path: root/meta-networking/recipes-connectivity/samba/samba-4.1.12/05-fix-gecos-field-with-samlogon.patch

From 538f62edb2cc4c17204620d8a9b3075c7453422b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 4 Sep 2014 12:55:53 +0200
Subject: [PATCH 002/249] selftest: Fix selftest where pid is used
 uninitialized.

On my system this gets evaluated to 0 so in the end we detect samba to
be running cause $childpid is set to 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10793

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Sep  4 17:09:17 CEST 2014 on sn-devel-104

(cherry picked from commit 6d2f56dbaf84203b351f33179cc3feaf557e0683)
Signed-off-by: Andreas Schneider <asn@samba.org>

Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-1-test): Mon Sep  8 23:19:29 CEST 2014 on sn-devel-104
---
 selftest/target/Samba.pm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index ab3851f..b0817fd 100644
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -188,7 +188,12 @@ sub get_interface($)
 sub cleanup_child($$)
 {
     my ($pid, $name) = @_;
-    my $childpid = waitpid($pid, WNOHANG);
+    my $childpid = -1;
+
+    if (defined($pid)) {
+        $childpid = waitpid($pid, WNOHANG);
+    }
+
     if ($childpid == 0) {
     } elsif ($childpid < 0) {
 	printf STDERR "%s child process %d isn't here any more\n",
-- 
1.9.3


From a14c0878c232dcf674008444f80dc0e5d8aada09 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 12:33:25 +0200
Subject: [PATCH 003/249] auth/credentials: remove pointless talloc_reference()
 from cli_credentials_get_unparsed_name()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 953502925863377b5e566edff4ac68c63e8d151f)
---
 auth/credentials/credentials.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index e636123..e597809 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -669,7 +669,7 @@ _PUBLIC_ const char *cli_credentials_get_unparsed_name(struct cli_credentials *c
 	const char *name;
 
 	if (bind_dn) {
-		name = talloc_reference(mem_ctx, bind_dn);
+		name = talloc_strdup(mem_ctx, bind_dn);
 	} else {
 		cli_credentials_get_ntlm_username_domain(credentials, mem_ctx, &username, &domain);
 		if (domain && domain[0]) {
-- 
1.9.3


From a9bbf2e55d56b9d2cec944ee32a127fc72e6ce6a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 12:33:25 +0200
Subject: [PATCH 004/249] auth/credentials: remove pointless talloc_reference()
 from cli_credentials_get_principal_and_obtained()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b8f09226458dc13cf901f481ede89d8a6bb94ba7)
---
 auth/credentials/credentials.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index e597809..7a4b081 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -267,7 +267,7 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
 		}
 	}
 	*obtained = cred->principal_obtained;
-	return talloc_reference(mem_ctx, cred->principal);
+	return talloc_strdup(mem_ctx, cred->principal);
 }
 
 /**
-- 
1.9.3


From 5df785eba8389be9129984c6c5a1e59487685938 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 12:52:17 +0200
Subject: [PATCH 005/249] auth/credentials: add
 cli_credentials_[set_]callback_data*

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6ff6778bdc60f1cd4d52cba83bd47d3398fe5a20)
---
 auth/credentials/credentials.c | 11 +++++++++++
 auth/credentials/credentials.h |  8 ++++++++
 2 files changed, 19 insertions(+)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 7a4b081..e6a4710 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -114,6 +114,17 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 	return cred;
 }
 
+_PUBLIC_ void cli_credentials_set_callback_data(struct cli_credentials *cred,
+						void *callback_data)
+{
+	cred->priv_data = callback_data;
+}
+
+_PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
+{
+	return cred->priv_data;
+}
+
 /**
  * Create a new anonymous credential
  * @param mem_ctx TALLOC_CTX parent for credentials structure 
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index dbc014f..0f498ad 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -332,6 +332,14 @@ bool cli_credentials_set_realm_callback(struct cli_credentials *cred,
 bool cli_credentials_set_workstation_callback(struct cli_credentials *cred,
 					      const char *(*workstation_cb) (struct cli_credentials *));
 
