_t req_data_sent;
+ DATA_BLOB rpc_out;
+ DATA_BLOB reply_pdu;
+@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct rpc_pipe_client *cli,
+ uint8_t op_num,
+- DATA_BLOB *req_data)
++ const DATA_BLOB *req_data)
+ {
+ struct tevent_req *req, *subreq;
+ struct rpc_api_pipe_req_state *state;
+--
+1.9.3
+
+
+From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 5 Jan 2014 08:26:15 +0100
+Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
+ any other gensec backend
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
+---
+ source3/rpc_client/cli_pipe.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 6b7fee2..b142774 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
+
+ case DCERPC_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+ /* Bind complete. */
+ tevent_req_done(req);
+ return;
+
++ case DCERPC_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ case DCERPC_AUTH_TYPE_KRB5:
+@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
+
+ case DCERPC_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
+- case DCERPC_AUTH_TYPE_SCHANNEL:
+ /* Bind complete. */
+ tevent_req_done(req);
+ return;
+
++ case DCERPC_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+--
+1.9.3
+
+
+From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 22:41:33 +0100
+Subject: [PATCH 155/249] s3:rpc_client: implement
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
+---
+ source3/librpc/rpc/dcerpc.h | 4 +++-
+ source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
+ 2 files changed, 41 insertions(+), 7 deletions(-)
+
+diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
+index b18b7ba..aaf8d68 100644
+--- a/source3/librpc/rpc/dcerpc.h
++++ b/source3/librpc/rpc/dcerpc.h
+@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
+ struct pipe_auth_data {
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+-
++ bool client_hdr_signing;
++ bool hdr_signing;
++
+ void *auth_ctx;
+
+ /* Only the client code uses these 3 for now */
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index b142774..1cab580 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+
+ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+- DATA_BLOB *auth_token)
++ DATA_BLOB *auth_token,
++ bool *client_hdr_signing)
+ {
+ struct gensec_security *gensec_security;
+ DATA_BLOB null_blob = data_blob_null;
++ NTSTATUS status;
+
+ gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
+ struct gensec_security);
+
+ DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
+- return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
++ status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
++
++ if (!NT_STATUS_IS_OK(status) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
++ {
++ return status;
++ }
++
++ if (client_hdr_signing != NULL) {
++ *client_hdr_signing = gensec_have_feature(gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER);
++ }
++
++ return status;
+ }
+
+ /*******************************************************************
+@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
+ const struct ndr_syntax_id *abstract,
+ const struct ndr_syntax_id *transfer,
+ const DATA_BLOB *auth_info,
++ bool client_hdr_signing,
+ DATA_BLOB *blob)
+ {
+ uint16 auth_len = auth_info->length;
+ NTSTATUS status;
+ union dcerpc_payload u;
+ struct dcerpc_ctx_list ctx_list;
++ uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+
+ if (auth_len) {
+ auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
+ }
+
++ if (client_hdr_signing) {
++ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
++ }
++
+ ctx_list.context_id = 0;
+ ctx_list.num_transfer_syntaxes = 1;
+ ctx_list.abstract_syntax = *abstract;
+@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
+ u.bind.auth_info = *auth_info;
+
+ status = dcerpc_push_ncacn_packet(mem_ctx,
+- ptype,
+- DCERPC_PFC_FLAG_FIRST |
+- DCERPC_PFC_FLAG_LAST,
++ ptype, pfc_flags,
+ auth_len,
+ rpc_call_id,
+ &u,
+@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+- ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
++ ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
++ &auth_token,
++ &auth->client_hdr_signing);
+
+ if (!NT_STATUS_IS_OK(ret) &&
+ !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
+ abstract,
+ transfer,
+ &auth_info,
++ auth->client_hdr_signing,
+ rpc_out);
+ return ret;
+ }
+@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
+ abstract,
+ transfer,
+ &auth_info,
++ false, /* client_hdr_signing */
+ rpc_out);
+ data_blob_free(&auth_info);
+ return status;
+@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ gensec_security = talloc_get_type_abort(pauth->auth_ctx,
+ struct gensec_security);
++
++ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
++ if (pauth->client_hdr_signing) {
++ pauth->hdr_signing = true;
++ gensec_want_feature(gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER);
++ }
++ }
++
+ status = gensec_update(gensec_security, state, NULL,
+ auth.credentials, &auth_token);
+ if (NT_STATUS_EQUAL(status,
+--
+1.9.3
+
+
+From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 22:56:03 +0100
+Subject: [PATCH 156/249] s3:rpc_server: add support for
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
+
+If the backend supports it there's no reason to avoid it.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
+---
+ source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index 5f834fb..f572819 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -42,6 +42,7 @@
+ #include "rpc_server/rpc_contexts.h"
+ #include "lib/param/param.h"
+ #include "librpc/ndr/ndr_table.h"
++#include "auth/gensec/gensec.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_SRV
+@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
+ *******************************************************************/
+
+ static bool pipe_auth_generic_bind(struct pipes_struct *p,
+- TALLOC_CTX *mem_ctx,
++ struct ncacn_packet *pkt,
+ struct dcerpc_auth *auth_info,
+ DATA_BLOB *response)
+ {
++ TALLOC_CTX *mem_ctx = pkt;
+ struct gensec_security *gensec_security = NULL;
+ NTSTATUS status;
+
+@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
+ p->auth.auth_ctx = gensec_security;
+ p->auth.auth_type = auth_info->auth_type;
+
++ if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
++ p->auth.client_hdr_signing = true;
++ p->auth.hdr_signing = gensec_have_feature(gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER);
++ }
++
++ if (p->auth.hdr_signing) {
++ gensec_want_feature(gensec_security,
++ GENSEC_FEATURE_SIGN_PKT_HEADER);
++ }
++
+ return true;
+ }
+
+@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
+ NTSTATUS status;
+ struct ndr_syntax_id id;
++ uint8_t pfc_flags = 0;
+ union dcerpc_payload u;
+ struct dcerpc_ack_ctx bind_ack_ctx;
+ DATA_BLOB auth_resp = data_blob_null;
+@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
+ * header and are never sending more than one PDU here.
+ */
+
++ pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
++
++ if (p->auth.hdr_signing) {
++ pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
++ }
++
+ status = dcerpc_push_ncacn_packet(p->mem_ctx,
+ DCERPC_PKT_BIND_ACK,
+- DCERPC_PFC_FLAG_FIRST |
+- DCERPC_PFC_FLAG_LAST,
++ pfc_flags,
+ auth_resp.length,
+ pkt->call_id,
+ &u,
+--
+1.9.3
+
+
+From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 09:25:23 +0100
+Subject: [PATCH 157/249] librpc/ndr: add
+ LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
+
+This lets ndr_pull_subcontext_end() make sure that all
+subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
+---
+ librpc/idl/idl_types.h | 2 ++
+ librpc/ndr/libndr.h | 6 ++++++
+ librpc/ndr/ndr.c | 20 ++++++++++++++++++++
+ 3 files changed, 28 insertions(+)
+
+diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
+index c50efac..838c219 100644
+--- a/librpc/idl/idl_types.h
++++ b/librpc/idl/idl_types.h
+@@ -53,3 +53,5 @@
+
+ #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
+ #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
++
++#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
+diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
+index a950519..8070c3c 100644
+--- a/librpc/ndr/libndr.h
++++ b/librpc/ndr/libndr.h
+@@ -123,6 +123,12 @@ struct ndr_print {
+ #define LIBNDR_FLAG_STR_RAW8 (1<<13)
+ #define LIBNDR_STRING_FLAGS (0x7FFC)
+
++/*
++ * This lets ndr_pull_subcontext_end() return
++ * NDR_ERR_UNREAD_BYTES.
++ */
++#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
++
+ /* set if relative pointers should *not* be marshalled in reverse order */
+ #define LIBNDR_FLAG_NO_RELATIVE_REVERSE (1<<18)
+
+diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
+index e86cf2f..15a7f12 100644
+--- a/librpc/ndr/ndr.c
++++ b/librpc/ndr/ndr.c
+@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
+ ssize_t size_is)
+ {
+ uint32_t advance;
++ uint32_t highest_ofs;
++
+ if (size_is >= 0) {
+ advance = size_is;
+ } else if (header_size > 0) {
+@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
+ } else {
+ advance = subndr->offset;
+ }
++
++ if (subndr->offset > ndr->relative_highest_offset) {
++ highest_ofs = subndr->offset;
++ } else {
++ highest_ofs = subndr->relative_highest_offset;
++ }
++ if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
++ /*
++ * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
++ */
++ highest_ofs = advance;
++ }
++ if (highest_ofs < advance) {
++ return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
++ "not all bytes consumed ofs[%u] advance[%u]",
++ highest_ofs, advance);
++ }
++
+ NDR_CHECK(ndr_pull_advance(ndr, advance));
+ return NDR_ERR_SUCCESS;
+ }
+--
+1.9.3
+
+
+From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 3 Jan 2014 15:06:23 +0100
+Subject: [PATCH 158/249] dcerpc.idl: add documentation references
+
+To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
+---
+ librpc/idl/dcerpc.idl | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
+index 86f22a4..23cac89 100644
+--- a/librpc/idl/dcerpc.idl
++++ b/librpc/idl/dcerpc.idl
+@@ -5,8 +5,17 @@
+ but given that pidl can handle it nicely it simplifies things a lot
+ to do it this way
+
+- see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
+- layouts
++ See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
++ DCERPC specification:
++ http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
++
++ See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
++ http://www.opengroup.org/onlinepubs/9629399/chap12.htm
++
++ See also [MS-RPCE] for the Microsoft
++ "Remote Procedure Call Protocol Extensions".
++ http://msdn.microsoft.com/en-us/library/cc243560.aspx
++
+ */
+ import "misc.idl";
+
+--
+1.9.3
+
+
+From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 2 Jan 2014 11:18:38 +0100
+Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer
+
+See [MS-RPCE] 2.2.2.13 Verification Trailer for details.
+
+Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
+
+Signed-off-by: Gregor Beck <gbeck@sernet.de>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
+---
+ librpc/idl/dcerpc.idl | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
+ librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
+ librpc/wscript_build | 2 +-
+ 3 files changed, 134 insertions(+), 1 deletion(-)
+ create mode 100644 librpc/ndr/ndr_dcerpc.c
+
+diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
+index 23cac89..8e9be0e 100644
+--- a/librpc/idl/dcerpc.idl
++++ b/librpc/idl/dcerpc.idl
+@@ -19,6 +19,8 @@
+ */
+ import "misc.idl";
+
++cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
++
+ interface dcerpc
+ {
+ typedef struct {
+@@ -514,4 +516,69 @@ interface dcerpc
+ uint8 serial_low;
+ [switch_is(ptype)] dcerpc_payload u;
+ } ncadg_packet;
++
++ typedef [bitmap16bit] bitmap {
++ DCERPC_SEC_VT_COMMAND_ENUM = 0x3FFF,
++ DCERPC_SEC_VT_COMMAND_END = 0x4000,
++ DCERPC_SEC_VT_MUST_PROCESS = 0x8000
++ } dcerpc_sec_vt_command;
++
++ typedef [enum16bit] enum {
++ DCERPC_SEC_VT_COMMAND_BITMASK1 = 0x0001,
++ DCERPC_SEC_VT_COMMAND_PCONTEXT = 0x0002,
++ DCERPC_SEC_VT_COMMAND_HEADER2 = 0x0003
++ } dcerpc_sec_vt_command_enum;
++
++ typedef [bitmap32bit] bitmap {
++ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
++ } dcerpc_sec_vt_bitmask1;
++
++ typedef struct {
++ ndr_syntax_id abstract_syntax;
++ ndr_syntax_id transfer_syntax;
++ } dcerpc_sec_vt_pcontext;
++
++ typedef struct {
++ dcerpc_pkt_type ptype; /* Packet type */
++ [value(0)] uint8 reserved1;
++ [value(0)] uint16 reserved2;
++ uint8 drep[4]; /* NDR data representation */
++ uint32 call_id; /* Call identifier */
++ uint16 context_id;
++ uint16 opnum;
++ } dcerpc_sec_vt_header2;
++
++ typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
++ [case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
++ [case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
++ [case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
++ [default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
++ } dcerpc_sec_vt_union;
++
++ typedef struct {
++ dcerpc_sec_vt_command command;
++ [switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
++ [subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
++ dcerpc_sec_vt_union u;
++ } dcerpc_sec_vt;
++
++ typedef [public,nopush,nopull] struct {
++ uint16 count;
++ } dcerpc_sec_vt_count;
++
++ /*
++ * We assume that the whole verification trailer fits into
++ * the last 1024 bytes after the stub data.
++ *
++ * There're currently only 3 commands defined and each should
++ * only be used once.
++ */
++ const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
++
++ typedef [public,flag(NDR_PAHEX)] struct {
++ [flag(NDR_ALIGN4)] DATA_BLOB _pad;
++ [value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
++ dcerpc_sec_vt_count count;
++ dcerpc_sec_vt commands[count.count];
++ } dcerpc_sec_verification_trailer;
+ }
+diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
+new file mode 100644
+index 0000000..88a7f38
+--- /dev/null
++++ b/librpc/ndr/ndr_dcerpc.c
+@@ -0,0 +1,66 @@
++/*
++ Unix SMB/CIFS implementation.
++
++ Manually parsed structures found in the DCERPC protocol
++
++ Copyright (C) Stefan Metzmacher 2014
++ Copyright (C) Gregor Beck 2014
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "includes.h"
++#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
++
++#include "librpc/gen_ndr/ndr_misc.h"
++
++const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
++
++_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
++{
++ NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
++ /* nothing */
++ return NDR_ERR_SUCCESS;
++}
++
++_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
++{
++ uint32_t _saved_ofs = ndr->offset;
++
++ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
++
++ if (!(ndr_flags & NDR_SCALARS)) {
++ return NDR_ERR_SUCCESS;
++ }
++
++ r->count = 0;
++
++ while (true) {
++ uint16_t command;
++ uint16_t length;
++
++ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
++ NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
++ NDR_CHECK(ndr_pull_advance(ndr, length));
++
++ r->count += 1;
++
++ if (command & DCERPC_SEC_VT_COMMAND_END) {
++ break;
++ }
++ }
++
++ ndr->offset = _saved_ofs;
++ return NDR_ERR_SUCCESS;
++}
+diff --git a/librpc/wscript_build b/librpc/wscript_build
+index 2017a29..a5cf687 100644
+--- a/librpc/wscript_build
++++ b/librpc/wscript_build
+@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
+ )
+
+ bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
+- source='gen_ndr/ndr_dcerpc.c',
++ source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
+ public_deps='ndr',
+ public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
+ header_path= [ ('*gen_ndr*', 'gen_ndr') ],
+--
+1.9.3
+
+
+From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 5 Jan 2014 07:57:51 +0100
+Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
+ data not the total data.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 1cab580..5edd897 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+
+ ZERO_STRUCT(u.request);
+
+- u.request.alloc_hint = state->req_data->length;
++ u.request.alloc_hint = data_left;
+ u.request.context_id = 0;
+ u.request.opnum = state->op_num;
+
+--
+1.9.3
+
+
+From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 5 Jan 2014 08:12:45 +0100
+Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
+ if needed
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Tue Jan 7 02:24:42 CET 2014 on sn-devel-104
+(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
+---
+ source3/librpc/rpc/dcerpc.h | 1 +
+ source3/rpc_client/cli_pipe.c | 202 ++++++++++++++++++++++++++++++++++++++--
+ source3/rpc_client/rpc_client.h | 1 +
+ 3 files changed, 194 insertions(+), 10 deletions(-)
+
+diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
+index aaf8d68..9d0f861 100644
+--- a/source3/librpc/rpc/dcerpc.h
++++ b/source3/librpc/rpc/dcerpc.h
+@@ -41,6 +41,7 @@ struct pipe_auth_data {
+ enum dcerpc_AuthLevel auth_level;
+ bool client_hdr_signing;
+ bool hdr_signing;
++ bool verified_bitmask1;
+
+ void *auth_ctx;
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 5edd897..a45023f 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
+ uint32_t call_id;
+ const DATA_BLOB *req_data;
+ uint32_t req_data_sent;
++ DATA_BLOB req_trailer;
++ uint32_t req_trailer_sent;
++ bool verify_bitmask1;
++ bool verify_pcontext;
+ DATA_BLOB rpc_out;
+ DATA_BLOB reply_pdu;
+ };
+
+ static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
+ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
++static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
+ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+ bool *is_last_frag);
+
+@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
+ goto post_status;
+ }
+
++ status = prepare_verification_trailer(state);
++ if (!NT_STATUS_IS_OK(status)) {
++ goto post_status;
++ }
++
+ status = prepare_next_frag(state, &is_last_frag);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto post_status;
+@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
++static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
++{
++ struct pipe_auth_data *a = state->cli->auth;
++ struct dcerpc_sec_verification_trailer *t;
++ struct dcerpc_sec_vt *c = NULL;
++ struct ndr_push *ndr = NULL;
++ enum ndr_err_code ndr_err;
++ size_t align = 0;
++ size_t pad = 0;
++
++ if (a == NULL) {
++ return NT_STATUS_OK;
++ }
++
++ if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
++ return NT_STATUS_OK;
++ }
++
++ t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
++ if (t == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ if (!a->verified_bitmask1) {
++ t->commands = talloc_realloc(t, t->commands,
++ struct dcerpc_sec_vt,
++ t->count.count + 1);
++ if (t->commands == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ c = &t->commands[t->count.count++];
++ ZERO_STRUCTP(c);
++
++ c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
++ if (a->client_hdr_signing) {
++ c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
++ }
++ state->verify_bitmask1 = true;
++ }
++
++ if (!state->cli->verified_pcontext) {
++ t->commands = talloc_realloc(t, t->commands,
++ struct dcerpc_sec_vt,
++ t->count.count + 1);
++ if (t->commands == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ c = &t->commands[t->count.count++];
++ ZERO_STRUCTP(c);
++
++ c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
++ c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
++ c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
++
++ state->verify_pcontext = true;
++ }
++
++ if (!a->hdr_signing) {
++ t->commands = talloc_realloc(t, t->commands,
++ struct dcerpc_sec_vt,
++ t->count.count + 1);
++ if (t->commands == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ c = &t->commands[t->count.count++];
++ ZERO_STRUCTP(c);
++
++ c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
++ c->u.header2.ptype = DCERPC_PKT_REQUEST;
++ c->u.header2.drep[0] = DCERPC_DREP_LE;
++ c->u.header2.drep[1] = 0;
++ c->u.header2.drep[2] = 0;
++ c->u.header2.drep[3] = 0;
++ c->u.header2.call_id = state->call_id;
++ c->u.header2.context_id = 0;
++ c->u.header2.opnum = state->op_num;
++ }
++
++ if (t->count.count == 0) {
++ TALLOC_FREE(t);
++ return NT_STATUS_OK;
++ }
++
++ c = &t->commands[t->count.count - 1];
++ c->command |= DCERPC_SEC_VT_COMMAND_END;
++
++ if (DEBUGLEVEL >= 10) {
++ NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
++ }
++
++ ndr = ndr_push_init_ctx(state);
++ if (ndr == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
++ NDR_SCALARS | NDR_BUFFERS,
++ t);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ return ndr_map_error2ntstatus(ndr_err);
++ }
++ state->req_trailer = ndr_push_blob(ndr);
++
++ align = state->req_data->length & 0x3;
++ if (align > 0) {
++ pad = 4 - align;
++ }
++ if (pad > 0) {
++ bool ok;
++ uint8_t *p;
++ const uint8_t zeros[4] = { 0, };
++
++ ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
++ if (!ok) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ /* move the padding to the start */
++ p = state->req_trailer.data;
++ memmove(p + pad, p, state->req_trailer.length - pad);
++ memset(p, 0, pad);
++ }
++
++ return NT_STATUS_OK;
++}
++
+ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+ bool *is_last_frag)
+ {
+- size_t data_sent_thistime;
+ size_t auth_len;
+ size_t frag_len;
+ uint8_t flags = 0;
+ size_t pad_len;
+ size_t data_left;
++ size_t data_thistime;
++ size_t trailer_left;
++ size_t trailer_thistime = 0;
++ size_t total_left;
++ size_t total_thistime;
+ NTSTATUS status;
++ bool ok;
+ union dcerpc_payload u;
+
+ data_left = state->req_data->length - state->req_data_sent;
++ trailer_left = state->req_trailer.length - state->req_trailer_sent;
++ total_left = data_left + trailer_left;
++ if ((total_left < data_left) || (total_left < trailer_left)) {
++ /*
++ * overflow
++ */
++ return NT_STATUS_INVALID_PARAMETER_MIX;
++ }
+
+ status = dcerpc_guess_sizes(state->cli->auth,
+- DCERPC_REQUEST_LENGTH, data_left,
++ DCERPC_REQUEST_LENGTH, total_left,
+ state->cli->max_xmit_frag,
+ CLIENT_NDR_PADDING_SIZE,
+- &data_sent_thistime,
++ &total_thistime,
+ &frag_len, &auth_len, &pad_len);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+ flags = DCERPC_PFC_FLAG_FIRST;
+ }
+
+- if (data_sent_thistime == data_left) {
++ if (total_thistime == total_left) {
+ flags |= DCERPC_PFC_FLAG_LAST;
+ }
+
++ data_thistime = MIN(total_thistime, data_left);
++ if (data_thistime < total_thistime) {
++ trailer_thistime = total_thistime - data_thistime;
++ }
++
+ data_blob_free(&state->rpc_out);
+
+ ZERO_STRUCT(u.request);
+
+- u.request.alloc_hint = data_left;
++ u.request.alloc_hint = total_left;
+ u.request.context_id = 0;
+ u.request.opnum = state->op_num;
+
+@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+ * at this stage */
+ dcerpc_set_frag_length(&state->rpc_out, frag_len);
+
+- /* Copy in the data. */
+- if (!data_blob_append(NULL, &state->rpc_out,
++ if (data_thistime > 0) {
++ /* Copy in the data. */
++ ok = data_blob_append(NULL, &state->rpc_out,
+ state->req_data->data + state->req_data_sent,
+- data_sent_thistime)) {
+- return NT_STATUS_NO_MEMORY;
++ data_thistime);
++ if (!ok) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ state->req_data_sent += data_thistime;
++ }
++
++ if (trailer_thistime > 0) {
++ /* Copy in the verification trailer. */
++ ok = data_blob_append(NULL, &state->rpc_out,
++ state->req_trailer.data + state->req_trailer_sent,
++ trailer_thistime);
++ if (!ok) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ state->req_trailer_sent += trailer_thistime;
+ }
+
+ switch (state->cli->auth->auth_level) {
+@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- state->req_data_sent += data_sent_thistime;
+ *is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
+
+ return status;
+@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
+ tevent_req_nterror(req, status);
+ return;
+ }
++
++ if (state->cli->auth == NULL) {
++ tevent_req_done(req);
++ return;
++ }
++
++ if (state->verify_bitmask1) {
++ state->cli->auth->verified_bitmask1 = true;
++ }
++
++ if (state->verify_pcontext) {
++ state->cli->verified_pcontext = true;
++ }
++
+ tevent_req_done(req);
+ }
+
+diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
+index 6561b28..8024f01 100644
+--- a/source3/rpc_client/rpc_client.h
++++ b/source3/rpc_client/rpc_client.h
+@@ -39,6 +39,7 @@ struct rpc_pipe_client {
+
+ struct ndr_syntax_id abstract_syntax;
+ struct ndr_syntax_id transfer_syntax;
++ bool verified_pcontext;
+
+ char *desthost;
+ char *srv_name_slash;
+--
+1.9.3
+
+
+From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 18 Apr 2013 19:16:42 +0200
+Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure
+
+This provides an abstraction to hide netlogon_creds_CredentialState,
+which is stored in a node local tdb.
+
+Where the global state (netlogon_creds_CredentialState) between client and
+server was only kept in memory (on the client side), we now use
+the abstracted netlogon_creds_cli_context.
+
+We now use a node specific computer name in order to establish
+individual netlogon sessions per node.
+
+If the caller wants to use some netlogon calls with credential chain
+(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
+to get the current netlogon_creds_CredentialState in a g_lock'ed
+fashion, a talloc_free() will release the lock.
+
+The locking is needed as there might be more than one process
+(multiple winbindd child, cmdline tools) which want to talk
+to a specific domain controller. The usage of netlogon_creds_CredentialState
+needs to be serialized as it uses sequence numbers.
+
+LogonSamLogonEx doesn't use the credential chain, but for some operations
+it needs the global session in order to de/encrypt individual fields.
+It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
+functions, which just make sure the session hasn't changed between
+get and validate.
+
+This is prepares the proper fix for a large number of bugs:
+https://bugzilla.samba.org/show_bug.cgi?id=6563
+https://bugzilla.samba.org/show_bug.cgi?id=7944
+https://bugzilla.samba.org/show_bug.cgi?id=7945
+https://bugzilla.samba.org/show_bug.cgi?id=7568
+https://bugzilla.samba.org/show_bug.cgi?id=8599
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
+---
+ libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
+ libcli/auth/netlogon_creds_cli.h | 138 ++
+ libcli/auth/wscript_build | 4 +
+ 3 files changed, 2738 insertions(+)
+ create mode 100644 libcli/auth/netlogon_creds_cli.c
+ create mode 100644 libcli/auth/netlogon_creds_cli.h
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+new file mode 100644
+index 0000000..75d6b2c
+--- /dev/null
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -0,0 +1,2596 @@
++/*
++ Unix SMB/CIFS implementation.
++
++ module to store/fetch session keys for the schannel client
++
++ Copyright (C) Stefan Metzmacher 2013
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#include "includes.h"
++#include "system/filesys.h"
++#include <tevent.h>
++#include "lib/util/tevent_ntstatus.h"
++#include "lib/dbwrap/dbwrap.h"
++#include "lib/dbwrap/dbwrap_rbt.h"
++#include "lib/util/util_tdb.h"
++#include "libcli/security/security.h"
++#include "../lib/param/param.h"
++#include "../libcli/auth/schannel.h"
++#include "../librpc/gen_ndr/ndr_schannel.h"
++#include "../librpc/gen_ndr/ndr_netlogon_c.h"
++#include "../librpc/gen_ndr/server_id.h"
++#include "netlogon_creds_cli.h"
++#include "source3/include/messages.h"
++#include "source3/include/g_lock.h"
++
++struct netlogon_creds_cli_locked_state;
++
++struct netlogon_creds_cli_context {
++ struct {
++ const char *computer;
++ const char *account;
++ uint32_t proposed_flags;
++ uint32_t required_flags;
++ enum netr_SchannelType type;
++ enum dcerpc_AuthLevel auth_level;
++ } client;
++
++ struct {
++ const char *computer;
++ const char *netbios_domain;
++ uint32_t cached_flags;
++ bool try_validation6;
++ bool try_logon_ex;
++ bool try_logon_with;
++ } server;
++
++ struct {
++ const char *key_name;
++ TDB_DATA key_data;
++ struct db_context *ctx;
++ struct g_lock_ctx *g_ctx;
++ struct netlogon_creds_cli_locked_state *locked_state;
++ } db;
++};
++
++struct netlogon_creds_cli_locked_state {
++ struct netlogon_creds_cli_context *context;
++ bool is_glocked;
++ struct netlogon_creds_CredentialState *creds;
++};
++
++static int netlogon_creds_cli_locked_state_destructor(
++ struct netlogon_creds_cli_locked_state *state)
++{
++ struct netlogon_creds_cli_context *context = state->context;
++
++ if (context == NULL) {
++ return 0;
++ }
++
++ if (context->db.locked_state == state) {
++ context->db.locked_state = NULL;
++ }
++
++ if (state->is_glocked) {
++ g_lock_unlock(context->db.g_ctx,
++ context->db.key_name);
++ }
++
++ return 0;
++}
++
++static NTSTATUS netlogon_creds_cli_context_common(
++ const char *client_computer,
++ const char *client_account,
++ enum netr_SchannelType type,
++ enum dcerpc_AuthLevel auth_level,
++ uint32_t proposed_flags,
++ uint32_t required_flags,
++ const char *server_computer,
++ const char *server_netbios_domain,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_context)
++{
++ struct netlogon_creds_cli_context *context = NULL;
++
++ *_context = NULL;
++
++ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
++ if (context == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->client.computer = talloc_strdup(context, client_computer);
++ if (context->client.computer == NULL) {
++ talloc_free(context);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->client.account = talloc_strdup(context, client_account);
++ if (context->client.account == NULL) {
++ talloc_free(context);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->client.proposed_flags = proposed_flags;
++ context->client.required_flags = required_flags;
++ context->client.type = type;
++ context->client.auth_level = auth_level;
++
++ context->server.computer = talloc_strdup(context, server_computer);
++ if (context->server.computer == NULL) {
++ talloc_free(context);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
++ if (context->server.netbios_domain == NULL) {
++ talloc_free(context);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
++ client_computer,
++ client_account,
++ server_computer,
++ server_netbios_domain);
++ if (context->db.key_name == NULL) {
++ talloc_free(context);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->db.key_data = string_term_tdb_data(context->db.key_name);
++
++ *_context = context;
++ return NT_STATUS_OK;
++}
++
++static struct db_context *netlogon_creds_cli_global_db;
++
++NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
++{
++ char *fname;
++ struct db_context *global_db;
++
++ if (netlogon_creds_cli_global_db != NULL) {
++ return NT_STATUS_OK;
++ }
++
++ fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
++ if (fname == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
++ fname, 0,
++ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
++ O_RDWR|O_CREAT,
++ 0600, DBWRAP_LOCK_ORDER_2);
++ if (global_db == NULL) {
++ DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
++ fname, strerror(errno)));
++ talloc_free(fname);
++ return NT_STATUS_NO_MEMORY;
++ }
++ TALLOC_FREE(fname);
++
++ netlogon_creds_cli_global_db = global_db;
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
++ struct messaging_context *msg_ctx,
++ const char *client_account,
++ enum netr_SchannelType type,
++ const char *server_computer,
++ const char *server_netbios_domain,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_context)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ NTSTATUS status;
++ struct netlogon_creds_cli_context *context = NULL;
++ const char *client_computer;
++ uint32_t proposed_flags;
++ uint32_t required_flags = 0;
++ bool reject_md5_servers = false;
++ bool require_strong_key = false;
++ int require_sign_or_seal = true;
++ bool seal_secure_channel = true;
++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
++ bool neutralize_nt4_emulation = false;
++ struct server_id self = {
++ .vnn = NONCLUSTER_VNN,
++ .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
++ };
++
++ if (msg_ctx != NULL) {
++ self = messaging_server_id(msg_ctx);
++ }
++
++ *_context = NULL;
++
++ if (self.vnn != NONCLUSTER_VNN) {
++ client_computer = talloc_asprintf(frame,
++ "%s_cluster_vnn_%u",
++ lpcfg_netbios_name(lp_ctx),
++ (unsigned)self.vnn);
++ if (client_computer == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++ } else {
++ client_computer = lpcfg_netbios_name(lp_ctx);
++ }
++
++ /*
++ * allow overwrite per domain
++ * reject md5 servers:<netbios_domain>
++ */
++ //TODO: add lpcfp_reject_md5_servers()
++ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
++ "__default__",
++ "reject md5 servers",
++ reject_md5_servers);
++ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
++ "reject md5 servers",
++ server_netbios_domain,
++ reject_md5_servers);
++
++ /*
++ * allow overwrite per domain
++ * require strong key:<netbios_domain>
++ */
++ //TODO: add lpcfp_require_strong_key()
++ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
++ "__default__",
++ "require strong key",
++ require_strong_key);
++ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
++ "require strong key",
++ server_netbios_domain,
++ require_strong_key);
++
++ /*
++ * allow overwrite per domain
++ * client schannel:<netbios_domain>
++ */
++ require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
++ require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
++ "client schannel",
++ server_netbios_domain,
++ require_sign_or_seal);
++
++ /*
++ * allow overwrite per domain
++ * winbind sealed pipes:<netbios_domain>
++ */
++ seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
++ seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
++ "winbind sealed pipes",
++ server_netbios_domain,
++ seal_secure_channel);
++
++ /*
++ * allow overwrite per domain
++ * neutralize nt4 emulation:<netbios_domain>
++ */
++ //TODO: add lpcfp_neutralize_nt4_emulation()
++ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
++ "__default__",
++ "neutralize nt4 emulation",
++ neutralize_nt4_emulation);
++ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
++ "neutralize nt4 emulation",
++ server_netbios_domain,
++ neutralize_nt4_emulation);
++
++ proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
++ proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
++
++ switch (type) {
++ case SEC_CHAN_WKSTA:
++ if (lpcfg_security(lp_ctx) == SEC_ADS) {
++ /*
++ * AD domains should be secure
++ */
++ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
++ require_sign_or_seal = true;
++ require_strong_key = true;
++ }
++ break;
++
++ case SEC_CHAN_DOMAIN:
++ break;
++
++ case SEC_CHAN_DNS_DOMAIN:
++ /*
++ * AD domains should be secure
++ */
++ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
++ require_sign_or_seal = true;
++ require_strong_key = true;
++ neutralize_nt4_emulation = true;
++ break;
++
++ case SEC_CHAN_BDC:
++ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
++ require_sign_or_seal = true;
++ require_strong_key = true;
++ break;
++
++ case SEC_CHAN_RODC:
++ required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
++ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
++ require_sign_or_seal = true;
++ require_strong_key = true;
++ neutralize_nt4_emulation = true;
++ break;
++
++ default:
++ TALLOC_FREE(frame);
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ if (neutralize_nt4_emulation) {
++ proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
++ }
++
++ if (require_sign_or_seal == false) {
++ proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
++ } else {
++ required_flags |= NETLOGON_NEG_ARCFOUR;
++ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
++ }
++
++ if (reject_md5_servers) {
++ required_flags |= NETLOGON_NEG_ARCFOUR;
++ required_flags |= NETLOGON_NEG_PASSWORD_SET2;
++ required_flags |= NETLOGON_NEG_SUPPORTS_AES;
++ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
++ }
++
++ if (require_strong_key) {
++ required_flags |= NETLOGON_NEG_ARCFOUR;
++ required_flags |= NETLOGON_NEG_STRONG_KEYS;
++ required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
++ }
++
++ proposed_flags |= required_flags;
++
++ if (seal_secure_channel) {
++ auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
++ } else {
++ auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
++ }
++
++ status = netlogon_creds_cli_context_common(client_computer,
++ client_account,
++ type,
++ auth_level,
++ proposed_flags,
++ required_flags,
++ server_computer,
++ server_netbios_domain,
++ mem_ctx,
++ &context);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ if (msg_ctx != NULL) {
++ context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
++ if (context->db.g_ctx == NULL) {
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++ if (netlogon_creds_cli_global_db != NULL) {
++ context->db.ctx = netlogon_creds_cli_global_db;
++ *_context = context;
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++ }
++
++ status = netlogon_creds_cli_open_global_db(lp_ctx);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->db.ctx = netlogon_creds_cli_global_db;
++ *_context = context;
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
++ const char *client_account,
++ enum netr_SchannelType type,
++ uint32_t proposed_flags,
++ uint32_t required_flags,
++ enum dcerpc_AuthLevel auth_level,
++ const char *server_computer,
++ const char *server_netbios_domain,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_context)
++{
++ NTSTATUS status;
++ struct netlogon_creds_cli_context *context = NULL;
++
++ *_context = NULL;
++
++ status = netlogon_creds_cli_context_common(client_computer,
++ client_account,
++ type,
++ auth_level,
++ proposed_flags,
++ required_flags,
++ server_computer,
++ server_netbios_domain,
++ mem_ctx,
++ &context);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ context->db.ctx = db_open_rbt(context);
++ if (context->db.ctx == NULL) {
++ talloc_free(context);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ *_context = context;
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_context_copy(
++ const struct netlogon_creds_cli_context *src,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_dst)
++{
++ struct netlogon_creds_cli_context *dst;
++
++ dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
++ if (dst == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ *dst = *src;
++
++ dst->client.computer = talloc_strdup(dst, src->client.computer);
++ if (dst->client.computer == NULL) {
++ TALLOC_FREE(dst);
++ return NT_STATUS_NO_MEMORY;
++ }
++ dst->client.account = talloc_strdup(dst, src->client.account);
++ if (dst->client.account == NULL) {
++ TALLOC_FREE(dst);
++ return NT_STATUS_NO_MEMORY;
++ }
++ dst->server.computer = talloc_strdup(dst, src->server.computer);
++ if (dst->server.computer == NULL) {
++ TALLOC_FREE(dst);
++ return NT_STATUS_NO_MEMORY;
++ }
++ dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
++ if (dst->server.netbios_domain == NULL) {
++ TALLOC_FREE(dst);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ dst->db.key_name = talloc_strdup(dst, src->db.key_name);
++ if (dst->db.key_name == NULL) {
++ TALLOC_FREE(dst);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ dst->db.key_data = string_term_tdb_data(dst->db.key_name);
++
++ *_dst = dst;
++ return NT_STATUS_OK;
++}
++
++enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
++ struct netlogon_creds_cli_context *context)
++{
++ return context->client.auth_level;
++}
++
++struct netlogon_creds_cli_fetch_state {
++ TALLOC_CTX *mem_ctx;
++ struct netlogon_creds_CredentialState *creds;
++ uint32_t required_flags;
++ NTSTATUS status;
++};
++
++static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
++ void *private_data)
++{
++ struct netlogon_creds_cli_fetch_state *state =
++ (struct netlogon_creds_cli_fetch_state *)private_data;
++ enum ndr_err_code ndr_err;
++ DATA_BLOB blob;
++ uint32_t tmp_flags;
++
++ state->creds = talloc_zero(state->mem_ctx,
++ struct netlogon_creds_CredentialState);
++ if (state->creds == NULL) {
++ state->status = NT_STATUS_NO_MEMORY;
++ return;
++ }
++
++ blob.data = data.dptr;
++ blob.length = data.dsize;
++
++ ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
++ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ TALLOC_FREE(state->creds);
++ state->status = ndr_map_error2ntstatus(ndr_err);
++ return;
++ }
++
++ tmp_flags = state->creds->negotiate_flags;
++ tmp_flags &= state->required_flags;
++ if (tmp_flags != state->required_flags) {
++ TALLOC_FREE(state->creds);
++ state->status = NT_STATUS_DOWNGRADE_DETECTED;
++ return;
++ }
++
++ state->status = NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **_creds)
++{
++ NTSTATUS status;
++ struct netlogon_creds_cli_fetch_state fstate = {
++ .mem_ctx = mem_ctx,
++ .status = NT_STATUS_INTERNAL_ERROR,
++ .required_flags = context->client.required_flags,
++ };
++ static const struct netr_Credential zero_creds;
++
++ *_creds = NULL;
++
++ status = dbwrap_parse_record(context->db.ctx,
++ context->db.key_data,
++ netlogon_creds_cli_fetch_parser,
++ &fstate);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++ status = fstate.status;
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ /*
++ * mark it as invalid for step operations.
++ */
++ fstate.creds->sequence = 0;
++ fstate.creds->seed = zero_creds;
++ fstate.creds->client = zero_creds;
++ fstate.creds->server = zero_creds;
++
++ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
++ *_creds = fstate.creds;
++ return NT_STATUS_OK;
++ }
++
++ /*
++ * It is really important to try SamLogonEx here,
++ * because multiple processes can talk to the same
++ * domain controller, without using the credential
++ * chain.
++ *
++ * With a normal SamLogon call, we must keep the
++ * credentials chain updated and intact between all
++ * users of the machine account (which would imply
++ * cross-node communication for every NTLM logon).
++ *
++ * The credentials chain is not per NETLOGON pipe
++ * connection, but globally on the server/client pair
++ * by computer name, while the client is free to use
++ * any computer name. We include the cluster node number
++ * in our computer name in order to avoid cross node
++ * coordination of the credential chain.
++ *
++ * It's also important to use NetlogonValidationSamInfo4 (6),
++ * because it relies on the rpc transport encryption
++ * and avoids using the global netlogon schannel
++ * session key to en/decrypt secret information
++ * like the user_session_key for network logons.
++ *
++ * [MS-APDS] 3.1.5.2 NTLM Network Logon
++ * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
++ * NETLOGON_NEG_AUTHENTICATED_RPC set together
++ * are the indication that the server supports
++ * NetlogonValidationSamInfo4 (6). And it must only
++ * be used if "SealSecureChannel" is used.
++ *
++ * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
++ * check is done in netlogon_creds_cli_LogonSamLogon*().
++ */
++ context->server.cached_flags = fstate.creds->negotiate_flags;
++ context->server.try_validation6 = true;
++ context->server.try_logon_ex = true;
++ context->server.try_logon_with = true;
++
++ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
++ context->server.try_validation6 = false;
++ context->server.try_logon_ex = false;
++ }
++ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
++ context->server.try_validation6 = false;
++ }
++
++ *_creds = fstate.creds;
++ return NT_STATUS_OK;
++}
++
++bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
++ const struct netlogon_creds_CredentialState *creds1)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct netlogon_creds_CredentialState *creds2;
++ DATA_BLOB blob1;
++ DATA_BLOB blob2;
++ NTSTATUS status;
++ enum ndr_err_code ndr_err;
++ int cmp;
++
++ status = netlogon_creds_cli_get(context, frame, &creds2);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
++ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
++ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ if (blob1.length != blob2.length) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ cmp = memcmp(blob1.data, blob2.data, blob1.length);
++ if (cmp != 0) {
++ TALLOC_FREE(frame);
++ return false;
++ }
++
++ TALLOC_FREE(frame);
++ return true;
++}
++
++NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
++ struct netlogon_creds_CredentialState **_creds)
++{
++ struct netlogon_creds_CredentialState *creds = *_creds;
++ NTSTATUS status;
++ enum ndr_err_code ndr_err;
++ DATA_BLOB blob;
++ TDB_DATA data;
++
++ *_creds = NULL;
++
++ if (context->db.locked_state == NULL) {
++ /*
++ * this was not the result of netlogon_creds_cli_lock*()
++ */
++ TALLOC_FREE(creds);
++ return NT_STATUS_INVALID_PAGE_PROTECTION;
++ }
++
++ if (context->db.locked_state->creds != creds) {
++ /*
++ * this was not the result of netlogon_creds_cli_lock*()
++ */
++ TALLOC_FREE(creds);
++ return NT_STATUS_INVALID_PAGE_PROTECTION;
++ }
++
++ ndr_err = ndr_push_struct_blob(&blob, creds, creds,
++ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ TALLOC_FREE(creds);
++ status = ndr_map_error2ntstatus(ndr_err);
++ return status;
++ }
++
++ data.dptr = blob.data;
++ data.dsize = blob.length;
++
++ status = dbwrap_store(context->db.ctx,
++ context->db.key_data,
++ data, TDB_REPLACE);
++ TALLOC_FREE(creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
++ struct netlogon_creds_CredentialState **_creds)
++{
++ struct netlogon_creds_CredentialState *creds = *_creds;
++ NTSTATUS status;
++
++ *_creds = NULL;
++
++ if (context->db.locked_state == NULL) {
++ /*
++ * this was not the result of netlogon_creds_cli_lock*()
++ */
++ TALLOC_FREE(creds);
++ return NT_STATUS_INVALID_PAGE_PROTECTION;
++ }
++
++ if (context->db.locked_state->creds != creds) {
++ /*
++ * this was not the result of netlogon_creds_cli_lock*()
++ */
++ TALLOC_FREE(creds);
++ return NT_STATUS_INVALID_PAGE_PROTECTION;
++ }
++
++ status = dbwrap_delete(context->db.ctx,
++ context->db.key_data);
++ TALLOC_FREE(creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ return NT_STATUS_OK;
++}
++
++struct netlogon_creds_cli_lock_state {
++ struct netlogon_creds_cli_locked_state *locked_state;
++ struct netlogon_creds_CredentialState *creds;
++};
++
++static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
++static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
++
++struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context)
++{
++ struct tevent_req *req;
++ struct netlogon_creds_cli_lock_state *state;
++ struct netlogon_creds_cli_locked_state *locked_state;
++ struct tevent_req *subreq;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct netlogon_creds_cli_lock_state);
++ if (req == NULL) {
++ return NULL;
++ }
++
++ if (context->db.locked_state != NULL) {
++ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
++ return tevent_req_post(req, ev);
++ }
++
++ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
++ if (tevent_req_nomem(locked_state, req)) {
++ return tevent_req_post(req, ev);
++ }
++ talloc_set_destructor(locked_state,
++ netlogon_creds_cli_locked_state_destructor);
++ locked_state->context = context;
++
++ context->db.locked_state = locked_state;
++ state->locked_state = locked_state;
++
++ if (context->db.g_ctx == NULL) {
++ netlogon_creds_cli_lock_fetch(req);
++ if (!tevent_req_is_in_progress(req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ return req;
++ }
++
++ subreq = g_lock_lock_send(state, ev,
++ context->db.g_ctx,
++ context->db.key_name,
++ G_LOCK_WRITE);
++ if (tevent_req_nomem(subreq, req)) {
++ return tevent_req_post(req, ev);
++ }
++ tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
++
++ return req;
++}
++
++static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_lock_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_lock_state);
++ NTSTATUS status;
++
++ status = g_lock_lock_recv(subreq);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ state->locked_state->is_glocked = true;
++
++ netlogon_creds_cli_lock_fetch(req);
++}
++
++static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
++{
++ struct netlogon_creds_cli_lock_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_lock_state);
++ struct netlogon_creds_cli_context *context = state->locked_state->context;
++ struct netlogon_creds_cli_fetch_state fstate = {
++ .status = NT_STATUS_INTERNAL_ERROR,
++ .required_flags = context->client.required_flags,
++ };
++ NTSTATUS status;
++
++ fstate.mem_ctx = state;
++ status = dbwrap_parse_record(context->db.ctx,
++ context->db.key_data,
++ netlogon_creds_cli_fetch_parser,
++ &fstate);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ status = fstate.status;
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ if (context->server.cached_flags == fstate.creds->negotiate_flags) {
++ state->creds = fstate.creds;
++ tevent_req_done(req);
++ return;
++ }
++
++ context->server.cached_flags = fstate.creds->negotiate_flags;
++ context->server.try_validation6 = true;
++ context->server.try_logon_ex = true;
++ context->server.try_logon_with = true;
++
++ if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
++ context->server.try_validation6 = false;
++ context->server.try_logon_ex = false;
++ }
++ if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
++ context->server.try_validation6 = false;
++ }
++
++ state->creds = fstate.creds;
++ tevent_req_done(req);
++ return;
++}
++
++NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **creds)
++{
++ struct netlogon_creds_cli_lock_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_lock_state);
++ NTSTATUS status;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ tevent_req_received(req);
++ return status;
++ }
++
++ talloc_steal(state->creds, state->locked_state);
++ state->locked_state->creds = state->creds;
++ *creds = talloc_move(mem_ctx, &state->creds);
++ tevent_req_received(req);
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **creds)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct tevent_context *ev;
++ struct tevent_req *req;
++ NTSTATUS status = NT_STATUS_NO_MEMORY;
++
++ ev = samba_tevent_context_init(frame);
++ if (ev == NULL) {
++ goto fail;
++ }
++ req = netlogon_creds_cli_lock_send(frame, ev, context);
++ if (req == NULL) {
++ goto fail;
++ }
++ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
++ goto fail;
++ }
++ status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
++ fail:
++ TALLOC_FREE(frame);
++ return status;
++}
++
++struct netlogon_creds_cli_auth_state {
++ struct tevent_context *ev;
++ struct netlogon_creds_cli_context *context;
++ struct dcerpc_binding_handle *binding_handle;
++ struct samr_Password current_nt_hash;
++ struct samr_Password previous_nt_hash;
++ struct samr_Password used_nt_hash;
++ char *srv_name_slash;
++ uint32_t current_flags;
++ struct netr_Credential client_challenge;
++ struct netr_Credential server_challenge;
++ struct netlogon_creds_CredentialState *creds;
++ struct netr_Credential client_credential;
++ struct netr_Credential server_credential;
++ uint32_t rid;
++ bool try_auth3;
++ bool try_auth2;
++ bool require_auth2;
++ bool try_previous_nt_hash;
++ struct netlogon_creds_cli_locked_state *locked_state;
++};
++
++static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
++static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
++
++struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ struct samr_Password current_nt_hash,
++ const struct samr_Password *previous_nt_hash)
++{
++ struct tevent_req *req;
++ struct netlogon_creds_cli_auth_state *state;
++ struct netlogon_creds_cli_locked_state *locked_state;
++ NTSTATUS status;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct netlogon_creds_cli_auth_state);
++ if (req == NULL) {
++ return NULL;
++ }
++
++ state->ev = ev;
++ state->context = context;
++ state->binding_handle = b;
++ state->current_nt_hash = current_nt_hash;
++ if (previous_nt_hash != NULL) {
++ state->previous_nt_hash = *previous_nt_hash;
++ state->try_previous_nt_hash = true;
++ }
++
++ if (context->db.locked_state != NULL) {
++ tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
++ return tevent_req_post(req, ev);
++ }
++
++ locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
++ if (tevent_req_nomem(locked_state, req)) {
++ return tevent_req_post(req, ev);
++ }
++ talloc_set_destructor(locked_state,
++ netlogon_creds_cli_locked_state_destructor);
++ locked_state->context = context;
++
++ context->db.locked_state = locked_state;
++ state->locked_state = locked_state;
++
++ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
++ context->server.computer);
++ if (tevent_req_nomem(state->srv_name_slash, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ state->try_auth3 = true;
++ state->try_auth2 = true;
++
++ if (context->client.required_flags != 0) {
++ state->require_auth2 = true;
++ }
++
++ state->used_nt_hash = state->current_nt_hash;
++ state->current_flags = context->client.proposed_flags;
++
++ if (context->db.g_ctx != NULL) {
++ struct tevent_req *subreq;
++
++ subreq = g_lock_lock_send(state, ev,
++ context->db.g_ctx,
++ context->db.key_name,
++ G_LOCK_WRITE);
++ if (tevent_req_nomem(subreq, req)) {
++ return tevent_req_post(req, ev);
++ }
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_auth_locked,
++ req);
++
++ return req;
++ }
++
++ status = dbwrap_delete(state->context->db.ctx,
++ state->context->db.key_data);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
++ status = NT_STATUS_OK;
++ }
++ if (tevent_req_nterror(req, status)) {
++ return tevent_req_post(req, ev);
++ }
++
++ netlogon_creds_cli_auth_challenge_start(req);
++ if (!tevent_req_is_in_progress(req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ return req;
++}
++
++static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_auth_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_auth_state);
++ NTSTATUS status;
++
++ status = g_lock_lock_recv(subreq);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ state->locked_state->is_glocked = true;
++
++ status = dbwrap_delete(state->context->db.ctx,
++ state->context->db.key_data);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
++ status = NT_STATUS_OK;
++ }
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ netlogon_creds_cli_auth_challenge_start(req);
++}
++
++static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
++
++static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
++{
++ struct netlogon_creds_cli_auth_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_auth_state);
++ struct tevent_req *subreq;
++
++ TALLOC_FREE(state->creds);
++
++ generate_random_buffer(state->client_challenge.data,
++ sizeof(state->client_challenge.data));
++
++ subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.computer,
++ &state->client_challenge,
++ &state->server_challenge);
++ if (tevent_req_nomem(subreq, req)) {
++ return;
++ }
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_auth_challenge_done,
++ req);
++}
++
++static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
++
++static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_auth_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_auth_state);
++ NTSTATUS status;
++ NTSTATUS result;
++
++ status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ if (tevent_req_nterror(req, result)) {
++ return;
++ }
++
++ if (!state->try_auth3 && !state->try_auth2) {
++ state->current_flags = 0;
++ }
++
++ /* Calculate the session key and client credentials */
++
++ state->creds = netlogon_creds_client_init(state,
++ state->context->client.account,
++ state->context->client.computer,
++ state->context->client.type,
++ &state->client_challenge,
++ &state->server_challenge,
++ &state->used_nt_hash,
++ &state->client_credential,
++ state->current_flags);
++ if (tevent_req_nomem(state->creds, req)) {
++ return;
++ }
++
++ if (state->try_auth3) {
++ subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.account,
++ state->context->client.type,
++ state->context->client.computer,
++ &state->client_credential,
++ &state->server_credential,
++ &state->creds->negotiate_flags,
++ &state->rid);
++ if (tevent_req_nomem(subreq, req)) {
++ return;
++ }
++ } else if (state->try_auth2) {
++ state->rid = 0;
++
++ subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.account,
++ state->context->client.type,
++ state->context->client.computer,
++ &state->client_credential,
++ &state->server_credential,
++ &state->creds->negotiate_flags);
++ if (tevent_req_nomem(subreq, req)) {
++ return;
++ }
++ } else {
++ state->rid = 0;
++
++ subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.account,
++ state->context->client.type,
++ state->context->client.computer,
++ &state->client_credential,
++ &state->server_credential);
++ if (tevent_req_nomem(subreq, req)) {
++ return;
++ }
++ }
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_auth_srvauth_done,
++ req);
++}
++
++static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_auth_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_auth_state);
++ NTSTATUS status;
++ NTSTATUS result;
++ bool ok;
++ enum ndr_err_code ndr_err;
++ DATA_BLOB blob;
++ TDB_DATA data;
++ uint32_t tmp_flags;
++
++ if (state->try_auth3) {
++ status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
++ &result);
++ TALLOC_FREE(subreq);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ state->try_auth3 = false;
++ netlogon_creds_cli_auth_challenge_start(req);
++ return;
++ }
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ } else if (state->try_auth2) {
++ status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
++ &result);
++ TALLOC_FREE(subreq);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ state->try_auth2 = false;
++ if (state->require_auth2) {
++ status = NT_STATUS_DOWNGRADE_DETECTED;
++ tevent_req_nterror(req, status);
++ return;
++ }
++ netlogon_creds_cli_auth_challenge_start(req);
++ return;
++ }
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ } else {
++ status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
++ &result);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++ }
++
++ if (!NT_STATUS_IS_OK(result) &&
++ !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
++ {
++ tevent_req_nterror(req, result);
++ return;
++ }
++
++ tmp_flags = state->creds->negotiate_flags;
++ tmp_flags &= state->context->client.required_flags;
++ if (tmp_flags != state->context->client.required_flags) {
++ if (NT_STATUS_IS_OK(result)) {
++ tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
++ return;
++ }
++ tevent_req_nterror(req, result);
++ return;
++ }
++
++ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
++
++ tmp_flags = state->context->client.proposed_flags;
++ if ((state->current_flags == tmp_flags) &&
++ (state->creds->negotiate_flags != tmp_flags))
++ {
++ /*
++ * lets retry with the negotiated flags
++ */
++ state->current_flags = state->creds->negotiate_flags;
++ netlogon_creds_cli_auth_challenge_start(req);
++ return;
++ }
++
++ if (!state->try_previous_nt_hash) {
++ /*
++ * we already retried, giving up...
++ */
++ tevent_req_nterror(req, result);
++ return;
++ }
++
++ /*
++ * lets retry with the old nt hash.
++ */
++ state->try_previous_nt_hash = false;
++ state->used_nt_hash = state->previous_nt_hash;
++ state->current_flags = state->context->client.proposed_flags;
++ netlogon_creds_cli_auth_challenge_start(req);
++ return;
++ }
++
++ ok = netlogon_creds_client_check(state->creds,
++ &state->server_credential);
++ if (!ok) {
++ tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
++ return;
++ }
++
++ ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
++ (ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
++ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
++ status = ndr_map_error2ntstatus(ndr_err);
++ tevent_req_nterror(req, status);
++ return;
++ }
++
++ data.dptr = blob.data;
++ data.dsize = blob.length;
++
++ status = dbwrap_store(state->context->db.ctx,
++ state->context->db.key_data,
++ data, TDB_REPLACE);
++ TALLOC_FREE(state->locked_state);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ tevent_req_done(req);
++}
++
++NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
++{
++ NTSTATUS status;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ tevent_req_received(req);
++ return status;
++ }
++
++ tevent_req_received(req);
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ struct samr_Password current_nt_hash,
++ const struct samr_Password *previous_nt_hash)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct tevent_context *ev;
++ struct tevent_req *req;
++ NTSTATUS status = NT_STATUS_NO_MEMORY;
++
++ ev = samba_tevent_context_init(frame);
++ if (ev == NULL) {
++ goto fail;
++ }
++ req = netlogon_creds_cli_auth_send(frame, ev, context, b,
++ current_nt_hash,
++ previous_nt_hash);
++ if (req == NULL) {
++ goto fail;
++ }
++ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
++ goto fail;
++ }
++ status = netlogon_creds_cli_auth_recv(req);
++ fail:
++ TALLOC_FREE(frame);
++ return status;
++}
++
++struct netlogon_creds_cli_check_state {
++ struct tevent_context *ev;
++ struct netlogon_creds_cli_context *context;
++ struct dcerpc_binding_handle *binding_handle;
++
++ char *srv_name_slash;
++
++ union netr_Capabilities caps;
++
++ struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState tmp_creds;
++ struct netr_Authenticator req_auth;
++ struct netr_Authenticator rep_auth;
++};
++
++static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
++ NTSTATUS status);
++static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
++
++struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b)
++{
++ struct tevent_req *req;
++ struct netlogon_creds_cli_check_state *state;
++ struct tevent_req *subreq;
++ enum dcerpc_AuthType auth_type;
++ enum dcerpc_AuthLevel auth_level;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct netlogon_creds_cli_check_state);
++ if (req == NULL) {
++ return NULL;
++ }
++
++ state->ev = ev;
++ state->context = context;
++ state->binding_handle = b;
++
++ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
++ context->server.computer);
++ if (tevent_req_nomem(state->srv_name_slash, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ dcerpc_binding_handle_auth_info(state->binding_handle,
++ &auth_type, &auth_level);
++
++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
++ return tevent_req_post(req, ev);
++ }
++
++ switch (auth_level) {
++ case DCERPC_AUTH_LEVEL_INTEGRITY:
++ case DCERPC_AUTH_LEVEL_PRIVACY:
++ break;
++ default:
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
++ return tevent_req_post(req, ev);
++ }
++
++ subreq = netlogon_creds_cli_lock_send(state, state->ev,
++ state->context);
++ if (tevent_req_nomem(subreq, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_check_locked,
++ req);
++
++ return req;
++}
++
++static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
++ NTSTATUS status)
++{
++ struct netlogon_creds_cli_check_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_check_state);
++
++ if (state->creds == NULL) {
++ return;
++ }
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
++ TALLOC_FREE(state->creds);
++ return;
++ }
++
++ netlogon_creds_cli_delete(state->context, &state->creds);
++}
++
++static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
++
++static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_check_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_check_state);
++ NTSTATUS status;
++
++ status = netlogon_creds_cli_lock_recv(subreq, state,
++ &state->creds);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ /*
++ * we defer all callbacks in order to cleanup
++ * the database record.
++ */
++ tevent_req_defer_callback(req, state->ev);
++
++ state->tmp_creds = *state->creds;
++ netlogon_creds_client_authenticator(&state->tmp_creds,
++ &state->req_auth);
++ ZERO_STRUCT(state->rep_auth);
++
++ subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.computer,
++ &state->req_auth,
++ &state->rep_auth,
++ 1,
++ &state->caps);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_check_caps,
++ req);
++}
++
++static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_check_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_check_state);
++ NTSTATUS status;
++ NTSTATUS result;
++ bool ok;
++
++ status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
++ &result);
++ TALLOC_FREE(subreq);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ /*
++ * Note that the negotiated flags are already checked
++ * for our required flags after the ServerAuthenticate3/2 call.
++ */
++ uint32_t negotiated = state->tmp_creds.negotiate_flags;
++
++ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
++ /*
++ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
++ * already, we expect this to work!
++ */
++ status = NT_STATUS_DOWNGRADE_DETECTED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
++ /*
++ * If we have negotiated NETLOGON_NEG_STRONG_KEYS
++ * we expect this to work at least as far as the
++ * NOT_SUPPORTED error handled below!
++ *
++ * NT 4.0 and Old Samba servers are not
++ * allowed without "require strong key = no"
++ */
++ status = NT_STATUS_DOWNGRADE_DETECTED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ /*
++ * If we not require NETLOGON_NEG_SUPPORTS_AES or
++ * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
++ * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
++ *
++ * This is needed against NT 4.0 and old Samba servers.
++ *
++ * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
++ * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
++ * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
++ * with the next request as the sequence number processing
++ * gets out of sync.
++ */
++ netlogon_creds_cli_check_cleanup(req, result);
++ tevent_req_done(req);
++ return;
++ }
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
++ /*
++ * Note that the negotiated flags are already checked
++ * for our required flags after the ServerAuthenticate3/2 call.
++ */
++ uint32_t negotiated = state->tmp_creds.negotiate_flags;
++
++ if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
++ /*
++ * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
++ * already, we expect this to work!
++ */
++ status = NT_STATUS_DOWNGRADE_DETECTED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ /*
++ * This is ok, the server does not support
++ * NETLOGON_NEG_SUPPORTS_AES.
++ *
++ * netr_LogonGetCapabilities() was
++ * netr_LogonDummyRoutine1() before
++ * NETLOGON_NEG_SUPPORTS_AES was invented.
++ */
++ netlogon_creds_cli_check_cleanup(req, result);
++ tevent_req_done(req);
++ return;
++ }
++
++ ok = netlogon_creds_client_check(&state->tmp_creds,
++ &state->rep_auth.cred);
++ if (!ok) {
++ status = NT_STATUS_ACCESS_DENIED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ if (tevent_req_nterror(req, result)) {
++ netlogon_creds_cli_check_cleanup(req, result);
++ return;
++ }
++
++ if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
++ status = NT_STATUS_DOWNGRADE_DETECTED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ /*
++ * This is the key check that makes this check secure. If we
++ * get OK here (rather than NOT_SUPPORTED), then the server
++ * did support AES. If the server only proposed STRONG_KEYS
++ * and not AES, then it should have failed with
++ * NOT_IMPLEMENTED. We always send AES as a client, so the
++ * server should always have returned it.
++ */
++ if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
++ status = NT_STATUS_DOWNGRADE_DETECTED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_check_cleanup(req, status);
++ return;
++ }
++
++ *state->creds = state->tmp_creds;
++ status = netlogon_creds_cli_store(state->context,
++ &state->creds);
++ netlogon_creds_cli_check_cleanup(req, status);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ tevent_req_done(req);
++}
++
++NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
++{
++ NTSTATUS status;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ netlogon_creds_cli_check_cleanup(req, status);
++ tevent_req_received(req);
++ return status;
++ }
++
++ tevent_req_received(req);
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct tevent_context *ev;
++ struct tevent_req *req;
++ NTSTATUS status = NT_STATUS_NO_MEMORY;
++
++ ev = samba_tevent_context_init(frame);
++ if (ev == NULL) {
++ goto fail;
++ }
++ req = netlogon_creds_cli_check_send(frame, ev, context, b);
++ if (req == NULL) {
++ goto fail;
++ }
++ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
++ goto fail;
++ }
++ status = netlogon_creds_cli_check_recv(req);
++ fail:
++ TALLOC_FREE(frame);
++ return status;
++}
++
++struct netlogon_creds_cli_ServerPasswordSet_state {
++ struct tevent_context *ev;
++ struct netlogon_creds_cli_context *context;
++ struct dcerpc_binding_handle *binding_handle;
++ uint32_t old_timeout;
++
++ char *srv_name_slash;
++ enum dcerpc_AuthType auth_type;
++ enum dcerpc_AuthLevel auth_level;
++
++ struct samr_CryptPassword samr_crypt_password;
++ struct netr_CryptPassword netr_crypt_password;
++ struct samr_Password samr_password;
++
++ struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState tmp_creds;
++ struct netr_Authenticator req_auth;
++ struct netr_Authenticator rep_auth;
++};
++
++static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
++ NTSTATUS status);
++static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
++
++struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ const char *new_password,
++ const uint32_t *new_version)
++{
++ struct tevent_req *req;
++ struct netlogon_creds_cli_ServerPasswordSet_state *state;
++ struct tevent_req *subreq;
++ bool ok;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct netlogon_creds_cli_ServerPasswordSet_state);
++ if (req == NULL) {
++ return NULL;
++ }
++
++ state->ev = ev;
++ state->context = context;
++ state->binding_handle = b;
++
++ /*
++ * netr_ServerPasswordSet
++ */
++ E_md4hash(new_password, state->samr_password.hash);
++
++ /*
++ * netr_ServerPasswordSet2
++ */
++ ok = encode_pw_buffer(state->samr_crypt_password.data,
++ new_password, STR_UNICODE);
++ if (!ok) {
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
++ return tevent_req_post(req, ev);
++ }
++
++ if (new_version != NULL) {
++ struct NL_PASSWORD_VERSION version;
++ uint32_t len = IVAL(state->samr_crypt_password.data, 512);
++ uint32_t ofs = 512 - len;
++ uint8_t *p;
++
++ if (ofs < 12) {
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
++ return tevent_req_post(req, ev);
++ }
++ ofs -= 12;
++
++ version.ReservedField = 0;
++ version.PasswordVersionNumber = *new_version;
++ version.PasswordVersionPresent =
++ NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
++
++ p = state->samr_crypt_password.data + ofs;
++ SIVAL(p, 0, version.ReservedField);
++ SIVAL(p, 4, version.PasswordVersionNumber);
++ SIVAL(p, 8, version.PasswordVersionPresent);
++ }
++
++ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
++ context->server.computer);
++ if (tevent_req_nomem(state->srv_name_slash, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ dcerpc_binding_handle_auth_info(state->binding_handle,
++ &state->auth_type,
++ &state->auth_level);
++
++ subreq = netlogon_creds_cli_lock_send(state, state->ev,
++ state->context);
++ if (tevent_req_nomem(subreq, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_ServerPasswordSet_locked,
++ req);
++
++ return req;
++}
++
++static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
++ NTSTATUS status)
++{
++ struct netlogon_creds_cli_ServerPasswordSet_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_ServerPasswordSet_state);
++
++ if (state->creds == NULL) {
++ return;
++ }
++
++ dcerpc_binding_handle_set_timeout(state->binding_handle,
++ state->old_timeout);
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
++ TALLOC_FREE(state->creds);
++ return;
++ }
++
++ netlogon_creds_cli_delete(state->context, &state->creds);
++}
++
++static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
++
++static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_ServerPasswordSet_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_ServerPasswordSet_state);
++ NTSTATUS status;
++
++ status = netlogon_creds_cli_lock_recv(subreq, state,
++ &state->creds);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ return;
++ }
++
++ if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
++ switch (state->auth_level) {
++ case DCERPC_AUTH_LEVEL_INTEGRITY:
++ case DCERPC_AUTH_LEVEL_PRIVACY:
++ break;
++ default:
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
++ return;
++ }
++ } else {
++ uint32_t tmp = state->creds->negotiate_flags;
++
++ if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
++ /*
++ * if DCERPC_AUTH_TYPE_SCHANNEL is supported
++ * it should be used, which means
++ * we had a chance to verify no downgrade
++ * happened.
++ *
++ * This relies on netlogon_creds_cli_check*
++ * being called before, as first request after
++ * the DCERPC bind.
++ */
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
++ return;
++ }
++ }
++
++ state->old_timeout = dcerpc_binding_handle_set_timeout(
++ state->binding_handle, 600000);
++
++ /*
++ * we defer all callbacks in order to cleanup
++ * the database record.
++ */
++ tevent_req_defer_callback(req, state->ev);
++
++ state->tmp_creds = *state->creds;
++ netlogon_creds_client_authenticator(&state->tmp_creds,
++ &state->req_auth);
++ ZERO_STRUCT(state->rep_auth);
++
++ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
++
++ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ netlogon_creds_aes_encrypt(&state->tmp_creds,
++ state->samr_crypt_password.data,
++ 516);
++ } else {
++ netlogon_creds_arcfour_crypt(&state->tmp_creds,
++ state->samr_crypt_password.data,
++ 516);
++ }
++
++ memcpy(state->netr_crypt_password.data,
++ state->samr_crypt_password.data, 512);
++ state->netr_crypt_password.length =
++ IVAL(state->samr_crypt_password.data, 512);
++
++ subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->tmp_creds.account_name,
++ state->tmp_creds.secure_channel_type,
++ state->tmp_creds.computer_name,
++ &state->req_auth,
++ &state->rep_auth,
++ &state->netr_crypt_password);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ return;
++ }
++ } else {
++ netlogon_creds_des_encrypt(&state->tmp_creds,
++ &state->samr_password);
++
++ subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->tmp_creds.account_name,
++ state->tmp_creds.secure_channel_type,
++ state->tmp_creds.computer_name,
++ &state->req_auth,
++ &state->rep_auth,
++ &state->samr_password);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ return;
++ }
++ }
++
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_ServerPasswordSet_done,
++ req);
++}
++
++static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_ServerPasswordSet_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_ServerPasswordSet_state);
++ NTSTATUS status;
++ NTSTATUS result;
++ bool ok;
++
++ if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
++ status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
++ &result);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ return;
++ }
++ } else {
++ status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
++ &result);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ return;
++ }
++ }
++
++ ok = netlogon_creds_client_check(&state->tmp_creds,
++ &state->rep_auth.cred);
++ if (!ok) {
++ status = NT_STATUS_ACCESS_DENIED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ return;
++ }
++
++ if (tevent_req_nterror(req, result)) {
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
++ return;
++ }
++
++ dcerpc_binding_handle_set_timeout(state->binding_handle,
++ state->old_timeout);
++
++ *state->creds = state->tmp_creds;
++ status = netlogon_creds_cli_store(state->context,
++ &state->creds);
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ return;
++ }
++
++ tevent_req_done(req);
++}
++
++NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
++{
++ NTSTATUS status;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
++ tevent_req_received(req);
++ return status;
++ }
++
++ tevent_req_received(req);
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_ServerPasswordSet(
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ const char *new_password,
++ const uint32_t *new_version)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct tevent_context *ev;
++ struct tevent_req *req;
++ NTSTATUS status = NT_STATUS_NO_MEMORY;
++
++ ev = samba_tevent_context_init(frame);
++ if (ev == NULL) {
++ goto fail;
++ }
++ req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
++ new_password,
++ new_version);
++ if (req == NULL) {
++ goto fail;
++ }
++ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
++ goto fail;
++ }
++ status = netlogon_creds_cli_ServerPasswordSet_recv(req);
++ fail:
++ TALLOC_FREE(frame);
++ return status;
++}
++
++struct netlogon_creds_cli_LogonSamLogon_state {
++ struct tevent_context *ev;
++ struct netlogon_creds_cli_context *context;
++ struct dcerpc_binding_handle *binding_handle;
++
++ char *srv_name_slash;
++
++ enum netr_LogonInfoClass logon_level;
++ const union netr_LogonLevel *const_logon;
++ union netr_LogonLevel *logon;
++ uint32_t flags;
++
++ uint16_t validation_level;
++ union netr_Validation *validation;
++ uint8_t authoritative;
++
++ /*
++ * do we need encryption at the application layer?
++ */
++ bool user_encrypt;
++ bool try_logon_ex;
++ bool try_validation6;
++
++ /*
++ * the read only credentials before we started the operation
++ */
++ struct netlogon_creds_CredentialState *ro_creds;
++
++ struct netlogon_creds_CredentialState *lk_creds;
++
++ struct netlogon_creds_CredentialState tmp_creds;
++ struct netr_Authenticator req_auth;
++ struct netr_Authenticator rep_auth;
++};
++
++static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
++static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
++ NTSTATUS status);
++
++struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ enum netr_LogonInfoClass logon_level,
++ const union netr_LogonLevel *logon,
++ uint32_t flags)
++{
++ struct tevent_req *req;
++ struct netlogon_creds_cli_LogonSamLogon_state *state;
++
++ req = tevent_req_create(mem_ctx, &state,
++ struct netlogon_creds_cli_LogonSamLogon_state);
++ if (req == NULL) {
++ return NULL;
++ }
++
++ state->ev = ev;
++ state->context = context;
++ state->binding_handle = b;
++
++ state->logon_level = logon_level;
++ state->const_logon = logon;
++ state->flags = flags;
++
++ state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
++ context->server.computer);
++ if (tevent_req_nomem(state->srv_name_slash, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ switch (logon_level) {
++ case NetlogonInteractiveInformation:
++ case NetlogonInteractiveTransitiveInformation:
++ case NetlogonServiceInformation:
++ case NetlogonServiceTransitiveInformation:
++ case NetlogonGenericInformation:
++ state->user_encrypt = true;
++ break;
++
++ case NetlogonNetworkInformation:
++ case NetlogonNetworkTransitiveInformation:
++ break;
++ }
++
++ state->validation = talloc_zero(state, union netr_Validation);
++ if (tevent_req_nomem(state->validation, req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ netlogon_creds_cli_LogonSamLogon_start(req);
++ if (!tevent_req_is_in_progress(req)) {
++ return tevent_req_post(req, ev);
++ }
++
++ /*
++ * we defer all callbacks in order to cleanup
++ * the database record.
++ */
++ tevent_req_defer_callback(req, state->ev);
++ return req;
++}
++
++static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
++ NTSTATUS status)
++{
++ struct netlogon_creds_cli_LogonSamLogon_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_LogonSamLogon_state);
++
++ if (state->lk_creds == NULL) {
++ return;
++ }
++
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ /*
++ * This is a hack to recover from a bug in old
++ * Samba servers, when LogonSamLogonEx() fails:
++ *
++ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
++ *
++ * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
++ *
++ * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
++ * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
++ * If the sign/seal check fails.
++ *
++ * In that case we need to cleanup the netlogon session.
++ *
++ * It's the job of the caller to disconnect the current
++ * connection, if netlogon_creds_cli_LogonSamLogon()
++ * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
++ */
++ if (!state->context->server.try_logon_with) {
++ status = NT_STATUS_NETWORK_ACCESS_DENIED;
++ }
++ }
++
++ if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
++ !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
++ TALLOC_FREE(state->lk_creds);
++ return;
++ }
++
++ netlogon_creds_cli_delete(state->context, &state->lk_creds);
++}
++
++static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
++
++static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
++{
++ struct netlogon_creds_cli_LogonSamLogon_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_LogonSamLogon_state);
++ struct tevent_req *subreq;
++ NTSTATUS status;
++ enum dcerpc_AuthType auth_type;
++ enum dcerpc_AuthLevel auth_level;
++
++ TALLOC_FREE(state->ro_creds);
++ TALLOC_FREE(state->logon);
++ ZERO_STRUCTP(state->validation);
++
++ dcerpc_binding_handle_auth_info(state->binding_handle,
++ &auth_type, &auth_level);
++
++ state->try_logon_ex = state->context->server.try_logon_ex;
++ state->try_validation6 = state->context->server.try_validation6;
++
++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
++ state->try_logon_ex = false;
++ }
++
++ if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
++ state->try_validation6 = false;
++ }
++
++ if (state->try_logon_ex) {
++ if (state->try_validation6) {
++ state->validation_level = 6;
++ } else {
++ state->validation_level = 3;
++ state->user_encrypt = true;
++ }
++
++ state->logon = netlogon_creds_shallow_copy_logon(state,
++ state->logon_level,
++ state->const_logon);
++ if (tevent_req_nomem(state->logon, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ if (state->user_encrypt) {
++ status = netlogon_creds_cli_get(state->context,
++ state,
++ &state->ro_creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ status = NT_STATUS_ACCESS_DENIED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
++ state->logon_level,
++ state->logon);
++ }
++
++ subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.computer,
++ state->logon_level,
++ state->logon,
++ state->validation_level,
++ state->validation,
++ &state->authoritative,
++ &state->flags);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_LogonSamLogon_done,
++ req);
++ return;
++ }
++
++ if (state->lk_creds == NULL) {
++ subreq = netlogon_creds_cli_lock_send(state, state->ev,
++ state->context);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_LogonSamLogon_done,
++ req);
++ return;
++ }
++
++ state->tmp_creds = *state->lk_creds;
++ netlogon_creds_client_authenticator(&state->tmp_creds,
++ &state->req_auth);
++ ZERO_STRUCT(state->rep_auth);
++
++ state->logon = netlogon_creds_shallow_copy_logon(state,
++ state->logon_level,
++ state->const_logon);
++ if (tevent_req_nomem(state->logon, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
++ state->logon_level,
++ state->logon);
++
++ state->validation_level = 3;
++
++ if (state->context->server.try_logon_with) {
++ subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.computer,
++ &state->req_auth,
++ &state->rep_auth,
++ state->logon_level,
++ state->logon,
++ state->validation_level,
++ state->validation,
++ &state->authoritative,
++ &state->flags);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++ } else {
++ state->flags = 0;
++
++ subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
++ state->binding_handle,
++ state->srv_name_slash,
++ state->context->client.computer,
++ &state->req_auth,
++ &state->rep_auth,
++ state->logon_level,
++ state->logon,
++ state->validation_level,
++ state->validation,
++ &state->authoritative);
++ if (tevent_req_nomem(subreq, req)) {
++ status = NT_STATUS_NO_MEMORY;
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++ }
++
++ tevent_req_set_callback(subreq,
++ netlogon_creds_cli_LogonSamLogon_done,
++ req);
++}
++
++static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
++{
++ struct tevent_req *req =
++ tevent_req_callback_data(subreq,
++ struct tevent_req);
++ struct netlogon_creds_cli_LogonSamLogon_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_LogonSamLogon_state);
++ NTSTATUS status;
++ NTSTATUS result;
++ bool ok;
++
++ if (state->try_logon_ex) {
++ status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
++ state->validation,
++ &result);
++ TALLOC_FREE(subreq);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ state->context->server.try_validation6 = false;
++ state->context->server.try_logon_ex = false;
++ netlogon_creds_cli_LogonSamLogon_start(req);
++ return;
++ }
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ if ((state->validation_level == 6) &&
++ (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
++ NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
++ NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
++ {
++ state->context->server.try_validation6 = false;
++ netlogon_creds_cli_LogonSamLogon_start(req);
++ return;
++ }
++
++ if (tevent_req_nterror(req, result)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
++ return;
++ }
++
++ if (state->ro_creds == NULL) {
++ tevent_req_done(req);
++ return;
++ }
++
++ ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
++ if (!ok) {
++ /*
++ * We got a race, lets retry with on authenticator
++ * protection.
++ */
++ TALLOC_FREE(state->ro_creds);
++ state->try_logon_ex = false;
++ netlogon_creds_cli_LogonSamLogon_start(req);
++ return;
++ }
++
++ netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
++ state->validation_level,
++ state->validation);
++
++ tevent_req_done(req);
++ return;
++ }
++
++ if (state->lk_creds == NULL) {
++ status = netlogon_creds_cli_lock_recv(subreq, state,
++ &state->lk_creds);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ netlogon_creds_cli_LogonSamLogon_start(req);
++ return;
++ }
++
++ if (state->context->server.try_logon_with) {
++ status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
++ state->validation,
++ &result);
++ TALLOC_FREE(subreq);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ state->context->server.try_logon_with = false;
++ netlogon_creds_cli_LogonSamLogon_start(req);
++ return;
++ }
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++ } else {
++ status = dcerpc_netr_LogonSamLogon_recv(subreq,
++ state->validation,
++ &result);
++ TALLOC_FREE(subreq);
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++ }
++
++ ok = netlogon_creds_client_check(&state->tmp_creds,
++ &state->rep_auth.cred);
++ if (!ok) {
++ status = NT_STATUS_ACCESS_DENIED;
++ tevent_req_nterror(req, status);
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ *state->lk_creds = state->tmp_creds;
++ status = netlogon_creds_cli_store(state->context,
++ &state->lk_creds);
++ if (tevent_req_nterror(req, status)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ return;
++ }
++
++ if (tevent_req_nterror(req, result)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
++ return;
++ }
++
++ netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
++ state->validation_level,
++ state->validation);
++
++ tevent_req_done(req);
++}
++
++NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ uint16_t *validation_level,
++ union netr_Validation **validation,
++ uint8_t *authoritative,
++ uint32_t *flags)
++{
++ struct netlogon_creds_cli_LogonSamLogon_state *state =
++ tevent_req_data(req,
++ struct netlogon_creds_cli_LogonSamLogon_state);
++ NTSTATUS status;
++
++ /* authoritative is also returned on error */
++ *authoritative = state->authoritative;
++
++ if (tevent_req_is_nterror(req, &status)) {
++ netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
++ tevent_req_received(req);
++ return status;
++ }
++
++ *validation_level = state->validation_level;
++ *validation = talloc_move(mem_ctx, &state->validation);
++ *flags = state->flags;
++
++ tevent_req_received(req);
++ return NT_STATUS_OK;
++}
++
++NTSTATUS netlogon_creds_cli_LogonSamLogon(
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ enum netr_LogonInfoClass logon_level,
++ const union netr_LogonLevel *logon,
++ TALLOC_CTX *mem_ctx,
++ uint16_t *validation_level,
++ union netr_Validation **validation,
++ uint8_t *authoritative,
++ uint32_t *flags)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct tevent_context *ev;
++ struct tevent_req *req;
++ NTSTATUS status = NT_STATUS_NO_MEMORY;
++
++ ev = samba_tevent_context_init(frame);
++ if (ev == NULL) {
++ goto fail;
++ }
++ req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
++ logon_level, logon,
++ *flags);
++ if (req == NULL) {
++ goto fail;
++ }
++ if (!tevent_req_poll_ntstatus(req, ev, &status)) {
++ goto fail;
++ }
++ status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
++ validation_level,
++ validation,
++ authoritative,
++ flags);
++ fail:
++ TALLOC_FREE(frame);
++ return status;
++}
+diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
+new file mode 100644
+index 0000000..f8f2bef
+--- /dev/null
++++ b/libcli/auth/netlogon_creds_cli.h
+@@ -0,0 +1,138 @@
++/*
++ Unix SMB/CIFS implementation.
++
++ module to store/fetch session keys for the schannel client
++
++ Copyright (C) Stefan Metzmacher 2013
++
++ This program is free software; you can redistribute it and/or modify
++ it under the terms of the GNU General Public License as published by
++ the Free Software Foundation; either version 3 of the License, or
++ (at your option) any later version.
++
++ This program is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ GNU General Public License for more details.
++
++ You should have received a copy of the GNU General Public License
++ along with this program. If not, see <http://www.gnu.org/licenses/>.
++*/
++
++#ifndef NETLOGON_CREDS_CLI_H
++#define NETLOGON_CREDS_CLI_H
++
++#include "librpc/gen_ndr/dcerpc.h"
++#include "librpc/gen_ndr/schannel.h"
++
++struct netlogon_creds_cli_context;
++struct messaging_context;
++struct dcerpc_binding_handle;
++
++NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
++
++NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
++ struct messaging_context *msg_ctx,
++ const char *client_account,
++ enum netr_SchannelType type,
++ const char *server_computer,
++ const char *server_netbios_domain,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_context);
++NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
++ const char *client_account,
++ enum netr_SchannelType type,
++ enum dcerpc_AuthLevel auth_level,
++ uint32_t proposed_flags,
++ uint32_t required_flags,
++ const char *server_computer,
++ const char *server_netbios_domain,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_context);
++NTSTATUS netlogon_creds_cli_context_copy(
++ const struct netlogon_creds_cli_context *src,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **_dst);
++
++enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
++ struct netlogon_creds_cli_context *context);
++
++NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **_creds);
++bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
++ const struct netlogon_creds_CredentialState *creds1);
++
++NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
++ struct netlogon_creds_CredentialState **_creds);
++NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
++ struct netlogon_creds_CredentialState **_creds);
++
++struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context);
++NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **creds);
++NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_CredentialState **creds);
++
++struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ struct samr_Password current_nt_hash,
++ const struct samr_Password *previous_nt_hash);
++NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
++NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ struct samr_Password current_nt_hash,
++ const struct samr_Password *previous_nt_hash);
++
++struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b);
++NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
++NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b);
++
++struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ const char *new_password,
++ const uint32_t *new_version);
++NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
++NTSTATUS netlogon_creds_cli_ServerPasswordSet(
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ const char *new_password,
++ const uint32_t *new_version);
++
++struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
++ struct tevent_context *ev,
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ enum netr_LogonInfoClass logon_level,
++ const union netr_LogonLevel *logon,
++ uint32_t flags);
++NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
++ TALLOC_CTX *mem_ctx,
++ uint16_t *validation_level,
++ union netr_Validation **validation,
++ uint8_t *authoritative,
++ uint32_t *flags);
++NTSTATUS netlogon_creds_cli_LogonSamLogon(
++ struct netlogon_creds_cli_context *context,
++ struct dcerpc_binding_handle *b,
++ enum netr_LogonInfoClass logon_level,
++ const union netr_LogonLevel *logon,
++ TALLOC_CTX *mem_ctx,
++ uint16_t *validation_level,
++ union netr_Validation **validation,
++ uint8_t *authoritative,
++ uint32_t *flags);
++
++#endif /* NETLOGON_CREDS_CLI_H */
+diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
+index ca2be2d..51eb293 100755
+--- a/libcli/auth/wscript_build
++++ b/libcli/auth/wscript_build
+@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
+ deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
+ )
+
++bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
++ source='netlogon_creds_cli.c',
++ deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
++ )
+
+ bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
+ source='pam_errors.c',
+--
+1.9.3
+
+
+From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 13 Dec 2013 17:31:45 +0100
+Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
+ netlogon_creds_cli_context_common()
+
+Until all callers are fixed to pass the same 'server_computer'
+value, we try to calculate a server_netbios_name and use this
+as unique identifier for a specific domain controller.
+
+Otherwise winbind would use 'hostname.example.com'
+while 'net rpc testjoin' would use 'HOSTNAME',
+which leads to 2 records in netlogon_creds_cli.tdb
+for the same domain controller.
+
+Once all callers are fixed we can think about reverting this
+commit.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
+---
+ libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 48 insertions(+), 10 deletions(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 75d6b2c..a872b31 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
+ struct netlogon_creds_cli_context **_context)
+ {
+ struct netlogon_creds_cli_context *context = NULL;
++ TALLOC_CTX *frame = talloc_stackframe();
++ char *_key_name = NULL;
++ char *server_netbios_name = NULL;
++ char *p = NULL;
+
+ *_context = NULL;
+
+ context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
+ if (context == NULL) {
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->client.computer = talloc_strdup(context, client_computer);
+ if (context->client.computer == NULL) {
+- talloc_free(context);
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->client.account = talloc_strdup(context, client_account);
+ if (context->client.account == NULL) {
+- talloc_free(context);
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
+
+ context->server.computer = talloc_strdup(context, server_computer);
+ if (context->server.computer == NULL) {
+- talloc_free(context);
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
+ if (context->server.netbios_domain == NULL) {
+- talloc_free(context);
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
+- client_computer,
+- client_account,
+- server_computer,
+- server_netbios_domain);
++ /*
++ * TODO:
++ * Force the callers to provide a unique
++ * value for server_computer and use this directly.
++ *
++ * For now we have to deal with
++ * "HOSTNAME" vs. "hostname.example.com".
++ */
++ server_netbios_name = talloc_strdup(frame, server_computer);
++ if (server_netbios_name == NULL) {
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ p = strchr(server_netbios_name, '.');
++ if (p != NULL) {
++ p[0] = '\0';
++ }
++
++ _key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
++ client_computer,
++ client_account,
++ server_netbios_name,
++ server_netbios_domain);
++ if (_key_name == NULL) {
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ context->db.key_name = talloc_strdup_upper(context, _key_name);
+ if (context->db.key_name == NULL) {
+- talloc_free(context);
++ TALLOC_FREE(context);
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ context->db.key_data = string_term_tdb_data(context->db.key_name);
+
+ *_context = context;
++ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+--
+1.9.3
+
+
+From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 19:01:28 +0200
+Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
+---
+ source3/param/loadparm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 40f3242..7d95256 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
+ Globals.security = SEC_USER;
+ Globals.bEncryptPasswords = true;
+ Globals.clientSchannel = Auto;
++ Globals.bWinbindSealedPipes = true;
+ Globals.serverSchannel = Auto;
+ Globals.bReadRaw = true;
+ Globals.bWriteRaw = true;
+--
+1.9.3
+
+
+From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 18:39:56 +0200
+Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
+ defaulting to false
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
+---
+ .../smbdotconf/winbind/netutralizent4emulation.xml | 19 +++++++++++++++++++
+ lib/param/param_functions.c | 1 +
+ lib/param/param_table.c | 9 +++++++++
+ 3 files changed, 29 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
+
+diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
+new file mode 100644
+index 0000000..8294a90
+--- /dev/null
++++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
+@@ -0,0 +1,19 @@
++<samba:parameter name="neutralize nt4 emulation"
++ context="G"
++ type="boolean"
++ advanced="1" developer="1"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++ <para>This option controls whether winbindd sends
++ the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
++ the NT4 emulation of a domain controller.</para>
++
++ <para>Typically you should not need set this.