+void cli_credentials_set_callback_data(struct cli_credentials *cred,
+				       void *callback_data);
+void *_cli_credentials_callback_data(struct cli_credentials *cred);
+#define cli_credentials_callback_data(_cred, _type) \
+	talloc_get_type_abort(_cli_credentials_callback_data(_cred), _type)
+#define cli_credentials_callback_data_void(_cred) \
+	_cli_credentials_callback_data(_cred)
+
 /**
  * Return attached NETLOGON credentials 
  */
-- 
1.9.3


From 8fd0244ac8fe4998a0931bc9d51b9dfbb182a2e1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:21:14 +0200
Subject: [PATCH 006/249] auth/credentials: add cli_credentials_shallow_copy()

This is useful for testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b3cd44d50cff99fa77611679d68d2d57434fefa4)
---
 auth/credentials/credentials.c | 15 +++++++++++++++
 auth/credentials/credentials.h |  3 +++
 2 files changed, 18 insertions(+)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index e6a4710..c1c6993 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -125,6 +125,21 @@ _PUBLIC_ void *_cli_credentials_callback_data(struct cli_credentials *cred)
 	return cred->priv_data;
 }
 
+_PUBLIC_ struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
+						struct cli_credentials *src)
+{
+	struct cli_credentials *dst;
+
+	dst = talloc(mem_ctx, struct cli_credentials);
+	if (dst == NULL) {
+		return NULL;
+	}
+
+	*dst = *src;
+
+	return dst;
+}
+
 /**
  * Create a new anonymous credential
  * @param mem_ctx TALLOC_CTX parent for credentials structure 
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 0f498ad..1377bfa 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -340,6 +340,9 @@ void *_cli_credentials_callback_data(struct cli_credentials *cred);
 #define cli_credentials_callback_data_void(_cred) \
 	_cli_credentials_callback_data(_cred)
 
+struct cli_credentials *cli_credentials_shallow_copy(TALLOC_CTX *mem_ctx,
+						struct cli_credentials *src);
+
 /**
  * Return attached NETLOGON credentials 
  */
-- 
1.9.3


From 52e4028da5db90ce3ee410997ea3464374fec46b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:20:13 +0200
Subject: [PATCH 007/249] s3:ntlm_auth: remove pointless credentials->priv_data
 = NULL;

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cfeeb3ce3de5d1df07299fb83327ae258da0bf8d)
---
 source3/utils/ntlm_auth.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index b3bbaa4..a5e0cd2 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -228,7 +228,6 @@ static const char *get_password(struct cli_credentials *credentials)
 
 	/* Ask for a password */
 	x_fprintf(x_stdout, "PW\n");
-	credentials->priv_data = NULL;
 
 	manage_squid_request(NUM_HELPER_MODES /* bogus */, NULL, NULL, manage_gensec_get_pw_request, (void **)&password);
 	talloc_steal(credentials, password);
-- 
1.9.3


From bdfb13b91ce8961caeb98b01a75893895e8d484a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:22:10 +0200
Subject: [PATCH 008/249] s4:torture/shell: simplify
 cli_credentials_set_password() call

All we want is to avoid a possible callback...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 36b3c9506c1ac5549a38140e7ffd57644290069f)
---
 source4/torture/shell.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/source4/torture/shell.c b/source4/torture/shell.c
index d6cc94c..aa85da3 100644
--- a/source4/torture/shell.c
+++ b/source4/torture/shell.c
@@ -110,10 +110,7 @@ void torture_shell(struct torture_context *tctx)
 	 * stops the credentials system prompting when we use the "auth"
 	 * command to display the current auth parameters.
 	 */
-	if (cmdline_credentials->password_obtained != CRED_SPECIFIED) {
-	    cli_credentials_set_password(cmdline_credentials, "",
-		    CRED_SPECIFIED);
-	}
+	cli_credentials_set_password(cmdline_credentials, "", CRED_GUESS_ENV);
 