++ It can be useful for upgrades from NT4 to AD domains.</para>
++
++ <para>The behavior can be controlled per netbios domain
++ by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
++</description>
++
++<value type="default">no</value>
++</samba:parameter>
+diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
+index 60f9c07..aef091b 100644
+--- a/lib/param/param_functions.c
++++ b/lib/param/param_functions.c
+@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
+ FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
+ FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
+ FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
++FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
+ FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
+ FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
+ FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index 8e3f952..edf6829 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
++ {
++ .label = "neutralize nt4 emulation",
++ .type = P_BOOL,
++ .p_class = P_GLOBAL,
++ .offset = GLOBAL_VAR(bNeutralizeNT4Emulation),
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
+
+ {N_("DNS options"), P_SEP, P_SEPARATOR},
+ {
+--
+1.9.3
+
+
+From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 18:39:56 +0200
+Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
+ defaulting to false
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
+---
+ docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
+ lib/param/param_functions.c | 1 +
+ lib/param/param_table.c | 9 +++++++++
+ 3 files changed, 33 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+
+diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+new file mode 100644
+index 0000000..18f8bcb
+--- /dev/null
++++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+@@ -0,0 +1,23 @@
++<samba:parameter name="reject md5 servers"
++ context="G"
++ type="boolean"
++ advanced="1"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++ <para>This option controls whether winbindd requires support
++ for aes support for the netlogon secure channel.</para>
++
++ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
++ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
++
++ <para>You can set this to yes if all domain controllers support aes.
++ This will prevent downgrade attacks.</para>
++
++ <para>The behavior can be controlled per netbios domain
++ by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
++
++ <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
++</description>
++
++<value type="default">no</value>
++</samba:parameter>
+diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
+index aef091b..ecd7f8e 100644
+--- a/lib/param/param_functions.c
++++ b/lib/param/param_functions.c
+@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
+ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
+ FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
+ FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
++FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
+ FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
+ FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
+ FN_GLOBAL_BOOL(stat_cache, bStatCache)
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index edf6829..b53f850 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
++ {
++ .label = "reject md5 servers",
++ .type = P_BOOL,
++ .p_class = P_GLOBAL,
++ .offset = GLOBAL_VAR(bRejectMD5Servers),
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
+
+ {N_("DNS options"), P_SEP, P_SEPARATOR},
+ {
+--
+1.9.3
+
+
+From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 18:39:56 +0200
+Subject: [PATCH 167/249] lib/param: add "require strong key" option,
+ defaulting to true
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
+---
+ docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
+ lib/param/loadparm.c | 1 +
+ lib/param/param_functions.c | 1 +
+ lib/param/param_table.c | 9 ++++++++
+ 4 files changed, 38 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml
+
+diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
+new file mode 100644
+index 0000000..de749bb
+--- /dev/null
++++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
+@@ -0,0 +1,27 @@
++<samba:parameter name="require strong key"
++ context="G"
++ type="boolean"
++ advanced="1"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++ <para>This option controls whether winbindd requires support
++ for md5 strong key support for the netlogon secure channel.</para>
++
++ <para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
++ NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
++
++ <para>You can set this to no if some domain controllers only support des.
++ This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
++
++ <para>The behavior can be controlled per netbios domain
++ by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
++
++ <para>Note for active directory domain this option is hardcoded to 'yes'</para>
++
++ <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
++
++ <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
++</description>
++
++<value type="default">yes</value>
++</samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 23b45e2..a84a166 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+
+ lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
+ lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
++ lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
+ lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
+ lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
+ lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
+diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
+index ecd7f8e..41b137f 100644
+--- a/lib/param/param_functions.c
++++ b/lib/param/param_functions.c
+@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
+ FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
+ FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
+ FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
++FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
+ FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
+ FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
+ FN_GLOBAL_BOOL(stat_cache, bStatCache)
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index b53f850..36e8554 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
++ {
++ .label = "require strong key",
++ .type = P_BOOL,
++ .p_class = P_GLOBAL,
++ .offset = GLOBAL_VAR(bRequireStrongKey),
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
+
+ {N_("DNS options"), P_SEP, P_SEPARATOR},
+ {
+--
+1.9.3
+
+
+From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 19:01:47 +0200
+Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
+---
+ source3/param/loadparm.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 7d95256..ed46e53 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
+ Globals.bEncryptPasswords = true;
+ Globals.clientSchannel = Auto;
+ Globals.bWinbindSealedPipes = true;
++ Globals.bRequireStrongKey = true;
+ Globals.serverSchannel = Auto;
+ Globals.bReadRaw = true;
+ Globals.bWriteRaw = true;
+--
+1.9.3
+
+
+From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 18:48:15 +0200
+Subject: [PATCH 169/249] libcli/auth: make use of real options in
+ netlogon_creds_cli_context_global()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
+---
+ libcli/auth/netlogon_creds_cli.c | 18 +++---------------
+ 1 file changed, 3 insertions(+), 15 deletions(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index a872b31..6590b21 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+ * allow overwrite per domain
+ * reject md5 servers:<netbios_domain>
+ */
+- //TODO: add lpcfp_reject_md5_servers()
+- reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
+- "__default__",
+- "reject md5 servers",
+- reject_md5_servers);
++ reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
+ reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
+ "reject md5 servers",
+ server_netbios_domain,
+@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+ * allow overwrite per domain
+ * require strong key:<netbios_domain>
+ */
+- //TODO: add lpcfp_require_strong_key()
+- require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
+- "__default__",
+- "require strong key",
+- require_strong_key);
++ require_strong_key = lpcfg_require_strong_key(lp_ctx);
+ require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
+ "require strong key",
+ server_netbios_domain,
+@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+ * allow overwrite per domain
+ * neutralize nt4 emulation:<netbios_domain>
+ */
+- //TODO: add lpcfp_neutralize_nt4_emulation()
+- neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
+- "__default__",
+- "neutralize nt4 emulation",
+- neutralize_nt4_emulation);
++ neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
+ neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
+ "neutralize nt4 emulation",
+ server_netbios_domain,
+--
+1.9.3
+
+
+From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 23 Dec 2013 10:45:27 +0100
+Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
+ ads and other options.
+
+It implies 'require strong key = yes' and 'client schannel = yes'.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
+---
+ docs-xml/smbdotconf/security/security.xml | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
+index 406089f..2f5c3f7 100644
+--- a/docs-xml/smbdotconf/security/security.xml
++++ b/docs-xml/smbdotconf/security/security.xml
+@@ -99,7 +99,10 @@
+
+ <para>Note that this mode does NOT make Samba operate as a Active Directory Domain
+ Controller. </para>
+-
++
++ <para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
++ and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
++
+ <para>Read the chapter about Domain Membership in the HOWTO for details.</para>
+ </description>
+
+--
+1.9.3
+
+
+From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 23 Dec 2013 10:46:57 +0100
+Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
+ schannel' with 'require strong key = yes'
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
+---
+ docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
+index e229182..ac4cc59 100644
+--- a/docs-xml/smbdotconf/security/clientschannel.xml
++++ b/docs-xml/smbdotconf/security/clientschannel.xml
+@@ -12,6 +12,11 @@
+ enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access
+ if the server is not able to speak netlogon schannel.
+ </para>
++
++ <para>Note that for active directory domains this is hardcoded to
++ <smbconfoption name="client schannel">yes</smbconfoption>.</para>
++
++ <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+ </description>
+ <value type="default">auto</value>
+ <value type="example">yes</value>
+--
+1.9.3
+
+
+From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 19:31:58 +0200
+Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
+ option for all connections
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
+---
+ source3/winbindd/winbindd.h | 3 +++
+ source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
+ 2 files changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index 72eb3ec..afde685 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -25,6 +25,7 @@
+
+ #include "nsswitch/winbind_struct_protocol.h"
+ #include "nsswitch/libwbclient/wbclient.h"
++#include "librpc/gen_ndr/dcerpc.h"
+ #include "librpc/gen_ndr/wbint.h"
+
+ #include "talloc_dict.h"
+@@ -105,6 +106,8 @@ struct getpwent_user {
+ struct winbindd_cm_conn {
+ struct cli_state *cli;
+
++ enum dcerpc_AuthLevel auth_level;
++
+ struct rpc_pipe_client *samr_pipe;
+ struct policy_handle sam_connect_handle, sam_domain_handle;
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index c4f59d3..6c1244e 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
+ }
+
+ if (NT_STATUS_IS_OK(result)) {
++ bool seal_pipes = true;
+
+ winbindd_set_locator_kdc_envs(domain);
+
+@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
+ */
+ store_current_dc_in_gencache(domain->name, domain->dcname,
+ new_conn->cli);
++
++ seal_pipes = lp_winbind_sealed_pipes();
++ seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
++ domain->name,
++ seal_pipes);
++
++ if (seal_pipes) {
++ new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
++ } else {
++ new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
++ }
+ } else {
+ /* Ensure we setup the retry handler. */
+ set_domain_offline(domain);
+@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
+ }
+ }
+
++ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
++
+ if (conn->cli) {
+ cli_shutdown(conn->cli);
+ }
+@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ &ndr_table_samr,
+ NCACN_NP,
+ GENSEC_OID_NTLMSSP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
++ conn->auth_level,
+ smbXcli_conn_remote_name(conn->cli->conn),
+ domain_name,
+ machine_account,
+@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+
+ if (conn->lsa_pipe_tcp &&
+ conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
+- conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
++ conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
+ rpccli_is_connected(conn->lsa_pipe_tcp)) {
+ goto done;
+ }
+@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ result = cli_rpc_pipe_open_spnego
+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
+ GENSEC_OID_NTLMSSP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
++ conn->auth_level,
+ smbXcli_conn_remote_name(conn->cli->conn),
+ conn->cli->domain, conn->cli->user_name, conn->cli->password,
+ &conn->lsa_pipe);
+--
+1.9.3
+
+
+From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 14 Nov 2013 18:53:06 +0100
+Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
+---
+ docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+index 26f446e..63f5588 100644
+--- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
++++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+@@ -4,12 +4,12 @@
+ advanced="1" developer="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+ <description>
+- <para>This option controls whether any requests made over the Samba 4 winbind
++ <para>This option controls whether any requests from winbindd to domain controllers
+ pipe will be sealed. Disabling sealing can be useful for debugging
+ purposes.</para>
+
+- <para>Note that this option only applies to the Samba 4 winbind and not
+- to the standard winbind.</para>
++ <para>The behavior can be controlled per netbios domain
++ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
+ </description>
+
+ <value type="default">yes</value>
+--
+1.9.3
+
+
+From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 27 Jul 2013 11:30:13 +0200
+Subject: [PATCH 174/249] s3:rpc_client: make use of the new
+ netlogon_creds_cli_context
+
+This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
+and lets the secure channel session state be stored in node local database.
+
+This is the proper fix for a large number of bugs:
+https://bugzilla.samba.org/show_bug.cgi?id=6563
+https://bugzilla.samba.org/show_bug.cgi?id=7944
+https://bugzilla.samba.org/show_bug.cgi?id=7945
+https://bugzilla.samba.org/show_bug.cgi?id=7568
+https://bugzilla.samba.org/show_bug.cgi?id=8599
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
+---
+ source3/libnet/libnet_join.c | 3 +-
+ source3/libnet/libnet_samsync.c | 19 +-
+ source3/rpc_client/cli_netlogon.c | 436 ++++++++-------------------------
+ source3/rpc_client/cli_pipe.c | 139 +++--------
+ source3/rpc_client/cli_pipe.h | 2 +-
+ source3/rpc_client/cli_pipe_schannel.c | 3 +-
+ source3/rpc_client/rpc_client.h | 2 +-
+ source3/rpcclient/cmd_netlogon.c | 57 ++++-
+ source3/winbindd/winbindd.h | 9 -
+ source3/winbindd/winbindd_cm.c | 36 +--
+ source3/winbindd/winbindd_pam.c | 136 ++--------
+ source3/wscript_build | 6 +-
+ 12 files changed, 250 insertions(+), 598 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index c1eccda..5dc620f 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+ status = cli_rpc_pipe_open_schannel_with_key(
+ cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+- netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
++ netbios_domain_name,
++ netlogon_pipe->netlogon_creds, &pipe_hnd);
+
+ cli_shutdown(cli);
+
+diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
+index a103785..02d3fc6 100644
+--- a/source3/libnet/libnet_samsync.c
++++ b/source3/libnet/libnet_samsync.c
+@@ -30,6 +30,7 @@
+ #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+ #include "../libcli/security/security.h"
+ #include "messages.h"
++#include "../libcli/auth/netlogon_creds_cli.h"
+
+ /**
+ * Fix up the delta, dealing with encryption issues so that the final
+@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
+
+ do {
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+- netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
++ status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
++ mem_ctx, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ netlogon_creds_client_authenticator(creds, &credential);
+
+ if (ctx->single_object_replication &&
+ !ctx->force_full_replication) {
+@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(creds);
+ return status;
+ }
+
+ /* Check returned credentials. */
+- if (!netlogon_creds_client_check(ctx->cli->dc,
++ if (!netlogon_creds_client_check(creds,
+ &return_authenticator.cred)) {
++ TALLOC_FREE(creds);
+ DEBUG(0,("credentials chain check failed\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
++ TALLOC_FREE(creds);
+ return result;
+ }
+
+ if (NT_STATUS_IS_ERR(result)) {
++ TALLOC_FREE(creds);
+ break;
+ }
+
+ samsync_fix_delta_array(mem_ctx,
+- ctx->cli->dc,
++ creds,
+ database_id,
+ delta_enum_array);
++ TALLOC_FREE(creds);
+
+ /* Process results */
+ callback_status = ctx->ops->process_objects(mem_ctx, database_id,
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 5e8a2fc..fcd24d6 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -23,11 +23,13 @@
+ #include "includes.h"
+ #include "rpc_client/rpc_client.h"
+ #include "../libcli/auth/libcli_auth.h"
++#include "../libcli/auth/netlogon_creds_cli.h"
+ #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+ #include "rpc_client/cli_netlogon.h"
+ #include "rpc_client/init_netlogon.h"
+ #include "rpc_client/util_netlogon.h"
+ #include "../libcli/security/security.h"
++#include "lib/param/param.h"
+
+ /****************************************************************************
+ Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
+@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+ enum netr_SchannelType sec_chan_type,
+ uint32_t *neg_flags_inout)
+ {
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct loadparm_context *lp_ctx;
+ NTSTATUS status;
+- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+- struct netr_Credential clnt_chal_send;
+- struct netr_Credential srv_chal_recv;
+ struct samr_Password password;
+- bool retried = false;
+ fstring mach_acct;
+- uint32_t neg_flags = *neg_flags_inout;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ if (!ndr_syntax_id_equal(&cli->abstract_syntax,
+ &ndr_table_netlogon.syntax_id)) {
++ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- TALLOC_FREE(cli->dc);
+-
+- /* Store the machine account password we're going to use. */
+- memcpy(password.hash, machine_pwd, 16);
+-
+- fstr_sprintf( mach_acct, "%s$", machine_account);
+-
+- again:
+- /* Create the client challenge. */
+- generate_random_buffer(clnt_chal_send.data, 8);
+-
+- /* Get the server challenge. */
+- status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
+- cli->srv_name_slash,
+- clnt_name,
+- &clnt_chal_send,
+- &srv_chal_recv,
+- &result);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
++ if (!strequal(lp_netbios_name(), clnt_name)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+- /* Calculate the session key and client credentials */
++ TALLOC_FREE(cli->netlogon_creds);
+
+- cli->dc = netlogon_creds_client_init(cli,
+- mach_acct,
+- clnt_name,
+- sec_chan_type,
+- &clnt_chal_send,
+- &srv_chal_recv,
+- &password,
+- &clnt_chal_send,
+- neg_flags);
++ fstr_sprintf( mach_acct, "%s$", machine_account);
+
+- if (!cli->dc) {
++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
++ if (lp_ctx == NULL) {
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+-
+- /*
+- * Send client auth-2 challenge and receive server repy.
+- */
+-
+- status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
+- cli->srv_name_slash,
+- cli->dc->account_name,
+- sec_chan_type,
+- cli->dc->computer_name,
+- &clnt_chal_send, /* input. */
+- &srv_chal_recv, /* output. */
+- &neg_flags,
+- &result);
++ status = netlogon_creds_cli_context_global(lp_ctx,
++ NULL, /* msg_ctx */
++ mach_acct,
++ sec_chan_type,
++ server_name,
++ domain,
++ cli, &cli->netlogon_creds);
++ talloc_unlink(frame, lp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
+ return status;
+ }
+- /* we might be talking to NT4, so let's downgrade in that case and retry
+- * with the returned neg_flags - gd */
+
+- if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
+- retried = true;
+- TALLOC_FREE(cli->dc);
+- goto again;
++ status = netlogon_creds_cli_get(cli->netlogon_creds,
++ frame, &creds);
++ if (NT_STATUS_IS_OK(status)) {
++ DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
++ "cached credential\n",
++ cli->desthost));
++ *neg_flags_inout = creds->negotiate_flags;
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
+ }
+
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
+- }
+-
+- /*
+- * Check the returned value using the initial
+- * server received challenge.
+- */
+-
+- if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
+- /*
+- * Server replied with bad credential. Fail.
+- */
+- DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
+- "replied with bad credential\n",
+- cli->desthost ));
+- return NT_STATUS_ACCESS_DENIED;
+- }
++ /* Store the machine account password we're going to use. */
++ memcpy(password.hash, machine_pwd, 16);
+
+ DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
+ "chain established.\n",
+ cli->desthost ));
+
+- cli->dc->negotiate_flags = neg_flags;
+- *neg_flags_inout = neg_flags;
++ status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
++ password, NULL);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ status = netlogon_creds_cli_get(cli->netlogon_creds,
++ frame, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_INTERNAL_ERROR;
++ }
+
++ *neg_flags_inout = creds->negotiate_flags;
++ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ const char *username,
+ const char *password,
+ const char *workstation,
+- uint16_t validation_level,
++ uint16_t _ignored_validation_level,
+ int logon_type)
+ {
+- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS status;
+- struct netr_Authenticator clnt_creds;
+- struct netr_Authenticator ret_creds;
+ union netr_LogonLevel *logon;
+- union netr_Validation validation;
+- uint8_t authoritative;
++ uint16_t validation_level = 0;
++ union netr_Validation *validation = NULL;
++ uint8_t authoritative = 0;
++ uint32_t flags = 0;
+ fstring clnt_name_slash;
+- struct dcerpc_binding_handle *b = cli->binding_handle;
+-
+- ZERO_STRUCT(ret_creds);
+
+ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+ if (!logon) {
+@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+
+ /* Initialise input parameters */
+
+- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
+-
+ switch (logon_type) {
+ case NetlogonInteractiveInformation: {
+
+@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+
+ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
+
+- if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
+- netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
+- } else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+- netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
+- netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
+- } else {
+- netlogon_creds_des_encrypt(cli->dc, &lmpassword);
+- netlogon_creds_des_encrypt(cli->dc, &ntpassword);
+- }
+-
+ password_info->identity_info.domain_name.string = domain;
+ password_info->identity_info.parameter_control = logon_parameters;
+ password_info->identity_info.logon_id_low = 0xdead;
+@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
+
+- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
+- cli->srv_name_slash,
+- lp_netbios_name(),
+- &clnt_creds,
+- &ret_creds,
+- logon_type,
+- logon,
+- validation_level,
+- &validation,
+- &authoritative,
+- &result);
++ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
++ cli->binding_handle,
++ logon_type,
++ logon,
++ mem_ctx,
++ &validation_level,
++ &validation,
++ &authoritative,
++ &flags);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+- /* Always check returned credentials */
+- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
+- DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
+- return NT_STATUS_ACCESS_DENIED;
+- }
+-
+- return result;
++ return NT_STATUS_OK;
+ }
+
+ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ const char *domain,
+ const char *workstation,
+ const uint8 chal[8],
+- uint16_t validation_level,
++ uint16_t _ignored_validation_level,
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ struct netr_SamInfo3 **info3)
+ {
+- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS status;
+ const char *workstation_name_slash;
+- const char *server_name_slash;
+- struct netr_Authenticator clnt_creds;
+- struct netr_Authenticator ret_creds;
+ union netr_LogonLevel *logon = NULL;
+ struct netr_NetworkInfo *network_info;
+- uint8_t authoritative;
+- union netr_Validation validation;
++ uint16_t validation_level = 0;
++ union netr_Validation *validation = NULL;
++ uint8_t authoritative = 0;
++ uint32_t flags = 0;
+ struct netr_ChallengeResponse lm;
+ struct netr_ChallengeResponse nt;
+- struct dcerpc_binding_handle *b = cli->binding_handle;
+
+ *info3 = NULL;
+
+- ZERO_STRUCT(ret_creds);
+-
+ ZERO_STRUCT(lm);
+ ZERO_STRUCT(nt);
+
+@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
+-
+- if (server[0] != '\\' && server[1] != '\\') {
+- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
+- } else {
+- server_name_slash = server;
+- }
+-
+ if (workstation[0] != '\\' && workstation[1] != '\\') {
+ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
+ } else {
+ workstation_name_slash = workstation;
+ }
+
+- if (!workstation_name_slash || !server_name_slash) {
++ if (!workstation_name_slash) {
+ DEBUG(0, ("talloc_asprintf failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+
+ /* Marshall data and send request */
+
+- status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
+- server_name_slash,
+- lp_netbios_name(),
+- &clnt_creds,
+- &ret_creds,
+- NetlogonNetworkInformation,
+- logon,
+- validation_level,
+- &validation,
+- &authoritative,
+- &result);
++ status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
++ cli->binding_handle,
++ NetlogonNetworkInformation,
++ logon,
++ mem_ctx,
++ &validation_level,
++ &validation,
++ &authoritative,
++ &flags);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+- /* Always check returned credentials. */
+- if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
+- DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
+- return NT_STATUS_ACCESS_DENIED;
+- }
+-
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
+- }
+-
+- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
+- &validation);
+-
+- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
++ status = map_validation_to_info3(mem_ctx,
++ validation_level, validation,
++ info3);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+
+- return result;
++ return NT_STATUS_OK;
+ }
+
+ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
+@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
+ DATA_BLOB nt_response,
+ struct netr_SamInfo3 **info3)
+ {
+- NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+- NTSTATUS status;
+- const char *workstation_name_slash;
+- const char *server_name_slash;
+- union netr_LogonLevel *logon = NULL;
+- struct netr_NetworkInfo *network_info;
+- uint8_t authoritative;
+- union netr_Validation validation;
+- struct netr_ChallengeResponse lm;
+- struct netr_ChallengeResponse nt;
+- uint32_t flags = 0;
+- struct dcerpc_binding_handle *b = cli->binding_handle;
+-
+- *info3 = NULL;
+-
+- ZERO_STRUCT(lm);
+- ZERO_STRUCT(nt);
+-
+- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+- if (!logon) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
+- if (!network_info) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- if (server[0] != '\\' && server[1] != '\\') {
+- server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
+- } else {
+- server_name_slash = server;
+- }
+-
+- if (workstation[0] != '\\' && workstation[1] != '\\') {
+- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
+- } else {
+- workstation_name_slash = workstation;
+- }
+-
+- if (!workstation_name_slash || !server_name_slash) {
+- DEBUG(0, ("talloc_asprintf failed!\n"));
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- /* Initialise input parameters */
+-
+- lm.data = lm_response.data;
+- lm.length = lm_response.length;
+- nt.data = nt_response.data;
+- nt.length = nt_response.length;
+-
+- network_info->identity_info.domain_name.string = domain;
+- network_info->identity_info.parameter_control = logon_parameters;
+- network_info->identity_info.logon_id_low = 0xdead;
+- network_info->identity_info.logon_id_high = 0xbeef;
+- network_info->identity_info.account_name.string = username;
+- network_info->identity_info.workstation.string = workstation_name_slash;
+-
+- memcpy(network_info->challenge, chal, 8);
+- network_info->nt = nt;
+- network_info->lm = lm;
+-
+- logon->network = network_info;
+-
+- /* Marshall data and send request */
+-
+- status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
+- server_name_slash,
+- lp_netbios_name(),
+- NetlogonNetworkInformation,
+- logon,
+- validation_level,
+- &validation,
+- &authoritative,
+- &flags,
+- &result);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
+- }
+-
+- netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
+- &validation);
+-
+- result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
+- }
+-
+- return result;
++ return rpccli_netlogon_sam_network_logon(cli,
++ mem_ctx,
++ logon_parameters,
++ server,
++ username,
++ domain,
++ workstation,
++ chal,
++ validation_level,
++ lm_response,
++ nt_response,
++ info3);
+ }
+
+ /*********************************************************
+@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+ const unsigned char new_trust_passwd_hash[16],
+ enum netr_SchannelType sec_channel_type)
+ {
+- NTSTATUS result, status;
+- struct netr_Authenticator clnt_creds, srv_cred;
+- struct dcerpc_binding_handle *b = cli->binding_handle;
++ NTSTATUS result;
+
+- if (!cli->dc) {
++ if (cli->netlogon_creds == NULL) {
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+ NETLOGON_NEG_SUPPORTS_AES;
+ result = rpccli_netlogon_setup_creds(cli,
+@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+ }
+ }
+
+- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
+-
+- if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
+-
+- struct netr_CryptPassword new_password;
+- uint32_t old_timeout;
+-
+- init_netr_CryptPassword(new_trust_pwd_cleartext,
+- cli->dc,
+- &new_password);
+-
+- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
+-
+- status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
+- cli->srv_name_slash,
+- cli->dc->account_name,
+- sec_channel_type,
+- cli->dc->computer_name,
+- &clnt_creds,
+- &srv_cred,
+- &new_password,
+- &result);
+-
+- dcerpc_binding_handle_set_timeout(b, old_timeout);
+-
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
+- nt_errstr(status)));
+- return status;
+- }
+- } else {
+-
+- struct samr_Password new_password;
+- uint32_t old_timeout;
+-
+- memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
+- netlogon_creds_des_encrypt(cli->dc, &new_password);
+-
+- old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
+-
+- status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
+- cli->srv_name_slash,
+- cli->dc->account_name,
+- sec_channel_type,
+- cli->dc->computer_name,
+- &clnt_creds,
+- &srv_cred,
+- &new_password,
+- &result);
+-
+- dcerpc_binding_handle_set_timeout(b, old_timeout);
+-
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
+- nt_errstr(status)));
+- return status;
+- }
+- }
+-
+- /* Always check returned credentials. */
+- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
+- DEBUG(0,("credentials chain check failed\n"));
+- return NT_STATUS_ACCESS_DENIED;
+- }
+-
++ result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
++ cli->binding_handle,
++ new_trust_pwd_cleartext,
++ NULL); /* new_version */
+ if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
++ DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
+ nt_errstr(result)));
+ return result;
+ }
+
+- return result;
++ return NT_STATUS_OK;
+ }
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index a45023f..fe1613d 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -24,6 +24,7 @@
+ #include "librpc/gen_ndr/ndr_epmapper_c.h"
+ #include "../librpc/gen_ndr/ndr_dssetup.h"
+ #include "../libcli/auth/schannel.h"
++#include "../libcli/auth/netlogon_creds_cli.h"
+ #include "auth_generic.h"
+ #include "librpc/gen_ndr/ndr_dcerpc.h"
+ #include "librpc/gen_ndr/ndr_netlogon_c.h"
+@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+- struct netlogon_creds_CredentialState **pdc,
++ struct netlogon_creds_cli_context *netlogon_creds,
+ struct rpc_pipe_client **_rpccli)
+ {
+ struct rpc_pipe_client *rpccli;
+ struct pipe_auth_data *rpcauth;
++ struct netlogon_creds_CredentialState *creds = NULL;
+ NTSTATUS status;
+- NTSTATUS result;
+- struct netlogon_creds_CredentialState save_creds;
+- struct netr_Authenticator auth;
+- struct netr_Authenticator return_auth;
+- union netr_Capabilities capabilities;
+ const char *target_service = table->authservices->names[0];
++ int rpc_pipe_bind_dbglvl = 0;
+
+ status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
++ status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
++ nt_errstr(status)));
++ TALLOC_FREE(rpccli);
++ return status;
++ }
++
+ status = rpccli_generic_bind_data(rpccli,
+ DCERPC_AUTH_TYPE_SCHANNEL,
+ auth_level,
+ NULL,
+ target_service,
+ domain,
+- (*pdc)->computer_name,
++ creds->computer_name,
+ NULL,
+ CRED_AUTO_USE_KERBEROS,
+- *pdc,
++ creds,
+ &rpcauth);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
+@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ return status;
+ }
+
+- /*
+- * The credentials on a new netlogon pipe are the ones we are passed
+- * in - copy them over
+- *
+- * This may get overwritten... in rpc_pipe_bind()...
+- */
+- rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
+- if (rpccli->dc == NULL) {
+- TALLOC_FREE(rpccli);
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+ status = rpc_pipe_bind(rpccli, rpcauth);
++ if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
++ rpc_pipe_bind_dbglvl = 1;
++ netlogon_creds_cli_delete(netlogon_creds, &creds);
++ }
+ if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
+- "cli_rpc_pipe_bind failed with error %s\n",
+- nt_errstr(status) ));
++ DEBUG(rpc_pipe_bind_dbglvl,
++ ("cli_rpc_pipe_open_schannel_with_key: "
++ "rpc_pipe_bind failed with error %s\n",
++ nt_errstr(status)));
+ TALLOC_FREE(rpccli);
+ return status;
+ }
+
+- if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
+- goto done;
+- }
+-
+- save_creds = *rpccli->dc;
+- ZERO_STRUCT(return_auth);
+- ZERO_STRUCT(capabilities);
++ TALLOC_FREE(creds);
+
+- netlogon_creds_client_authenticator(&save_creds, &auth);
+-
+- status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
+- talloc_tos(),
+- rpccli->srv_name_slash,
+- save_creds.computer_name,
+- &auth, &return_auth,
+- 1, &capabilities,
+- &result);
+- if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- DEBUG(5, ("AES was negotiated and the error was %s - "
+- "downgrade detected\n",
+- nt_errstr(status)));
+- TALLOC_FREE(rpccli);
+- return NT_STATUS_INVALID_NETWORK_RESPONSE;
+- }
+-
+- /* This is probably an old Samba Version */
+- DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
+- nt_errstr(status)));
++ if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
+ goto done;
+ }
+
++ status = netlogon_creds_cli_check(netlogon_creds,
++ rpccli->binding_handle);
+ if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
++ DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
+ nt_errstr(status)));
+ TALLOC_FREE(rpccli);
+ return status;
+ }
+
+- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+- if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- /* This means AES isn't supported. */
+- DEBUG(5, ("AES was negotiated and the result was %s - "
+- "downgrade detected\n",
+- nt_errstr(result)));
+- TALLOC_FREE(rpccli);
+- return NT_STATUS_INVALID_NETWORK_RESPONSE;
+- }
+-
+- /* This is probably an old Windows version */
+- DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
+- nt_errstr(result)));
+- goto done;
+- }
+-
+- /*
+- * We need to check the credential state here, cause win2k3 and earlier
+- * returns NT_STATUS_NOT_IMPLEMENTED
+- */
+- if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
+- /*
+- * Server replied with bad credential. Fail.
+- */
+- DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
+- "replied with bad credential\n",
+- rpccli->desthost));
+- TALLOC_FREE(rpccli);
+- return NT_STATUS_INVALID_NETWORK_RESPONSE;
+- }
+- *rpccli->dc = save_creds;
+-
+- if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
+- nt_errstr(result)));
+- TALLOC_FREE(rpccli);
+- return result;
+- }
+-
+- if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
+- /* This means AES isn't supported. */
+- DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
+- "was OK - downgrade detected\n"));
+- TALLOC_FREE(rpccli);
+- return NT_STATUS_INVALID_NETWORK_RESPONSE;
+- }
+-
+- if (save_creds.negotiate_flags != capabilities.server_capabilities) {
+- DEBUG(0, ("The client capabilities don't match the server "
+- "capabilities: local[0x%08X] remote[0x%08X]\n",
+- save_creds.negotiate_flags,
+- capabilities.server_capabilities));
++ status = netlogon_creds_cli_context_copy(netlogon_creds,
++ rpccli,
++ &rpccli->netlogon_creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
++ nt_errstr(status)));
+ TALLOC_FREE(rpccli);
+- return NT_STATUS_INVALID_NETWORK_RESPONSE;
++ return status;
+ }
+
+ done:
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 826f9bf..cf0c5c6 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+- struct netlogon_creds_CredentialState **pdc,
++ struct netlogon_creds_cli_context *netlogon_creds,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index aaae44b..e3d65c8 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
++ cli, table, transport, auth_level, domain,
++ netlogon_pipe->netlogon_creds,
+ &result);
+
+ /* Now we've bound using the session key we can close the netlog pipe. */
+diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
+index 8024f01..7c4cceb 100644
+--- a/source3/rpc_client/rpc_client.h
++++ b/source3/rpc_client/rpc_client.h
+@@ -50,7 +50,7 @@ struct rpc_pipe_client {
+ struct pipe_auth_data *auth;
+
+ /* The following is only non-null on a netlogon client pipe. */
+- struct netlogon_creds_CredentialState *dc;
++ struct netlogon_creds_cli_context *netlogon_creds;
+ };
+
+ #endif /* _RPC_CLIENT_H */
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index d92434b..2e0b5e5 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -26,6 +26,7 @@
+ #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+ #include "rpc_client/cli_netlogon.h"
+ #include "secrets.h"
++#include "../libcli/auth/netlogon_creds_cli.h"
+
+ static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx, int argc,
+@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
+
+ do {
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+- netlogon_creds_client_authenticator(cli->dc, &credential);
++ status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ mem_ctx, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ netlogon_creds_client_authenticator(creds, &credential);
+
+ status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
+ logon_server,
+@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
+ 0xffff,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(creds);
+ return status;
+ }
+
+ /* Check returned credentials. */
+- if (!netlogon_creds_client_check(cli->dc,
++ if (!netlogon_creds_client_check(creds,
+ &return_authenticator.cred)) {
+ DEBUG(0,("credentials chain check failed\n"));
++ TALLOC_FREE(creds);
+ return NT_STATUS_ACCESS_DENIED;
+ }
++ TALLOC_FREE(creds);
+
+ if (NT_STATUS_IS_ERR(result)) {
+ break;
+@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
+
+ do {
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
++
++ status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ mem_ctx, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
+
+- netlogon_creds_client_authenticator(cli->dc, &credential);
++ netlogon_creds_client_authenticator(creds, &credential);
+
+ status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
+ logon_server,
+@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
+ 0xffff,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(creds);
+ return status;
+ }
+
+ /* Check returned credentials. */
+- if (!netlogon_creds_client_check(cli->dc,
++ if (!netlogon_creds_client_check(creds,
+ &return_authenticator.cred)) {
+ DEBUG(0,("credentials chain check failed\n"));
++ TALLOC_FREE(creds);
+ return NT_STATUS_ACCESS_DENIED;
+ }
++ TALLOC_FREE(creds);
+
+ if (NT_STATUS_IS_ERR(result)) {
+ break;
+@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ struct netr_ChangeLogEntry e;
+ uint32_t rid = 500;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ if (argc > 2) {
+ fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
+@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ return status;
+ }
+
+- netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
++ status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ mem_ctx, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ netlogon_creds_client_authenticator(creds, &clnt_creds);
+
+ ZERO_STRUCT(e);
+
+@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ &delta_enum_array,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(creds);
+ return status;
+ }
+
+- if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
++ if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
+ DEBUG(0,("credentials chain check failed\n"));
++ TALLOC_FREE(creds);
+ return NT_STATUS_ACCESS_DENIED;
+ }
++ TALLOC_FREE(creds);
+
+ return result;
+ }
+@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
+ union netr_Capabilities capabilities;
+ uint32_t level = 1;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ if (argc > 2) {
+ fprintf(stderr, "Usage: %s <level>\n", argv[0]);
+@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
+
+ ZERO_STRUCT(return_authenticator);
+
+- netlogon_creds_client_authenticator(cli->dc, &credential);
++ status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ mem_ctx, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ netlogon_creds_client_authenticator(creds, &credential);
+
+ status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
+ cli->desthost,
+@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
+ &capabilities,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(creds);
+ return status;
+ }
+
+- if (!netlogon_creds_client_check(cli->dc,
++ if (!netlogon_creds_client_check(creds,
+ &return_authenticator.cred)) {
+ DEBUG(0,("credentials chain check failed\n"));
++ TALLOC_FREE(creds);
+ return NT_STATUS_ACCESS_DENIED;
+ }
++ TALLOC_FREE(creds);
+
+ printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index afde685..b5fc010 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -165,16 +165,7 @@ struct winbindd_domain {
+ time_t startup_time; /* When we set "startup" true. monotonic clock */
+ bool startup; /* are we in the first 30 seconds after startup_time ? */
+
+- bool can_do_samlogon_ex; /* Due to the lack of finer control what type
+- * of DC we have, let us try to do a
+- * credential-chain less samlogon_ex call
+- * with AD and schannel. If this fails with
+- * DCERPC_FAULT_OP_RNG_ERROR, then set this
+- * to False. This variable is around so that
+- * we don't have to try _ex every time. */
+-
+ bool can_do_ncacn_ip_tcp;
+- bool can_do_validation6;
+
+ /* Lookup methods for this domain (LDAP or RPC) */
+ struct winbindd_methods *methods;
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 6c1244e..e0d1d0c 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
+ domain->active_directory ? "" : "NOT "));
+
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+- domain->can_do_validation6 = domain->active_directory;
+
+ domain->initialized = True;
+
+@@ -2248,7 +2247,6 @@ done:
+ domain->name, domain->active_directory ? "" : "NOT "));
+
+ domain->can_do_ncacn_ip_tcp = domain->active_directory;
+- domain->can_do_validation6 = domain->active_directory;
+
+ TALLOC_FREE(cli);
+
+@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
+ ***********************************************************************/
+
+ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
+- struct netlogon_creds_CredentialState **ppdc)
++ struct netlogon_creds_cli_context **ppdc)
+ {
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct rpc_pipe_client *netlogon_pipe;
+@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
+ /* Return a pointer to the struct netlogon_creds_CredentialState from the
+ netlogon pipe. */
+
+- if (!domain->conn.netlogon_pipe->dc) {
++ if (!domain->conn.netlogon_pipe->netlogon_creds) {
+ return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
+ }
+
+- *ppdc = domain->conn.netlogon_pipe->dc;
++ *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
+ return NT_STATUS_OK;
+ }
+
+@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ {
+ struct winbindd_cm_conn *conn;
+ NTSTATUS status, result;
+- struct netlogon_creds_CredentialState *p_creds;
++ struct netlogon_creds_cli_context *p_creds;
+ char *machine_password = NULL;
+ char *machine_account = NULL;
+ const char *domain_name = NULL;
+@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ status = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, &ndr_table_samr, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+- domain->name, &p_creds, &conn->samr_pipe);
++ domain->name, p_creds, &conn->samr_pipe);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
+@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli)
+ {
+ struct winbindd_cm_conn *conn;
+- struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_cli_context *creds;
+ NTSTATUS status;
+
+ DEBUG(10,("cm_connect_lsa_tcp\n"));
+@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+ NCACN_IP_TCP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name,
+- &creds,
++ creds,
+ &conn->lsa_pipe_tcp);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
+@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ {
+ struct winbindd_cm_conn *conn;
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+- struct netlogon_creds_CredentialState *p_creds;
++ struct netlogon_creds_cli_context *p_creds;
+
+ result = init_dc_connection_rpc(domain);
+ if (!NT_STATUS_IS_OK(result))
+@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ result = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+- domain->name, &p_creds, &conn->lsa_pipe);
++ domain->name, p_creds, &conn->lsa_pipe);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
+@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ no_schannel:
+ if ((lp_client_schannel() == False) ||
+ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+- /*
+- * NetSamLogonEx only works for schannel
+- */
+- domain->can_do_samlogon_ex = False;
+
+ /* We're done - just keep the existing connection to NETLOGON
+ * open */
+@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+
+ result = cli_rpc_pipe_open_schannel_with_key(
+ conn->cli, &ndr_table_netlogon, NCACN_NP,
+- DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
++ DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
++ netlogon_pipe->netlogon_creds,
+ &conn->netlogon_pipe);
+
+ /* We can now close the initial netlogon pipe. */
+@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ return result;
+ }
+
+- /*
+- * Always try netr_LogonSamLogonEx. We will fall back for NT4
+- * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
+- * supported). We used to only try SamLogonEx for AD, but
+- * Samba DCs can also do it. And because we don't distinguish
+- * between Samba and NT4, always try it once.
+- */
+- domain->can_do_samlogon_ex = true;
+-
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index c356686..39483a5 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+
+ do {
+ struct rpc_pipe_client *netlogon_pipe;
+- const struct pipe_auth_data *auth;
+- uint32_t neg_flags = 0;
+
+ ZERO_STRUCTP(info3);
+ retry = false;
+@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ }
+ netr_attempts = 0;
+
+- auth = netlogon_pipe->auth;
+- if (netlogon_pipe->dc) {
+- neg_flags = netlogon_pipe->dc->negotiate_flags;
+- }
+-
+- /* It is really important to try SamLogonEx here,
+- * because in a clustered environment, we want to use
+- * one machine account from multiple physical
+- * computers.
+- *
+- * With a normal SamLogon call, we must keep the
+- * credentials chain updated and intact between all
+- * users of the machine account (which would imply
+- * cross-node communication for every NTLM logon).
+- *
+- * (The credentials chain is not per NETLOGON pipe
+- * connection, but globally on the server/client pair
+- * by machine name).
+- *
+- * When using SamLogonEx, the credentials are not
+- * supplied, but the session key is implied by the
+- * wrapping SamLogon context.
+- *
+- * -- abartlet 21 April 2008
+- *
+- * It's also important to use NetlogonValidationSamInfo4 (6),
+- * because it relies on the rpc transport encryption
+- * and avoids using the global netlogon schannel
+- * session key to en/decrypt secret information
+- * like the user_session_key for network logons.
+- *
+- * [MS-APDS] 3.1.5.2 NTLM Network Logon
+- * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
+- * NETLOGON_NEG_AUTHENTICATED_RPC set together
+- * are the indication that the server supports
+- * NetlogonValidationSamInfo4 (6). And it must only
+- * be used if "SealSecureChannel" is used.
+- *
+- * -- metze 4 February 2011
+- */
+-
+- if (auth == NULL) {
+- domain->can_do_validation6 = false;
+- } else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+- domain->can_do_validation6 = false;
+- } else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+- domain->can_do_validation6 = false;
+- } else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
+- domain->can_do_validation6 = false;
+- } else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+- domain->can_do_validation6 = false;
+- }
+-
+- if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
+- result = rpccli_netlogon_sam_network_logon_ex(
+- netlogon_pipe,
+- mem_ctx,
+- logon_parameters,
+- server, /* server name */
+- username, /* user name */
+- domainname, /* target domain */
+- workstation, /* workstation */
+- chal,
+- 6,
+- lm_response,
+- nt_response,
+- info3);
+- } else {
+- result = rpccli_netlogon_sam_network_logon(
++ result = rpccli_netlogon_sam_network_logon(
+ netlogon_pipe,
+ mem_ctx,
+ logon_parameters,
+@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ domainname, /* target domain */
+ workstation, /* workstation */
+ chal,
+- domain->can_do_validation6 ? 6 : 3,
++ -1, /* ignored */
+ lm_response,
+ nt_response,
+ info3);
+- }
+-
+- if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+-
+- /*
+- * It's likely that the server also does not support
+- * validation level 6
+- */
+- domain->can_do_validation6 = false;
+-
+- if (domain->can_do_samlogon_ex) {
+- DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
+- "retrying with NetSamLogon\n"));
+- domain->can_do_samlogon_ex = false;
+- retry = true;
+- continue;
+- }
+-
+-
+- /* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
+- * (no Ex). This happens against old Samba
+- * DCs. Drop the connection.