 	while (1) {
 		cline = smb_readline("torture> ", NULL, NULL);
-- 
1.9.3


From 91c0d6a26823f3057357c6b31bf1f686e5ed0f5e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:23:08 +0200
Subject: [PATCH 009/249] s4:torture/gentest: make use of
 cli_credentials_get_username()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d36fcaa5f3c4d1ad54d767f4a7c5fa6c8d69c00e)
---
 source4/torture/gentest.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source4/torture/gentest.c b/source4/torture/gentest.c
index 91b60e2..586a25b 100644
--- a/source4/torture/gentest.c
+++ b/source4/torture/gentest.c
@@ -221,7 +221,8 @@ static bool connect_servers(struct tevent_context *ev,
 
 			printf("Connecting to \\\\%s\\%s as %s - instance %d\n",
 			       servers[i].server_name, servers[i].share_name, 
-			       servers[i].credentials->username, j);
+			       cli_credentials_get_username(servers[i].credentials),
+			       j);
 
 			cli_credentials_set_workstation(servers[i].credentials, 
 							"gentest", CRED_SPECIFIED);
-- 
1.9.3


From 9687534ac54b732f73c3f4758055a278eaa0cbb2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:23:41 +0200
Subject: [PATCH 010/249] s4:torture/rpc: make use of
 cli_credentials_set_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d47bf469b8a9064f4f7033918b1fe519adfa0c26)
---
 source4/torture/rpc/schannel.c | 36 ++++++++++++++++--------------------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index e0862d2..8203749 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -604,9 +604,9 @@ bool torture_rpc_schannel2(struct torture_context *torture)
 	torture_assert(torture, join_ctx != NULL,
 		       "Failed to join domain with acct_flags=ACB_WSTRUST");
 
-	credentials2 = (struct cli_credentials *)talloc_memdup(torture, credentials1, sizeof(*credentials1));
-	credentials1->netlogon_creds = NULL;
-	credentials2->netlogon_creds = NULL;
+	credentials2 = cli_credentials_shallow_copy(torture, credentials1);
+	cli_credentials_set_netlogon_creds(credentials1, NULL);
+	cli_credentials_set_netlogon_creds(credentials2, NULL);
 
 	status = dcerpc_parse_binding(torture, binding, &b);
 	torture_assert_ntstatus_ok(torture, status, "Bad binding string");
@@ -624,8 +624,8 @@ bool torture_rpc_schannel2(struct torture_context *torture)
 				       credentials2, torture->ev, torture->lp_ctx);
 	torture_assert_ntstatus_ok(torture, status, "Failed to connect with schannel");
 
-	credentials1->netlogon_creds = NULL;
-	credentials2->netlogon_creds = NULL;
+	cli_credentials_set_netlogon_creds(credentials1, NULL);
+	cli_credentials_set_netlogon_creds(credentials2, NULL);
 
 	torture_comment(torture, "Testing logon on pipe1\n");
 	if (!test_netlogon_ex_ops(p1, torture, credentials1, NULL))
@@ -827,16 +827,12 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
 	s->nprocs = torture_setting_int(torture, "nprocs", 4);
 	s->conns = talloc_zero_array(s, struct torture_schannel_bench_conn, s->nprocs);
 
-	s->user1_creds = (struct cli_credentials *)talloc_memdup(s,
-								 cmdline_credentials,
-								 sizeof(*s->user1_creds));
+	s->user1_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
 	tmp = torture_setting_string(s->tctx, "extra_user1", NULL);
 	if (tmp) {
 		cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
 	}
-	s->user2_creds = (struct cli_credentials *)talloc_memdup(s,
-								 cmdline_credentials,
-								 sizeof(*s->user1_creds));
+	s->user2_creds = cli_credentials_shallow_copy(s, cmdline_credentials);
 	tmp = torture_setting_string(s->tctx, "extra_user2", NULL);
 	if (tmp) {
 		cli_credentials_parse_string(s->user1_creds, tmp, CRED_SPECIFIED);
@@ -855,15 +851,16 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
 	cli_credentials_set_kerberos_state(s->wks_creds2, CRED_DONT_USE_KERBEROS);
 