+- */
+- invalidate_cm_connection(&domain->conn);
+- result = NT_STATUS_LOGON_FAILURE;
+- break;
+- }
+-
+- if (domain->can_do_validation6 &&
+- (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
+- NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
+- NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
+- DEBUG(3,("Got a DC that can not do validation level 6, "
+- "retrying with level 3\n"));
+- domain->can_do_validation6 = false;
+- retry = true;
+- continue;
+- }
+
+ /*
+ * we increment this after the "feature negotiation"
+@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ retry = true;
+ }
+
++ if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
++ /*
++ * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
++ * (no Ex). This happens against old Samba
++ * DCs, if LogonSamLogonEx() fails with an error
++ * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
++ *
++ * The server will log something like this:
++ * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
++ *
++ * This sets the whole connection into a fault_state mode
++ * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
++ *
++ * This also happens to our retry with LogonSamLogonWithFlags()
++ * and LogonSamLogon().
++ *
++ * In order to recover from this situation, we need to
++ * drop the connection.
++ */
++ invalidate_cm_connection(&domain->conn);
++ result = NT_STATUS_LOGON_FAILURE;
++ break;
++ }
++
+ } while ( (attempts < 2) && retry );
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
+diff --git a/source3/wscript_build b/source3/wscript_build
+index 13d15c3..0d3ba8e 100755
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
+ deps='''ndr ndr-standard
+ RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
+ LIBTSOCKET gse dcerpc-binding
+- libsmb
+- ndr-table''',
++ libsmb ndr-table NETLOGON_CREDS_CLI
++ ''',
+ vars=locals(),
+ private_library=True)
+
+@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
+
+ bld.SAMBA3_LIBRARY('libcli_netlogon3',
+ source=LIBCLI_NETLOGON_SRC,
+- deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
++ deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
+ private_library=True)
+
+ bld.SAMBA3_LIBRARY('cli_spoolss',
+--
+1.9.3
+
+
+From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 17:03:00 +0200
+Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
+ cli_rpc_pipe_open_schannel_with_key()
+
+This means the auth level is now based on the "winbindd sealed pipes" option,
+defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
+---
+ source3/libnet/libnet_join.c | 1 -
+ source3/rpc_client/cli_pipe.c | 4 +++-
+ source3/rpc_client/cli_pipe.h | 1 -
+ source3/rpc_client/cli_pipe_schannel.c | 2 +-
+ source3/winbindd/winbindd_cm.c | 5 +----
+ 5 files changed, 5 insertions(+), 8 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 5dc620f..b2805ee 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+ cli, &ndr_table_netlogon, NCACN_NP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
+ netbios_domain_name,
+ netlogon_pipe->netlogon_creds, &pipe_hnd);
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index fe1613d..31cd7f5 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
+ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+- enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+ struct netlogon_creds_cli_context *netlogon_creds,
+ struct rpc_pipe_client **_rpccli)
+@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct rpc_pipe_client *rpccli;
+ struct pipe_auth_data *rpcauth;
+ struct netlogon_creds_CredentialState *creds = NULL;
++ enum dcerpc_AuthLevel auth_level;
+ NTSTATUS status;
+ const char *target_service = table->authservices->names[0];
+ int rpc_pipe_bind_dbglvl = 0;
+@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ return status;
+ }
+
++ auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
++
+ status = rpccli_generic_bind_data(rpccli,
+ DCERPC_AUTH_TYPE_SCHANNEL,
+ auth_level,
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index cf0c5c6..c21c55d 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
+ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+- enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+ struct netlogon_creds_cli_context *netlogon_creds,
+ struct rpc_pipe_client **presult);
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index e3d65c8..8f9161f 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+- cli, table, transport, auth_level, domain,
++ cli, table, transport, domain,
+ netlogon_pipe->netlogon_creds,
+ &result);
+
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index e0d1d0c..1546002 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ }
+ status = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, &ndr_table_samr, NCACN_NP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name, p_creds, &conn->samr_pipe);
+
+ if (!NT_STATUS_IS_OK(status)) {
+@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
+ status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
+ &ndr_table_lsarpc,
+ NCACN_IP_TCP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name,
+ creds,
+ &conn->lsa_pipe_tcp);
+@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
+ }
+ result = cli_rpc_pipe_open_schannel_with_key
+ (conn->cli, &ndr_table_lsarpc, NCACN_NP,
+- DCERPC_AUTH_LEVEL_PRIVACY,
+ domain->name, p_creds, &conn->lsa_pipe);
+
+ if (!NT_STATUS_IS_OK(result)) {
+@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+
+ result = cli_rpc_pipe_open_schannel_with_key(
+ conn->cli, &ndr_table_netlogon, NCACN_NP,
+- DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
++ domain->name,
+ netlogon_pipe->netlogon_creds,
+ &conn->netlogon_pipe);
+
+--
+1.9.3
+
+
+From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 7 Aug 2013 11:27:25 +0200
+Subject: [PATCH 176/249] s3:rpc_client: add
+ rpccli_{create,setup}_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
+---
+ source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
+ source3/rpc_client/cli_netlogon.h | 16 ++++++
+ 2 files changed, 121 insertions(+)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index fcd24d6..89aec37 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -21,15 +21,19 @@
+ */
+
+ #include "includes.h"
++#include "libsmb/libsmb.h"
+ #include "rpc_client/rpc_client.h"
++#include "rpc_client/cli_pipe.h"
+ #include "../libcli/auth/libcli_auth.h"
+ #include "../libcli/auth/netlogon_creds_cli.h"
+ #include "../librpc/gen_ndr/ndr_netlogon_c.h"
++#include "../librpc/gen_ndr/schannel.h"
+ #include "rpc_client/cli_netlogon.h"
+ #include "rpc_client/init_netlogon.h"
+ #include "rpc_client/util_netlogon.h"
+ #include "../libcli/security/security.h"
+ #include "lib/param/param.h"
++#include "libcli/smb/smbXcli_base.h"
+
+ /****************************************************************************
+ Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
+@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+ return NT_STATUS_OK;
+ }
+
++NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
++ const char *server_netbios_domain,
++ const char *client_account,
++ enum netr_SchannelType sec_chan_type,
++ struct messaging_context *msg_ctx,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **netlogon_creds)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct loadparm_context *lp_ctx;
++ NTSTATUS status;
++
++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
++ if (lp_ctx == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++ status = netlogon_creds_cli_context_global(lp_ctx,
++ msg_ctx,
++ client_account,
++ sec_chan_type,
++ server_computer,
++ server_netbios_domain,
++ mem_ctx, netlogon_creds);
++ TALLOC_FREE(frame);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ return NT_STATUS_OK;
++}
++
++NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
++ struct netlogon_creds_cli_context *netlogon_creds,
++ bool force_reauth,
++ struct samr_Password current_nt_hash,
++ const struct samr_Password *previous_nt_hash)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct rpc_pipe_client *netlogon_pipe = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ NTSTATUS status;
++
++ status = netlogon_creds_cli_get(netlogon_creds,
++ frame, &creds);
++ if (NT_STATUS_IS_OK(status)) {
++ const char *action = "using";
++
++ if (force_reauth) {
++ action = "overwrite";
++ }
++
++ DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
++ __FUNCTION__, action,
++ creds->account_name, creds->computer_name,
++ smbXcli_conn_remote_name(cli->conn)));
++ if (!force_reauth) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++ }
++ TALLOC_FREE(creds);
++ }
++
++ status = cli_rpc_pipe_open_noauth(cli,
++ &ndr_table_netlogon,
++ &netlogon_pipe);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
++ __FUNCTION__,
++ smbXcli_conn_remote_name(cli->conn),
++ nt_errstr(status)));
++ TALLOC_FREE(frame);
++ return status;
++ }
++ talloc_steal(frame, netlogon_pipe);
++
++ status = netlogon_creds_cli_auth(netlogon_creds,
++ netlogon_pipe->binding_handle,
++ current_nt_hash,
++ previous_nt_hash);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ status = netlogon_creds_cli_get(netlogon_creds,
++ frame, &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_INTERNAL_ERROR;
++ }
++
++ DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
++ __FUNCTION__,
++ creds->account_name, creds->computer_name,
++ smbXcli_conn_remote_name(cli->conn)));
++
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++}
++
+ /* Logon domain user */
+
+ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index ad59d5b..82e0923 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -23,6 +23,10 @@
+ #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
+ #define _RPC_CLIENT_CLI_NETLOGON_H_
+
++struct cli_state;
++struct messaging_context;
++struct netlogon_creds_cli_context;
++
+ /* The following definitions come from rpc_client/cli_netlogon.c */
+
+ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+ const unsigned char machine_pwd[16],
+ enum netr_SchannelType sec_chan_type,
+ uint32_t *neg_flags_inout);
++NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
++ const char *server_netbios_domain,
++ const char *client_account,
++ enum netr_SchannelType sec_chan_type,
++ struct messaging_context *msg_ctx,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **netlogon_creds);
++NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
++ struct netlogon_creds_cli_context *netlogon_creds,
++ bool force_reauth,
++ struct samr_Password current_nt_hash,
++ const struct samr_Password *previous_nt_hash);
+ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+--
+1.9.3
+
+
+From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Dec 2013 20:05:56 +0100
+Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
+---
+ source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
+ source3/rpc_client/cli_netlogon.h | 1 +
+ 2 files changed, 22 insertions(+)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 89aec37..9342fc3 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+ return NT_STATUS_OK;
+ }
+
++NTSTATUS rpccli_pre_open_netlogon_creds(void)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct loadparm_context *lp_ctx;
++ NTSTATUS status;
++
++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
++ if (lp_ctx == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ status = netlogon_creds_cli_open_global_db(lp_ctx);
++ TALLOC_FREE(frame);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ return NT_STATUS_OK;
++}
++
+ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
+ const char *server_netbios_domain,
+ const char *client_account,
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index 82e0923..3096c48 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+ const unsigned char machine_pwd[16],
+ enum netr_SchannelType sec_chan_type,
+ uint32_t *neg_flags_inout);
++NTSTATUS rpccli_pre_open_netlogon_creds(void);
+ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
+ const char *server_netbios_domain,
+ const char *client_account,
+--
+1.9.3
+
+
+From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 14:07:43 +0200
+Subject: [PATCH 178/249] s3:rpc_client: remove unused
+ rpccli_netlogon_sam_network_logon_ex()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
+---
+ source3/rpc_client/cli_netlogon.c | 27 ---------------------------
+ source3/rpc_client/cli_netlogon.h | 12 ------------
+ 2 files changed, 39 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 9342fc3..253d060 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ return NT_STATUS_OK;
+ }
+
+-NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- uint32 logon_parameters,
+- const char *server,
+- const char *username,
+- const char *domain,
+- const char *workstation,
+- const uint8 chal[8],
+- uint16_t validation_level,
+- DATA_BLOB lm_response,
+- DATA_BLOB nt_response,
+- struct netr_SamInfo3 **info3)
+-{
+- return rpccli_netlogon_sam_network_logon(cli,
+- mem_ctx,
+- logon_parameters,
+- server,
+- username,
+- domain,
+- workstation,
+- chal,
+- validation_level,
+- lm_response,
+- nt_response,
+- info3);
+-}
+-
+ /*********************************************************
+ Change the domain password on the PDC.
+
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index 3096c48..f10e5c7 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ struct netr_SamInfo3 **info3);
+-NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- uint32 logon_parameters,
+- const char *server,
+- const char *username,
+- const char *domain,
+- const char *workstation,
+- const uint8 chal[8],
+- uint16_t validation_level,
+- DATA_BLOB lm_response,
+- DATA_BLOB nt_response,
+- struct netr_SamInfo3 **info3);
+ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *account_name,
+--
+1.9.3
+
+
+From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 14:36:24 +0200
+Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
+---
+ source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
+ source3/rpc_client/cli_netlogon.h | 14 ++++++
+ 2 files changed, 117 insertions(+)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 253d060..e335423 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ return NT_STATUS_OK;
+ }
+
++NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
++ struct dcerpc_binding_handle *binding_handle,
++ TALLOC_CTX *mem_ctx,
++ uint32_t logon_parameters,
++ const char *username,
++ const char *domain,
++ const char *workstation,
++ const uint8 chal[8],
++ DATA_BLOB lm_response,
++ DATA_BLOB nt_response,
++ uint8_t *authoritative,
++ uint32_t *flags,
++ struct netr_SamInfo3 **info3)
++{
++ NTSTATUS status;
++ const char *workstation_name_slash;
++ union netr_LogonLevel *logon = NULL;
++ struct netr_NetworkInfo *network_info;
++ uint16_t validation_level = 0;
++ union netr_Validation *validation = NULL;
++ uint8_t _authoritative = 0;
++ uint32_t _flags = 0;
++ struct netr_ChallengeResponse lm;
++ struct netr_ChallengeResponse nt;
++
++ *info3 = NULL;
++
++ if (authoritative == NULL) {
++ authoritative = &_authoritative;
++ }
++ if (flags == NULL) {
++ flags = &_flags;
++ }
++
++ ZERO_STRUCT(lm);
++ ZERO_STRUCT(nt);
++
++ logon = talloc_zero(mem_ctx, union netr_LogonLevel);
++ if (!logon) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
++ if (!network_info) {
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ if (workstation[0] != '\\' && workstation[1] != '\\') {
++ workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
++ } else {
++ workstation_name_slash = workstation;
++ }
++
++ if (!workstation_name_slash) {
++ DEBUG(0, ("talloc_asprintf failed!\n"));
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ /* Initialise input parameters */
++
++ lm.data = lm_response.data;
++ lm.length = lm_response.length;
++ nt.data = nt_response.data;
++ nt.length = nt_response.length;
++
++ network_info->identity_info.domain_name.string = domain;
++ network_info->identity_info.parameter_control = logon_parameters;
++ network_info->identity_info.logon_id_low = 0xdead;
++ network_info->identity_info.logon_id_high = 0xbeef;
++ network_info->identity_info.account_name.string = username;
++ network_info->identity_info.workstation.string = workstation_name_slash;
++
++ memcpy(network_info->challenge, chal, 8);
++ network_info->nt = nt;
++ network_info->lm = lm;
++
++ logon->network = network_info;
++
++ /* Marshall data and send request */
++
++ status = netlogon_creds_cli_LogonSamLogon(creds,
++ binding_handle,
++ NetlogonNetworkInformation,
++ logon,
++ mem_ctx,
++ &validation_level,
++ &validation,
++ authoritative,
++ flags);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ status = map_validation_to_info3(mem_ctx,
++ validation_level, validation,
++ info3);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ return NT_STATUS_OK;
++}
++
+ /*********************************************************
+ Change the domain password on the PDC.
+
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index f10e5c7..54ed7ae 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -26,6 +26,7 @@
+ struct cli_state;
+ struct messaging_context;
+ struct netlogon_creds_cli_context;
++struct dcerpc_binding_handle;
+
+ /* The following definitions come from rpc_client/cli_netlogon.c */
+
+@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
+ struct netr_SamInfo3 **info3);
++NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
++ struct dcerpc_binding_handle *binding_handle,
++ TALLOC_CTX *mem_ctx,
++ uint32_t logon_parameters,
++ const char *username,
++ const char *domain,
++ const char *workstation,
++ const uint8 chal[8],
++ DATA_BLOB lm_response,
++ DATA_BLOB nt_response,
++ uint8_t *authoritative,
++ uint32_t *flags,
++ struct netr_SamInfo3 **info3);
+ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *account_name,
+--
+1.9.3
+
+
+From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 14:56:06 +0200
+Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
+---
+ source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
+ source3/rpc_client/cli_netlogon.h | 8 +++
+ 2 files changed, 141 insertions(+)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index e335423..a9f8604 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ return NT_STATUS_OK;
+ }
+
++NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
++ struct dcerpc_binding_handle *binding_handle,
++ uint32_t logon_parameters,
++ const char *domain,
++ const char *username,
++ const char *password,
++ const char *workstation,
++ enum netr_LogonInfoClass logon_type)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ NTSTATUS status;
++ union netr_LogonLevel *logon;
++ uint16_t validation_level = 0;
++ union netr_Validation *validation = NULL;
++ uint8_t authoritative = 0;
++ uint32_t flags = 0;
++ char *workstation_slash = NULL;
++
++ logon = talloc_zero(frame, union netr_LogonLevel);
++ if (logon == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ if (workstation == NULL) {
++ workstation = lp_netbios_name();
++ }
++
++ workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
++ if (workstation_slash == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ /* Initialise input parameters */
++
++ switch (logon_type) {
++ case NetlogonInteractiveInformation: {
++
++ struct netr_PasswordInfo *password_info;
++
++ struct samr_Password lmpassword;
++ struct samr_Password ntpassword;
++
++ password_info = talloc_zero(frame, struct netr_PasswordInfo);
++ if (password_info == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
++
++ password_info->identity_info.domain_name.string = domain;
++ password_info->identity_info.parameter_control = logon_parameters;
++ password_info->identity_info.logon_id_low = 0xdead;
++ password_info->identity_info.logon_id_high = 0xbeef;
++ password_info->identity_info.account_name.string = username;
++ password_info->identity_info.workstation.string = workstation_slash;
++
++ password_info->lmpassword = lmpassword;
++ password_info->ntpassword = ntpassword;
++
++ logon->password = password_info;
++
++ break;
++ }
++ case NetlogonNetworkInformation: {
++ struct netr_NetworkInfo *network_info;
++ uint8 chal[8];
++ unsigned char local_lm_response[24];
++ unsigned char local_nt_response[24];
++ struct netr_ChallengeResponse lm;
++ struct netr_ChallengeResponse nt;
++
++ ZERO_STRUCT(lm);
++ ZERO_STRUCT(nt);
++
++ network_info = talloc_zero(frame, struct netr_NetworkInfo);
++ if (network_info == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ generate_random_buffer(chal, 8);
++
++ SMBencrypt(password, chal, local_lm_response);
++ SMBNTencrypt(password, chal, local_nt_response);
++
++ lm.length = 24;
++ lm.data = local_lm_response;
++
++ nt.length = 24;
++ nt.data = local_nt_response;
++
++ network_info->identity_info.domain_name.string = domain;
++ network_info->identity_info.parameter_control = logon_parameters;
++ network_info->identity_info.logon_id_low = 0xdead;
++ network_info->identity_info.logon_id_high = 0xbeef;
++ network_info->identity_info.account_name.string = username;
++ network_info->identity_info.workstation.string = workstation_slash;
++
++ memcpy(network_info->challenge, chal, 8);
++ network_info->nt = nt;
++ network_info->lm = lm;
++
++ logon->network = network_info;
++
++ break;
++ }
++ default:
++ DEBUG(0, ("switch value %d not supported\n",
++ logon_type));
++ TALLOC_FREE(frame);
++ return NT_STATUS_INVALID_INFO_CLASS;
++ }
++
++ status = netlogon_creds_cli_LogonSamLogon(creds,
++ binding_handle,
++ logon_type,
++ logon,
++ frame,
++ &validation_level,
++ &validation,
++ &authoritative,
++ &flags);
++ TALLOC_FREE(frame);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ return NT_STATUS_OK;
++}
++
+ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+ uint16_t validation_level,
+ union netr_Validation *validation,
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index 54ed7ae..d4c6670 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ const char *workstation,
+ uint16_t validation_level,
+ int logon_type);
++NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
++ struct dcerpc_binding_handle *binding_handle,
++ uint32_t logon_parameters,
++ const char *domain,
++ const char *username,
++ const char *password,
++ const char *workstation,
++ enum netr_LogonInfoClass logon_type);
+ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ uint32 logon_parameters,
+--
+1.9.3
+
+
+From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Dec 2013 20:06:14 +0100
+Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
+ the parent
+
+This opens the CLEAR_IF_FIRST tdb in the long living parent.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
+---
+ source3/winbindd/winbindd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
+index 69a17bf..a90c8fe 100644
+--- a/source3/winbindd/winbindd.c
++++ b/source3/winbindd/winbindd.c
+@@ -31,6 +31,7 @@
+ #include "../librpc/gen_ndr/srv_lsa.h"
+ #include "../librpc/gen_ndr/srv_samr.h"
+ #include "secrets.h"
++#include "rpc_client/cli_netlogon.h"
+ #include "idmap.h"
+ #include "lib/addrchange.h"
+ #include "serverid.h"
+@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
+ return False;
+ }
+
++ status = rpccli_pre_open_netlogon_creds();
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
++ nt_errstr(status)));
++ exit(1);
++ }
++
+ /* Unblock all signals we are interested in as they may have been
+ blocked by the parent process. */
+
+--
+1.9.3
+
+
+From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 7 Aug 2013 11:32:44 +0200
+Subject: [PATCH 182/249] s3:winbindd: make use of
+ rpccli_{create,setup}_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
+---
+ source3/winbindd/winbindd.h | 3 +
+ source3/winbindd/winbindd_cm.c | 125 ++++++++++++++++++++---------------
+ source3/winbindd/winbindd_dual_srv.c | 1 +
+ 3 files changed, 77 insertions(+), 52 deletions(-)
+
+diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
+index b5fc010..8f89e27 100644
+--- a/source3/winbindd/winbindd.h
++++ b/source3/winbindd/winbindd.h
+@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
+ struct policy_handle lsa_policy;
+
+ struct rpc_pipe_client *netlogon_pipe;
++ struct netlogon_creds_cli_context *netlogon_creds;
++ uint32_t netlogon_flags;
++ bool netlogon_force_reauth;
+ };
+
+ /* Async child */
+diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
+index 1546002..7b6cc96 100644
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -79,6 +79,7 @@
+ #include "auth/gensec/gensec.h"
+ #include "../libcli/smb/smbXcli_base.h"
+ #include "lib/param/loadparm.h"
++#include "libcli/auth/netlogon_creds_cli.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_WINBIND
+@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
+ }
+
+ conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
++ conn->netlogon_force_reauth = false;
++ conn->netlogon_flags = 0;
++ TALLOC_FREE(conn->netlogon_creds);
+
+ if (conn->cli) {
+ cli_shutdown(conn->cli);
+@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct rpc_pipe_client *netlogon_pipe;
+
+- if (lp_client_schannel() == False) {
+- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
++ *ppdc = NULL;
++
++ if ((!IS_DC) && (!domain->primary)) {
++ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
++ }
++
++ if (domain->conn.netlogon_creds != NULL) {
++ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
++ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
++ }
++ *ppdc = domain->conn.netlogon_creds;
++ return NT_STATUS_OK;
+ }
+
+ result = cm_connect_netlogon(domain, &netlogon_pipe);
+@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
+ return result;
+ }
+
+- /* Return a pointer to the struct netlogon_creds_CredentialState from the
+- netlogon pipe. */
++ if (domain->conn.netlogon_creds == NULL) {
++ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
++ }
+
+- if (!domain->conn.netlogon_pipe->netlogon_creds) {
+- return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
++ if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
++ return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+ }
+
+- *ppdc = domain->conn.netlogon_pipe->netlogon_creds;
++ *ppdc = domain->conn.netlogon_creds;
+ return NT_STATUS_OK;
+ }
+
+@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
+ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ struct rpc_pipe_client **cli)
+ {
++ struct messaging_context *msg_ctx = winbind_messaging_context();
+ struct winbindd_cm_conn *conn;
+ NTSTATUS result;
+-
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
+- uint8_t mach_pwd[16];
+ enum netr_SchannelType sec_chan_type;
++ const char *_account_name;
+ const char *account_name;
+- struct rpc_pipe_client *netlogon_pipe = NULL;
++ struct samr_Password current_nt_hash;
++ struct samr_Password *previous_nt_hash = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ bool ok;
+
+ *cli = NULL;
+
+@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ }
+
+ TALLOC_FREE(conn->netlogon_pipe);
+-
+- result = cli_rpc_pipe_open_noauth(conn->cli,
+- &ndr_table_netlogon,
+- &netlogon_pipe);
+- if (!NT_STATUS_IS_OK(result)) {
+- return result;
+- }
++ conn->netlogon_flags = 0;
++ TALLOC_FREE(conn->netlogon_creds);
+
+ if ((!IS_DC) && (!domain->primary)) {
+- /* Clear the schannel request bit and drop down */
+- neg_flags &= ~NETLOGON_NEG_SCHANNEL;
+ goto no_schannel;
+ }
+
+- if (lp_client_schannel() != False) {
+- neg_flags |= NETLOGON_NEG_SCHANNEL;
++ ok = get_trust_pw_hash(domain->name,
++ current_nt_hash.hash,
++ &_account_name,
++ &sec_chan_type);
++ if (!ok) {
++ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+- if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
+- &sec_chan_type))
+- {
+- TALLOC_FREE(netlogon_pipe);
+- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
++ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
++ if (account_name == NULL) {
++ return NT_STATUS_NO_MEMORY;
+ }
+
+- result = rpccli_netlogon_setup_creds(
+- netlogon_pipe,
+- domain->dcname, /* server name. */
+- domain->name, /* domain name */
+- lp_netbios_name(), /* client name */
+- account_name, /* machine account */
+- mach_pwd, /* machine password */
+- sec_chan_type, /* from get_trust_pw */
+- &neg_flags);
++ result = rpccli_create_netlogon_creds(domain->dcname,
++ domain->name,
++ account_name,
++ sec_chan_type,
++ msg_ctx,
++ domain,
++ &conn->netlogon_creds);
++ if (!NT_STATUS_IS_OK(result)) {
++ SAFE_FREE(previous_nt_hash);
++ return result;
++ }
+
++ result = rpccli_setup_netlogon_creds(conn->cli,
++ conn->netlogon_creds,
++ conn->netlogon_force_reauth,
++ current_nt_hash,
++ previous_nt_hash);
++ conn->netlogon_force_reauth = false;
++ SAFE_FREE(previous_nt_hash);
+ if (!NT_STATUS_IS_OK(result)) {
+- TALLOC_FREE(netlogon_pipe);
+ return result;
+ }
+
+- if ((lp_client_schannel() == True) &&
+- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+- DEBUG(3, ("Server did not offer schannel\n"));
+- TALLOC_FREE(netlogon_pipe);
+- return NT_STATUS_ACCESS_DENIED;
++ result = netlogon_creds_cli_get(conn->netlogon_creds,
++ talloc_tos(),
++ &creds);
++ if (!NT_STATUS_IS_OK(result)) {
++ return result;
+ }
++ conn->netlogon_flags = creds->negotiate_flags;
++ TALLOC_FREE(creds);
+
+ no_schannel:
+- if ((lp_client_schannel() == False) ||
+- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
++ if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
++ result = cli_rpc_pipe_open_noauth(conn->cli,
++ &ndr_table_netlogon,
++ &conn->netlogon_pipe);
++ if (!NT_STATUS_IS_OK(result)) {
++ invalidate_cm_connection(conn);
++ return result;
++ }
+
+- /* We're done - just keep the existing connection to NETLOGON
+- * open */
+- conn->netlogon_pipe = netlogon_pipe;
+ *cli = conn->netlogon_pipe;
+ return NT_STATUS_OK;
+ }
+@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
+ result = cli_rpc_pipe_open_schannel_with_key(
+ conn->cli, &ndr_table_netlogon, NCACN_NP,
+ domain->name,
+- netlogon_pipe->netlogon_creds,
++ conn->netlogon_creds,
+ &conn->netlogon_pipe);
+-
+- /* We can now close the initial netlogon pipe. */
+- TALLOC_FREE(netlogon_pipe);
+-
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
+ "was %s\n", nt_errstr(result)));
+diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
+index b873655..001591a 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
+
+ again:
+ invalidate_cm_connection(&domain->conn);
++ domain->conn.netlogon_force_reauth = true;
+
+ {
+ struct rpc_pipe_client *netlogon_pipe;
+--
+1.9.3
+
+
+From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 13:07:45 +0200
+Subject: [PATCH 183/249] s3:auth_domain: simplify
+ connect_to_domain_password_server()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
+---
+ source3/auth/auth_domain.c | 31 ++++++++++++-------------------
+ 1 file changed, 12 insertions(+), 19 deletions(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index 9f88c4a..ae27bf0 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
+ *
+ **/
+
+-static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
++static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+ const char *domain,
+ const char *dc_name,
+ const struct sockaddr_storage *dc_ss,
+ struct rpc_pipe_client **pipe_ret)
+ {
+- NTSTATUS result;
++ NTSTATUS result;
++ struct cli_state *cli = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+
+- *cli = NULL;
++ *cli_ret = NULL;
+
+ *pipe_ret = NULL;
+
+@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
+ }
+
+ /* Attempt connection */
+- result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
++ result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
+ "IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
+
+ if (!NT_STATUS_IS_OK(result)) {
+@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
+ result = NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+- if (*cli) {
+- cli_shutdown(*cli);
+- *cli = NULL;
+- }
+-
+ TALLOC_FREE(mutex);
+ return result;
+ }
+@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
+ if (lp_client_schannel()) {
+ /* We also setup the creds chain in the open_schannel call. */
+ result = cli_rpc_pipe_open_schannel(
+- *cli, &ndr_table_netlogon, NCACN_NP,
++ cli, &ndr_table_netlogon, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
+ } else {
+ result = cli_rpc_pipe_open_noauth(
+- *cli, &ndr_table_netlogon, &netlogon_pipe);
++ cli, &ndr_table_netlogon, &netlogon_pipe);
+ }
+
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
+ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+- cli_shutdown(*cli);
+- *cli = NULL;
++ cli_shutdown(cli);
+ TALLOC_FREE(mutex);
+ return result;
+ }
+@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+ DEBUG(0, ("connect_to_domain_password_server: could not fetch "
+ "trust account password for domain '%s'\n",
+ domain));
+- cli_shutdown(*cli);
+- *cli = NULL;
++ cli_shutdown(cli);
+ TALLOC_FREE(mutex);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+ &neg_flags);
+
+ if (!NT_STATUS_IS_OK(result)) {
+- cli_shutdown(*cli);
+- *cli = NULL;
++ cli_shutdown(cli);
+ TALLOC_FREE(mutex);
+ return result;
+ }
+@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+ DEBUG(0, ("connect_to_domain_password_server: unable to open "
+ "the domain client session to machine %s. Error "
+ "was : %s.\n", dc_name, nt_errstr(result)));
+- cli_shutdown(*cli);
+- *cli = NULL;
++ cli_shutdown(cli);
+ TALLOC_FREE(mutex);
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+ /* We exit here with the mutex *locked*. JRA */
+
++ *cli_ret = cli;
+ *pipe_ret = netlogon_pipe;
+
+ return NT_STATUS_OK;
+--
+1.9.3
+
+
+From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 15:01:10 +0200
+Subject: [PATCH 184/249] s3:auth_domain: make use of
+ rpccli_{create,setup}_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
+---
+ source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
+ 1 file changed, 85 insertions(+), 51 deletions(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index ae27bf0..bf2671c 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -27,6 +27,7 @@
+ #include "secrets.h"
+ #include "passdb.h"
+ #include "libsmb/libsmb.h"
++#include "libcli/auth/netlogon_creds_cli.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_AUTH
+@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+ const struct sockaddr_storage *dc_ss,
+ struct rpc_pipe_client **pipe_ret)
+ {
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct messaging_context *msg_ctx = server_messaging_context();
+ NTSTATUS result;
+ struct cli_state *cli = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
++ struct netlogon_creds_cli_context *netlogon_creds = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ uint32_t netlogon_flags = 0;
++ enum netr_SchannelType sec_chan_type = 0;
++ const char *_account_name = NULL;
++ const char *account_name = NULL;
++ struct samr_Password current_nt_hash;
++ struct samr_Password *previous_nt_hash = NULL;
++ bool ok;
+
+ *cli_ret = NULL;
+
+@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+
+ mutex = grab_named_mutex(NULL, dc_name, 10);
+ if (mutex == NULL) {
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+ }
+
+ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
+ return result;
+ }
+
+@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+ * We now have an anonymous connection to IPC$ on the domain password server.
+ */
+
+- /*
+- * Even if the connect succeeds we need to setup the netlogon
+- * pipe here. We do this as we may just have changed the domain
+- * account password on the PDC and yet we may be talking to
+- * a BDC that doesn't have this replicated yet. In this case
+- * a successful connect to a DC needs to take the netlogon connect
+- * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
+- */
++ ok = get_trust_pw_hash(domain,
++ current_nt_hash.hash,
++ &_account_name,
++ &sec_chan_type);
++ if (!ok) {
++ cli_shutdown(cli);
++ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
++ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
++ }
+
+- /* open the netlogon pipe. */
+- if (lp_client_schannel()) {
+- /* We also setup the creds chain in the open_schannel call. */
+- result = cli_rpc_pipe_open_schannel(
+- cli, &ndr_table_netlogon, NCACN_NP,
+- DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
+- } else {
+- result = cli_rpc_pipe_open_noauth(
+- cli, &ndr_table_netlogon, &netlogon_pipe);
++ account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
++ if (account_name == NULL) {
++ cli_shutdown(cli);
++ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
+ }
+
++ result = rpccli_create_netlogon_creds(dc_name,
++ domain,
++ account_name,
++ sec_chan_type,
++ msg_ctx,
++ talloc_tos(),
++ &netlogon_creds);
+ if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
+-machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+ cli_shutdown(cli);
+ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
++ SAFE_FREE(previous_nt_hash);
+ return result;
+ }
+
+- if (!lp_client_schannel()) {
+- /* We need to set up a creds chain on an unauthenticated netlogon pipe. */
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
+- enum netr_SchannelType sec_chan_type = 0;
+- unsigned char machine_pwd[16];
+- const char *account_name;
+-
+- if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
+- &sec_chan_type))
+- {
+- DEBUG(0, ("connect_to_domain_password_server: could not fetch "
+- "trust account password for domain '%s'\n",
+- domain));
+- cli_shutdown(cli);
+- TALLOC_FREE(mutex);
+- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+- }
++ result = rpccli_setup_netlogon_creds(cli,
++ netlogon_creds,
++ false, /* force_reauth */
++ current_nt_hash,
++ previous_nt_hash);
++ SAFE_FREE(previous_nt_hash);
++ if (!NT_STATUS_IS_OK(result)) {
++ cli_shutdown(cli);
++ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
++ return result;
++ }
+
+- result = rpccli_netlogon_setup_creds(netlogon_pipe,
+- dc_name, /* server name */
+- domain, /* domain */
+- lp_netbios_name(), /* client name */
+- account_name, /* machine account name */
+- machine_pwd,
+- sec_chan_type,
+- &neg_flags);
+-
+- if (!NT_STATUS_IS_OK(result)) {
+- cli_shutdown(cli);
+- TALLOC_FREE(mutex);
+- return result;
+- }
++ result = netlogon_creds_cli_get(netlogon_creds,
++ talloc_tos(),
++ &creds);
++ if (!NT_STATUS_IS_OK(result)) {
++ cli_shutdown(cli);
++ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
++ return result;
++ }
++ netlogon_flags = creds->negotiate_flags;
++ TALLOC_FREE(creds);
++
++ if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
++ result = cli_rpc_pipe_open_schannel_with_key(
++ cli, &ndr_table_netlogon, NCACN_NP,
++ domain, netlogon_creds, &netlogon_pipe);
++ } else {
++ result = cli_rpc_pipe_open_noauth(cli,
++ &ndr_table_netlogon,
++ &netlogon_pipe);
++ }
++
++ if (!NT_STATUS_IS_OK(result)) {
++ DEBUG(0,("connect_to_domain_password_server: "
++ "unable to open the domain client session to "
++ "machine %s. Flags[0x%08X] Error was : %s.\n",
++ dc_name, (unsigned)netlogon_flags,
++ nt_errstr(result)));
++ cli_shutdown(cli);
++ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
++ return result;
+ }
+
+ if(!netlogon_pipe) {
+@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+ "was : %s.\n", dc_name, nt_errstr(result)));
+ cli_shutdown(cli);
+ TALLOC_FREE(mutex);
++ TALLOC_FREE(frame);
+ return NT_STATUS_NO_LOGON_SERVERS;
+ }
+
+@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
+ *cli_ret = cli;
+ *pipe_ret = netlogon_pipe;
+
++ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+--
+1.9.3
+
+
+From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 27 Aug 2013 15:02:26 +0200
+Subject: [PATCH 185/249] s3:auth_domain: make use of
+ rpccli_netlogon_network_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
+---
+ source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
+index bf2671c..937841c 100644
+--- a/source3/auth/auth_domain.c
++++ b/source3/auth/auth_domain.c
+@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+ const char *domain,
+ const char *dc_name,
+ const struct sockaddr_storage *dc_ss,
+- struct rpc_pipe_client **pipe_ret)
++ struct rpc_pipe_client **pipe_ret,
++ struct netlogon_creds_cli_context **creds_ret)
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct messaging_context *msg_ctx = server_messaging_context();
+@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+ *cli_ret = NULL;
+
+ *pipe_ret = NULL;
++ *creds_ret = NULL;
+
+ /* TODO: Send a SAMLOGON request to determine whether this is a valid
+ logonserver. We can avoid a 30-second timeout if the DC is down
+@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
+
+ *cli_ret = cli;
+ *pipe_ret = netlogon_pipe;
++ *creds_ret = netlogon_creds;
+
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
+ struct netr_SamInfo3 *info3 = NULL;
+ struct cli_state *cli = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
++ struct netlogon_creds_cli_context *netlogon_creds = NULL;
+ NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
+ int i;
++ uint8_t authoritative = 0;
++ uint32_t flags = 0;
+
+ /*
+ * At this point, smb_apasswd points to the lanman response to
+@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
+ domain,
+ dc_name,
+ dc_ss,
+- &netlogon_pipe);
++ &netlogon_pipe,
++ &netlogon_creds);
+ }
+
+ if ( !NT_STATUS_IS_OK(nt_status) ) {
+@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
+ * in the info3 structure.
+ */
+
+- nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
+- mem_ctx,
+- user_info->logon_parameters, /* flags such as 'allow workstation logon' */
+- dc_name, /* server name */
+- user_info->client.account_name, /* user name logging on. */
+- user_info->client.domain_name, /* domain name */
+- user_info->workstation_name, /* workstation name */
+- chal, /* 8 byte challenge. */
+- 3, /* validation level */
+- user_info->password.response.lanman, /* lanman 24 byte response */
+- user_info->password.response.nt, /* nt 24 byte response */
+- &info3); /* info3 out */
++ nt_status = rpccli_netlogon_network_logon(netlogon_creds,
++ netlogon_pipe->binding_handle,
++ mem_ctx,
++ user_info->logon_parameters, /* flags such as 'allow workstation logon' */
++ user_info->client.account_name, /* user name logging on. */
++ user_info->client.domain_name, /* domain name */
++ user_info->workstation_name, /* workstation name */
++ chal, /* 8 byte challenge. */
++ user_info->password.response.lanman, /* lanman 24 byte response */
++ user_info->password.response.nt, /* nt 24 byte response */
++ &authoritative,
++ &flags,
++ &info3); /* info3 out */
+
+ /* Let go as soon as possible so we avoid any potential deadlocks
+ with winbind lookup up users or groups. */
+--
+1.9.3
+
+
+From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 2 Sep 2013 19:32:23 +0200
+Subject: [PATCH 186/249] s3:libnet_join: make use of
+ rpccli_{create,setup}_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
+---
+ source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
+ source3/libnet/libnet_join.h | 5 +-
+ source3/utils/net_rpc.c | 4 +-
+ 3 files changed, 86 insertions(+), 33 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index b2805ee..6e653c3 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -40,6 +40,8 @@
+ #include "libsmb/libsmb.h"
+ #include "../libcli/smb/smbXcli_base.h"
+ #include "lib/param/loadparm.h"
++#include "libcli/auth/netlogon_creds_cli.h"
++#include "auth/credentials/credentials.h"
+
+ /****************************************************************
+ ****************************************************************/
+@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
+ /****************************************************************
+ ****************************************************************/
+
+-NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+- const char *machine_name,
++NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
++ const char *netbios_domain_name,
+ const char *dc_name,
+ const bool use_kerberos)
+ {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
++ TALLOC_CTX *frame = talloc_stackframe();
+ struct cli_state *cli = NULL;
+- struct rpc_pipe_client *pipe_hnd = NULL;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
++ struct netlogon_creds_cli_context *netlogon_creds = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ uint32_t netlogon_flags = 0;
++ enum netr_SchannelType sec_chan_type = 0;
+ NTSTATUS status;
+ char *machine_password = NULL;
+- char *machine_account = NULL;
++ const char *machine_name = NULL;
++ const char *machine_account = NULL;
+ int flags = 0;
++ struct samr_Password current_nt_hash;
++ struct samr_Password *previous_nt_hash = NULL;
++ bool ok;
+
+ if (!dc_name) {
++ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (!secrets_init()) {
++ TALLOC_FREE(frame);
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+- machine_password = secrets_fetch_machine_password(netbios_domain_name,
+- NULL, NULL);
+- if (!machine_password) {
+- return NT_STATUS_NO_TRUST_LSA_SECRET;
++ ok = get_trust_pw_clear(netbios_domain_name,
++ &machine_password,
++ &machine_name,
++ &sec_chan_type);
++ if (!ok) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+- if (asprintf(&machine_account, "%s$", machine_name) == -1) {
++ machine_account = talloc_asprintf(frame, "%s$", machine_name);
++ if (machine_account == NULL) {
+ SAFE_FREE(machine_password);
+- return NT_STATUS_NO_MEMORY;
++ SAFE_FREE(previous_nt_hash);
++ TALLOC_FREE(frame);
++ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+ if (use_kerberos) {
+@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+ NULL, 0,
+ "IPC$", "IPC",
+ machine_account,
+- NULL,
++ netbios_domain_name,
+ machine_password,
+ flags,
+ SMB_SIGNING_DEFAULT);
+- free(machine_account);
+- free(machine_password);
++
++ E_md4hash(machine_password, current_nt_hash.hash);
++ SAFE_FREE(machine_password);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ status = cli_full_connection(&cli, NULL,
+@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
++ SAFE_FREE(previous_nt_hash);
++ TALLOC_FREE(frame);
+ return status;
+ }
+
+- status = get_schannel_session_key(cli, netbios_domain_name,
+- &neg_flags, &netlogon_pipe);
++ status = rpccli_create_netlogon_creds(dc_name,
++ netbios_domain_name,
++ machine_account,
++ sec_chan_type,
++ msg_ctx,
++ frame,
++ &netlogon_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+- if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
+- cli_shutdown(cli);
+- return NT_STATUS_OK;
+- }
++ SAFE_FREE(previous_nt_hash);
++ cli_shutdown(cli);
++ TALLOC_FREE(frame);
++ return status;
++ }
+
+- DEBUG(0,("libnet_join_ok: failed to get schannel session "
+- "key from server %s for domain %s. Error was %s\n",
+- smbXcli_conn_remote_name(cli->conn),
+- netbios_domain_name, nt_errstr(status)));
++ status = rpccli_setup_netlogon_creds(cli,
++ netlogon_creds,
++ true, /* force_reauth */
++ current_nt_hash,
++ previous_nt_hash);
++ SAFE_FREE(previous_nt_hash);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0,("connect_to_domain_password_server: "
++ "unable to open the domain client session to "
++ "machine %s. Flags[0x%08X] Error was : %s.\n",
++ dc_name, (unsigned)netlogon_flags,
++ nt_errstr(status)));
++ cli_shutdown(cli);
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ status = netlogon_creds_cli_get(netlogon_creds,
++ talloc_tos(),
++ &creds);
++ if (!NT_STATUS_IS_OK(status)) {
+ cli_shutdown(cli);
++ TALLOC_FREE(frame);
+ return status;
+ }
++ netlogon_flags = creds->negotiate_flags;
++ TALLOC_FREE(creds);
+
+- if (!lp_client_schannel()) {
++ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+ cli_shutdown(cli);
++ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+ status = cli_rpc_pipe_open_schannel_with_key(
+ cli, &ndr_table_netlogon, NCACN_NP,
+ netbios_domain_name,
+- netlogon_pipe->netlogon_creds, &pipe_hnd);
++ netlogon_creds, &netlogon_pipe);
+
+- cli_shutdown(cli);
++ TALLOC_FREE(netlogon_pipe);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("libnet_join_ok: failed to open schannel session "
+@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+ "Error was %s\n",
+ smbXcli_conn_remote_name(cli->conn),
+ netbios_domain_name, nt_errstr(status)));
++ cli_shutdown(cli);
++ TALLOC_FREE(frame);
+ return status;
+ }
+
++ cli_shutdown(cli);
++ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
+ {
+ NTSTATUS status;
+
+- status = libnet_join_ok(r->out.netbios_domain_name,
+- r->in.machine_name,
++ status = libnet_join_ok(r->in.msg_ctx,
++ r->out.netbios_domain_name,
+ r->in.dc_name,
+ r->in.use_kerberos);
+ if (!NT_STATUS_IS_OK(status)) {
+diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
+index 58c33b2..b7e2f0b 100644
+--- a/source3/libnet/libnet_join.h
++++ b/source3/libnet/libnet_join.h
+@@ -23,8 +23,9 @@
+
+ /* The following definitions come from libnet/libnet_join.c */
+
+-NTSTATUS libnet_join_ok(const char *netbios_domain_name,
+- const char *machine_name,
++struct messaging_context;
++NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
++ const char *netbios_domain_name,
+ const char *dc_name,
+ const bool use_kerberos);
+ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index dff8801..9de74c0 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
+ }
+
+ /* Display success or failure */
+- status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
++ status = libnet_join_ok(c->msg_ctx,
++ c->opt_workgroup,
++ dc,
+ c->opt_kerberos);
+ if (!NT_STATUS_IS_OK(status)) {
+ fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
+--
+1.9.3
+
+
+From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 5 Sep 2013 20:57:02 +0200
+Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
+ in libnet_join_joindomain_rpc_unsecure
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
+---
+ source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 51 insertions(+), 15 deletions(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 6e653c3..a87eb38 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+ struct libnet_JoinCtx *r,
+ struct cli_state *cli)
+ {
+- struct rpc_pipe_client *pipe_hnd = NULL;
+- unsigned char orig_trust_passwd_hash[16];
+- unsigned char new_trust_passwd_hash[16];
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct rpc_pipe_client *netlogon_pipe = NULL;
++ struct netlogon_creds_cli_context *netlogon_creds = NULL;
++ struct samr_Password current_nt_hash;
++ const char *account_name = NULL;
+ NTSTATUS status;
+
+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+- &pipe_hnd);
++ &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
+ return status;
+ }
+
+@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
+ r->in.machine_password = generate_random_password(mem_ctx,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+- NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
++ if (r->in.machine_password == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
+ }
+
+- E_md4hash(r->in.machine_password, new_trust_passwd_hash);
+-
+ /* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
+- E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
++ E_md4hash(r->in.admin_password, current_nt_hash.hash);
+
+- status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
+- r->in.machine_name,
+- orig_trust_passwd_hash,
+- r->in.machine_password,
+- new_trust_passwd_hash,
+- r->in.secure_channel_type);
++ account_name = talloc_asprintf(frame, "%s$",
++ r->in.machine_name);
++ if (account_name == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
+
+- return status;
++ status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
++ r->in.domain_name,
++ account_name,
++ r->in.secure_channel_type,
++ r->in.msg_ctx,
++ frame,
++ &netlogon_creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ status = rpccli_setup_netlogon_creds(cli,
++ netlogon_creds,
++ true, /* force_reauth */
++ current_nt_hash,
++ NULL); /* previous_nt_hash */
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
++ netlogon_pipe->binding_handle,
++ r->in.machine_password,
++ NULL); /* new_version */
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
+ }
+
+ /****************************************************************
+--
+1.9.3
+
+
+From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 11 Sep 2013 10:06:41 +0200
+Subject: [PATCH 188/249] s3:rpc_client: use
+ rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
+---
+ source3/rpc_client/cli_pipe.h | 7 --
+ source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
+ 2 files changed, 66 insertions(+), 103 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index c21c55d..2a76130 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *cli,
+ DATA_BLOB *session_key);
+
+-/* The following definitions come from rpc_client/cli_pipe_schannel.c */
+-
+-NTSTATUS get_schannel_session_key(struct cli_state *cli,
+- const char *domain,
+- uint32 *pneg_flags,
+- struct rpc_pipe_client **presult);
+-
+ #endif /* _CLI_PIPE_H */
+
+ /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index 8f9161f..1fcf62e 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -23,67 +23,15 @@
+ #include "../libcli/auth/schannel.h"
+ #include "rpc_client/cli_netlogon.h"
+ #include "rpc_client/cli_pipe.h"
+-#include "librpc/gen_ndr/ndr_dcerpc.h"
+ #include "librpc/rpc/dcerpc.h"
+ #include "passdb.h"
+ #include "libsmb/libsmb.h"
+-#include "auth/gensec/gensec.h"
+ #include "../libcli/smb/smbXcli_base.h"
++#include "libcli/auth/netlogon_creds_cli.h"
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_RPC_CLI
+
+-
+-/****************************************************************************
+- Get a the schannel session key out of an already opened netlogon pipe.