 	for (i=0; i < s->nprocs; i++) {
-		s->conns[i].s = s;
-		s->conns[i].index = i;
-		s->conns[i].wks_creds = (struct cli_credentials *)talloc_memdup(
-			s->conns, s->wks_creds1,sizeof(*s->wks_creds1));
+		struct cli_credentials *wks = s->wks_creds1;
+
 		if ((i % 2) && (torture_setting_bool(torture, "multijoin", false))) {
-			memcpy(s->conns[i].wks_creds, s->wks_creds2,
-			       talloc_get_size(s->conns[i].wks_creds));
+			wks = s->wks_creds2;
 		}
-		s->conns[i].wks_creds->netlogon_creds = NULL;
+
+		s->conns[i].s = s;
+		s->conns[i].index = i;
+		s->conns[i].wks_creds = cli_credentials_shallow_copy(s->conns, wks);
+		cli_credentials_set_netlogon_creds(s->conns[i].wks_creds, NULL);
 	}
 
 	status = dcerpc_parse_binding(s, binding, &s->b);
@@ -962,8 +959,7 @@ bool torture_rpc_schannel_bench1(struct torture_context *torture)
 
 		/* Just as a test, connect with the new creds */
 
-		talloc_free(s->wks_creds1->netlogon_creds);
-		s->wks_creds1->netlogon_creds = NULL;
+		cli_credentials_set_netlogon_creds(s->wks_creds1, NULL);
 
 		status = dcerpc_pipe_connect_b(s, &net_pipe, s->b,
 					       &ndr_table_netlogon,
-- 
1.9.3


From de6c67e98d94d003f36fef5472b8133c578b3c01 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:24:21 +0200
Subject: [PATCH 011/249] s4:ntlm_auth: make use of
 cli_credentials_[set_]callback_data*

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bbd63dd8a17468d3e332969a30c06e2b2f1540fc)
---
 source4/utils/ntlm_auth.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index c363c9d..136e238 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -299,10 +299,11 @@ static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mod
 static const char *get_password(struct cli_credentials *credentials) 
 {
 	char *password = NULL;
-	
+	void *cb = cli_credentials_callback_data_void(credentials);
+
 	/* Ask for a password */
-	mux_printf((unsigned int)(uintptr_t)credentials->priv_data, "PW\n");
-	credentials->priv_data = NULL;
+	mux_printf((unsigned int)(uintptr_t)cb, "PW\n");
+	cli_credentials_set_callback_data(credentials, NULL);
 
 	manage_squid_request(cmdline_lp_ctx, NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
 	return password;
@@ -505,8 +506,9 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
 		if (state->set_password) {
 			cli_credentials_set_password(creds, state->set_password, CRED_SPECIFIED);
 		} else {
+			void *cb = (void*)(uintptr_t)mux_id;
+			cli_credentials_set_callback_data(creds, cb);
 			cli_credentials_set_password_callback(creds, get_password);
-			creds->priv_data = (void*)(uintptr_t)mux_id;
 		}
 		if (opt_workstation) {
 			cli_credentials_set_workstation(creds, opt_workstation, CRED_SPECIFIED);
-- 
1.9.3


From 80c611a2b424e4e4a7e6de7ed6b9368bff0d9afb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 12:41:40 +0200
Subject: [PATCH 012/249] auth/credentials: keep cli_credentials private

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9325bd9cb6bb942ea989f4e32799c76ea8af3d3e)
---
 auth/credentials/credentials.c          |   1 +
 auth/credentials/credentials.h          | 101 +++-------------------------
 auth/credentials/credentials_internal.h | 114 ++++++++++++++++++++++++++++++++
 auth/credentials/credentials_krb5.c     |   1 +
 auth/credentials/credentials_ntlm.c     |   1 +
 auth/credentials/credentials_secrets.c  |   1 +
 6 files changed, 126 insertions(+), 93 deletions(-)
 create mode 100644 auth/credentials/credentials_internal.h

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index c1c6993..f334465 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
 #include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_internal.h"
 #include "libcli/auth/libcli_auth.h"
 #include "tevent.h"
 #include "param/param.h"
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 1377bfa..cb09dc3 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -25,9 +25,17 @@
 #include "../lib/util/data_blob.h"
 #include "librpc/gen_ndr/misc.h"
 