+- ****************************************************************************/
+-static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
+- struct cli_state *cli,
+- const char *domain,
+- uint32 *pneg_flags)
+-{
+- enum netr_SchannelType sec_chan_type = 0;
+- unsigned char machine_pwd[16];
+- const char *machine_account;
+- NTSTATUS status;
+-
+- /* Get the machine account credentials from secrets.tdb. */
+- if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
+- &sec_chan_type))
+- {
+- DEBUG(0, ("get_schannel_session_key: could not fetch "
+- "trust account password for domain '%s'\n",
+- domain));
+- return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+- }
+-
+- status = rpccli_netlogon_setup_creds(netlogon_pipe,
+- smbXcli_conn_remote_name(cli->conn), /* server name */
+- domain, /* domain */
+- lp_netbios_name(), /* client name */
+- machine_account, /* machine account name */
+- machine_pwd,
+- sec_chan_type,
+- pneg_flags);
+-
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(3, ("get_schannel_session_key_common: "
+- "rpccli_netlogon_setup_creds failed with result %s "
+- "to server %s, domain %s, machine account %s.\n",
+- nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
+- machine_account ));
+- return status;
+- }
+-
+- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
+- DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
+- smbXcli_conn_remote_name(cli->conn)));
+- return NT_STATUS_INVALID_NETWORK_RESPONSE;
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+ /****************************************************************************
+ Open a named pipe to an SMB server and bind using schannel (bind type 68).
+ Fetch the session key ourselves using a temporary netlogon pipe.
+@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+ const char *domain,
+ struct rpc_pipe_client **presult)
+ {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
+- struct rpc_pipe_client *netlogon_pipe = NULL;
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct messaging_context *msg_ctx = NULL;
++ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
+ struct rpc_pipe_client *result = NULL;
+ NTSTATUS status;
++ struct netlogon_creds_cli_context *netlogon_creds = NULL;
++ struct netlogon_creds_CredentialState *creds = NULL;
++ uint32_t netlogon_flags = 0;
++ enum netr_SchannelType sec_chan_type = 0;
++ const char *_account_name = NULL;
++ const char *account_name = NULL;
++ struct samr_Password current_nt_hash;
++ struct samr_Password *previous_nt_hash = NULL;
++ bool ok;
++
++ ok = get_trust_pw_hash(domain,
++ current_nt_hash.hash,
++ &_account_name,
++ &sec_chan_type);
++ if (!ok) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
++ }
++
++ account_name = talloc_asprintf(frame, "%s$", _account_name);
++ if (account_name == NULL) {
++ SAFE_FREE(previous_nt_hash);
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ status = rpccli_create_netlogon_creds(dc_name,
++ domain,
++ account_name,
++ sec_chan_type,
++ msg_ctx,
++ frame,
++ &netlogon_creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ SAFE_FREE(previous_nt_hash);
++ TALLOC_FREE(frame);
++ return status;
++ }
+
+- status = get_schannel_session_key(cli, domain, &neg_flags,
+- &netlogon_pipe);
++ status = rpccli_setup_netlogon_creds(cli,
++ netlogon_creds,
++ false, /* force_reauth */
++ current_nt_hash,
++ previous_nt_hash);
++ SAFE_FREE(previous_nt_hash);
+ if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
+- "key from server %s for domain %s.\n",
+- smbXcli_conn_remote_name(cli->conn), domain ));
++ TALLOC_FREE(frame);
+ return status;
+ }
+
++ status = netlogon_creds_cli_get(netlogon_creds,
++ frame,
++ &creds);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++ netlogon_flags = creds->negotiate_flags;
++ TALLOC_FREE(creds);
++
++ if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_DOWNGRADE_DETECTED;
++ }
++
+ status = cli_rpc_pipe_open_schannel_with_key(
+ cli, table, transport, domain,
+- netlogon_pipe->netlogon_creds,
++ netlogon_creds,
+ &result);
+
+- /* Now we've bound using the session key we can close the netlog pipe. */
+- TALLOC_FREE(netlogon_pipe);
+-
+ if (NT_STATUS_IS_OK(status)) {
+ *presult = result;
+ }
+
++ TALLOC_FREE(frame);
+ return status;
+ }
+-
+-/****************************************************************************
+- Open a netlogon pipe and get the schannel session key.
+- Now exposed to external callers.
+- ****************************************************************************/
+-
+-
+-NTSTATUS get_schannel_session_key(struct cli_state *cli,
+- const char *domain,
+- uint32 *pneg_flags,
+- struct rpc_pipe_client **presult)
+-{
+- struct rpc_pipe_client *netlogon_pipe = NULL;
+- NTSTATUS status;
+-
+- status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
+- &netlogon_pipe);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
+- pneg_flags);
+- if (!NT_STATUS_IS_OK(status)) {
+- TALLOC_FREE(netlogon_pipe);
+- return status;
+- }
+-
+- *presult = netlogon_pipe;
+- return NT_STATUS_OK;
+-}
+--
+1.9.3
+
+
+From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:24:44 +0200
+Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
+---
+ source3/rpcclient/rpcclient.c | 5 +++++
+ source3/rpcclient/rpcclient.h | 2 ++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 0cbec20..39bf613 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -33,6 +33,7 @@
+ #include "libsmb/libsmb.h"
+ #include "auth/gensec/gensec.h"
+ #include "../libcli/smb/smbXcli_base.h"
++#include "messages.h"
+
+ enum pipe_auth_type_spnego {
+ PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
+@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
+ static unsigned int timeout = 0;
+ static enum dcerpc_transport_t default_transport = NCACN_NP;
+
++struct messaging_context *rpcclient_msg_ctx;
+ struct user_auth_info *rpcclient_auth_info;
+
+ /* List to hold groups of commands.
+@@ -985,6 +987,9 @@ out_free:
+ /* We must load interfaces after we load the smb.conf */
+ load_interfaces();
+
++ rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
++ samba_tevent_context_init(talloc_autofree_context()));
++
+ /*
+ * Get password
+ * from stdin if necessary
+diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
+index 762c54a..219da2a 100644
+--- a/source3/rpcclient/rpcclient.h
++++ b/source3/rpcclient/rpcclient.h
+@@ -41,4 +41,6 @@ struct cmd_set {
+ const char *usage;
+ };
+
++extern struct messaging_context *rpcclient_msg_ctx;
++
+ #endif /* RPCCLIENT_H */
+--
+1.9.3
+
+
+From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:29:30 +0200
+Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
+---
+ source3/rpcclient/rpcclient.c | 3 +++
+ source3/rpcclient/rpcclient.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 39bf613..a875ff5 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
+
+ struct messaging_context *rpcclient_msg_ctx;
+ struct user_auth_info *rpcclient_auth_info;
++struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
+
+ /* List to hold groups of commands.
+ *
+@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ }
+ }
+
++ rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
++
+ /* Run command */
+
+ if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
+diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
+index 219da2a..9288249 100644
+--- a/source3/rpcclient/rpcclient.h
++++ b/source3/rpcclient/rpcclient.h
+@@ -42,5 +42,6 @@ struct cmd_set {
+ };
+
+ extern struct messaging_context *rpcclient_msg_ctx;
++extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
+
+ #endif /* RPCCLIENT_H */
+--
+1.9.3
+
+
+From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:57:09 +0200
+Subject: [PATCH 191/249] s3:rpcclient: remove unused
+ rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()
+
+rpccli_netlogon_setup_creds() is already called in the main do_cmd()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
+---
+ source3/rpcclient/cmd_netlogon.c | 21 +--------------------
+ 1 file changed, 1 insertion(+), 20 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 2e0b5e5..8a865a9 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
+ NTSTATUS result;
+ const char *server_name = cli->desthost;
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
+ struct netr_Authenticator clnt_creds, srv_cred;
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+- unsigned char trust_passwd_hash[16];
+- enum netr_SchannelType sec_channel_type = 0;
+ struct netr_ChangeLogEntry e;
+ uint32_t rid = 500;
+ struct dcerpc_binding_handle *b = cli->binding_handle;
+@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ sscanf(argv[1], "%d", &rid);
+ }
+
+- if (!secrets_fetch_trust_account_password(lp_workgroup(),
+- trust_passwd_hash,
+- NULL, &sec_channel_type)) {
++ if (cli->netlogon_creds == NULL) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+- status = rpccli_netlogon_setup_creds(cli,
+- server_name, /* server name */
+- lp_workgroup(), /* domain */
+- lp_netbios_name(), /* client name */
+- lp_netbios_name(), /* machine account name */
+- trust_passwd_hash,
+- sec_channel_type,
+- &neg_flags);
+-
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+ status = netlogon_creds_cli_lock(cli->netlogon_creds,
+ mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+--
+1.9.3
+
+
+From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 19:00:22 +0200
+Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
+ instead of cli->netlogon_creds
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
+---
+ source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 8a865a9..59e1e4e 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+ struct netlogon_creds_CredentialState *creds = NULL;
+
+- status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ if (rpcclient_netlogon_creds == NULL) {
++ return NT_STATUS_UNSUCCESSFUL;
++ }
++
++ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
+ mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+ struct netlogon_creds_CredentialState *creds = NULL;
+
+- status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ if (rpcclient_netlogon_creds == NULL) {
++ return NT_STATUS_UNSUCCESSFUL;
++ }
++
++ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
+ mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
+ sscanf(argv[1], "%d", &rid);
+ }
+
+- if (cli->netlogon_creds == NULL) {
++ if (rpcclient_netlogon_creds == NULL) {
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+- status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
+ mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
+
+ ZERO_STRUCT(return_authenticator);
+
+- status = netlogon_creds_cli_lock(cli->netlogon_creds,
++ if (rpcclient_netlogon_creds == NULL) {
++ return NT_STATUS_UNSUCCESSFUL;
++ }
++
++ status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
+ mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+--
+1.9.3
+
+
+From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 19:59:11 +0200
+Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
+---
+ source3/utils/net.h | 1 +
+ source3/utils/net_rpc.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/source3/utils/net.h b/source3/utils/net.h
+index e97734a..ce19c57 100644
+--- a/source3/utils/net.h
++++ b/source3/utils/net.h
+@@ -90,6 +90,7 @@ struct net_context {
+ bool smb_encrypt;
+ struct libnetapi_ctx *netapi_ctx;
+ struct messaging_context *msg_ctx;
++ struct netlogon_creds_cli_context *netlogon_creds;
+
+ bool display_usage;
+ void *private_data;
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 9de74c0..3bf3f30 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
+ nt_errstr(nt_status) ));
+ goto fail;
+ }
++ c->netlogon_creds = pipe_hnd->netlogon_creds;
+ } else {
+ if (conn_flags & NET_FLAGS_SEAL) {
+ nt_status = cli_rpc_pipe_open_generic_auth(
+--
+1.9.3
+
+
+From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sun, 15 Sep 2013 13:19:52 +0200
+Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()
+
+This protects the password change using a domain specific g_lock,
+so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
+even on multiple cluster nodes doesn't race anymore.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
+---
+ source3/include/proto.h | 8 ++
+ source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 187 insertions(+)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index 216a377..edda119 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
+ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+ TALLOC_CTX *mem_ctx,
+ const char *domain) ;
++struct netlogon_creds_cli_context;
++struct messaging_context;
++struct dcerpc_binding_handle;
++NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
++ struct messaging_context *msg_ctx,
++ struct dcerpc_binding_handle *b,
++ const char *domain,
++ bool force);
+
+ /* The following definitions come from param/loadparm.c */
+
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index 52fb481..b1bc006 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -20,12 +20,15 @@
+
+ #include "includes.h"
+ #include "../libcli/auth/libcli_auth.h"
++#include "../libcli/auth/netlogon_creds_cli.h"
+ #include "rpc_client/cli_netlogon.h"
+ #include "rpc_client/cli_pipe.h"
+ #include "../librpc/gen_ndr/ndr_netlogon.h"
+ #include "secrets.h"
+ #include "passdb.h"
+ #include "libsmb/libsmb.h"
++#include "source3/include/messages.h"
++#include "source3/include/g_lock.h"
+
+ /*********************************************************
+ Change the domain password on the PDC.
+@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+
+ return nt_status;
+ }
++
++struct trust_pw_change_state {
++ struct g_lock_ctx *g_ctx;
++ char *g_lock_key;
++};
++
++static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
++{
++ g_lock_unlock(state->g_ctx, state->g_lock_key);
++ return 0;
++}
++
++NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
++ struct messaging_context *msg_ctx,
++ struct dcerpc_binding_handle *b,
++ const char *domain,
++ bool force)
++{
++ TALLOC_CTX *frame = talloc_stackframe();
++ struct trust_pw_change_state *state;
++ struct samr_Password current_nt_hash;
++ const struct samr_Password *previous_nt_hash = NULL;
++ enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
++ const char *account_name;
++ char *new_trust_passwd;
++ char *pwd;
++ struct dom_sid sid;
++ time_t pass_last_set_time;
++ struct timeval g_timeout = { 0, };
++ int timeout = 0;
++ struct timeval tv = { 0, };
++ NTSTATUS status;
++
++ state = talloc_zero(frame, struct trust_pw_change_state);
++ if (state == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ state->g_ctx = g_lock_ctx_init(state, msg_ctx);
++ if (state->g_ctx == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ state->g_lock_key = talloc_asprintf(state,
++ "trust_password_change_%s",
++ domain);
++ if (state->g_lock_key == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ g_timeout = timeval_current_ofs(10, 0);
++ status = g_lock_lock(state->g_ctx,
++ state->g_lock_key,
++ G_LOCK_WRITE, g_timeout);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(1, ("could not get g_lock on [%s]!\n",
++ state->g_lock_key));
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ talloc_set_destructor(state, trust_pw_change_state_destructor);
++
++ if (!get_trust_pw_hash(domain, current_nt_hash.hash,
++ &account_name,
++ &sec_channel_type)) {
++ DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
++ TALLOC_FREE(frame);
++ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
++ }
++
++ switch (sec_channel_type) {
++ case SEC_CHAN_WKSTA:
++ pwd = secrets_fetch_machine_password(domain,
++ &pass_last_set_time,
++ NULL);
++ if (pwd == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
++ }
++ break;
++ case SEC_CHAN_DOMAIN:
++ if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
++ }
++ break;
++ default:
++ TALLOC_FREE(frame);
++ return NT_STATUS_NOT_SUPPORTED;
++ }
++
++ timeout = lp_machine_password_timeout();
++ if (timeout == 0) {
++ if (!force) {
++ DEBUG(10,("machine password never expires\n"));
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++ }
++ }
++
++ tv.tv_sec = pass_last_set_time;
++ DEBUG(10, ("password last changed %s\n",
++ timeval_string(talloc_tos(), &tv, false)));
++ tv.tv_sec += timeout;
++ DEBUGADD(10, ("password valid until %s\n",
++ timeval_string(talloc_tos(), &tv, false)));
++
++ if (!force && !timeval_expired(&tv)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++ }
++
++ /* Create a random machine account password */
++ new_trust_passwd = generate_random_password(frame,
++ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
++ DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
++ if (new_trust_passwd == NULL) {
++ DEBUG(0, ("generate_random_password failed\n"));
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ status = netlogon_creds_cli_auth(context, b,
++ current_nt_hash,
++ previous_nt_hash);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ status = netlogon_creds_cli_ServerPasswordSet(context, b,
++ new_trust_passwd, NULL);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
++ current_timestring(talloc_tos(), False)));
++
++ /*
++ * Return the result of trying to write the new password
++ * back into the trust account file.
++ */
++
++ switch (sec_channel_type) {
++
++ case SEC_CHAN_WKSTA:
++ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_INTERNAL_DB_CORRUPTION;
++ }
++ break;
++
++ case SEC_CHAN_DOMAIN:
++ /*
++ * we need to get the sid first for the
++ * pdb_set_trusteddom_pw call
++ */
++ if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_INTERNAL_DB_CORRUPTION;
++ }
++ break;
++
++ default:
++ break;
++ }
++
++ TALLOC_FREE(frame);
++ return NT_STATUS_OK;
++}
+--
+1.9.3
+
+
+From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:33:51 +0200
+Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
+---
+ source3/rpcclient/cmd_netlogon.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 59e1e4e..000d65c 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
+ return NT_STATUS_OK;
+ }
+
+- /* Perform the sam logon */
+-
+- result = trust_pw_find_change_and_store_it(cli, mem_ctx,
+- lp_workgroup());
+-
++ result = trust_pw_change(rpcclient_netlogon_creds,
++ rpcclient_msg_ctx,
++ cli->binding_handle,
++ lp_workgroup(),
++ true); /* force */
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+--
+1.9.3
+
+
+From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:34:48 +0200
+Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
+---
+ source3/utils/net_rpc.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index 3bf3f30..ba49f3e 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
+ {
+ NTSTATUS status;
+
+- status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
++ status = trust_pw_change(c->netlogon_creds,
++ c->msg_ctx,
++ pipe_hnd->binding_handle,
++ c->opt_target_workgroup,
++ true); /* force */
+ if (!NT_STATUS_IS_OK(status)) {
+ d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
+ nt_errstr(status));
+--
+1.9.3
+
+
+From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:35:39 +0200
+Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
+ the netlogon connection
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
+---
+ source3/winbindd/winbindd_dual.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
+index 64af571..b26cdca 100644
+--- a/source3/winbindd/winbindd_dual.c
++++ b/source3/winbindd/winbindd_dual.c
+@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
+ "password was changed and we didn't know it. "
+ "Killing connections to domain %s\n",
+ child->domain->name));
+- TALLOC_FREE(child->domain->conn.netlogon_pipe);
++ invalidate_cm_connection(&child->domain->conn);
+ }
+
+ if (!calculate_next_machine_pwd_change(child->domain->name,
+--
+1.9.3
+
+
+From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:36:43 +0200
+Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
+ periodic password changes
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
+---
+ source3/winbindd/winbindd_dual.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
+index b26cdca..1d6a5ba 100644
+--- a/source3/winbindd/winbindd_dual.c
++++ b/source3/winbindd/winbindd_dual.c
+@@ -29,6 +29,7 @@
+
+ #include "includes.h"
+ #include "winbindd.h"
++#include "rpc_client/rpc_client.h"
+ #include "nsswitch/wb_reqtrans.h"
+ #include "secrets.h"
+ #include "../lib/util/select.h"
+@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
+ struct timeval now,
+ void *private_data)
+ {
++ struct messaging_context *msg_ctx = winbind_messaging_context();
+ struct winbindd_child *child =
+ (struct winbindd_child *)private_data;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+- TALLOC_CTX *frame;
+ NTSTATUS result;
+ struct timeval next_change;
+
+@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
+ return;
+ }
+
+- frame = talloc_stackframe();
+-
+- result = trust_pw_find_change_and_store_it(netlogon_pipe,
+- frame,
+- child->domain->name);
+- TALLOC_FREE(frame);
++ result = trust_pw_change(child->domain->conn.netlogon_creds,
++ msg_ctx,
++ netlogon_pipe->binding_handle,
++ child->domain->name,
++ false); /* force */
+
+ DEBUG(10, ("machine_password_change_handler: "
+- "trust_pw_find_change_and_store_it returned %s\n",
++ "trust_pw_change returned %s\n",
+ nt_errstr(result)));
+
+ if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
+--
+1.9.3
+
+
+From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:37:34 +0200
+Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
+ _wbint_ChangeMachineAccount()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
+---
+ source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
+ 1 file changed, 7 insertions(+), 28 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
+index 001591a..f064467 100644
+--- a/source3/winbindd/winbindd_dual_srv.c
++++ b/source3/winbindd/winbindd_dual_srv.c
+@@ -622,48 +622,27 @@ again:
+ NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
+ struct wbint_ChangeMachineAccount *r)
+ {
++ struct messaging_context *msg_ctx = winbind_messaging_context();
+ struct winbindd_domain *domain;
+- int num_retries = 0;
+ NTSTATUS status;
+ struct rpc_pipe_client *netlogon_pipe;
+- TALLOC_CTX *tmp_ctx;
+
+-again:
+ domain = wb_child_domain();
+ if (domain == NULL) {
+ return NT_STATUS_REQUEST_NOT_ACCEPTED;
+ }
+
+- invalidate_cm_connection(&domain->conn);
+-
+- {
+- status = cm_connect_netlogon(domain, &netlogon_pipe);
+- }
+-
+- /* There is a race condition between fetching the trust account
+- password and the periodic machine password change. So it's
+- possible that the trust account password has been changed on us.
+- We are returned NT_STATUS_ACCESS_DENIED if this happens. */
+-
+-#define MAX_RETRIES 3
+-
+- if ((num_retries < MAX_RETRIES)
+- && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+- num_retries++;
+- goto again;
+- }
+-
++ status = cm_connect_netlogon(domain, &netlogon_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
+ goto done;
+ }
+
+- tmp_ctx = talloc_new(p->mem_ctx);
+-
+- status = trust_pw_find_change_and_store_it(netlogon_pipe,
+- tmp_ctx,
+- domain->name);
+- talloc_destroy(tmp_ctx);
++ status = trust_pw_change(domain->conn.netlogon_creds,
++ msg_ctx,
++ netlogon_pipe->binding_handle,
++ domain->name,
++ true); /* force */
+
+ /* Pass back result code - zero for success, other values for
+ specific failures. */
+--
+1.9.3
+
+
+From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 18:39:52 +0200
+Subject: [PATCH 200/249] s3:libsmb: remove unused
+ trust_pw_find_change_and_store_it()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
+---
+ source3/include/proto.h | 3 --
+ source3/libsmb/trusts_util.c | 81 --------------------------------------------
+ 2 files changed, 84 deletions(-)
+
+diff --git a/source3/include/proto.h b/source3/include/proto.h
+index edda119..18348e5 100644
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
+
+ /* The following definitions come from libsmb/trusts_util.c */
+
+-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- const char *domain) ;
+ struct netlogon_creds_cli_context;
+ struct messaging_context;
+ struct dcerpc_binding_handle;
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index b1bc006..b38aec6 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -36,87 +36,6 @@
+ already setup the connection to the NETLOGON pipe
+ **********************************************************/
+
+-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- const char *domain)
+-{
+- unsigned char old_trust_passwd_hash[16];
+- unsigned char new_trust_passwd_hash[16];
+- enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
+- const char *account_name;
+- char *new_trust_passwd;
+- NTSTATUS nt_status;
+-
+- if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
+- &sec_channel_type)) {
+- DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
+- return NT_STATUS_UNSUCCESSFUL;
+- }
+-
+- switch (sec_channel_type) {
+- case SEC_CHAN_WKSTA:
+- case SEC_CHAN_DOMAIN:
+- break;
+- default:
+- return NT_STATUS_NOT_SUPPORTED;
+- }
+-
+- /* Create a random machine account password */
+- new_trust_passwd = generate_random_password(mem_ctx,
+- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+- DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+- if (new_trust_passwd == NULL) {
+- DEBUG(0, ("generate_random_password failed\n"));
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- E_md4hash(new_trust_passwd, new_trust_passwd_hash);
+-
+- nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
+- account_name,
+- old_trust_passwd_hash,
+- new_trust_passwd,
+- new_trust_passwd_hash,
+- sec_channel_type);
+-
+- if (NT_STATUS_IS_OK(nt_status)) {
+- DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
+- current_timestring(talloc_tos(), False)));
+- /*
+- * Return the result of trying to write the new password
+- * back into the trust account file.
+- */
+-
+- switch (sec_channel_type) {
+-
+- case SEC_CHAN_WKSTA:
+- if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
+- nt_status = NT_STATUS_UNSUCCESSFUL;
+- }
+- break;
+-
+- case SEC_CHAN_DOMAIN: {
+- char *pwd;
+- struct dom_sid sid;
+- time_t pass_last_set_time;
+-
+- /* we need to get the sid first for the
+- * pdb_set_trusteddom_pw call */
+-
+- if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
+- nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+- }
+- if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
+- nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
+- }
+- break;
+- }
+- }
+- }
+-
+- return nt_status;
+-}
+-
+ struct trust_pw_change_state {
+ struct g_lock_ctx *g_ctx;
+ char *g_lock_key;
+--
+1.9.3
+
+
+From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 19:19:39 +0200
+Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
+ from the caller.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
+---
+ source3/libnet/libnet_samsync.c | 2 +-
+ source3/libnet/libnet_samsync.h | 1 +
+ source3/utils/net_rpc_samsync.c | 1 +
+ 3 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
+index 02d3fc6..e7e1393 100644
+--- a/source3/libnet/libnet_samsync.c
++++ b/source3/libnet/libnet_samsync.c
+@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
+ struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+ struct netlogon_creds_CredentialState *creds = NULL;
+
+- status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
++ status = netlogon_creds_cli_lock(ctx->netlogon_creds,
+ mem_ctx, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
+index efdbb37..e1d66ec 100644
+--- a/source3/libnet/libnet_samsync.h
++++ b/source3/libnet/libnet_samsync.h
+@@ -75,6 +75,7 @@ struct samsync_context {
+ struct samsync_object *objects;
+
+ struct rpc_pipe_client *cli;
++ struct netlogon_creds_cli_context *netlogon_creds;
+ struct messaging_context *msg_ctx;
+
+ const struct samsync_ops *ops;
+diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
+index 772651f..6377ad4 100644
+--- a/source3/utils/net_rpc_samsync.c
++++ b/source3/utils/net_rpc_samsync.c
+@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
+
+ ctx->mode = NET_SAMSYNC_MODE_DUMP;
+ ctx->cli = pipe_hnd;
++ ctx->netlogon_creds = c->netlogon_creds;
+ ctx->ops = &libnet_samsync_display_ops;
+ ctx->domain_name = domain_name;
+
+--
+1.9.3
+
+
+From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 20:51:25 +0200
+Subject: [PATCH 202/249] s3:rpcclient: make use of
+ rpccli_{create,setup}_netlogon_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
+---
+ source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
+ 1 file changed, 41 insertions(+), 18 deletions(-)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index a875ff5..490f8df 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ {
+ NTSTATUS ntresult;
+ WERROR wresult;
++ bool ok;
+
+ TALLOC_CTX *mem_ctx;
+
+@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ return ntresult;
+ }
+
+- if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
+- &ndr_table_netlogon.syntax_id)) {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
+- enum netr_SchannelType sec_channel_type;
+- uchar trust_password[16];
+- const char *machine_account;
++ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
++ &ndr_table_netlogon.syntax_id);
++ if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
++ const char *dc_name = cmd_entry->rpc_pipe->desthost;
++ const char *domain = get_cmdline_auth_info_domain(auth_info);
++ enum netr_SchannelType sec_chan_type = 0;
++ const char *_account_name = NULL;
++ const char *account_name = NULL;
++ struct samr_Password current_nt_hash;
++ struct samr_Password *previous_nt_hash = NULL;
+
+ if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
+- trust_password, &machine_account,
+- &sec_channel_type))
++ current_nt_hash.hash, &_account_name,
++ &sec_chan_type))
+ {
+ DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
+ get_cmdline_auth_info_domain(auth_info),
+@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+ }
+
+- ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
+- cmd_entry->rpc_pipe->desthost, /* server name */
+- get_cmdline_auth_info_domain(auth_info), /* domain */
+- lp_netbios_name(), /* client name */
+- machine_account, /* machine account name */
+- trust_password,
+- sec_channel_type,
+- &neg_flags);
++ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
++ if (account_name == NULL) {
++ SAFE_FREE(previous_nt_hash);
++ TALLOC_FREE(mem_ctx);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ ntresult = rpccli_create_netlogon_creds(dc_name,
++ domain,
++ account_name,
++ sec_chan_type,
++ rpcclient_msg_ctx,
++ talloc_autofree_context(),
++ &rpcclient_netlogon_creds);
++ if (!NT_STATUS_IS_OK(ntresult)) {
++ SAFE_FREE(previous_nt_hash);
++ TALLOC_FREE(mem_ctx);
++ return ntresult;
++ }
+
++ ntresult = rpccli_setup_netlogon_creds(cli,
++ rpcclient_netlogon_creds,
++ false, /* force_reauth */
++ current_nt_hash,
++ previous_nt_hash);
++ SAFE_FREE(previous_nt_hash);
+ if (!NT_STATUS_IS_OK(ntresult)) {
+ DEBUG(0, ("Could not initialise credentials for %s.\n",
+ cmd_entry->table->name));
+ TALLOC_FREE(cmd_entry->rpc_pipe);
+- talloc_free(mem_ctx);
++ TALLOC_FREE(rpcclient_netlogon_creds);
++ TALLOC_FREE(mem_ctx);
+ return ntresult;
+ }
++ cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
+ }
+ }
+
+--
+1.9.3
+
+
+From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Fri, 29 Nov 2013 14:45:20 +1300
+Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
+ after failing to obtain secret
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
+---
+ source3/rpcclient/rpcclient.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 490f8df..fd3ebdf 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+
+ account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
+ if (account_name == NULL) {
++ DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
++ cmd_entry->table->name));
++ TALLOC_FREE(cmd_entry->rpc_pipe);
+ SAFE_FREE(previous_nt_hash);
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ talloc_autofree_context(),
+ &rpcclient_netlogon_creds);
+ if (!NT_STATUS_IS_OK(ntresult)) {
++ DEBUG(0, ("Could not initialise credentials for %s.\n",
++ cmd_entry->table->name));
++ TALLOC_FREE(cmd_entry->rpc_pipe);
+ SAFE_FREE(previous_nt_hash);
+ TALLOC_FREE(mem_ctx);
+ return ntresult;
+--
+1.9.3
+
+
+From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2013 00:46:09 +0200
+Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
+ the 'samlogon' cmd
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
+---
+ source3/rpcclient/cmd_netlogon.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 000d65c..97b79cb 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+
+ /* Check arguments */
+
+- if (argc < 3 || argc > 7) {
++ if (argc < 3 || argc > 6) {
+ fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
+- "[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
++ "[logon_type (1 or 2)] [logon_parameter]\n");
+ return NT_STATUS_OK;
+ }
+
+@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ if (argc >= 5)
+ sscanf(argv[4], "%i", &logon_type);
+
+- if (argc >= 6)
+- validation_level = atoi(argv[5]);
+-
+- if (argc == 7)
+- sscanf(argv[6], "%x", &logon_param);
++ if (argc == 6)
++ sscanf(argv[5], "%x", &logon_param);
+
+ /* Perform the sam logon */
+
+--
+1.9.3
+
+
+From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2013 00:48:31 +0200
+Subject: [PATCH 205/249] s3:rpcclient: make use of
+ rpccli_netlogon_password_logon() in the 'samlogon' cmd
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
+---
+ source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 97b79cb..b637b3e 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ int logon_type = NetlogonNetworkInformation;
+ const char *username, *password;
+- uint16_t validation_level = 3;
+ uint32 logon_param = 0;
+ const char *workstation = NULL;
+
+@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+
+ /* Perform the sam logon */
+
+- result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
+-
++ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
++ cli->binding_handle,
++ logon_param,
++ lp_workgroup(),
++ username,
++ password,
++ workstation,
++ logon_type);
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+--
+1.9.3
+
+
+From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 17 Sep 2013 00:56:15 +0200
+Subject: [PATCH 206/249] s3:winbindd: make use of
+ rpccli_netlogon_network_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
+---
+ source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 39483a5..3f3ec70 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+
+ do {
+ struct rpc_pipe_client *netlogon_pipe;
++ uint8_t authoritative = 0;
++ uint32_t flags = 0;
+
+ ZERO_STRUCTP(info3);
+ retry = false;
+@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ }
+ netr_attempts = 0;
+
+- result = rpccli_netlogon_sam_network_logon(
+- netlogon_pipe,
+- mem_ctx,
+- logon_parameters,
+- server, /* server name */
+- username, /* user name */
+- domainname, /* target domain */
+- workstation, /* workstation */
+- chal,
+- -1, /* ignored */
+- lm_response,
+- nt_response,
+- info3);
++ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
++ netlogon_pipe->binding_handle,
++ mem_ctx,
++ logon_parameters,
++ username,
++ domainname,
++ workstation,
++ chal,
++ lm_response,
++ nt_response,
++ &authoritative,
++ &flags,
++ info3);
+
+ /*
+ * we increment this after the "feature negotiation"
+--
+1.9.3
+
+
+From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 20:53:51 +0200
+Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
+ flexible
+
+It expects a messaging_context now
+and returns a netlogon_creds_cli_context.
+
+This way we can finally avoid having a rpc_pipe_client->netlogon_creds.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
+---
+ source3/rpc_client/cli_pipe.h | 5 ++++-
+ source3/rpc_client/cli_pipe_schannel.c | 9 +++++++--
+ source3/rpcclient/rpcclient.c | 13 +++++++------
+ source3/utils/net_rpc.c | 6 +++---
+ 4 files changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
+index 2a76130..b704d8a 100644
+--- a/source3/rpc_client/cli_pipe.h
++++ b/source3/rpc_client/cli_pipe.h
+@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ struct rpc_pipe_client **presult);
+
+ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
++ struct messaging_context *msg_ctx,
+ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+- struct rpc_pipe_client **presult);
++ struct rpc_pipe_client **presult,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **pcreds);
+
+ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
+ struct rpc_pipe_client *cli,
+diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
+index 1fcf62e..a842333 100644
+--- a/source3/rpc_client/cli_pipe_schannel.c
++++ b/source3/rpc_client/cli_pipe_schannel.c
+@@ -38,14 +38,16 @@
+ ****************************************************************************/
+
+ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
++ struct messaging_context *msg_ctx,
+ const struct ndr_interface_table *table,
+ enum dcerpc_transport_t transport,
+ enum dcerpc_AuthLevel auth_level,
+ const char *domain,
+- struct rpc_pipe_client **presult)
++ struct rpc_pipe_client **presult,
++ TALLOC_CTX *mem_ctx,
++ struct netlogon_creds_cli_context **pcreds)
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+- struct messaging_context *msg_ctx = NULL;
+ const char *dc_name = smbXcli_conn_remote_name(cli->conn);
+ struct rpc_pipe_client *result = NULL;
+ NTSTATUS status;
+@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+
+ if (NT_STATUS_IS_OK(status)) {
+ *presult = result;
++ if (pcreds != NULL) {
++ *pcreds = talloc_move(mem_ctx, &netlogon_creds);
++ }
+ }
+
+ TALLOC_FREE(frame);
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index fd3ebdf..43343e8 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ &cmd_entry->rpc_pipe);
+ break;
+ case DCERPC_AUTH_TYPE_SCHANNEL:
++ TALLOC_FREE(rpcclient_netlogon_creds);
+ ntresult = cli_rpc_pipe_open_schannel(
+- cli, cmd_entry->table,
++ cli, rpcclient_msg_ctx,
++ cmd_entry->table,
+ default_transport,
+ pipe_default_auth_level,
+ get_cmdline_auth_info_domain(auth_info),
+- &cmd_entry->rpc_pipe);
++ &cmd_entry->rpc_pipe,
++ talloc_autofree_context(),
++ &rpcclient_netlogon_creds);
+ break;
+ default:
+ DEBUG(0, ("Could not initialise %s. Invalid "
+@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+
+ ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
+ &ndr_table_netlogon.syntax_id);
+- if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
++ if (rpcclient_netlogon_creds == NULL && ok) {
+ const char *dc_name = cmd_entry->rpc_pipe->desthost;
+ const char *domain = get_cmdline_auth_info_domain(auth_info);
+ enum netr_SchannelType sec_chan_type = 0;
+@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
+ TALLOC_FREE(mem_ctx);
+ return ntresult;
+ }
+- cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
+ }
+ }
+
+- rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
+-
+ /* Run command */
+
+ if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
+diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
+index ba49f3e..d0f699a 100644
+--- a/source3/utils/net_rpc.c
++++ b/source3/utils/net_rpc.c
+@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
+ && (ndr_syntax_id_equal(&table->syntax_id,
+ &ndr_table_netlogon.syntax_id))) {
+ /* Always try and create an schannel netlogon pipe. */
++ TALLOC_FREE(c->netlogon_creds);
+ nt_status = cli_rpc_pipe_open_schannel(
+- cli, table, NCACN_NP,
++ cli, c->msg_ctx, table, NCACN_NP,
+ DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
+- &pipe_hnd);
++ &pipe_hnd, c, &c->netlogon_creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
+ nt_errstr(nt_status) ));
+ goto fail;
+ }
+- c->netlogon_creds = pipe_hnd->netlogon_creds;
+ } else {
+ if (conn_flags & NET_FLAGS_SEAL) {
+ nt_status = cli_rpc_pipe_open_generic_auth(
+--
+1.9.3
+
+
+From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 6 Sep 2013 13:54:30 +0200
+Subject: [PATCH 208/249] s3:rpc_client: remove unused
+ rpccli_netlogon_set_trust_password()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
+---
+ source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
+ source3/rpc_client/cli_netlogon.h | 7 ------
+ 2 files changed, 58 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index a9f8604..2f23d1b 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+
+ return NT_STATUS_OK;
+ }
+-
+-/*********************************************************
+- Change the domain password on the PDC.
+-
+- Just changes the password betwen the two values specified.
+-
+- Caller must have the cli connected to the netlogon pipe
+- already.
+-**********************************************************/
+-
+-NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- const char *account_name,
+- const unsigned char orig_trust_passwd_hash[16],
+- const char *new_trust_pwd_cleartext,
+- const unsigned char new_trust_passwd_hash[16],
+- enum netr_SchannelType sec_channel_type)
+-{
+- NTSTATUS result;
+-
+- if (cli->netlogon_creds == NULL) {
+- uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+- NETLOGON_NEG_SUPPORTS_AES;
+- result = rpccli_netlogon_setup_creds(cli,
+- cli->desthost, /* server name */
+- lp_workgroup(), /* domain */
+- lp_netbios_name(), /* client name */
+- account_name, /* machine account name */
+- orig_trust_passwd_hash,
+- sec_channel_type,
+- &neg_flags);
+- if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
+- nt_errstr(result)));
+- return result;
+- }
+- }
+-
+- result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
+- cli->binding_handle,
+- new_trust_pwd_cleartext,
+- NULL); /* new_version */
+- if (!NT_STATUS_IS_OK(result)) {
+- DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
+- nt_errstr(result)));
+- return result;
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index d4c6670..8547db6 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+ uint8_t *authoritative,
+ uint32_t *flags,
+ struct netr_SamInfo3 **info3);
+-NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- const char *account_name,
+- const unsigned char orig_trust_passwd_hash[16],
+- const char *new_trust_pwd_cleartext,
+- const unsigned char new_trust_passwd_hash[16],
+- enum netr_SchannelType sec_channel_type);
+
+ #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
+--
+1.9.3
+
+
+From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 6 Sep 2013 13:06:53 +0200
+Subject: [PATCH 209/249] s3:rpc_client: remove unused
+ rpccli_netlogon_setup_creds()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
+---
+ source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
+ source3/rpc_client/cli_netlogon.h | 8 ----
+ 2 files changed, 100 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 2f23d1b..687d0c2 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -35,98 +35,6 @@
+ #include "lib/param/param.h"
+ #include "libcli/smb/smbXcli_base.h"
+
+-/****************************************************************************
+- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
+- credentials chain. Stores the credentials in the struct dcinfo in the
+- netlogon pipe struct.
+-****************************************************************************/
+-
+-NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+- const char *server_name,
+- const char *domain,
+- const char *clnt_name,
+- const char *machine_account,
+- const unsigned char machine_pwd[16],
+- enum netr_SchannelType sec_chan_type,
+- uint32_t *neg_flags_inout)
+-{
+- TALLOC_CTX *frame = talloc_stackframe();
+- struct loadparm_context *lp_ctx;
+- NTSTATUS status;
+- struct samr_Password password;
+- fstring mach_acct;
+- struct dcerpc_binding_handle *b = cli->binding_handle;
+- struct netlogon_creds_CredentialState *creds = NULL;
+-
+- if (!ndr_syntax_id_equal(&cli->abstract_syntax,
+- &ndr_table_netlogon.syntax_id)) {
+- TALLOC_FREE(frame);
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- if (!strequal(lp_netbios_name(), clnt_name)) {
+- TALLOC_FREE(frame);
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- TALLOC_FREE(cli->netlogon_creds);
+-
+- fstr_sprintf( mach_acct, "%s$", machine_account);
+-
+- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+- if (lp_ctx == NULL) {
+- TALLOC_FREE(frame);
+- return NT_STATUS_NO_MEMORY;
+- }
+- status = netlogon_creds_cli_context_global(lp_ctx,
+- NULL, /* msg_ctx */
+- mach_acct,
+- sec_chan_type,
+- server_name,
+- domain,
+- cli, &cli->netlogon_creds);
+- talloc_unlink(frame, lp_ctx);
+- if (!NT_STATUS_IS_OK(status)) {
+- TALLOC_FREE(frame);
+- return status;
+- }
+-
+- status = netlogon_creds_cli_get(cli->netlogon_creds,
+- frame, &creds);
+- if (NT_STATUS_IS_OK(status)) {
+- DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
+- "cached credential\n",
+- cli->desthost));
+- *neg_flags_inout = creds->negotiate_flags;
+- TALLOC_FREE(frame);
+- return NT_STATUS_OK;
+- }
+-
+- /* Store the machine account password we're going to use. */
+- memcpy(password.hash, machine_pwd, 16);
+-
+- DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
+- "chain established.\n",
+- cli->desthost ));
+-
+- status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
+- password, NULL);
+- if (!NT_STATUS_IS_OK(status)) {
+- TALLOC_FREE(frame);
+- return status;
+- }
+-
+- status = netlogon_creds_cli_get(cli->netlogon_creds,
+- frame, &creds);
+- if (!NT_STATUS_IS_OK(status)) {
+- TALLOC_FREE(frame);
+- return NT_STATUS_INTERNAL_ERROR;
+- }
+-
+- *neg_flags_inout = creds->negotiate_flags;
+- TALLOC_FREE(frame);
+- return NT_STATUS_OK;
+-}
+
+ NTSTATUS rpccli_pre_open_netlogon_creds(void)
+ {
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index 8547db6..0de836a 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
+
+ /* The following definitions come from rpc_client/cli_netlogon.c */
+
+-NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
+- const char *server_name,
+- const char *domain,
+- const char *clnt_name,
+- const char *machine_account,
+- const unsigned char machine_pwd[16],
+- enum netr_SchannelType sec_chan_type,
+- uint32_t *neg_flags_inout);
+ NTSTATUS rpccli_pre_open_netlogon_creds(void);
+ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
+ const char *server_netbios_domain,
+--
+1.9.3
+
+
+From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 19:23:18 +0200
+Subject: [PATCH 210/249] s3:rpc_client: remove unused
+ rpccli_netlogon_sam_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
+---
+ source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
+ source3/rpc_client/cli_netlogon.h | 9 ---
+ 2 files changed, 133 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 687d0c2..171337a 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+
+ /* Logon domain user */
+
+-NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- uint32 logon_parameters,
+- const char *domain,
+- const char *username,
+- const char *password,
+- const char *workstation,
+- uint16_t _ignored_validation_level,
+- int logon_type)
+-{
+- NTSTATUS status;
+- union netr_LogonLevel *logon;
+- uint16_t validation_level = 0;
+- union netr_Validation *validation = NULL;
+- uint8_t authoritative = 0;
+- uint32_t flags = 0;
+- fstring clnt_name_slash;
+-
+- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+- if (!logon) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- if (workstation) {
+- fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
+- } else {
+- fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
+- }
+-
+- /* Initialise input parameters */
+-
+- switch (logon_type) {
+- case NetlogonInteractiveInformation: {
+-
+- struct netr_PasswordInfo *password_info;
+-
+- struct samr_Password lmpassword;
+- struct samr_Password ntpassword;
+-
+- password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
+- if (!password_info) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
+-
+- password_info->identity_info.domain_name.string = domain;
+- password_info->identity_info.parameter_control = logon_parameters;
+- password_info->identity_info.logon_id_low = 0xdead;
+- password_info->identity_info.logon_id_high = 0xbeef;
+- password_info->identity_info.account_name.string = username;
+- password_info->identity_info.workstation.string = clnt_name_slash;
+-
+- password_info->lmpassword = lmpassword;
+- password_info->ntpassword = ntpassword;
+-
+- logon->password = password_info;
+-
+- break;
+- }
+- case NetlogonNetworkInformation: {
+- struct netr_NetworkInfo *network_info;
+- uint8 chal[8];
+- unsigned char local_lm_response[24];
+- unsigned char local_nt_response[24];
+- struct netr_ChallengeResponse lm;
+- struct netr_ChallengeResponse nt;
+-
+- ZERO_STRUCT(lm);
+- ZERO_STRUCT(nt);
+-
+- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
+- if (!network_info) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- generate_random_buffer(chal, 8);
+-
+- SMBencrypt(password, chal, local_lm_response);
+- SMBNTencrypt(password, chal, local_nt_response);
+-
+- lm.length = 24;
+- lm.data = local_lm_response;
+-
+- nt.length = 24;
+- nt.data = local_nt_response;
+-
+- network_info->identity_info.domain_name.string = domain;
+- network_info->identity_info.parameter_control = logon_parameters;
+- network_info->identity_info.logon_id_low = 0xdead;
+- network_info->identity_info.logon_id_high = 0xbeef;
+- network_info->identity_info.account_name.string = username;
+- network_info->identity_info.workstation.string = clnt_name_slash;
+-
+- memcpy(network_info->challenge, chal, 8);
+- network_info->nt = nt;
+- network_info->lm = lm;
+-
+- logon->network = network_info;
+-
+- break;
+- }
+- default:
+- DEBUG(0, ("switch value %d not supported\n",
+- logon_type));
+- return NT_STATUS_INVALID_INFO_CLASS;
+- }
+-
+- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
+- cli->binding_handle,
+- logon_type,
+- logon,
+- mem_ctx,
+- &validation_level,
+- &validation,
+- &authoritative,
+- &flags);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- return NT_STATUS_OK;
+-}
+-
+ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+ uint32_t logon_parameters,
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index 0de836a..eaa5b0c 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ bool force_reauth,
+ struct samr_Password current_nt_hash,
+ const struct samr_Password *previous_nt_hash);
+-NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- uint32 logon_parameters,
+- const char *domain,
+- const char *username,
+- const char *password,
+- const char *workstation,
+- uint16_t validation_level,
+- int logon_type);
+ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+ uint32_t logon_parameters,
+--
+1.9.3
+
+
+From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 19:23:54 +0200
+Subject: [PATCH 211/249] s3:rpc_client: remove unused
+ rpccli_netlogon_sam_network_logon()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
+---
+ source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
+ source3/rpc_client/cli_netlogon.h | 12 -----
+ 2 files changed, 106 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 171337a..ca2d9bf 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+ * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
+ **/
+
+-NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- uint32 logon_parameters,
+- const char *server,
+- const char *username,
+- const char *domain,
+- const char *workstation,
+- const uint8 chal[8],
+- uint16_t _ignored_validation_level,
+- DATA_BLOB lm_response,
+- DATA_BLOB nt_response,
+- struct netr_SamInfo3 **info3)
+-{
+- NTSTATUS status;
+- const char *workstation_name_slash;
+- union netr_LogonLevel *logon = NULL;
+- struct netr_NetworkInfo *network_info;
+- uint16_t validation_level = 0;
+- union netr_Validation *validation = NULL;
+- uint8_t authoritative = 0;
+- uint32_t flags = 0;
+- struct netr_ChallengeResponse lm;
+- struct netr_ChallengeResponse nt;
+-
+- *info3 = NULL;
+-
+- ZERO_STRUCT(lm);
+- ZERO_STRUCT(nt);
+-
+- logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+- if (!logon) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
+- if (!network_info) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- if (workstation[0] != '\\' && workstation[1] != '\\') {
+- workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
+- } else {
+- workstation_name_slash = workstation;
+- }
+-
+- if (!workstation_name_slash) {
+- DEBUG(0, ("talloc_asprintf failed!\n"));
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- /* Initialise input parameters */
+-
+- lm.data = lm_response.data;
+- lm.length = lm_response.length;
+- nt.data = nt_response.data;
+- nt.length = nt_response.length;
+-
+- network_info->identity_info.domain_name.string = domain;
+- network_info->identity_info.parameter_control = logon_parameters;
+- network_info->identity_info.logon_id_low = 0xdead;
+- network_info->identity_info.logon_id_high = 0xbeef;
+- network_info->identity_info.account_name.string = username;
+- network_info->identity_info.workstation.string = workstation_name_slash;
+-
+- memcpy(network_info->challenge, chal, 8);
+- network_info->nt = nt;
+- network_info->lm = lm;
+-
+- logon->network = network_info;
+-
+- /* Marshall data and send request */
+-
+- status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
+- cli->binding_handle,
+- NetlogonNetworkInformation,
+- logon,
+- mem_ctx,
+- &validation_level,
+- &validation,
+- &authoritative,
+- &flags);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- status = map_validation_to_info3(mem_ctx,
+- validation_level, validation,
+- info3);
+- if (!NT_STATUS_IS_OK(status)) {
+- return status;
+- }
+-
+- return NT_STATUS_OK;
+-}
+
+ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index eaa5b0c..61fed4a 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
+ const char *password,
+ const char *workstation,
+ enum netr_LogonInfoClass logon_type);
+-NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
+- TALLOC_CTX *mem_ctx,
+- uint32 logon_parameters,
+- const char *server,
+- const char *username,
+- const char *domain,
+- const char *workstation,
+- const uint8 chal[8],
+- uint16_t validation_level,
+- DATA_BLOB lm_response,
+- DATA_BLOB nt_response,
+- struct netr_SamInfo3 **info3);
+ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+--
+1.9.3
+
+
+From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 16 Sep 2013 19:25:27 +0200
+Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
+ rpc_pipe_client->netlogon_creds
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
+---
+ source3/rpc_client/cli_pipe.c | 9 ---------
+ source3/rpc_client/rpc_client.h | 3 ---
+ 2 files changed, 12 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 31cd7f5..8613a21 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ return status;
+ }
+
+- status = netlogon_creds_cli_context_copy(netlogon_creds,
+- rpccli,
+- &rpccli->netlogon_creds);
+- if (!NT_STATUS_IS_OK(status)) {
+- DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
+- nt_errstr(status)));
+- TALLOC_FREE(rpccli);
+- return status;
+- }
+
+ done:
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
+index 7c4cceb..7c5ff0e 100644
+--- a/source3/rpc_client/rpc_client.h
++++ b/source3/rpc_client/rpc_client.h
+@@ -48,9 +48,6 @@ struct rpc_pipe_client {
+ uint16 max_recv_frag;
+
+ struct pipe_auth_data *auth;
+-
+- /* The following is only non-null on a netlogon client pipe. */
+- struct netlogon_creds_cli_context *netlogon_creds;
+ };
+
+ #endif /* _RPC_CLIENT_H */
+--
+1.9.3
+
+
+From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 17 Oct 2013 19:17:12 +0200
+Subject: [PATCH 213/249] libcli/auth: remove unused
+ netlogon_creds_cli_context_copy()
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
+---
+ libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
+ libcli/auth/netlogon_creds_cli.h | 4 ----
+ 2 files changed, 51 deletions(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 6590b21..1724064 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
+ return NT_STATUS_OK;
+ }
+
+-NTSTATUS netlogon_creds_cli_context_copy(
+- const struct netlogon_creds_cli_context *src,
+- TALLOC_CTX *mem_ctx,
+- struct netlogon_creds_cli_context **_dst)
+-{
+- struct netlogon_creds_cli_context *dst;
+-
+- dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
+- if (dst == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- *dst = *src;
+-
+- dst->client.computer = talloc_strdup(dst, src->client.computer);
+- if (dst->client.computer == NULL) {
+- TALLOC_FREE(dst);
+- return NT_STATUS_NO_MEMORY;
+- }
+- dst->client.account = talloc_strdup(dst, src->client.account);
+- if (dst->client.account == NULL) {
+- TALLOC_FREE(dst);
+- return NT_STATUS_NO_MEMORY;
+- }
+- dst->server.computer = talloc_strdup(dst, src->server.computer);
+- if (dst->server.computer == NULL) {
+- TALLOC_FREE(dst);
+- return NT_STATUS_NO_MEMORY;
+- }
+- dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
+- if (dst->server.netbios_domain == NULL) {
+- TALLOC_FREE(dst);
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- dst->db.key_name = talloc_strdup(dst, src->db.key_name);
+- if (dst->db.key_name == NULL) {
+- TALLOC_FREE(dst);
+- return NT_STATUS_NO_MEMORY;
+- }
+-
+- dst->db.key_data = string_term_tdb_data(dst->db.key_name);
+-
+- *_dst = dst;
+- return NT_STATUS_OK;
+-}
+-
+ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
+ struct netlogon_creds_cli_context *context)
+ {
+diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
+index f8f2bef..5bd8bd3 100644
+--- a/libcli/auth/netlogon_creds_cli.h
++++ b/libcli/auth/netlogon_creds_cli.h
+@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
+ const char *server_netbios_domain,
+ TALLOC_CTX *mem_ctx,
+ struct netlogon_creds_cli_context **_context);
+-NTSTATUS netlogon_creds_cli_context_copy(
+- const struct netlogon_creds_cli_context *src,
+- TALLOC_CTX *mem_ctx,
+- struct netlogon_creds_cli_context **_dst);
+
+ enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
+ struct netlogon_creds_cli_context *context);
+--
+1.9.3
+
+
+From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 6 Dec 2013 11:38:21 +0100
+Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
+ to false
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
+---
+ docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
+ lib/param/param_functions.c | 1 +
+ lib/param/param_table.c | 9 +++++++++
+ 3 files changed, 36 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml
+
+diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
+new file mode 100644
+index 0000000..4d417c7
+--- /dev/null
++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
+@@ -0,0 +1,26 @@
++<samba:parameter name="allow nt4 crypto"
++ context="G"
++ type="boolean"
++ advanced="1"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++ <para>This option controls whether the netlogon server (currently
++ only in 'active directory domain controller' mode), will
++ reject clients which does not support NETLOGON_NEG_STRONG_KEYS
++ nor NETLOGON_NEG_SUPPORTS_AES.</para>
++
++ <para>This option was added with Samba 4.2.0. It may lock out clients
++ which worked fine with Samba versions up to 4.1.x. as the effective default
++ was "yes" there, while it is "no" now.</para>
++
++ <para>If you have clients without RequireStrongKey = 1 in the registry,
++ you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
++ </para>
++
++ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
++
++ <para>This option yields precedence to the 'reject md5 clients' option.</para>
++</description>
++
++<value type="default">no</value>
++</samba:parameter>
+diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
+index 41b137f..bf931c6 100644
+--- a/lib/param/param_functions.c
++++ b/lib/param/param_functions.c
+@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
+ FN_LOCAL_BOOL(durable_handles, bDurableHandles)
+
+ FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
++FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
+ FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
+ FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
+ FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index 36e8554..5ef78de 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
+ .special = NULL,
+ .enum_list = NULL
+ },
++ {
++ .label = "allow nt4 crypto",
++ .type = P_BOOL,
++ .p_class = P_GLOBAL,
++ .offset = GLOBAL_VAR(bAllowNT4Crypto),
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
+
+ {N_("TLS options"), P_SEP, P_SEPARATOR},
+
+--
+1.9.3
+
+
+From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 6 Dec 2013 11:39:15 +0100
+Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
+ to false
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
+---
+ docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
+ lib/param/param_functions.c | 1 +
+ lib/param/param_table.c | 9 +++++++++
+ 3 files changed, 28 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml
+
+diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+new file mode 100644
+index 0000000..04a5b4d
+--- /dev/null
++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+@@ -0,0 +1,18 @@
++<samba:parameter name="reject md5 clients"
++ context="G"
++ type="boolean"
++ advanced="1"
++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++ <para>This option controls whether the netlogon server (currently
++ only in 'active directory domain controller' mode), will
++ reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
++
++ <para>You can set this to yes if all domain members support aes.
++ This will prevent downgrade attacks.</para>
++
++ <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
++</description>
++
++<value type="default">no</value>
++</samba:parameter>
+diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
+index bf931c6..99f0b7f 100644
+--- a/lib/param/param_functions.c
++++ b/lib/param/param_functions.c
+@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
+ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
+ FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
+ FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
++FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
+ FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
+ FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
+ FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
+diff --git a/lib/param/param_table.c b/lib/param/param_table.c
+index 5ef78de..4850324 100644
+--- a/lib/param/param_table.c
++++ b/lib/param/param_table.c
+@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
++ {
++ .label = "reject md5 clients",
++ .type = P_BOOL,
++ .p_class = P_GLOBAL,
++ .offset = GLOBAL_VAR(bRejectMD5Clients),
++ .special = NULL,
++ .enum_list = NULL,
++ .flags = FLAG_ADVANCED,
++ },
+
+ {N_("TLS options"), P_SEP, P_SEPARATOR},
+
+--
+1.9.3
+
+
+From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 6 Dec 2013 13:41:43 +0100
+Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
+ testing
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
+---
+ selftest/target/Samba4.pm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index ac2fdd9..ee6a365 100644
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
+ server max protocol = SMB2
+ host msdfs = $msdfs
+ lanman auth = yes
++ allow nt4 crypto = yes
+
+ $extra_smbconf_options
+
+--
+1.9.3
+
+
+From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 23 Dec 2013 10:12:24 +0100
+Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags
+
+We need to bit-wise AND the client and server flags.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
+ 1 file changed, 28 insertions(+), 31 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index c41cd02..b001cb5 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+
+ const char *trust_dom_attrs[] = {"flatname", NULL};
+ const char *account_name;
++ uint32_t server_flags = 0;
+ uint32_t negotiate_flags = 0;
+
+ ZERO_STRUCTP(r->out.return_credentials);
+@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+ memcache_delete(global_challenge_table,
+ SINGLETON_CACHE, challenge_key);
+
+- negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+- NETLOGON_NEG_PERSISTENT_SAMREPL |
+- NETLOGON_NEG_ARCFOUR |
+- NETLOGON_NEG_PROMOTION_COUNT |
+- NETLOGON_NEG_CHANGELOG_BDC |
+- NETLOGON_NEG_FULL_SYNC_REPL |
+- NETLOGON_NEG_MULTIPLE_SIDS |
+- NETLOGON_NEG_REDO |
+- NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+- NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+- NETLOGON_NEG_GENERIC_PASSTHROUGH |
+- NETLOGON_NEG_CONCURRENT_RPC |
+- NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+- NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+- NETLOGON_NEG_TRANSITIVE_TRUSTS |
+- NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+- NETLOGON_NEG_PASSWORD_SET2 |
+- NETLOGON_NEG_GETDOMAININFO |
+- NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+- NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
+- NETLOGON_NEG_RODC_PASSTHROUGH |
+- NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+- NETLOGON_NEG_AUTHENTICATED_RPC;
+-
+- if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+- negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
+- }
+-
+- if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+- negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
+- }
++ server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
++ NETLOGON_NEG_PERSISTENT_SAMREPL |
++ NETLOGON_NEG_ARCFOUR |
++ NETLOGON_NEG_PROMOTION_COUNT |
++ NETLOGON_NEG_CHANGELOG_BDC |
++ NETLOGON_NEG_FULL_SYNC_REPL |
++ NETLOGON_NEG_MULTIPLE_SIDS |
++ NETLOGON_NEG_REDO |
++ NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
++ NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
++ NETLOGON_NEG_GENERIC_PASSTHROUGH |
++ NETLOGON_NEG_CONCURRENT_RPC |
++ NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
++ NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
++ NETLOGON_NEG_STRONG_KEYS |
++ NETLOGON_NEG_TRANSITIVE_TRUSTS |
++ NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
++ NETLOGON_NEG_PASSWORD_SET2 |
++ NETLOGON_NEG_GETDOMAININFO |
++ NETLOGON_NEG_CROSS_FOREST_TRUSTS |
++ NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
++ NETLOGON_NEG_RODC_PASSTHROUGH |
++ NETLOGON_NEG_SUPPORTS_AES |
++ NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
++ NETLOGON_NEG_AUTHENTICATED_RPC;
++
++ negotiate_flags = *r->in.negotiate_flags & server_flags;
+
+ /*
+ * According to Microsoft (see bugid #6099)
+--
+1.9.3
+
+
+From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 23 Dec 2013 10:10:17 +0100
+Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
+ SEC_CHAN_NULL.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index b001cb5..45a7262 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+ case SEC_CHAN_BDC:
+ case SEC_CHAN_RODC:
+ break;
++ case SEC_CHAN_NULL:
++ return NT_STATUS_INVALID_PARAMETER;
+ default:
+ DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
+ r->in.secure_channel_type));
+--
+1.9.3
+
+
+From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 6 Dec 2013 12:08:50 +0100
+Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
+ md5 clients" features.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Tue Jan 7 16:53:31 CET 2014 on sn-devel-104
+(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 45a7262..6b57cda 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+ const char *account_name;
+ uint32_t server_flags = 0;
+ uint32_t negotiate_flags = 0;
++ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
++ bool reject_des_client = !allow_nt4_crypto;
++ bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
+
+ ZERO_STRUCTP(r->out.return_credentials);
+ *r->out.rid = 0;
+@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+
+ negotiate_flags = *r->in.negotiate_flags & server_flags;
+
++ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
++ reject_des_client = false;
++ }
++
++ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
++ reject_des_client = false;
++ reject_md5_client = false;
++ }
++
++ if (reject_des_client || reject_md5_client) {
++ /*
++ * Here we match Windows 2012 and return no flags.
++ */
++ *r->out.negotiate_flags = 0;
++ return NT_STATUS_DOWNGRADE_DETECTED;
++ }
++
+ /*
+ * According to Microsoft (see bugid #6099)
+ * Windows 7 looks at the negotiate_flags
+--
+1.9.3
+
+
+From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 8 Jan 2014 12:04:22 +0100
+Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
+ in netlogon_creds_cli_check_caps()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Günther Deschner <gd@samba.org>
+(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
+---
+ libcli/auth/netlogon_creds_cli.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 1724064..51b30a1 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
+ };
+
+ static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
+- NTSTATUS status);
++ NTSTATUS status);
+ static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
+
+ struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
+@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
+ * with the next request as the sequence number processing
+ * gets out of sync.
+ */
+- netlogon_creds_cli_check_cleanup(req, result);
++ netlogon_creds_cli_check_cleanup(req, status);
+ tevent_req_done(req);
+ return;
+ }
+--
+1.9.3
+
+
+From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 17 Jan 2014 14:00:27 +0100
+Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()
+
+This can be used to inject a db_context from dbwrap_ctdb.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
+---
+ libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
+ libcli/auth/netlogon_creds_cli.h | 2 ++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 51b30a1..37bdf74 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
+
+ static struct db_context *netlogon_creds_cli_global_db;
+
++NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
++{
++ if (netlogon_creds_cli_global_db != NULL) {
++ return NT_STATUS_INVALID_PARAMETER_MIX;
++ }
++
++ netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
++ return NT_STATUS_OK;
++}
++
+ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
+ {
+ char *fname;
+diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
+index 5bd8bd3..90d0182 100644
+--- a/libcli/auth/netlogon_creds_cli.h
++++ b/libcli/auth/netlogon_creds_cli.h
+@@ -28,7 +28,9 @@
+ struct netlogon_creds_cli_context;
+ struct messaging_context;
+ struct dcerpc_binding_handle;
++struct db_context;
+
++NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
+ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
+
+ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+--
+1.9.3
+
+
+From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 17 Jan 2014 14:07:37 +0100
+Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
+ "netlogon_creds_cli.tdb"
+
+This uses dbwrap_ctdb if running in a cluster.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
+---
+ source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index ca2d9bf..b7b490f 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -21,6 +21,7 @@
+ */
+
+ #include "includes.h"
++#include "system/filesys.h"
+ #include "libsmb/libsmb.h"
+ #include "rpc_client/rpc_client.h"
+ #include "rpc_client/cli_pipe.h"
+@@ -34,26 +35,53 @@
+ #include "../libcli/security/security.h"
+ #include "lib/param/param.h"
+ #include "libcli/smb/smbXcli_base.h"
++#include "dbwrap/dbwrap.h"
++#include "dbwrap/dbwrap_open.h"
++#include "util_tdb.h"
+
+
+ NTSTATUS rpccli_pre_open_netlogon_creds(void)
+ {
+- TALLOC_CTX *frame = talloc_stackframe();
++ static bool already_open = false;
++ TALLOC_CTX *frame;
+ struct loadparm_context *lp_ctx;
++ char *fname;
++ struct db_context *global_db;
+ NTSTATUS status;
+
++ if (already_open) {
++ return NT_STATUS_OK;
++ }
++
++ frame = talloc_stackframe();
++
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- status = netlogon_creds_cli_open_global_db(lp_ctx);
++ fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
++ if (fname == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ global_db = db_open(talloc_autofree_context(), fname,
++ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
++ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
++ if (global_db == NULL) {
++ TALLOC_FREE(frame);
++ return NT_STATUS_NO_MEMORY;
++ }
++
++ status = netlogon_creds_cli_set_global_db(&global_db);
+ TALLOC_FREE(frame);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
++ already_open = true;
+ return NT_STATUS_OK;
+ }
+
+@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
+ struct loadparm_context *lp_ctx;
+ NTSTATUS status;
+
++ status = rpccli_pre_open_netlogon_creds();
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
++ return status;
++ }
++
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx == NULL) {
+ TALLOC_FREE(frame);
+--
+1.9.3
+
+
+From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 17 Jan 2014 14:08:59 +0100
+Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
+ mode.
+
+This breaks NTLMv2 authentication.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
+---
+ libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
+ 1 file changed, 3 insertions(+), 19 deletions(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 37bdf74..88893ad 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+ bool seal_secure_channel = true;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+ bool neutralize_nt4_emulation = false;
+- struct server_id self = {
+- .vnn = NONCLUSTER_VNN,
+- .unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
+- };
+-
+- if (msg_ctx != NULL) {
+- self = messaging_server_id(msg_ctx);
+- }
+
+ *_context = NULL;
+
+- if (self.vnn != NONCLUSTER_VNN) {
+- client_computer = talloc_asprintf(frame,
+- "%s_cluster_vnn_%u",
+- lpcfg_netbios_name(lp_ctx),
+- (unsigned)self.vnn);
+- if (client_computer == NULL) {
+- TALLOC_FREE(frame);
+- return NT_STATUS_NO_MEMORY;
+- }
+- } else {
+- client_computer = lpcfg_netbios_name(lp_ctx);
++ client_computer = lpcfg_netbios_name(lp_ctx);
++ if (strlen(client_computer) > 15) {
++ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ /*
+--
+1.9.3
+
+
+From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 10 Jan 2014 13:13:40 +0100
+Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
+ chars
+
+This matches Windows, it seems they use a fixed size field to store
+netlogon_creds_CredentialState.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
+---
+ libcli/auth/schannel_state_tdb.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
+index 8f9c1f0..b91e242 100644
+--- a/libcli/auth/schannel_state_tdb.c
++++ b/libcli/auth/schannel_state_tdb.c
+@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
+ char *name_upper;
+ NTSTATUS status;
+
++ if (strlen(creds->computer_name) > 15) {
++ /*
++ * We may want to check for a completely
++ * valid netbios name.
++ */
++ return STATUS_BUFFER_OVERFLOW;
++ }
++
+ name_upper = strupper_talloc(mem_ctx, creds->computer_name);
+ if (!name_upper) {
+ return NT_STATUS_NO_MEMORY;
+--
+1.9.3
+
+
+From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 11 Jan 2014 17:13:04 +0100
+Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
+ return_authenticator on error
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 09857b6..7bb9dd6 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
+ talloc_unlink(p->mem_ctx, lp_ctx);
+
+ if (!NT_STATUS_IS_OK(status)) {
++ ZERO_STRUCTP(r->out.return_credentials);
+ goto out;
+ }
+
+--
+1.9.3
+
+
+From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 11 Jan 2014 17:13:04 +0100
+Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
+ return_authenticator and rid on error
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
+---
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+index 6b57cda..afa15d8 100644
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+- *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
+- "objectSid", 0);
+-
+ mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
+ if (mach_pwd == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
+@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
+ nt_status = schannel_save_creds_state(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ creds);
++ if (!NT_STATUS_IS_OK(nt_status)) {
++ ZERO_STRUCTP(r->out.return_credentials);
++ return nt_status;
++ }
+
+- return nt_status;
++ *r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
++ "objectSid", 0);
++
++ return NT_STATUS_OK;
+ }
+
+ static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+--
+1.9.3
+
+
+From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Wed, 29 Jan 2014 16:58:37 +0100
+Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
+ "--persistent"
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
+---
+ source3/utils/dbwrap_tool.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
+index 79b40d2..406e89e 100644
+--- a/source3/utils/dbwrap_tool.c
++++ b/source3/utils/dbwrap_tool.c
+@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
+ struct poptOption popt_options[] = {
+ POPT_AUTOHELP
+ POPT_COMMON_SAMBA
+- { "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
++ { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
+ POPT_TABLEEND
+ };
+ int opt;
+--
+1.9.3
+
+
+From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 30 Jan 2014 10:33:00 +0100
+Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
+ dbwrap_tool manpage
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
+---
+ docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
+index 074d819..94ae281 100644
+--- a/docs-xml/manpages/dbwrap_tool.1.xml
++++ b/docs-xml/manpages/dbwrap_tool.1.xml
+@@ -19,7 +19,7 @@
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dbwrap_tool</command>
+- <arg choice="opt">-p|--persistent</arg>
++ <arg choice="opt">--persistent</arg>
+ <arg choice="opt">-d <debug level></arg>
+ <arg choice="opt">-s <config file></arg>
+ <arg choice="opt">-l <log file base></arg>
+@@ -70,7 +70,7 @@
+
+ <variablelist>
+ <varlistentry>
+- <term>-p|--persistent</term>
++ <term>--persistent</term>
+ <listitem><para>Open the database as a persistent database.
+ If this option is not specified, the database is opened as
+ non-persistent.
+--
+1.9.3
+
+
+From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 30 Jan 2014 10:29:49 +0100
+Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
+ excatly one of "--[non-]persistent"
+
+We want to force users of dbwrap_tool to explicitly specify
+persistent or non-persistent. Otherwise, one could easily
+by accident wipe a whole database that is actually persistent
+but not currently opened by a samba process, just by openeing
+the DB with the default non-persistent mode...
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
+---
+ source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
+index 406e89e..ffca6b6 100644
+--- a/source3/utils/dbwrap_tool.c
++++ b/source3/utils/dbwrap_tool.c
+@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
+ enum dbwrap_type type;
+ const char *valuestr = "0";
+ int persistent = 0;
++ int non_persistent = 0;
+ int tdb_flags = TDB_DEFAULT;
+
+ TALLOC_CTX *mem_ctx = talloc_stackframe();
+@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
+ struct poptOption popt_options[] = {
+ POPT_AUTOHELP
+ POPT_COMMON_SAMBA
+- { "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
++ { "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
++ "treat the database as non-persistent "
++ "(CAVEAT: This mode might wipe your database!)",
++ NULL },
++ { "persistent", 0, POPT_ARG_NONE, &persistent, 0,
++ "treat the database as persistent",
++ NULL },
+ POPT_TABLEEND
+ };
+ int opt;
+@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
+ goto done;
+ }
+
++ if ((persistent == 0 && non_persistent == 0) ||
++ (persistent == 1 && non_persistent == 1))
++ {
++ d_fprintf(stderr, "ERROR: you must specify exactly one "
++ "of --persistent and --non-persistent\n");
++ goto done;
++ } else if (non_persistent == 1) {
++ tdb_flags |= TDB_CLEAR_IF_FIRST;
++ }
++
+ dbname = extra_argv[0];
+ opname = extra_argv[1];
+
+@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
+ goto done;
+ }
+
+- if (persistent == 0) {
+- tdb_flags |= TDB_CLEAR_IF_FIRST;
+- }
+-
+ switch (op) {
+ case OP_FETCH:
+ case OP_STORE:
+--
+1.9.3
+
+
+From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 30 Jan 2014 10:36:46 +0100
+Subject: [PATCH 230/249] docs: document new --non-persistent option to
+ dbwrap_tool
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
+---
+ docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
+index 94ae281..ff0e478 100644
+--- a/docs-xml/manpages/dbwrap_tool.1.xml
++++ b/docs-xml/manpages/dbwrap_tool.1.xml
+@@ -20,6 +20,7 @@
+ <cmdsynopsis>
+ <command>dbwrap_tool</command>
+ <arg choice="opt">--persistent</arg>
++ <arg choice="opt">--non-persistent</arg>
+ <arg choice="opt">-d <debug level></arg>
+ <arg choice="opt">-s <config file></arg>
+ <arg choice="opt">-l <log file base></arg>
+@@ -72,8 +73,23 @@
+ <varlistentry>
+ <term>--persistent</term>
+ <listitem><para>Open the database as a persistent database.
+- If this option is not specified, the database is opened as
+- non-persistent.
++ </para>
++ <para>
++ Exactly one of --persistent and --non-persistent must be
++ specified.
++ </para></listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>--non-persistent</term>
++ <listitem><para>Open the database as a non-persistent database.
++ </para>
++ <para>
++ Caveat: opening a database as non-persistent when there
++ is currently no other opener will wipe the database.
++ </para>
++ <para>
++ Exactly one of --persistent and --non-persistent must be
++ specified.
+ </para></listitem>
+ </varlistentry>
+ &popt.common.samba.client;
+--
+1.9.3
+
+
+From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Thu, 30 Jan 2014 10:47:15 +0100
+Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
+---
+ docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
+index ff0e478..68a88df 100644
+--- a/docs-xml/manpages/dbwrap_tool.1.xml
++++ b/docs-xml/manpages/dbwrap_tool.1.xml
+@@ -30,9 +30,7 @@
+ <arg choice="req"><operation></arg>
+ <arg choice="opt"><key>
+ <arg choice="opt"><type>
+- <arg choice="opt"><value></arg>
+- </arg>
+- </arg>
++ <arg choice="opt"><value></arg></arg></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+--
+1.9.3
+
+
+From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Fri, 24 Jan 2014 00:09:50 +0100
+Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
+ the smbXsrv_open->local_id
+
+Originally, fsp->fnum was left at the INVALID fnum value.
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
+---
+ source3/smbd/durable.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
+index c3d0a6f..471c5b9 100644
+--- a/source3/smbd/durable.c
++++ b/source3/smbd/durable.c
+@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
+ fsp->share_access = e->share_access;
+ fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
+ fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
++ fsp->fnum = op->local_id;
+
+ /*
+ * TODO:
+--
+1.9.3
+
+
+From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 24 Dec 2013 09:00:01 +0100
+Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()
+
+This should avoid scary ndr_pull errors, if there's
+a cleanup race.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
+(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
+---
+ source3/smbd/smbXsrv_open.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
+index 27dd50c..29c172c 100644
+--- a/source3/smbd/smbXsrv_open.c
++++ b/source3/smbd/smbXsrv_open.c
+@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
+ struct smbXsrv_open_global0 *op = NULL;
+ uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
+ TDB_DATA key;
++ TDB_DATA val;
+ struct db_record *rec;
+ bool delete_open = false;
+ uint32_t global_id = persistent_id & UINT32_MAX;
+@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
+ goto done;
+ }
+
++ val = dbwrap_record_get_value(rec);
++ if (val.dsize == 0) {
++ DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
++ "empty record in %s, skipping...\n",
++ global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
++ goto done;
++ }
++
+ status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
+--
+1.9.3
+
+
+From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Mon, 27 Jan 2014 13:38:51 +0100
+Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE
+
+This is in preparation of adding a dbwrap_flags argument to db_open
+and firends.
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
+---
+ lib/dbwrap/dbwrap.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
+index 8bf3286..4064ba2 100644
+--- a/lib/dbwrap/dbwrap.h
++++ b/lib/dbwrap/dbwrap.h
+@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
+ };
+ #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
+
++#define DBWRAP_FLAG_NONE 0x0000000000000000ULL
++
+ /* The following definitions come from lib/dbwrap.c */
+
+ TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
+--
+1.9.3
+
+
+From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Mon, 27 Jan 2014 14:49:12 +0100
+Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()
+
+This is in preparation to support handing flags to backends,
+in particular activating read only record support for ctdb
+databases. For a start, this does nothing but adding the
+parameter, and all databases use DBWRAP_FLAG_NONE.