+struct cli_credentials;
 struct ccache_container;
 struct tevent_context;
 struct netlogon_creds_CredentialState;
+struct ldb_context;
+struct ldb_message;
+struct loadparm_context;
+struct ccache_container;
+struct gssapi_creds_container;
+struct smb_krb5_context;
+struct keytab_container;
 
 /* In order of priority */
 enum credentials_obtained { 
@@ -57,99 +65,6 @@ enum credentials_krb_forwardable {
 #define CLI_CRED_NTLM_AUTH   0x08
 #define CLI_CRED_CLEAR_AUTH  0x10   /* TODO:  Push cleartext auth with this flag */
 
-struct cli_credentials {
-	enum credentials_obtained workstation_obtained;
-	enum credentials_obtained username_obtained;
-	enum credentials_obtained password_obtained;
-	enum credentials_obtained domain_obtained;
-	enum credentials_obtained realm_obtained;
-	enum credentials_obtained ccache_obtained;
-	enum credentials_obtained client_gss_creds_obtained;
-	enum credentials_obtained principal_obtained;
-	enum credentials_obtained keytab_obtained;
-	enum credentials_obtained server_gss_creds_obtained;
-
-	/* Threshold values (essentially a MAX() over a number of the
-	 * above) for the ccache and GSS credentials, to ensure we
-	 * regenerate/pick correctly */
-
-	enum credentials_obtained ccache_threshold;
-	enum credentials_obtained client_gss_creds_threshold;
-
-	const char *workstation;
-	const char *username;
-	const char *password;
-	const char *old_password;
-	const char *domain;
-	const char *realm;
-	const char *principal;
-	char *salt_principal;
-	char *impersonate_principal;
-	char *self_service;
-	char *target_service;
-
-	const char *bind_dn;
-
-	/* Allows authentication from a keytab or similar */
-	struct samr_Password *nt_hash;
-
-	/* Allows NTLM pass-though authentication */
-	DATA_BLOB lm_response;
-	DATA_BLOB nt_response;
-
-	struct ccache_container *ccache;
-	struct gssapi_creds_container *client_gss_creds;
-	struct keytab_container *keytab;
-	struct gssapi_creds_container *server_gss_creds;
-
-	const char *(*workstation_cb) (struct cli_credentials *);
-	const char *(*password_cb) (struct cli_credentials *);
-	const char *(*username_cb) (struct cli_credentials *);
-	const char *(*domain_cb) (struct cli_credentials *);
-	const char *(*realm_cb) (struct cli_credentials *);
-	const char *(*principal_cb) (struct cli_credentials *);
-
-	/* Private handle for the callback routines to use */
-	void *priv_data;
-
-	struct netlogon_creds_CredentialState *netlogon_creds;
-	enum netr_SchannelType secure_channel_type;
-	int kvno;
-	time_t password_last_changed_time;
-
-	struct smb_krb5_context *smb_krb5_context;
-
-	/* We are flagged to get machine account details from the
-	 * secrets.ldb when we are asked for a username or password */
-	bool machine_account_pending;
-	struct loadparm_context *machine_account_pending_lp_ctx;
-	
-	/* Is this a machine account? */
-	bool machine_account;
-
-	/* Should we be trying to use kerberos? */
-	enum credentials_use_kerberos use_kerberos;
-
-	/* Should we get a forwardable ticket? */
-	enum credentials_krb_forwardable krb_forwardable;
-
-	/* gensec features which should be used for connections */
-	uint32_t gensec_features;
-
-	/* Number of retries left before bailing out */
-	int tries;
-
-	/* Whether any callback is currently running */
-	bool callback_running;
-};
-
-struct ldb_context;
-struct ldb_message;
-struct loadparm_context;
-struct ccache_container;
-
-struct gssapi_creds_container;
-
 const char *cli_credentials_get_workstation(struct cli_credentials *cred);
 bool cli_credentials_set_workstation(struct cli_credentials *cred, 
 				     const char *val, 
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
new file mode 100644
index 0000000..5a3655b
--- /dev/null
+++ b/auth/credentials/credentials_internal.h
@@ -0,0 +1,114 @@
+/*
+   samba -- Unix SMB/CIFS implementation.