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
+---
+ source3/groupdb/mapping_tdb.c | 2 +-
+ source3/lib/dbwrap/dbwrap_open.c | 3 ++-
+ source3/lib/dbwrap/dbwrap_open.h | 3 ++-
+ source3/lib/dbwrap/dbwrap_watch.c | 3 ++-
+ source3/lib/g_lock.c | 3 ++-
+ source3/lib/serverid.c | 3 ++-
+ source3/lib/sharesec.c | 2 +-
+ source3/locking/brlock.c | 2 +-
+ source3/locking/share_mode_lock.c | 2 +-
+ source3/modules/vfs_acl_tdb.c | 2 +-
+ source3/modules/vfs_xattr_tdb.c | 2 +-
+ source3/passdb/account_pol.c | 4 ++--
+ source3/passdb/pdb_tdb.c | 6 +++---
+ source3/passdb/secrets.c | 2 +-
+ source3/printing/printer_list.c | 3 ++-
+ source3/registry/reg_backend_db.c | 6 +++---
+ source3/rpc_client/cli_netlogon.c | 3 ++-
+ source3/smbd/notify_internal.c | 2 +-
+ source3/smbd/smbXsrv_open.c | 3 ++-
+ source3/smbd/smbXsrv_session.c | 3 ++-
+ source3/smbd/smbXsrv_tcon.c | 3 ++-
+ source3/smbd/smbXsrv_version.c | 3 ++-
+ source3/torture/test_dbwrap_watch.c | 3 ++-
+ source3/torture/test_idmap_tdb_common.c | 2 +-
+ source3/torture/torture.c | 3 ++-
+ source3/utils/dbwrap_tool.c | 2 +-
+ source3/utils/dbwrap_torture.c | 2 +-
+ source3/utils/net_idmap.c | 6 +++---
+ source3/utils/net_idmap_check.c | 2 +-
+ source3/utils/net_registry_check.c | 4 ++--
+ source3/utils/status.c | 2 +-
+ source3/winbindd/idmap_autorid.c | 2 +-
+ source3/winbindd/idmap_tdb.c | 2 +-
+ source3/winbindd/idmap_tdb2.c | 2 +-
+ 34 files changed, 55 insertions(+), 42 deletions(-)
+
+diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
+index 088874f..0863187 100644
+--- a/source3/groupdb/mapping_tdb.c
++++ b/source3/groupdb/mapping_tdb.c
+@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
+
+ db = db_open(NULL, state_path("group_mapping.tdb"), 0,
+ TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ DEBUG(0, ("Failed to open group mapping database: %s\n",
+ strerror(errno)));
+diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
+index 515b4bf..6c9280c 100644
+--- a/source3/lib/dbwrap/dbwrap_open.c
++++ b/source3/lib/dbwrap/dbwrap_open.c
+@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
+ const char *name,
+ int hash_size, int tdb_flags,
+ int open_flags, mode_t mode,
+- enum dbwrap_lock_order lock_order)
++ enum dbwrap_lock_order lock_order,
++ uint64_t dbwrap_flags)
+ {
+ struct db_context *result = NULL;
+ #ifdef CLUSTER_SUPPORT
+diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
+index 51c7dfd..d14794e 100644
+--- a/source3/lib/dbwrap/dbwrap_open.h
++++ b/source3/lib/dbwrap/dbwrap_open.h
+@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
+ const char *name,
+ int hash_size, int tdb_flags,
+ int open_flags, mode_t mode,
+- enum dbwrap_lock_order lock_order);
++ enum dbwrap_lock_order lock_order,
++ uint64_t dbwrap_flags);
+
+ #endif /* __DBWRAP_OPEN_H__ */
+diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
+index 7bdcd99..5f3d17d 100644
+--- a/source3/lib/dbwrap/dbwrap_watch.c
++++ b/source3/lib/dbwrap/dbwrap_watch.c
+@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
+ watchers_db = db_open(
+ NULL, lock_path("dbwrap_watchers.tdb"), 0,
+ TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
+- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
++ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
++ DBWRAP_FLAG_NONE);
+ }
+ return watchers_db;
+ }
+diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
+index 8c7a6c2..6813f06 100644
+--- a/source3/lib/g_lock.c
++++ b/source3/lib/g_lock.c
+@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
+ result->db = db_open(result, lock_path("g_lock.tdb"), 0,
+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+ O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_2);
++ DBWRAP_LOCK_ORDER_2,
++ DBWRAP_FLAG_NONE);
+ if (result->db == NULL) {
+ DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
+ TALLOC_FREE(result);
+diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
+index cb49520..4259887 100644
+--- a/source3/lib/serverid.c
++++ b/source3/lib/serverid.c
+@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
+ }
+ db = db_open(NULL, lock_path("serverid.tdb"), 0,
+ TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
++ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
++ DBWRAP_FLAG_NONE);
+ return db;
+ }
+
+diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
+index c7a8e51..095c851 100644
+--- a/source3/lib/sharesec.c
++++ b/source3/lib/sharesec.c
+@@ -149,7 +149,7 @@ bool share_info_db_init(void)
+
+ share_db = db_open(NULL, state_path("share_info.tdb"), 0,
+ TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (share_db == NULL) {
+ DEBUG(0,("Failed to open share info database %s (%s)\n",
+ state_path("share_info.tdb"), strerror(errno) ));
+diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
+index 5d683dd..d88aa2d 100644
+--- a/source3/locking/brlock.c
++++ b/source3/locking/brlock.c
+@@ -292,7 +292,7 @@ void brl_init(bool read_only)
+ brlock_db = db_open(NULL, lock_path("brlock.tdb"),
+ lp_open_files_db_hash_size(), tdb_flags,
+ read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
+- DBWRAP_LOCK_ORDER_2);
++ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
+ if (!brlock_db) {
+ DEBUG(0,("Failed to open byte range locking database %s\n",
+ lock_path("brlock.tdb")));
+diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
+index 4f049bd..22f8d9a 100644
+--- a/source3/locking/share_mode_lock.c
++++ b/source3/locking/share_mode_lock.c
+@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
+ lp_open_files_db_hash_size(),
+ TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+ read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (!lock_db) {
+ DEBUG(0,("ERROR: Failed to initialise locking database\n"));
+diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
+index 80839e3..8ee4bd5 100644
+--- a/source3/modules/vfs_acl_tdb.c
++++ b/source3/modules/vfs_acl_tdb.c
+@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
+
+ become_root();
+ acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ unbecome_root();
+
+ if (acl_db == NULL) {
+diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
+index 43456cf..63a12fd 100644
+--- a/source3/modules/vfs_xattr_tdb.c
++++ b/source3/modules/vfs_xattr_tdb.c
+@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
+
+ become_root();
+ db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_2);
++ DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
+ unbecome_root();
+
+ if (db == NULL) {
+diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
+index c94df29..09a2d20 100644
+--- a/source3/passdb/account_pol.c
++++ b/source3/passdb/account_pol.c
+@@ -220,13 +220,13 @@ bool init_account_policy(void)
+ }
+
+ db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
+- O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
++ O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (db == NULL) { /* the account policies files does not exist or open
+ * failed, try to create a new one */
+ db = db_open(NULL, state_path("account_policy.tdb"), 0,
+ TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ DEBUG(0,("Failed to open account policy database\n"));
+ return False;
+diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
+index f256e6c..162083f 100644
+--- a/source3/passdb/pdb_tdb.c
++++ b/source3/passdb/pdb_tdb.c
+@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
+
+ tmp_db = db_open(NULL, tmp_fname, 0,
+ TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (tmp_db == NULL) {
+ DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
+ "[%s]\n", tmp_fname));
+@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
+
+ orig_db = db_open(NULL, dbname, 0,
+ TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (orig_db == NULL) {
+ DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
+ "converted passdb TDB [%s]\n", dbname));
+@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
+ /* Try to open tdb passwd. Create a new one if necessary */
+
+ db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db_sam == NULL) {
+ DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
+ "[%s]\n", name));
+diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
+index 548b030..bff9a0d 100644
+--- a/source3/passdb/secrets.c
++++ b/source3/passdb/secrets.c
+@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
+
+ db_ctx = db_open(NULL, fname, 0,
+ TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (db_ctx == NULL) {
+ DEBUG(0,("Failed to open %s\n", fname));
+diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
+index 815f89f..9a9fa0b 100644
+--- a/source3/printing/printer_list.c
++++ b/source3/printing/printer_list.c
+@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
+ }
+ db = db_open(NULL, PL_DB_NAME(), 0,
+ TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
++ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ return db;
+ }
+
+diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
+index 3e561eb..fdaf576 100644
+--- a/source3/registry/reg_backend_db.c
++++ b/source3/registry/reg_backend_db.c
+@@ -732,11 +732,11 @@ WERROR regdb_init(void)
+
+ regdb = db_open(NULL, state_path("registry.tdb"), 0,
+ REG_TDB_FLAGS, O_RDWR, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (!regdb) {
+ regdb = db_open(NULL, state_path("registry.tdb"), 0,
+ REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (!regdb) {
+ werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
+ DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
+@@ -852,7 +852,7 @@ WERROR regdb_open( void )
+
+ regdb = db_open(NULL, state_path("registry.tdb"), 0,
+ REG_TDB_FLAGS, O_RDWR, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if ( !regdb ) {
+ result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
+ DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index b7b490f..9e3c1bd 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
+
+ global_db = db_open(talloc_autofree_context(), fname,
+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
++ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
++ DBWRAP_FLAG_NONE);
+ if (global_db == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
+index 2dc8674..67d8774 100644
+--- a/source3/smbd/notify_internal.c
++++ b/source3/smbd/notify_internal.c
+@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
+ notify->db_index = db_open(
+ notify, lock_path("notify_index.tdb"),
+ 0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+- O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
++ O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
+ if (notify->db_index == NULL) {
+ goto fail;
+ }
+diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
+index 29c172c..830c7aa 100644
+--- a/source3/smbd/smbXsrv_open.c
++++ b/source3/smbd/smbXsrv_open.c
+@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
+ TDB_CLEAR_IF_FIRST |
+ TDB_INCOMPATIBLE_HASH,
+ O_RDWR | O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ if (db_ctx == NULL) {
+ NTSTATUS status;
+
+diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
+index 017880c..a1ba52d 100644
+--- a/source3/smbd/smbXsrv_session.c
++++ b/source3/smbd/smbXsrv_session.c
+@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
+ TDB_CLEAR_IF_FIRST |
+ TDB_INCOMPATIBLE_HASH,
+ O_RDWR | O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ if (db_ctx == NULL) {
+ NTSTATUS status;
+
+diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
+index b6e2058..2cbd761 100644
+--- a/source3/smbd/smbXsrv_tcon.c
++++ b/source3/smbd/smbXsrv_tcon.c
+@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
+ TDB_CLEAR_IF_FIRST |
+ TDB_INCOMPATIBLE_HASH,
+ O_RDWR | O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ if (db_ctx == NULL) {
+ NTSTATUS status;
+
+diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
+index 8ba5e1f..b24dae9 100644
+--- a/source3/smbd/smbXsrv_version.c
++++ b/source3/smbd/smbXsrv_version.c
+@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
+ TDB_CLEAR_IF_FIRST |
+ TDB_INCOMPATIBLE_HASH,
+ O_RDWR | O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ if (db_ctx == NULL) {
+ status = map_nt_error_from_unix_common(errno);
+ DEBUG(0,("smbXsrv_version_global_init: "
+diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
+index 9c2a679..4e699fe 100644
+--- a/source3/torture/test_dbwrap_watch.c
++++ b/source3/torture/test_dbwrap_watch.c
+@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
+ goto fail;
+ }
+ db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
+- O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
++ O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ fprintf(stderr, "db_open failed: %s\n", strerror(errno));
+ goto fail;
+diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
+index 6f5f3c5..f7262a2 100644
+--- a/source3/torture/test_idmap_tdb_common.c
++++ b/source3/torture/test_idmap_tdb_common.c
+@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
+
+ ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
+ O_RDWR | O_CREAT, 0600,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if(!ctx->db) {
+ DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
+diff --git a/source3/torture/torture.c b/source3/torture/torture.c
+index 2e66912..1dc3eaf 100644
+--- a/source3/torture/torture.c
++++ b/source3/torture/torture.c
+@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
+ TDB_DATA value;
+
+ db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
+- O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
++ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
++ DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ printf("Could not open transtest.db\n");
+ return false;
+diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
+index ffca6b6..b56e07a 100644
+--- a/source3/utils/dbwrap_tool.c
++++ b/source3/utils/dbwrap_tool.c
+@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
+ case OP_LISTKEYS:
+ case OP_EXISTS:
+ db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
+- 0644, DBWRAP_LOCK_ORDER_1);
++ 0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ d_fprintf(stderr, "ERROR: could not open dbname\n");
+ goto done;
+diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
+index 2741820..f748ac2 100644
+--- a/source3/utils/dbwrap_torture.c
++++ b/source3/utils/dbwrap_torture.c
+@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
+ }
+
+ db = db_open(mem_ctx, db_name, 0, tdb_flags, O_RDWR | O_CREAT, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (db == NULL) {
+ d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
+diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
+index fbeca3e..6fc07e7 100644
+--- a/source3/utils/net_idmap.c
++++ b/source3/utils/net_idmap.c
+@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
+ d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
+
+ db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
+ dbfile, strerror(errno));
+@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
+ }
+
+ db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
+ dbfile, strerror(errno));
+@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
+ d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
+
+ db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
+ dbfile, strerror(errno));
+diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
+index e75c890..4b82871 100644
+--- a/source3/utils/net_idmap_check.c
++++ b/source3/utils/net_idmap_check.c
+@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
+ }
+
+ ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (ctx->db == NULL) {
+ d_fprintf(stderr,
+ _("Could not open idmap db (%s) for writing: %s\n"),
+diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
+index 8cdb8fa..d57c2aa 100644
+--- a/source3/utils/net_registry_check.c
++++ b/source3/utils/net_registry_check.c
+@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
+ }
+
+ ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (ctx->odb == NULL) {
+ d_fprintf(stderr,
+ _("Could not open db (%s) for writing: %s\n"),
+@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
+
+ static bool check_ctx_open_input(struct check_ctx *ctx) {
+ ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (ctx->idb == NULL) {
+ d_fprintf(stderr,
+ _("Could not open db (%s) for reading: %s\n"),
+diff --git a/source3/utils/status.c b/source3/utils/status.c
+index be7c52f..1ff0e36 100644
+--- a/source3/utils/status.c
++++ b/source3/utils/status.c
+@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
+ struct db_context *db;
+ db = db_open(NULL, lock_path("locking.tdb"), 0,
+ TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (!db) {
+ d_printf("%s not initialised\n",
+diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
+index 57d952e..0bd2938 100644
+--- a/source3/winbindd/idmap_autorid.c
++++ b/source3/winbindd/idmap_autorid.c
+@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
+ /* Open idmap repository */
+ autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
+ TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+
+ if (!autorid_db) {
+ DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
+diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
+index cc930ff..ebff347 100644
+--- a/source3/winbindd/idmap_tdb.c
++++ b/source3/winbindd/idmap_tdb.c
+@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
+
+ /* Open idmap repository */
+ db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (!db) {
+ DEBUG(0, ("Unable to open idmap database\n"));
+ ret = NT_STATUS_UNSUCCESSFUL;
+diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
+index 4a9c2fe..942490d 100644
+--- a/source3/winbindd/idmap_tdb2.c
++++ b/source3/winbindd/idmap_tdb2.c
+@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
+
+ /* Open idmap repository */
+ ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
+- DBWRAP_LOCK_ORDER_1);
++ DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ TALLOC_FREE(db_path);
+
+ if (ctx->db == NULL) {
+--
+1.9.3
+
+
+From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Tue, 28 Jan 2014 12:53:24 +0100
+Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()
+
+This is in preparation of directly supporting ctdb read only
+record copies when opening a ctdb database from samba.
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
+---
+ source3/lib/dbwrap/dbwrap_ctdb.c | 6 ++++--
+ source3/lib/dbwrap/dbwrap_ctdb.h | 3 ++-
+ source3/lib/dbwrap/dbwrap_open.c | 2 +-
+ source3/torture/test_dbwrap_ctdb.c | 2 +-
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
+index 5a473f9..af7a72f 100644
+--- a/source3/lib/dbwrap/dbwrap_ctdb.c
++++ b/source3/lib/dbwrap/dbwrap_ctdb.c
+@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
+ const char *name,
+ int hash_size, int tdb_flags,
+ int open_flags, mode_t mode,
+- enum dbwrap_lock_order lock_order)
++ enum dbwrap_lock_order lock_order,
++ uint64_t dbwrap_flags)
+ {
+ struct db_context *result;
+ struct db_ctdb_ctx *db_ctdb;
+@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
+ const char *name,
+ int hash_size, int tdb_flags,
+ int open_flags, mode_t mode,
+- enum dbwrap_lock_order lock_order)
++ enum dbwrap_lock_order lock_order,
++ uint64_t dbwrap_flags)
+ {
+ DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
+ errno = ENOSYS;
+diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
+index bfbe3bd..3196b91 100644
+--- a/source3/lib/dbwrap/dbwrap_ctdb.h
++++ b/source3/lib/dbwrap/dbwrap_ctdb.h
+@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
+ const char *name,
+ int hash_size, int tdb_flags,
+ int open_flags, mode_t mode,
+- enum dbwrap_lock_order lock_order);
++ enum dbwrap_lock_order lock_order,
++ uint64_t dbwrap_flags);
+
+ #endif /* __DBWRAP_CTDB_H__ */
+diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
+index 6c9280c..61324f7 100644
+--- a/source3/lib/dbwrap/dbwrap_open.c
++++ b/source3/lib/dbwrap/dbwrap_open.c
+@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
+ if (lp_parm_bool(-1, "ctdb", partname, True)) {
+ result = db_open_ctdb(mem_ctx, partname, hash_size,
+ tdb_flags, open_flags, mode,
+- lock_order);
++ lock_order, dbwrap_flags);
+ if (result == NULL) {
+ DEBUG(0,("failed to attach to ctdb %s\n",
+ partname));
+diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
+index f7672ba..d7380b1 100644
+--- a/source3/torture/test_dbwrap_ctdb.c
++++ b/source3/torture/test_dbwrap_ctdb.c
+@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
+ uint32_t val;
+
+ db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
+- O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
++ O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
+ if (db == NULL) {
+ perror("db_open_ctdb failed");
+ goto fail;
+--
+1.9.3
+
+
+From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Tue, 28 Jan 2014 11:31:44 +0100
+Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
+---
+ lib/dbwrap/dbwrap.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
+index 4064ba2..02b4405 100644
+--- a/lib/dbwrap/dbwrap.h
++++ b/lib/dbwrap/dbwrap.h
+@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
+ #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
+
+ #define DBWRAP_FLAG_NONE 0x0000000000000000ULL
++#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
+
+ /* The following definitions come from lib/dbwrap.c */
+
+--
+1.9.3
+
+
+From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 28 Jan 2014 21:24:22 +0100
+Subject: [PATCH 238/249] dbwrap_ctdb: implement
+ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS
+
+For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
+in order to make use of readonly records.
+
+Pair-Programmed-With: Michael Adam <obnox@samba.org>
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Michael Adam <obnox@samba.org>
+(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
+---
+ source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
+index af7a72f..3dc86d1 100644
+--- a/source3/lib/dbwrap/dbwrap_ctdb.c
++++ b/source3/lib/dbwrap/dbwrap_ctdb.c
+@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
++#ifdef HAVE_CTDB_WANT_READONLY_DECL
++ if (!result->persistent &&
++ (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
++ {
++ TDB_DATA indata;
++
++ indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
++ sizeof(db_ctdb->db_id));
++
++ status = ctdbd_control_local(
++ conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
++ NULL, NULL, &cstatus);
++ if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
++ DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
++ "%s, %d\n", nt_errstr(status), cstatus));
++ TALLOC_FREE(result);
++ return NULL;
++ }
++ }
++#endif
++
+ lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
+
+ db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
+--
+1.9.3
+
+
+From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 28 Jan 2014 21:31:17 +0100
+Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
+ option
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Michael Adam <obnox@samba.org>
+(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
+---
+ source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
+index 61324f7..7f3cddf 100644
+--- a/source3/lib/dbwrap/dbwrap_open.c
++++ b/source3/lib/dbwrap/dbwrap_open.c
+@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
+ return NULL;
+ }
+
++ if (tdb_flags & TDB_CLEAR_IF_FIRST) {
++ const char *base;
++ bool try_readonly = false;
++
++ base = strrchr_m(name, '/');
++ if (base != NULL) {
++ base += 1;
++ } else {
++ base = name;
++ }
++
++ if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
++ try_readonly = true;
++ }
++
++ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
++ try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
++
++ if (try_readonly) {
++ dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
++ } else {
++ dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
++ }
++ }
++
+ #ifdef CLUSTER_SUPPORT
+ sockname = lp_ctdbd_socket();
+
+--
+1.9.3
+
+
+From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Mon, 27 Jan 2014 16:21:14 +0100
+Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
+ for read-only access
+
+Usually a record in this DB will be written once and then read
+many times by winbindd processes on multiple nodes (when run in
+a cluster). In order not to introduce a big performance penalty
+with the increased correctness achieved by storing the netlogon
+creds, in a cluster setup, we should activate ctdb's read only
+record copies on this db.
+
+Signed-off-by: Michael Adam <obnox@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
+---
+ source3/rpc_client/cli_netlogon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 9e3c1bd..746c7b6 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
+ global_db = db_open(talloc_autofree_context(), fname,
+ 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+ O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
+- DBWRAP_FLAG_NONE);
++ DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
+ if (global_db == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+--
+1.9.3
+
+
+From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
+From: Ira Cooper <ira@samba.org>
+Date: Thu, 13 Feb 2014 14:45:23 -0500
+Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
+ code.
+
+Changed the if condtion to detect when we'd improperly overflow.
+
+Coverity-Id: 1167990
+Signed-off-by: Ira Cooper <ira@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Autobuild-User(master): Ira Cooper <ira@samba.org>
+Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104
+
+(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
+---
+ libcli/auth/netlogon_creds_cli.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
+index 88893ad..e3cf91c 100644
+--- a/libcli/auth/netlogon_creds_cli.c
++++ b/libcli/auth/netlogon_creds_cli.c
+@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
+ uint32_t ofs = 512 - len;
+ uint8_t *p;
+
+- if (ofs < 12) {
++ if (len > 500) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+--
+1.9.3
+
+
+From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 15 Jul 2014 08:28:42 +0200
+Subject: [PATCH 242/249] s3-rpc_client: return info3 in
+ rpccli_netlogon_password_logon().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
+ source3/rpc_client/cli_netlogon.h | 4 +-
+ source3/rpcclient/cmd_netlogon.c | 5 +-
+ 3 files changed, 64 insertions(+), 48 deletions(-)
+
+diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
+index 746c7b6..7063351 100644
+--- a/source3/rpc_client/cli_netlogon.c
++++ b/source3/rpc_client/cli_netlogon.c
+@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ return NT_STATUS_OK;
+ }
+
++static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
++ uint16_t validation_level,
++ union netr_Validation *validation,
++ struct netr_SamInfo3 **info3_p)
++{
++ struct netr_SamInfo3 *info3;
++ NTSTATUS status;
++
++ if (validation == NULL) {
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ switch (validation_level) {
++ case 3:
++ if (validation->sam3 == NULL) {
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ info3 = talloc_move(mem_ctx, &validation->sam3);
++ break;
++ case 6:
++ if (validation->sam6 == NULL) {
++ return NT_STATUS_INVALID_PARAMETER;
++ }
++
++ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
++ if (info3 == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(info3);
++ return status;
++ }
++
++ info3->sidcount = validation->sam6->sidcount;
++ info3->sids = talloc_move(info3, &validation->sam6->sids);
++ break;
++ default:
++ return NT_STATUS_BAD_VALIDATION_CLASS;
++ }
++
++ *info3_p = info3;
++
++ return NT_STATUS_OK;
++}
++
+ /* Logon domain user */
+
+ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
++ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *domain,
+ const char *username,
+ const char *password,
+ const char *workstation,
+- enum netr_LogonInfoClass logon_type)
++ enum netr_LogonInfoClass logon_type,
++ struct netr_SamInfo3 **info3)
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
+ &validation,
+ &authoritative,
+ &flags);
+- TALLOC_FREE(frame);
+ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(frame);
+ return status;
+ }
+
+- return NT_STATUS_OK;
+-}
+-
+-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+- uint16_t validation_level,
+- union netr_Validation *validation,
+- struct netr_SamInfo3 **info3_p)
+-{
+- struct netr_SamInfo3 *info3;
+- NTSTATUS status;
+-
+- if (validation == NULL) {
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- switch (validation_level) {
+- case 3:
+- if (validation->sam3 == NULL) {
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- info3 = talloc_move(mem_ctx, &validation->sam3);
+- break;
+- case 6:
+- if (validation->sam6 == NULL) {
+- return NT_STATUS_INVALID_PARAMETER;
+- }
+-
+- info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+- if (info3 == NULL) {
+- return NT_STATUS_NO_MEMORY;
+- }
+- status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
+- if (!NT_STATUS_IS_OK(status)) {
+- TALLOC_FREE(info3);
+- return status;
+- }
+-
+- info3->sidcount = validation->sam6->sidcount;
+- info3->sids = talloc_move(info3, &validation->sam6->sids);
+- break;
+- default:
+- return NT_STATUS_BAD_VALIDATION_CLASS;
++ status = map_validation_to_info3(mem_ctx,
++ validation_level, validation,
++ info3);
++ TALLOC_FREE(frame);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
+ }
+
+- *info3_p = info3;
+
+ return NT_STATUS_OK;
+ }
+diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
+index 61fed4a..fee0801 100644
+--- a/source3/rpc_client/cli_netlogon.h
++++ b/source3/rpc_client/cli_netlogon.h
+@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+ const struct samr_Password *previous_nt_hash);
+ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
++ TALLOC_CTX *mem_ctx,
+ uint32_t logon_parameters,
+ const char *domain,
+ const char *username,
+ const char *password,
+ const char *workstation,
+- enum netr_LogonInfoClass logon_type);
++ enum netr_LogonInfoClass logon_type,
++ struct netr_SamInfo3 **info3);
+ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+ struct dcerpc_binding_handle *binding_handle,
+ TALLOC_CTX *mem_ctx,
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index b637b3e..2d1c351 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ const char *username, *password;
+ uint32 logon_param = 0;
+ const char *workstation = NULL;
++ struct netr_SamInfo3 *info3 = NULL;
+
+ /* Check arguments */
+
+@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+
+ result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
+ cli->binding_handle,
++ mem_ctx,
+ logon_param,
+ lp_workgroup(),
+ username,
+ password,
+ workstation,
+- logon_type);
++ logon_type,
++ &info3);
+ if (!NT_STATUS_IS_OK(result))
+ goto done;
+
+--
+1.9.3
+
+
+From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Tue, 15 Jul 2014 08:29:55 +0200
+Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
+ rpccli_netlogon_password_logon.
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Conflicts:
+ source3/winbindd/winbindd_pam.c
+---
+ source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 3f3ec70..2a1b74a 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ uint32_t logon_parameters,
+ const char *server,
+ const char *username,
++ const char *password,
+ const char *domainname,
+ const char *workstation,
+ const uint8_t chal[8],
+ DATA_BLOB lm_response,
+ DATA_BLOB nt_response,
++ bool interactive,
+ struct netr_SamInfo3 **info3)
+ {
+ int attempts = 0;
+@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
+ }
+ netr_attempts = 0;
+
+- result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
+- netlogon_pipe->binding_handle,
+- mem_ctx,
+- logon_parameters,
+- username,
+- domainname,
+- workstation,
+- chal,
+- lm_response,
+- nt_response,
+- &authoritative,
+- &flags,
+- info3);
++ if (interactive && username != NULL && password != NULL) {
++ result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
++ netlogon_pipe->binding_handle,
++ mem_ctx,
++ logon_parameters,
++ domainname,
++ username,
++ password,
++ workstation,
++ NetlogonInteractiveInformation,
++ info3);
++ } else {
++ result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
++ netlogon_pipe->binding_handle,
++ mem_ctx,
++ logon_parameters,
++ username,
++ domainname,
++ workstation,
++ chal,
++ lm_response,
++ nt_response,
++ &authoritative,
++ &flags,
++ info3);
++ }
+
+ /*
+ * we increment this after the "feature negotiation"
+@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
+ 0,
+ domain->dcname,
+ name_user,
++ pass,
+ name_domain,
+ lp_netbios_name(),
+ chal,
+ lm_resp,
+ nt_resp,
++ true, /* interactive */
+ &my_info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
+ state->request->data.auth_crap.logon_parameters,
+ domain->dcname,
+ name_user,
++ NULL, /* password */
+ name_domain,
+ /* Bug #3248 - found by Stefan Burkei. */
+ workstation, /* We carefully set this above so use it... */
+ state->request->data.auth_crap.chal,
+ lm_resp,
+ nt_resp,
++ false, /* interactive */
+ &info3);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto done;
+--
+1.9.3
+
+
+From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Mon, 7 Jul 2014 17:14:37 +0200
+Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This helper function is used to query the full name of a cached user object (for
+further gecos processing).
+
+Thanks to Matt Rogers <mrogers@redhat.com>.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
+
+Guenther
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
+ source3/winbindd/winbindd_proto.h | 4 ++++
+ 2 files changed, 38 insertions(+)
+
+diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
+index 59ce515..d1e10e6c 100644
+--- a/source3/winbindd/winbindd_cache.c
++++ b/source3/winbindd/winbindd_cache.c
+@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
+ return status;
+ }
+
++
++/**
++* @brief Query a fullname from the username cache (for further gecos processing)
++*
++* @param domain A pointer to the winbindd_domain struct.
++* @param mem_ctx The talloc context.
++* @param user_sid The user sid.
++* @param full_name A pointer to the full_name string.
++*
++* @return NTSTATUS code
++*/
++NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
++ TALLOC_CTX *mem_ctx,
++ const struct dom_sid *user_sid,
++ const char **full_name)
++{
++ NTSTATUS status;
++ struct wbint_userinfo info;
++
++ status = wcache_query_user(domain, mem_ctx, user_sid, &info);
++ if (!NT_STATUS_IS_OK(status)) {
++ return status;
++ }
++
++ if (info.full_name != NULL) {
++ *full_name = talloc_strdup(mem_ctx, info.full_name);
++ if (*full_name == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ }
++
++ return NT_STATUS_OK;
++}
++
+ /* Lookup user information from a rid */
+ static NTSTATUS query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
+index cfc19d0..cfb7812 100644
+--- a/source3/winbindd/winbindd_proto.h
++++ b/source3/winbindd/winbindd_proto.h
+@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ const struct dom_sid *user_sid,
+ struct wbint_userinfo *info);
++NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
++ TALLOC_CTX *mem_ctx,
++ const struct dom_sid *user_sid,
++ const char **full_name);
+ NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
+ TALLOC_CTX *mem_ctx,
+ uint32 num_sids, const struct dom_sid *sids,
+--
+1.9.3
+
+
+From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Mon, 7 Jul 2014 17:16:32 +0200
+Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
+ inspecting samlogon cache.
+
+The reason for this followup query is that very often the samlogon cache only
+contains a info3 netlogon user structure that has been retrieved during a
+netlogon samlogon authentication using "network" logon level. With that logon
+level only a few info3 fields are filled in; the user's fullname is never filled
+in that case. This is problematic when the cache is used to fill in the user's
+gecos field (for NSS queries). When we have retrieved the user's fullname during
+other queries, reuse it from the other caches.
+
+Thanks to Matt Rogers <mrogers@redhat.com>.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
+
+Guenther
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/winbindd/winbindd_ads.c | 8 ++++++++
+ source3/winbindd/winbindd_msrpc.c | 8 ++++++++
+ source3/winbindd/winbindd_pam.c | 20 ++++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index 4c26389..a20fba5 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
+
+ TALLOC_FREE(user);
+
++ if (info->full_name == NULL) {
++ /* this might fail so we dont check the return code */
++ wcache_query_user_fullname(domain,
++ mem_ctx,
++ sid,
++ &info->full_name);
++ }
++
+ return NT_STATUS_OK;
+ }
+
+diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
+index 426d64c..c097bf3 100644
+--- a/source3/winbindd/winbindd_msrpc.c
++++ b/source3/winbindd/winbindd_msrpc.c
+@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
+ user_info->full_name = talloc_strdup(user_info,
+ user->base.full_name.string);
+
++ if (user_info->full_name == NULL) {
++ /* this might fail so we dont check the return code */
++ wcache_query_user_fullname(domain,
++ mem_ctx,
++ user_sid,
++ &user_info->full_name);
++ }
++
+ status = NT_STATUS_OK;
+ goto done;
+ }
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 2a1b74a..bf71d97 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -1720,6 +1720,26 @@ process_result:
+ sid_compose(&user_sid, info3->base.domain_sid,
+ info3->base.rid);
+
++ if (info3->base.full_name.string == NULL) {
++ struct netr_SamInfo3 *cached_info3;
++
++ cached_info3 = netsamlogon_cache_get(state->mem_ctx,
++ &user_sid);
++ if (cached_info3 != NULL &&
++ cached_info3->base.full_name.string != NULL) {
++ info3->base.full_name.string =
++ talloc_strdup(info3,
++ cached_info3->base.full_name.string);
++ } else {
++
++ /* this might fail so we dont check the return code */
++ wcache_query_user_fullname(domain,
++ info3,
++ &user_sid,
++ &info3->base.full_name.string);
++ }
++ }
++
+ wcache_invalidate_samlogon(find_domain_from_name(name_domain),
+ &user_sid);
+ netsamlogon_cache_store(name_user, info3);
+--
+1.9.3
+
+
+From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Wed, 9 Jul 2014 13:36:06 +0200
+Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
+ netsamlogon_cache_store.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Guenther
+
+Signed-off-by: Günther Deschner <gd@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/libsmb/samlogon_cache.c | 13 ++++---------
+ 1 file changed, 4 insertions(+), 9 deletions(-)
+
+diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
+index b04cf0a..f7457ae 100644
+--- a/source3/libsmb/samlogon_cache.c
++++ b/source3/libsmb/samlogon_cache.c
+@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
+ bool result = false;
+ struct dom_sid user_sid;
+ time_t t = time(NULL);
+- TALLOC_CTX *mem_ctx;
++ TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ DATA_BLOB blob;
+ enum ndr_err_code ndr_err;
+ struct netsamlogoncache_entry r;
+@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
+
+ /* Prepare data */
+
+- if (!(mem_ctx = talloc( NULL, int))) {
+- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
+- return false;
+- }
+-
+ /* only Samba fills in the username, not sure why NT doesn't */
+ /* so we fill it in since winbindd_getpwnam() makes use of it */
+
+@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
+ NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
+ }
+
+- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
++ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
+ (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
+- TALLOC_FREE(mem_ctx);
++ TALLOC_FREE(tmp_ctx);
+ return false;
+ }
+
+@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
+ result = true;
+ }
+
+- TALLOC_FREE(mem_ctx);
++ TALLOC_FREE(tmp_ctx);
+
+ return result;
+ }
+--
+1.9.3
+
+
+From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 3 Jul 2014 16:17:46 +0200
+Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
+ info3->base.full_name.string.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This field servers as a source for the gecos field. We should not overwrite it
+when a info3 struct from a samlogon network level gets saved in which case this
+field is always NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+
+Autobuild-User(master): Günther Deschner <gd@samba.org>
+Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
+---
+ source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
+index f7457ae..0a157d4 100644
+--- a/source3/libsmb/samlogon_cache.c
++++ b/source3/libsmb/samlogon_cache.c
+@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
+
+ /* Prepare data */
+
++ if (info3->base.full_name.string == NULL) {
++ struct netr_SamInfo3 *cached_info3;
++ const char *full_name = NULL;
++
++ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
++ if (cached_info3 != NULL) {
++ full_name = cached_info3->base.full_name.string;
++ }
++
++ if (full_name != NULL) {
++ info3->base.full_name.string = talloc_strdup(info3, full_name);
++ }
++ }
++
+ /* only Samba fills in the username, not sure why NT doesn't */
+ /* so we fill it in since winbindd_getpwnam() makes use of it */
+
+--
+1.9.3
+
+
+From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 3 Jul 2014 16:19:42 +0200
+Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.
+
+The value is loaded from the cache anyway. So it will be set to NULL if
+it is not available.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+---
+ source3/winbindd/nss_info_template.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
+index 5fdfd9b..de93803 100644
+--- a/source3/winbindd/nss_info_template.c
++++ b/source3/winbindd/nss_info_template.c
+@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
+ username */
+ *homedir = talloc_strdup( ctx, lp_template_homedir() );
+ *shell = talloc_strdup( ctx, lp_template_shell() );
+- *gecos = NULL;
+
+ if ( !*homedir || !*shell ) {
+ return NT_STATUS_NO_MEMORY;
+--
+1.9.3
+
+
+From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
+Date: Mon, 14 Jul 2014 18:22:26 +0200
+Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
+ user queries for the fullname.
+
+This makes use more consistent with security=domain as well where the gecos
+field is also filled using the displayName field.
+
+Guenther
+
+Signed-off-by: Guenther Deschner <gd@samba.org>
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+---
+ source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
+index a20fba5..4b5b2fa 100644
+--- a/source3/winbindd/winbindd_ads.c
++++ b/source3/winbindd/winbindd_ads.c
+@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
+ }
+
+ info->acct_name = ads_pull_username(ads, mem_ctx, msg);
+- info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
++ info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
++ if (info->full_name == NULL) {
++ info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
++ }
+ info->homedir = NULL;
+ info->shell = NULL;
+ info->primary_gid = (gid_t)-1;
+@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
+ struct netr_SamInfo3 *user = NULL;
+ gid_t gid = -1;
+ int ret;
+- char *ads_name;
++ char *full_name;
+
+ DEBUG(3,("ads: query_user\n"));
+
+@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
+ * nss_get_info_cached call. nss_get_info_cached might destroy
+ * the ads struct, potentially invalidating the ldap message.
+ */
+- ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
++ full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
++ if (full_name == NULL) {
++ full_name = ads_pull_string(ads, mem_ctx, msg, "name");
++ }
+
+ ads_msgfree(ads, msg);
+ msg = NULL;
+@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
+ }
+
+ if (info->full_name == NULL) {
+- info->full_name = ads_name;
++ info->full_name = full_name;
+ } else {
+- TALLOC_FREE(ads_name);
++ TALLOC_FREE(full_name);
+ }
+
+ status = NT_STATUS_OK;
+--
+1.9.3
+
diff --git a/SOURCES/samba-4.2.x-fix_net_rpc_join_schannel.patch b/SOURCES/samba-4.2.x-fix_net_rpc_join_schannel.patch
new file mode 100644
index 0000000..8ce710f
--- /dev/null
+++ b/SOURCES/samba-4.2.x-fix_net_rpc_join_schannel.patch
@@ -0,0 +1,272 @@
+From 83fe679fb8058f9a15ff1b2e6260be01a1ebe990 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Wed, 11 Dec 2013 14:59:20 +1300
+Subject: [PATCH 1/5] netapi: Move DC check to NetJoinDomain() where it is
+ needed.
+
+This partially reverts 15f6e27bd5a9065c8b781fa21f5989ce2c355776.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit b299409410751ff3c8c775bd073e34d914a54efc)
+---
+ source3/lib/netapi/joindomain.c | 4 ++++
+ source3/libnet/libnet_join.c | 4 ----
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
+index 9da1bdc..632c8c6 100644
+--- a/source3/lib/netapi/joindomain.c
++++ b/source3/lib/netapi/joindomain.c
+@@ -115,6 +115,10 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
+ struct dcerpc_binding_handle *b;
+ DATA_BLOB session_key;
+
++ if (IS_DC) {
++ return WERR_SETUP_DOMAIN_CONTROLLER;
++ }
++
+ werr = libnetapi_open_pipe(ctx, r->in.server,
+ &ndr_table_wkssvc,
+ &pipe_cli);
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 187e524..962fc1f 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -1957,10 +1957,6 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
+ return WERR_INVALID_PARAM;
+ }
+
+- if (IS_DC) {
+- return WERR_SETUP_DOMAIN_CONTROLLER;
+- }
+-
+ if (!r->in.admin_domain) {
+ char *admin_domain = NULL;
+ char *admin_account = NULL;
+--
+2.2.0
+
+
+From e71a1cf9dcd56432f17b62c99a720bd3568a83f8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Thu, 11 Dec 2014 16:41:55 +0100
+Subject: [PATCH 2/5] selftest: Add 'net dom join' test which fails cause we
+ are a DC
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+(cherry picked from commit 6d6c673c6d33ceb1379c66d6b4d78a52077b928a)
+---
+ source3/script/tests/test_net_dom_join_fail_dc.sh | 22 ++++++++++++++++++++++
+ source3/selftest/tests.py | 5 +++++
+ 2 files changed, 27 insertions(+)
+ create mode 100755 source3/script/tests/test_net_dom_join_fail_dc.sh
+
+diff --git a/source3/script/tests/test_net_dom_join_fail_dc.sh b/source3/script/tests/test_net_dom_join_fail_dc.sh
+new file mode 100755
+index 0000000..135e1da
+--- /dev/null
++++ b/source3/script/tests/test_net_dom_join_fail_dc.sh
+@@ -0,0 +1,22 @@
++#!/bin/sh
++
++if [ $# -lt 4 ]; then
++cat <<EOF
++Usage: test_net_dom_join_fail_dc.sh USERNAME PASSWORD DOMAIN PREFIX
++EOF
++exit 1;
++fi
++
++DC_USERNAME="$1"
++DC_PASSWORD="$2"
++DOMAIN="$3"
++PREFIX="$4"
++shift 4
++ADDARGS="$*"
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++mkdir -p $PREFIX/private
++testit_expect_failure "net_dom_join_fail_dc" $VALGRIND $BINDIR/net dom join domain=$DOMAIN account=$USERNAME password=$PASSWORD --option=netbiosname=netrpcjointest --option=domainlogons=yes --option=privatedir=$PREFIX/private $ADDARGS || failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 40599c3..092d9cc 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -411,6 +411,11 @@ for s in signseal_options:
+ plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
+ "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
+
++plantestsuite("samba3.blackbox.net_dom_join_fail_dc", "s3dc",
++ [os.path.join(samba3srcdir, "script/tests/test_net_dom_join_fail_dc.sh"),
++ "$USERNAME", "$PASSWORD", "$SERVER", "$PREFIX/net_dom_join_fail_dc",
++ configuration])
++
+ options_list = ["", "-e"]
+ for options in options_list:
+ plantestsuite("samba3.blackbox.smbclient_krb5 old ccache %s" % options, "ktest:local",
+--
+2.2.0
+
+
+From 9342bd31aad4fa8574b3fa28cf95fa072de793b9 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Wed, 11 Dec 2013 15:39:38 +1300
+Subject: [PATCH 3/5] auth: Allow domain join to itself when we are a PDC
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit c3b5f9cff56defedb0fc1e99fbbb528b1ce22f6d)
+---
+ source3/libnet/libnet_join.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
+index 962fc1f..942455c 100644
+--- a/source3/libnet/libnet_join.c
++++ b/source3/libnet/libnet_join.c
+@@ -2139,7 +2139,9 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
+
+ switch (r->out.domain_is_ad) {
+ case false:
+- valid_security = (lp_security() == SEC_DOMAIN);
++ valid_security = (lp_security() == SEC_DOMAIN)
++ || (lp_server_role() == ROLE_DOMAIN_PDC)
++ || (lp_server_role() == ROLE_DOMAIN_BDC);
+ if (valid_workgroup && valid_security) {
+ /* nothing to be done */
+ return WERR_OK;
+--
+2.2.0
+
+
+From b68628341ee7939b704cb09fa4fba284614d9228 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Thu, 23 Oct 2014 12:28:48 +1300
+Subject: [PATCH 4/5] libsmb: Allow change of BDC trust account password
+
+This account is otherwise just like the workstation trust acocunt, so use that code.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=10891
+
+Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit e6ec265a405e76e5d4ea59b8025da0f57b3d3ad1)
+---
+ source3/libsmb/trusts_util.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
+index bb2e977..7503ef0 100644
+--- a/source3/libsmb/trusts_util.c
++++ b/source3/libsmb/trusts_util.c
+@@ -111,6 +111,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
+
+ switch (sec_channel_type) {
+ case SEC_CHAN_WKSTA:
++ case SEC_CHAN_BDC:
+ pwd = secrets_fetch_machine_password(domain,
+ &pass_last_set_time,
+ NULL);
+@@ -188,6 +189,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
+ switch (sec_channel_type) {
+
+ case SEC_CHAN_WKSTA:
++ case SEC_CHAN_BDC:
+ if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+@@ -206,6 +208,7 @@ NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
+ break;
+
+ default:
++ smb_panic("Unsupported secure channel type");
+ break;
+ }
+
+--
+2.2.0
+
+
+From 6bb9fabdec93cd620f23973a04eaf1f1a59d8b81 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Thu, 23 Oct 2014 12:38:15 +1300
+Subject: [PATCH 5/5] selftest: Add test for joining a Samba classic DC as a
+ BDC
+
+This does not join the DC itself, so as not to pertrub the test
+environment mid-run, but does confirm that the join works and the
+password can be changed.
+
+Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Andreas Schneider <asn@samba.org>
+
+Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
+Autobuild-Date(master): Thu Dec 11 21:40:27 CET 2014 on sn-devel-104
+
+(cherry picked from commit 0da3ab96739df436b54fcf6c7e138229271b0866)
+---
+ source3/script/tests/test_net_rpc_join.sh | 25 +++++++++++++++++++++++++
+ source3/selftest/tests.py | 4 ++++
+ 2 files changed, 29 insertions(+)
+ create mode 100755 source3/script/tests/test_net_rpc_join.sh
+
+diff --git a/source3/script/tests/test_net_rpc_join.sh b/source3/script/tests/test_net_rpc_join.sh
+new file mode 100755
+index 0000000..a7810a9
+--- /dev/null
++++ b/source3/script/tests/test_net_rpc_join.sh
+@@ -0,0 +1,25 @@
++#!/bin/sh
++
++if [ $# -lt 4 ]; then
++cat <<EOF
++Usage: test_net_rpc_join.sh USERNAME PASSWORD SERVER PREFIX
++EOF
++exit 1;
++fi
++
++USERNAME="$1"
++PASSWORD="$2"
++SERVER="$3"
++PREFIX="$4"
++shift 4
++ADDARGS="$*"
++
++incdir=`dirname $0`/../../../testprogs/blackbox
++. $incdir/subunit.sh
++mkdir -p $PREFIX/private
++testit "net_rpc_join" $VALGRIND $BINDIR/net rpc join -S $SERVER --option=netbiosname=netrpcjointest --option=domainlogons=yes --option=privatedir=$PREFIX/private -U$USERNAME%$PASSWORD $ADDARGS || failed=`expr $failed + 1`
++testit "net_rpc_testjoin" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER --option=netbiosname=netrpcjointest --option=domainlogons=yes --option=privatedir=$PREFIX/private $ADDARGS || failed=`expr $failed + 1`
++testit "net_rpc_changetrustpw" $VALGRIND $BINDIR/net rpc changetrustpw -S $SERVER --option=netbiosname=netrpcjointest --option=domainlogons=yes --option=privatedir=$PREFIX/private $ADDARGS || failed=`expr $failed + 1`
++testit "net_rpc_testjoin2" $VALGRIND $BINDIR/net rpc testjoin -S $SERVER --option=netbiosname=netrpcjointest --option=domainlogons=yes --option=privatedir=$PREFIX/private $ADDARGS || failed=`expr $failed + 1`
++
++testok $0 $failed
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 092d9cc..c60f531 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -415,6 +415,10 @@ plantestsuite("samba3.blackbox.net_dom_join_fail_dc", "s3dc",
+ [os.path.join(samba3srcdir, "script/tests/test_net_dom_join_fail_dc.sh"),
+ "$USERNAME", "$PASSWORD", "$SERVER", "$PREFIX/net_dom_join_fail_dc",
+ configuration])
++plantestsuite("samba3.blackbox.net_rpc_join", "s3dc",
++ [os.path.join(samba3srcdir, "script/tests/test_net_rpc_join.sh"),
++ "$USERNAME", "$PASSWORD", "$SERVER", "$PREFIX/net_rpc_join",
++ configuration])
+
+ options_list = ["", "-e"]
+ for options in options_list:
+--
+2.2.0
+
diff --git a/SOURCES/samba-4.2.x-fix_sid_handling_passwd_to_saminfo3.patch b/SOURCES/samba-4.2.x-fix_sid_handling_passwd_to_saminfo3.patch
new file mode 100644
index 0000000..bfe0da2
--- /dev/null
+++ b/SOURCES/samba-4.2.x-fix_sid_handling_passwd_to_saminfo3.patch
@@ -0,0 +1,268 @@
+From 051a27256323da350eb8a64007231e72cbc53d0b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 13 Jan 2015 13:35:56 -0800
+Subject: [PATCH 1/5] s3: auth: Add a utility function - SamInfo3_handle_sids()
+ that factors out the code to handle "Unix Users" and "Unix Groups".
+
+Based on code from Michael Zeis <mzeis.quantum@gmail.com>
+
+https://bugzilla.samba.org/show_bug.cgi?id=11044
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+(cherry picked from commit 9395243890aff5bb2166e18e33492afb28850097)
+---
+ source3/auth/server_info.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+Index: samba-4.1.12/source3/auth/server_info.c
+===================================================================
+--- samba-4.1.12.orig/source3/auth/server_info.c
++++ samba-4.1.12/source3/auth/server_info.c
+@@ -330,6 +330,76 @@ NTSTATUS create_info3_from_pac_logon_inf
+ return NT_STATUS_OK;
+ }
+
++/*
++ * Check if this is a "Unix Users" domain user, or a
++ * "Unix Groups" domain group, we need to handle it
++ * in a special way if that's the case.
++ */
++
++static NTSTATUS SamInfo3_handle_sids(const char *username,
++ const struct dom_sid *user_sid,
++ const struct dom_sid *group_sid,
++ struct netr_SamInfo3 *info3,
++ struct dom_sid *domain_sid,
++ struct extra_auth_info *extra)
++{
++ if (sid_check_is_in_unix_users(user_sid)) {
++ /* in info3 you can only set rids for the user and the
++ * primary group, and the domain sid must be that of
++ * the sam domain.
++ *
++ * Store a completely bogus value here.
++ * The real SID is stored in the extra sids.
++ * Other code will know to look there if (-1) is found
++ */
++ info3->base.rid = (uint32_t)(-1);
++ sid_copy(&extra->user_sid, user_sid);
++
++ DEBUG(10, ("Unix User found. Rid marked as "
++ "special and sid (%s) saved as extra sid\n",
++ sid_string_dbg(user_sid)));
++ } else {
++ sid_copy(domain_sid, user_sid);
++ sid_split_rid(domain_sid, &info3->base.rid);
++ }
++
++ if (is_null_sid(domain_sid)) {
++ sid_copy(domain_sid, get_global_sam_sid());
++ }
++
++ /* check if this is a "Unix Groups" domain group,
++ * if so we need special handling */
++ if (sid_check_is_in_unix_groups(group_sid)) {
++ /* in info3 you can only set rids for the user and the
++ * primary group, and the domain sid must be that of
++ * the sam domain.
++ *
++ * Store a completely bogus value here.
++ * The real SID is stored in the extra sids.
++ * Other code will know to look there if (-1) is found
++ */
++ info3->base.primary_gid = (uint32_t)(-1);
++ sid_copy(&extra->pgid_sid, group_sid);
++
++ DEBUG(10, ("Unix Group found. Rid marked as "
++ "special and sid (%s) saved as extra sid\n",
++ sid_string_dbg(group_sid)));
++ } else {
++ bool ok = sid_peek_check_rid(domain_sid, group_sid,
++ &info3->base.primary_gid);
++ if (!ok) {
++ DEBUG(1, ("The primary group domain sid(%s) does not "
++ "match the domain sid(%s) for %s(%s)\n",
++ sid_string_dbg(group_sid),
++ sid_string_dbg(domain_sid),
++ username,
++ sid_string_dbg(user_sid)));
++ return NT_STATUS_INVALID_SID;
++ }
++ }
++ return NT_STATUS_OK;
++}
++
+ #define RET_NOMEM(ptr) do { \
+ if (!ptr) { \
+ TALLOC_FREE(info3); \
+@@ -351,7 +421,6 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *me
+ const char *tmp;
+ gid_t *gids;
+ NTSTATUS status;
+- bool ok;
+
+ user_sid = pdb_get_user_sid(samu);
+ group_sid = pdb_get_group_sid(samu);
+@@ -368,63 +437,16 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *me
+
+ ZERO_STRUCT(domain_sid);
+
+- /* check if this is a "Unix Users" domain user,
+- * we need to handle it in a special way if that's the case */
+- if (sid_check_is_in_unix_users(user_sid)) {
+- /* in info3 you can only set rids for the user and the
+- * primary group, and the domain sid must be that of
+- * the sam domain.
+- *
+- * Store a completely bogus value here.
+- * The real SID is stored in the extra sids.
+- * Other code will know to look there if (-1) is found
+- */
+- info3->base.rid = (uint32_t)(-1);
+- sid_copy(&extra->user_sid, user_sid);
+-
+- DEBUG(10, ("Unix User found in struct samu. Rid marked as "
+- "special and sid (%s) saved as extra sid\n",
+- sid_string_dbg(user_sid)));
+- } else {
+- sid_copy(&domain_sid, user_sid);
+- sid_split_rid(&domain_sid, &info3->base.rid);
+- }
++ status = SamInfo3_handle_sids(pdb_get_username(samu),
++ user_sid,
++ group_sid,
++ info3,
++ &domain_sid,
++ extra);
+
+- if (is_null_sid(&domain_sid)) {
+- sid_copy(&domain_sid, get_global_sam_sid());
+- }
+-
+- /* check if this is a "Unix Groups" domain group,
+- * if so we need special handling */
+- if (sid_check_is_in_unix_groups(group_sid)) {
+- /* in info3 you can only set rids for the user and the
+- * primary group, and the domain sid must be that of
+- * the sam domain.
+- *
+- * Store a completely bogus value here.
+- * The real SID is stored in the extra sids.
+- * Other code will know to look there if (-1) is found
+- */
+- info3->base.primary_gid = (uint32_t)(-1);
+- sid_copy(&extra->pgid_sid, group_sid);
+-
+- DEBUG(10, ("Unix Group found in struct samu. Rid marked as "
+- "special and sid (%s) saved as extra sid\n",
+- sid_string_dbg(group_sid)));
+-
+- } else {
+- ok = sid_peek_check_rid(&domain_sid, group_sid,
+- &info3->base.primary_gid);
+- if (!ok) {
+- DEBUG(1, ("The primary group domain sid(%s) does not "
+- "match the domain sid(%s) for %s(%s)\n",
+- sid_string_dbg(group_sid),
+- sid_string_dbg(&domain_sid),
+- pdb_get_username(samu),
+- sid_string_dbg(user_sid)));
+- TALLOC_FREE(info3);
+- return NT_STATUS_UNSUCCESSFUL;
+- }
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(info3);
++ return status;
+ }
+
+ unix_to_nt_time(&info3->base.logon_time, pdb_get_logon_time(samu));
+@@ -517,7 +539,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *me
+ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ const char *unix_username,
+ const struct passwd *pwd,
+- struct netr_SamInfo3 **pinfo3)
++ struct netr_SamInfo3 **pinfo3,
++ struct extra_auth_info *extra)
+ {
+ struct netr_SamInfo3 *info3;
+ NTSTATUS status;
+@@ -612,9 +635,22 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *
+
+ ZERO_STRUCT(domain_sid);
+
+- sid_copy(&domain_sid, &user_sid);
+- sid_split_rid(&domain_sid, &info3->base.rid);
++ status = SamInfo3_handle_sids(unix_username,
++ &user_sid,
++ &group_sid,
++ info3,
++ &domain_sid,
++ extra);
++
++ if (!NT_STATUS_IS_OK(status)) {
++ goto done;
++ }
++
+ info3->base.domain_sid = dom_sid_dup(info3, &domain_sid);
++ if (info3->base.domain_sid == NULL) {
++ status = NT_STATUS_NO_MEMORY;
++ goto done;
++ }
+
+ ok = sid_peek_check_rid(&domain_sid, &group_sid,
+ &info3->base.primary_gid);
+Index: samba-4.1.12/source3/auth/auth_util.c
+===================================================================
+--- samba-4.1.12.orig/source3/auth/auth_util.c
++++ samba-4.1.12/source3/auth/auth_util.c
+@@ -662,7 +662,8 @@ NTSTATUS make_server_info_pw(TALLOC_CTX
+ status = passwd_to_SamInfo3(result,
+ unix_username,
+ pwd,
+- &result->info3);
++ &result->info3,
++ &result->extra);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+Index: samba-4.1.12/source3/auth/proto.h
+===================================================================
+--- samba-4.1.12.orig/source3/auth/proto.h
++++ samba-4.1.12/source3/auth/proto.h
+@@ -298,7 +298,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *me
+ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ const char *unix_username,
+ const struct passwd *pwd,
+- struct netr_SamInfo3 **pinfo3);
++ struct netr_SamInfo3 **pinfo3,
++ struct extra_auth_info *extra);
+ struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct netr_SamInfo3 *orig);
+ struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+Index: samba-4.1.12/selftest/target/Samba3.pm
+===================================================================
+--- samba-4.1.12.orig/selftest/target/Samba3.pm
++++ samba-4.1.12/selftest/target/Samba3.pm
+@@ -1045,6 +1045,10 @@ sub provision($$$$$$)
+ path = $shrdir
+ force user = $unix_name
+ guest ok = yes
++[forceuser_unixonly]
++ path = $shrdir
++ force user = pdbtest
++ guest ok = yes
+ [forcegroup]
+ path = $shrdir
+ force group = nogroup
+Index: samba-4.1.12/source3/script/tests/test_smbclient_auth.sh
+===================================================================
+--- samba-4.1.12.orig/source3/script/tests/test_smbclient_auth.sh
++++ samba-4.1.12/source3/script/tests/test_smbclient_auth.sh
+@@ -27,5 +27,6 @@ testit "smbclient //$SERVER/tmpguest" $S
+ testit "smbclient //$SERVER/tmpguest as anon" $SMBCLIENT //$SERVER/tmpguest $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
+ testit "smbclient //$SERVER/forceuser" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+ testit "smbclient //$SERVER/forceuser as anon" $SMBCLIENT //$SERVER/forceuser $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
++testit "smbclient //$SERVER/forceuser_unixonly" $SMBCLIENT //$SERVER/forceuser_unixonly $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+ testit "smbclient //$SERVER/forcegroup" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U$USERNAME%$PASSWORD -I $SERVER_IP -p 139 -c quit $ADDARGS
+ testit "smbclient //$SERVER/forcegroup as anon" $SMBCLIENT //$SERVER/forcegroup $CONFIGURATION -U% -I $SERVER_IP -p 139 -c quit $ADDARGS
diff --git a/SOURCES/samba-CVE-2014-0178.patch b/SOURCES/samba-CVE-2014-0178.patch
deleted file mode 100644
index 143c130..0000000
--- a/SOURCES/samba-CVE-2014-0178.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From ab51cd90a077c2938620afedc61e2da21cb509be Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <christof.schmitt@us.ibm.com>
-Date: Mon, 5 Aug 2013 11:16:22 -0700
-Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to
- zero
-
-Otherwise num_volumes and the end marker can return uninitialized data
-to the client.
-
-Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Simo Sorce <idra@samba.org>
-(cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347)
----
- source3/modules/vfs_default.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
-index f6200ed..97cd292 100644
---- a/source3/modules/vfs_default.c
-+++ b/source3/modules/vfs_default.c
-@@ -1151,7 +1151,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
- return NT_STATUS_BUFFER_TOO_SMALL;
- }
-
-- cur_pdata = talloc_array(ctx, char, *out_len);
-+ cur_pdata = talloc_zero_array(ctx, char, *out_len);
- if (cur_pdata == NULL) {
- TALLOC_FREE(shadow_data);
- return NT_STATUS_NO_MEMORY;
---
-1.9.3
-
-
-From dbe2ef7f66c4c5cde1e1300675fcb78f4de3af70 Mon Sep 17 00:00:00 2001
-From: Christof Schmitt <christof.schmitt@us.ibm.com>
-Date: Mon, 5 Aug 2013 11:21:59 -0700
-Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at
- end
-
-labels_data_count already accounts for the unicode null character at the
-end of the array. There is no need in adding space for it again.
-
-Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Simo Sorce <idra@samba.org>
-
-Autobuild-User(master): Jeremy Allison <jra@samba.org>
-Autobuild-Date(master): Tue Aug 6 04:03:17 CEST 2013 on sn-devel-104
-
-(cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696)
-
-The last 2 patches address bug #10549 - CVE-2014-0178: Malformed
-FSCTL_SRV_ENUMERATE_SNAPSHOTS response.
-
-Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
-Autobuild-Date(v4-1-test): Mon May 19 14:52:47 CEST 2014 on sn-devel-104
----
- source3/modules/vfs_default.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
-index 97cd292..7fda4b8 100644
---- a/source3/modules/vfs_default.c
-+++ b/source3/modules/vfs_default.c
-@@ -1141,7 +1141,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
- if (!labels) {
- *out_len = 16;
- } else {
-- *out_len = 12 + labels_data_count + 4;
-+ *out_len = 12 + labels_data_count;
- }
-
- if (max_out_len < *out_len) {
-@@ -1168,7 +1168,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
- }
-
- /* needed_data_count 4 bytes */
-- SIVAL(cur_pdata, 8, labels_data_count + 4);
-+ SIVAL(cur_pdata, 8, labels_data_count);
-
- cur_pdata += 12;
-
---
-1.9.3
-
diff --git a/SOURCES/samba-CVE-2014-0244.patch b/SOURCES/samba-CVE-2014-0244.patch
deleted file mode 100644
index 7c94c85..0000000
--- a/SOURCES/samba-CVE-2014-0244.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 9bef27dec1a81b7ba46bc3126edd5ac1b225f6dc Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Wed, 28 May 2014 10:40:27 -0700
-Subject: [PATCH] s3: nmbd: Fix bug 10633 - nmbd denial of service
-
-The Linux kernel has a bug in that it can give spurious
-wakeups on a non-blocking UDP socket for a non-deliverable packet.
-
-When nmbd was changed to use non-blocking sockets it
-became vulnerable to a spurious wakeup from poll/epoll.
-
-Fix sys_recvfile() to return on EWOULDBLOCK/EAGAIN.
-
-CVE-2014-0244
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/lib/system.c | 7 ++-----
- 1 file changed, 2 insertions(+), 5 deletions(-)
-
-diff --git a/source3/lib/system.c b/source3/lib/system.c
-index af72b2a..698de12 100644
---- a/source3/lib/system.c
-+++ b/source3/lib/system.c
-@@ -169,6 +169,7 @@ ssize_t sys_send(int s, const void *msg, size_t len, int flags)
-
- /*******************************************************************
- A recvfrom wrapper that will deal with EINTR.
-+NB. As used with non-blocking sockets, return on EAGAIN/EWOULDBLOCK
- ********************************************************************/
-
- ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
-@@ -177,11 +178,7 @@ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *f
-
- do {
- ret = recvfrom(s, buf, len, flags, from, fromlen);
--#if defined(EWOULDBLOCK)
-- } while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK));
--#else
-- } while (ret == -1 && (errno == EINTR || errno == EAGAIN));
--#endif
-+ } while (ret == -1 && (errno == EINTR));
- return ret;
- }
-
---
-1.9.1.423.g4596e3a
-
diff --git a/SOURCES/samba-CVE-2014-3493.patch b/SOURCES/samba-CVE-2014-3493.patch
deleted file mode 100644
index a1bfb94..0000000
--- a/SOURCES/samba-CVE-2014-3493.patch
+++ /dev/null
@@ -1,120 +0,0 @@
-From d31b7e056d790115bb3a3a838a8435dad3be8118 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Sat, 7 Jun 2014 21:51:44 -0700
-Subject: [PATCH] s3: smbd - fix processing of packets with invalid DOS charset
- conversions.
-
-Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler
-
-https://bugzilla.samba.org/show_bug.cgi?id=10654
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
----
- source3/lib/charcnv.c | 26 +++++++++++++++++---------
- source3/libsmb/clirap.c | 4 ++--
- source3/smbd/lanman.c | 4 ++--
- 3 files changed, 21 insertions(+), 13 deletions(-)
-
-diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
-index 71d2c3a..2189812 100644
---- a/source3/lib/charcnv.c
-+++ b/source3/lib/charcnv.c
-@@ -46,9 +46,9 @@ void gfree_charcnv(void)
- **/
- size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
- {
-- size_t src_len = strlen(src);
-+ size_t src_len = 0;
- char *tmpbuf = NULL;
-- size_t size;
-+ size_t size = 0;
- bool ret;
-
- /* No longer allow a length of -1. */
-@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
- smb_panic("malloc fail");
- }
- if (!strupper_m(tmpbuf)) {
-+ if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
-+ dest &&
-+ dest_len > 0) {
-+ *(char *)dest = 0;
-+ }
- SAFE_FREE(tmpbuf);
-- return (size_t)-1;
-+ return 0;
- }
- src = tmpbuf;
- }
-
-+ src_len = strlen(src);
- if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
- src_len++;
- }
-
- ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
-- if (ret == false &&
-- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
-- && dest_len > 0) {
-- ((char *)dest)[0] = '\0';
-- }
- SAFE_FREE(tmpbuf);
-- return ret ? size : (size_t)-1;
-+ if (ret == false) {
-+ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
-+ dest_len > 0) {
-+ ((char *)dest)[0] = '\0';
-+ }
-+ return 0;
-+ }
-+ return size;
- }
-
- /********************************************************************
-diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
-index 036919f..64e3767 100644
---- a/source3/libsmb/clirap.c
-+++ b/source3/libsmb/clirap.c
-@@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
- sizeof(param) - PTR_DIFF(p,param) - 1,
- STR_TERMINATE|STR_UPPER);
-
-- if (len == (size_t)-1) {
-+ if (len == 0) {
- SAFE_FREE(last_entry);
- return false;
- }
-@@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
- sizeof(param) - PTR_DIFF(p,param) - 1,
- STR_TERMINATE);
-
-- if (len == (size_t)-1) {
-+ if (len == 0) {
- SAFE_FREE(last_entry);
- return false;
- }
-diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
-index 63c2ad7..66ab8a2 100644
---- a/source3/smbd/lanman.c
-+++ b/source3/smbd/lanman.c
-@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
- return 0;
- }
- l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
-- if (l == -1) {
-+ if (l == 0) {
- return 0;
- }
- (*dst) += l;
-@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
- return 0;
- }
- l = push_ascii(*dst,src,*n, STR_TERMINATE);
-- if (l == -1) {
-+ if (l == 0) {
- return 0;
- }
- (*dst) += l;
---
-2.0.0.526.g5318336
-
diff --git a/SOURCES/samba-CVE-2014-3560.patch b/SOURCES/samba-CVE-2014-3560.patch
deleted file mode 100644
index e510f01..0000000
--- a/SOURCES/samba-CVE-2014-3560.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From fb1d325d96dfe9bc2e9c4ec46ad4c55e8f18f4a2 Mon Sep 17 00:00:00 2001
-From: Volker Lendecke <vl@samba.org>
-Date: Tue, 22 Jul 2014 07:02:00 +0200
-Subject: [PATCH] fix unstrcpy
-
-Signed-off-by: Volker Lendecke <vl@samba.org>
-Reviewed-by: Jeremy Allison <jra@samba.org>
-
-Bug: https://bugzilla.samba.org/show_bug.cgi?id=10735
-CVE-2014-3560: unstrcpy macro length is invalid
----
- lib/util/string_wrappers.h | 2 +-
- 1 files changed, 1 insertions(+), 1 deletions(-)
-
-diff --git a/lib/util/string_wrappers.h b/lib/util/string_wrappers.h
-index 5f9d568..243fafc 100644
---- a/lib/util/string_wrappers.h
-+++ b/lib/util/string_wrappers.h
-@@ -51,7 +51,7 @@ do { \
- #define unstrcpy(d,s) \
- do { \
- const char *_unstrcpy_src = (const char *)(s); \
-- strlcpy((d),_unstrcpy_src ? _unstrcpy_src : "",sizeof(fstring)); \
-+ strlcpy((d),_unstrcpy_src ? _unstrcpy_src : "",sizeof(unstring)); \
- } while (0)
-
- #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
---
-1.7.0.4
-
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 9b072f6..e90ac5d 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -1,14 +1,19 @@
-# Set --with testsuite or %bcond_without to run the Samba torture testsuite.
+# rpmbuild --rebuild --with testsuite --without clustering samba.src.rpm
+#
+# The testsuite is disabled by default. Set --with testsuite or %bcond_without
+# to run the Samba torture testsuite.
%bcond_with testsuite
+# ctdb is enabled by default, you can disable it with: --without clustering
+%bcond_without clustering
-%define main_release 38
+%define main_release 21
-%define samba_version 4.1.1
-%define talloc_version 2.0.8
+%define samba_version 4.1.12
+%define talloc_version 2.1.1
%define ntdb_version 0.9
-%define tdb_version 1.2.12
-%define tevent_version 0.9.18
-%define ldb_version 1.1.16
+%define tdb_version 1.3.0
+%define tevent_version 0.9.21
+%define ldb_version 1.1.17
# This should be rc1 or nil
%define pre_release %nil
@@ -21,7 +26,7 @@
%global with_libsmbclient 1
%global with_libwbclient 1
-%global with_pam_smbpass 0
+%global with_pam_smbpass 1
%global with_internal_talloc 0
%global with_internal_tevent 0
%global with_internal_tdb 0
@@ -38,6 +43,11 @@
%endif
%endif
+%global libwbc_alternatives_suffix %nil
+%if %{__isa_bits} == 64
+%global libwbc_alternatives_suffix -64
+%endif
+
%global with_mitkrb5 1
%global with_dc 0
@@ -47,7 +57,11 @@
%global with_dc 1
%endif
+%global with_clustering_support 0
+
+%if %{with clustering}
%global with_clustering_support 1
+%endif
%{!?python_libdir: %define python_libdir %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1,1)")}
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
@@ -85,42 +99,34 @@ Source6: samba.pamd
Source200: README.dc
Source201: README.downgrade
-Patch0: samba-4.1.1-Fix-memset-in-ntdb.patch
-Patch1: samba-4.1.0-upn.patch
-Patch2: samba-4.1.2-fix_strict_aliasing.patch
-Patch3: samba-4.1.2-doc.patch
-Patch4: samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch
-Patch5: samba-4.1.3-CVE-2013-4408.patch
-Patch6: samba-4.1.3-fix_build_warnings.patch
-Patch7: samba-4.1.2-winbind_cache_keysize.patch
-Patch8: samba-4.1.3-CVE-2012-6150.patch
-Patch9: samba-4.1.3-winbind_debug.patch
-Patch10: samba-4.1.4-fix_dropbox_regression.patch
-Patch11: samba-4.1.4-fix_G_substitution_in_service_path.patch
-Patch12: samba-4.1.4-fix_winbind_100_percent_childs.patch
-Patch13: samba-4.1.4-Fix-segfault-in-smbd.patch
-Patch14: samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch
-Patch15: samba-4.1.5-fix_resource_leaks.patch
-Patch16: samba-4.1.5-fix_force_user_sec_ads.patch
-Patch17: samba-4.1.6-fix_one_way_trusts.patch
-Patch18: samba-4.1.6-fix_printer_list_memleadk.patch
-Patch19: samba-4.1.6-fix_pidl_install.patch
-Patch20: samba-4.1.6-fix_nbt_with_more_than_9_components.patch
-Patch21: samba-4.1.6-fix_ipv6_join.patch
-Patch22: samba-4.1.x-CVE-2013-4496.patch
-Patch23: samba-4.1.x-CVE-2013-6442.patch
-Patch24: samba-4.1.6-net_ads_kerberos_pac.patch
-Patch25: samba-4.1.6-fix_service_with_force_user.patch
-Patch26: samba-4.1.6-fix_fragmented_rpc_handling.patch
-Patch27: samba-4.1.7-make_pidl_lsa_struct_public.patch
-Patch28: samba-4.1.7-Make_daemons_systemd_aware.patch
-Patch29: samba-4.1.6-ipv6_workaround.patch
-Patch30: samba-CVE-2014-0244.patch
-Patch31: samba-CVE-2014-3493.patch
-Patch32: samba-CVE-2014-0178.patch
-Patch33: samba-4.1.9-file_open.patch
-Patch34: samba-CVE-2014-3560.patch
-Patch35: samba-4.1.x-CVE-2015-0240.patch
+Patch0: samba-4.1.2-doc.patch
+Patch1: samba-4.1.5-fix_force_user_sec_ads.patch
+Patch2: samba-4.1.6-fix_ipv6_join.patch
+Patch3: samba-4.1.6-net_ads_kerberos_pac.patch
+Patch4: samba-4.1.6-ipv6_workaround.patch
+Patch5: samba-4.1.13-fix_nmbd_systemd_status_update.patch
+Patch6: samba-4.1.13-fix_idmap_ad_getgroups_without_gid.patch
+Patch7: samba-4.1.13-fix_idmap_ad_sfu_with_trusted_domains.patch
+Patch8: samba-4.1.13-fix_smbclient_echo_cmd_segfault.patch
+Patch9: samba-4.1.13-improve_service_principal_guessing_in_net.patch
+Patch10: samba-4.1.13-Fix_overwriting_of_spns_during_net_ads_join.patch
+Patch11: samba-4.1.13-Add_precreated_spns_from_AD_during_keytab_generation.patch
+Patch12: samba-4.1.13-Fix_aes_enctypes.patch
+Patch13: samba-4.1.13-Fix_dnsupdate.patch
+Patch14: samba-4.1.14-fix_netbios_name_truncation.patch
+Patch15: samba-4.1.14-net_ads_join_segfault_on_bigendian.patch
+Patch16: samba-4.1.14-fix_net_ads_join_keytab_segfault.patch
+Patch17: samba-4.1.14-smbclinet_fix_return_of_tcb_browsing.patch
+Patch18: samba-4.1.14-smbstatus_fix_profiles_exit_code.patch
+Patch19: samba-4.1.14-smbstatus_print_root_only_message.patch
+Patch20: samba-4.1.15-fix_kerberos_fetch_pac_segfault.patch
+Patch21: samba-4.2.x-fix_sid_handling_passwd_to_saminfo3.patch
+Patch22: samba-4.1.15-fix_authentication_with_long_netbios_name_set.patch
+Patch23: samba-4.1.15-fix_net_time_segfault.patch
+Patch24: samba-4.1.x-CVE-2015-0240.patch
+
+Patch100: samba-4.2.x-fix_gecos_field_with_samlogon.patch
+Patch101: samba-4.2.x-fix_net_rpc_join_schannel.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -174,6 +180,7 @@ BuildRequires: readline-devel
BuildRequires: systemd-devel
BuildRequires: sed
BuildRequires: zlib-devel >= 1.2.3
+
%if %{with_vfs_glusterfs}
BuildRequires: glusterfs-api-devel >= 3.4.0.16
BuildRequires: glusterfs-devel >= 3.4.0.16
@@ -366,6 +373,7 @@ develop programs that link against the SMB client library in the Samba suite.
%package -n libwbclient
Summary: The winbind client library
Group: Applications/System
+Requires: %{name}-libs = %{samba_depver}
%description -n libwbclient
The libwbclient package contains the winbind client library from the Samba suite.
@@ -405,6 +413,7 @@ Summary: Perl IDL compiler
Group: Development/Tools
Requires: perl(Parse::Yapp)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+BuildArch: noarch
Provides: samba4-pidl = %{samba_depver}
Obsoletes: samba4-pidl < %{samba_depver}
@@ -419,11 +428,14 @@ Summary: Testing tools for Samba servers and clients
Group: Applications/System
Requires: %{name} = %{samba_depver}
Requires: %{name}-common = %{samba_depver}
+Requires: %{name}-winbind = %{samba_depver}
+
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-test-libs = %{samba_depver}
%if %with_dc
Requires: %{name}-dc-libs = %{samba_depver}
%endif
Requires: %{name}-libs = %{samba_depver}
-Requires: %{name}-winbind = %{samba_depver}
%if %with_libsmbclient
Requires: libsmbclient = %{samba_depver}
%endif
@@ -435,14 +447,24 @@ Provides: samba4-test = %{samba_depver}
Obsoletes: samba4-test < %{samba_depver}
%description test
-samba4-test provides testing tools for both the server and client
+%{name}-test provides testing tools for both the server and client
packages of Samba.
+### TEST-LIBS
+%package test-libs
+Summary: Libraries need by teh testing tools for Samba servers and clients
+Group: Applications/System
+Requires: %{name}-libs = %{samba_depver}
+
+%description test-libs
+%{name}-test-libs provides libraries required by the testing tools.
+
### TEST-DEVEL
%package test-devel
Summary: Testing devel files for Samba servers and clients
Group: Applications/System
-Requires: %{name}-test = %{samba_depver}
+Requires: %{name}-libs = %{samba_depver}
+Requires: %{name}-test-libs = %{samba_depver}
%description test-devel
samba-test-devel provides testing devel files for both the server and client
@@ -526,42 +548,35 @@ module necessary to communicate to the Winbind Daemon
%prep
%setup -q -n samba-%{version}%{pre_release}
-%patch0 -p1 -b .samba-4.1.1-Fix-memset-in-ntdb.patch
-%patch1 -p1 -b .samba-4.1.0-upn.patch
-%patch2 -p1 -b .samba-4.1.2-fix_strict_aliasing.patch
-%patch3 -p1 -b .samba-4.1.2-doc.patch
-%patch4 -p1 -b .samba-4.1.3-fix_grp_name_sub_in_template_homedir.patch
-%patch5 -p1 -b .samba-4.1.3-CVE-2013-4408.patch
-%patch6 -p1 -b .samba-4.1.3-fix_build_warnings.patch
-%patch7 -p1 -b .samba-4.1.2-winbind_cache_keysize.patch
-%patch8 -p1 -b .samba-4.1.3-CVE-2012-6150.patch
-%patch9 -p1 -b .samba-4.1.3-winbind_debug.patch
-%patch10 -p1 -b .samba-4.1.4-fix_dropbox_regression.patch
-%patch11 -p1 -b .samba-4.1.4-fix_G_substitution_in_service_path.patch
-%patch12 -p1 -b .samba-4.1.4-fix_winbind_100_percent_childs.patch
-%patch13 -p1 -b .samba-4.1.4-Fix-segfault-in-smbd.patch
-%patch14 -p1 -b .samba-4.1.4-fix_panic_when_smb2_brlock_times_out.patch
-%patch15 -p1 -b .samba-4.1.5-fix_resource_leaks.patch
-%patch16 -p1 -b .samba-4.1.5-fix_force_user_sec_ads.patch
-%patch17 -p1 -b .samba-4.1.6-fix_one_way_trusts.patch
-%patch18 -p1 -b .samba-4.1.6-fix_printer_list_memleadk.patch
-%patch19 -p1 -b .samba-4.1.6-fix_pidl_install.patch
-%patch20 -p1 -b .samba-4.1.6-fix_nbt_with_more_than_9_components.patch
-%patch21 -p1 -b .samba-4.1.6-fix_ipv6_join.patch
-%patch22 -p1 -b .samba-4.1.x-CVE-2013-4496.patch
-%patch23 -p1 -b .samba-4.1.x-CVE-2013-6442.patch
-%patch24 -p1 -b .samba-4.1.6-net_ads_kerberos_pac.patch
-%patch25 -p1 -b .samba-4.1.6-fix_service_with_force_user.patch
-%patch26 -p1 -b .samba-4.1.6-fix_fragmented_rpc_handling.patch
-%patch27 -p1 -b .samba-4.1.7-make_pidl_lsa_struct_public.patch
-%patch28 -p1 -b .samba-4.1.7-Make_daemons_systemd_aware.patch
-%patch29 -p1 -b .samba-4.1.6-ipv6_workaround.patch
-%patch30 -p1 -b .samba-CVE-2014-0244.patch
-%patch31 -p1 -b .samba-CVE-2014-3493.patch
-%patch32 -p1 -b .samba-CVE-2014-0178.patch
-%patch33 -p1 -b .samba-4.1.9-file_open.patch
-%patch34 -p1 -b .samba-CVE-2014-3560.patch
-%patch35 -p1 -b .samba-4.1.x-CVE-2015-0240.patch
+%patch0 -p1 -b .samba-4.1.2-doc.patch
+%patch1 -p1 -b .samba-4.1.5-fix_force_user_sec_ads.patch
+%patch2 -p1 -b .samba-4.1.6-fix_ipv6_join.patch
+%patch3 -p1 -b .samba-4.1.6-net_ads_kerberos_pac.patch
+%patch4 -p1 -b .samba-4.1.6-ipv6_workaround.patch
+%patch5 -p1 -b .samba-4.1.13-fix_nmbd_systemd_status_update.patch
+%patch6 -p1 -b .samba-4.1.13-fix_idmap_ad_getgroups_without_gid.patch
+%patch7 -p1 -b .samba-4.1.13-fix_idmap_ad_sfu_with_trusted_domains.patch
+%patch8 -p1 -b .samba-4.1.13-fix_smbclient_echo_cmd_segfault.patch
+%patch9 -p1 -b .samba-4.1.13-improve_service_principal_guessing_in_net.patch
+%patch10 -p1 -b .samba-4.1.13-Fix_overwriting_of_spns_during_net_ads_join.patch
+%patch11 -p1 -b .samba-4.1.13-Add_precreated_spns_from_AD_during_keytab_generation.patch
+%patch12 -p1 -b .samba-4.1.13-Fix_aes_enctypes.patch
+%patch13 -p1 -b .samba-4.1.13-Fix_dnsupdate.patch
+%patch14 -p1 -b .samba-4.1.14-fix_netbios_name_truncation.patch
+%patch15 -p1 -b .samba-4.1.14-net_ads_join_segfault_on_bigendian.patch
+%patch16 -p1 -b .samba-4.1.14-fix_net_ads_join_keytab_segfault.patch
+%patch17 -p1 -b .samba-4.1.14-smbclinet_fix_return_of_tcb_browsing.patch
+%patch18 -p1 -b .samba-4.1.14-smbstatus_fix_profiles_exit_code.patch
+%patch19 -p1 -b .samba-4.1.14-smbstatus_print_root_only_message.patch
+%patch20 -p1 -b .samba-4.1.15-fix_kerberos_fetch_pac_segfault.patch
+%patch21 -p1 -b .samba-4.2.x-fix_sid_handling_passwd_to_saminfo3.patch
+%patch22 -p1 -b .samba-4.1.15-fix_authentication_with_long_netbios_name_set.patch
+%patch23 -p1 -b .samba-4.1.15-fix_net_time_segfault.patch
+%patch24 -p1 -b .samba-4.1.x-CVE-2015-0240.patch
+
+# schannel support from 4.2.x
+%patch100 -p1 -b .samba-4.1.13-fix_gecos_field_with_samlogon.patch
+%patch101 -p1 -b .samba-4.2.x-fix_net_rpc_join_schannel.patch
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -615,7 +630,7 @@ LDFLAGS="-Wl,-z,relro,-z,now" \
--with-pammodulesdir=%{_libdir}/security \
--with-lockdir=/var/lib/samba \
--with-cachedir=/var/lib/samba \
- --with-perl-vendordir=%{perl_vendorlib} \
+ --with-perl-lib-install-dir=%{perl_vendorlib} \
--disable-gnutls \
--disable-rpath-install \
--with-shared-modules=%{_samba4_modules} \
@@ -669,6 +684,11 @@ install -d -m 0755 %{buildroot}/var/run/winbindd
install -d -m 0755 %{buildroot}/%{_libdir}/samba
install -d -m 0755 %{buildroot}/%{_libdir}/pkgconfig
+# Move libwbclient.so* into private directory, it cannot be just libdir/samba
+# because samba uses rpath with this directory.
+install -d -m 0755 %{buildroot}/%{_libdir}/samba/wbclient
+mv %{buildroot}/%{_libdir}/libwbclient.so* %{buildroot}/%{_libdir}/samba/wbclient
+
# Install other stuff
install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d
install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/logrotate.d/samba
@@ -766,9 +786,33 @@ fi
%endif # with_libsmbclient
%if %with_libwbclient
-%post -n libwbclient -p /sbin/ldconfig
+%posttrans -n libwbclient
+# It has to be posttrans here to make sure all files of a previous version
+# without alternatives support are removed
+%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so.0.11 \
+ libwbclient.so.0.11%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.0.11 10
+/sbin/ldconfig
+
+%preun -n libwbclient
+%{_sbindir}/update-alternatives --remove libwbclient.so.0.11%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so.0.11
+/sbin/ldconfig
+
+%posttrans -n libwbclient-devel
+%{_sbindir}/update-alternatives --install %{_libdir}/libwbclient.so \
+ libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so 10
+
+%preun -n libwbclient-devel
+# alternatives checks if the file which should be removed is a link or not, but
+# not if it points to the /etc/alternatives directory or to some other place.
+# When downgrading to a version where alternatives is not used and
+# libwbclient.so is a link and not a file it will be removed. The following
+# check removes the alternatives files manually if that is the case.
+if [ "`readlink %{_libdir}/libwbclient.so`" == "libwbclient.so.0.11" ]; then
+ /bin/rm -f /etc/alternatives/libwbclient.so%{libwbc_alternatives_suffix} /var/lib/alternatives/libwbclient.so%{libwbc_alternatives_suffix} 2> /dev/null
+else
+ %{_sbindir}/update-alternatives --remove libwbclient.so%{libwbc_alternatives_suffix} %{_libdir}/samba/wbclient/libwbclient.so
+fi
-%postun -n libwbclient -p /sbin/ldconfig
%endif # with_libwbclient
%post test -p /sbin/ldconfig
@@ -939,7 +983,6 @@ rm -rf %{buildroot}
%{_bindir}/smbta-util
%{_bindir}/smbtar
%{_bindir}/smbtree
-%{_libdir}/samba/libldb-cmdline.so
%{_mandir}/man1/dbwrap_tool.1*
%{_mandir}/man1/nmblookup.1*
%{_mandir}/man1/oLschema2ldif.1*
@@ -1133,6 +1176,7 @@ rm -rf %{buildroot}
%{_libdir}/samba/service
%{_libdir}/libdcerpc-server.so.*
%{_libdir}/samba/libdfs_server_ad.so
+%{_libdir}/samba/libdnsserver_common.so
%{_libdir}/samba/libdsdb-module.so
%{_libdir}/samba/libntvfs.so
%{_libdir}/samba/libposix_eadb.so
@@ -1140,6 +1184,7 @@ rm -rf %{buildroot}
%else
%doc packaging/README.dc-libs
%exclude %{_libdir}/samba/libdfs_server_ad.so
+%exclude %{_libdir}/samba/libdnsserver_common.so
%endif # with_dc
### DEVEL
@@ -1496,14 +1541,14 @@ rm -rf %{buildroot}
%if %with_libwbclient
%files -n libwbclient
%defattr(-,root,root)
-%{_libdir}/libwbclient.so.*
+%{_libdir}/samba/wbclient/libwbclient.so.*
%{_libdir}/samba/libwinbind-client.so
### LIBWBCLIENT-DEVEL
%files -n libwbclient-devel
%defattr(-,root,root)
%{_includedir}/samba-4.0/wbclient.h
-%{_libdir}/libwbclient.so
+%{_libdir}/samba/wbclient/libwbclient.so
%{_libdir}/pkgconfig/wbclient.pc
%endif # with_libwbclient
@@ -1559,13 +1604,6 @@ rm -rf %{buildroot}
%{_bindir}/masktest
%{_bindir}/ndrdump
%{_bindir}/smbtorture
-%{_libdir}/libtorture.so.*
-%{_libdir}/samba/libsubunit.so
-%if %with_dc
-%{_libdir}/samba/libdlz_bind9_for_torture.so
-%else
-%{_libdir}/samba/libdsdb-module.so
-%endif
%{_mandir}/man1/gentest.1*
%{_mandir}/man1/locktest.1*
%{_mandir}/man1/masktest.1*
@@ -1580,6 +1618,17 @@ rm -rf %{buildroot}
%{_libdir}/samba/libuid_wrapper.so
%endif
+### TEST-LIBS
+%files test-libs
+%defattr(-,root,root)
+%{_libdir}/libtorture.so.*
+%{_libdir}/samba/libsubunit.so
+%if %with_dc
+%{_libdir}/samba/libdlz_bind9_for_torture.so
+%else
+%{_libdir}/samba/libdsdb-module.so
+%endif
+
### TEST-DEVEL
%files test-devel
%defattr(-,root,root)
@@ -1628,19 +1677,104 @@ rm -rf %{buildroot}
%{_mandir}/man8/pam_winbind.8*
%changelog
-* Thu Feb 19 2015 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-38
-- resolves: #1194132 - CVE-2015-0240: RCE in netlogon server.
+* Mon Feb 16 2015 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-21
+- related: #1191340 - Update patchset for CVE-2015-0240.
+
+* Thu Feb 12 2015 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-20
+- resolves: #1191340 - CVE-2015-0240: RCE in netlogon server.
+
+* Thu Jan 15 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-18
+- resolves: #1179787 - Fix authentication against Kerberos domains.
+- resolves: #1181319 - Package pam_smbpass again.
+- resolves: #1184023 - Fix authentication with long 'netbios_name' set.
+- resolves: #1183546 - Fix 'net time' segfault.
+
+* Fri Jan 09 2015 - Andreas Schneider <asn@redhat.com> - 4.1.12-17
+- related: #1177768 - Add missing requires to libwbclient.
+
+* Thu Jan 08 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-16
+- related: #1177768 - Add missing requires to libwbclient.
+
+* Thu Jan 08 2015 Andreas Schneider <asn@redhat.com> - 4.1.12-15
+- resolves: #1177768 - Fix possible segfault with 'net ads kerberos pac dump'.
+
+* Tue Dec 16 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-14
+- resolves: #1171689 - Fix smbstatus if executed as user to print error message.
+
+* Fri Dec 12 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-13
+- resolves: #1172089 - Fix 'net rpc join' with schannel changes.
+- resolves: #1170883 - Fix 'net time system' segfault.
+
+* Tue Nov 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-12
+- related: #1162526 - Fix multilib with using alternatives for libwbclient.
+
+* Tue Nov 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-11
+- resolves: #1163748 - Fix smbclient -L fails against new Windows versions
+ over TCP.
+- resolves: #1167849 - Fix smbstatus --profile always returning EXIT_FAILURE.
+
+* Thu Nov 20 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-10
+- related: #1162526 - Fix multilib with using alternatives for libwbclient.
+
+* Thu Nov 20 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-9
+- resolves: #1162552 - Fix net ads join segfault on big endian systems.
+- resolves: #1164203 - Fix net ads join segfault with existing keytab.
+
+* Thu Nov 13 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-8
+- related: #1162526 - Fix multilib issues when using alternatives for libwbclient.
+
+* Wed Nov 12 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-7
+- resolves: #1162526 - Use alternatives for libwbclient.
+
+* Mon Nov 03 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-6
+- related: #1156391 - Fix netbios name truncation during registration.
+
+* Wed Oct 29 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-5
+- resolves: #1156391 - Fix netbios name truncation during registration.
+
+* Thu Oct 09 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-4
+- related: #1117770 - Fix empty full_name field with samlogon.
+
+* Fri Sep 26 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.12-3
+- resolves: #878351 - Fix usage of AES keys by default.
+- resolves: #861366 - Fix KRB5 locator to use same KDC for joining and DNS update.
+
+* Tue Sep 16 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-2
+- resolves: #1138554 - Fix consuming a lot of CPU when re-reading printcap info.
+- resolves: #1134323 - Fix running Samba on little endian Power8 (ppc64le).
+- resolves: #1113064 - Fix case sensitivity options with SMB2 protocols.
+- resolves: #1088924 - Fix applying ACL masks when setting ACLs.
+- resolves: #1135723 - Fix 'force user' regression.
+- resolves: #1117770 - Fix empty full_name field with samlogon.
+- resolves: #1101210 - Fix telling systemd that nmbd is waiting for interfaces.
+- resolves: #1127931 - Fix getgroups() with idmap_ad returning non-mapped groups.
+- resolves: #1144963 - Fix idmap_ad with SFU against trusted domains.
+- resolves: #1140568 - Fix a segfault in the smbclient echo command.
+- resolves: #1089940 - Improve service principal guessing in 'net ads'.
+- resolves: #955561 - Fix overwriting of SPNs in AD during 'net ads join'.
+- resolves: #955562 - Add precreated SPNS from AD during keytab initialization.
+
+* Mon Sep 08 2014 - Andreas Schneider <asn@redhat.com> - 4.1.12-1
+- related: #1110820 - Rebase Samba to latest release.
+
+* Tue Aug 26 2014 - Andreas Schneider <asn@redhat.com> - 4.1.11-1
+- resolves: #1110820 - Rebase Samba to latest release.
+
+* Mon Aug 25 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-37
+- resolves: #1072352 - Make pidl a noarch subpackage.
+- resolves: #1133516 - Create a samba-test-libs package.
+- resolves: #1132873 - Add support to rebuild without clustering.
-* Fri Aug 01 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-37
-- resolves: #1126013 - CVE-2014-3560: remote code execution in nmbd.
+* Fri Aug 01 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-36
+- resolves: #1126014 - CVE-2014-3560: remote code execution in nmbd.
-* Wed Jul 02 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-36
-- resolves: #1115490 - Fix potential Samba file corruption.
+* Wed Jul 02 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-35
+- resolves: #1115060 - Fix potential Samba file corruption.
-* Wed Jun 11 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-35
-- resolves: #1105504 - CVE-2014-0244: DoS in nmbd.
-- resolves: #1108844 - CVE-2014-3493: DoS in smbd with unicode path names.
-- resolves: #1105573 - CVE-2014-0178: Uninitialized memory exposure.
+* Wed Jun 11 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-34
+- resolves: #1105505 - CVE-2014-0244: DoS in nmbd.
+- resolves: #1108845 - CVE-2014-3493: DoS in smbd with unicode path names.
+- resolves: #1105574 - CVE-2014-0178: Uninitialized memory exposure.
* Mon May 05 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-33
- related: #717484 - Add missing configure line to enable profiling data support.