+
+   Client credentials structure
+
+   Copyright (C) Jelmer Vernooij 2004-2006
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+#ifndef __CREDENTIALS_INTERNAL_H__
+#define __CREDENTIALS_INTERNAL_H__
+
+#include "../lib/util/data_blob.h"
+#include "librpc/gen_ndr/misc.h"
+
+struct cli_credentials {
+	enum credentials_obtained workstation_obtained;
+	enum credentials_obtained username_obtained;
+	enum credentials_obtained password_obtained;
+	enum credentials_obtained domain_obtained;
+	enum credentials_obtained realm_obtained;
+	enum credentials_obtained ccache_obtained;
+	enum credentials_obtained client_gss_creds_obtained;
+	enum credentials_obtained principal_obtained;
+	enum credentials_obtained keytab_obtained;
+	enum credentials_obtained server_gss_creds_obtained;
+
+	/* Threshold values (essentially a MAX() over a number of the
+	 * above) for the ccache and GSS credentials, to ensure we
+	 * regenerate/pick correctly */
+
+	enum credentials_obtained ccache_threshold;
+	enum credentials_obtained client_gss_creds_threshold;
+
+	const char *workstation;
+	const char *username;
+	const char *password;
+	const char *old_password;
+	const char *domain;
+	const char *realm;
+	const char *principal;
+	char *salt_principal;
+	char *impersonate_principal;
+	char *self_service;
+	char *target_service;
+
+	const char *bind_dn;
+
+	/* Allows authentication from a keytab or similar */
+	struct samr_Password *nt_hash;
+
+	/* Allows NTLM pass-though authentication */
+	DATA_BLOB lm_response;
+	DATA_BLOB nt_response;
+
+	struct ccache_container *ccache;
+	struct gssapi_creds_container *client_gss_creds;
+	struct keytab_container *keytab;
+	struct gssapi_creds_container *server_gss_creds;
+
+	const char *(*workstation_cb) (struct cli_credentials *);
+	const char *(*password_cb) (struct cli_credentials *);
+	const char *(*username_cb) (struct cli_credentials *);
+	const char *(*domain_cb) (struct cli_credentials *);
+	const char *(*realm_cb) (struct cli_credentials *);
+	const char *(*principal_cb) (struct cli_credentials *);
+
+	/* Private handle for the callback routines to use */
+	void *priv_data;
+
+	struct netlogon_creds_CredentialState *netlogon_creds;
+	enum netr_SchannelType secure_channel_type;
+	int kvno;
+	time_t password_last_changed_time;
+
+	struct smb_krb5_context *smb_krb5_context;
+
+	/* We are flagged to get machine account details from the
+	 * secrets.ldb when we are asked for a username or password */
+	bool machine_account_pending;
+	struct loadparm_context *machine_account_pending_lp_ctx;
+
+	/* Is this a machine account? */
+	bool machine_account;
+
+	/* Should we be trying to use kerberos? */
+	enum credentials_use_kerberos use_kerberos;
+
+	/* Should we get a forwardable ticket? */
+	enum credentials_krb_forwardable krb_forwardable;
+
+	/* gensec features which should be used for connections */
+	uint32_t gensec_features;
+
+	/* Number of retries left before bailing out */
+	int tries;
+
+	/* Whether any callback is currently running */
+	bool callback_running;
+};
+
+#endif /* __CREDENTIALS_INTERNAL_H__ */
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index ec6a695..489a959 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -26,6 +26,7 @@
 #include "system/gssapi.h"
 #include "auth/kerberos/kerberos.h"
 #include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_internal.h"
 #include "auth/credentials/credentials_proto.h"
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/kerberos/kerberos_credentials.h"
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 8f143bf..8c6be39 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -26,6 +26,7 @@
 #include "../lib/crypto/crypto.h"
 #include "libcli/auth/libcli_auth.h"
 #include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_internal.h"
 
 _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
 					   int *flags,
diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 27ee607..678d167 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -28,6 +28,7 @@
 #include "param/secrets.h"
 #include "system/filesys.h"
 #include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_internal.h"
 #include "auth/credentials/credentials_proto.h"
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/kerberos/kerberos_util.h"
-- 
1.9.3


From 96ea01159cfee1e384dbd5966c7eb512d495e322 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 13:39:17 +0200
Subject: [PATCH 013/249] auth/credentials: get the old password from
 secrets.tdb

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 26a7420c1c4307023b22676cd85d95010ecbf603)
---
 auth/credentials/credentials_secrets.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/auth/credentials/credentials_secrets.c b/auth/credentials/credentials_secrets.c
index 678d167..6c1cded 100644
--- a/auth/credentials/credentials_secrets.c
+++ b/auth/credentials/credentials_secrets.c
@@ -238,6 +238,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	bool secrets_tdb_password_more_recent;
 	time_t secrets_tdb_lct = 0;
 	char *secrets_tdb_password = NULL;
+	char *secrets_tdb_old_password = NULL;
 	char *keystr;
 	char *keystr_upper = NULL;
 	char *secrets_tdb;
@@ -285,6 +286,15 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 		if (NT_STATUS_IS_OK(status)) {
 			secrets_tdb_password = (char *)dbuf.dptr;
 		}
+		keystr = talloc_asprintf(tmp_ctx, "%s/%s",
+					 SECRETS_MACHINE_PASSWORD_PREV,
+					 domain);
+		keystr_upper = strupper_talloc(tmp_ctx, keystr);
+		status = dbwrap_fetch(db_ctx, tmp_ctx, string_tdb_data(keystr_upper),
+				      &dbuf);
+		if (NT_STATUS_IS_OK(status)) {
+			secrets_tdb_old_password = (char *)dbuf.dptr;
+		}
 	}
 
 	filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, 
@@ -308,6 +318,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr
 	if (secrets_tdb_password_more_recent) {
 		char *machine_account = talloc_asprintf(tmp_ctx, "%s$", lpcfg_netbios_name(lp_ctx));
 		cli_credentials_set_password(cred, secrets_tdb_password, CRED_SPECIFIED);
+		cli_credentials_set_old_password(cred, secrets_tdb_old_password, CRED_SPECIFIED);
 		cli_credentials_set_domain(cred, domain, CRED_SPECIFIED);
 		cli_credentials_set_username(cred, machine_account, CRED_SPECIFIED);
 	} else if (!NT_STATUS_IS_OK(status)) {
-- 
1.9.3


From 74f5c14921f53b95b64dbcbf0352a89d50b20af1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 14:25:54 +0200
Subject: [PATCH 014/249] auth/credentials: simplify password_tries state

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8ea36a8e58d499aa7bf342b365ca00cb39f295b6)
---
 auth/credentials/credentials.c          | 19 ++++++++++++++-----
 auth/credentials/credentials_internal.h |  2 +-
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index f334465..4ac5356 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -104,7 +104,7 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 
 	cred->machine_account = false;
 
-	cred->tries = 3;
+	cred->password_tries = 0;
 
 	cred->callback_running = false;
 
@@ -397,6 +397,7 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred,
 				  enum credentials_obtained obtained)
 {
 	if (obtained >= cred->password_obtained) {
+		cred->password_tries = 0;
 		cred->password = talloc_strdup(cred, val);
 		if (cred->password) {
 			/* Don't print the actual password in talloc memory dumps */
@@ -418,6 +419,7 @@ _PUBLIC_ bool cli_credentials_set_password_callback(struct cli_credentials *cred
 					   const char *(*password_cb) (struct cli_credentials *))
 {
 	if (cred->password_obtained < CRED_CALLBACK) {
+		cred->password_tries = 3;
 		cred->password_cb = password_cb;
 		cred->password_obtained = CRED_CALLBACK;
 		cli_credentials_invalidate_ccache(cred, cred->password_obtained);
@@ -897,12 +899,19 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred)
 	if (cred->password_obtained != CRED_CALLBACK_RESULT) {
 		return false;
 	}
-	
-	cred->password_obtained = CRED_CALLBACK;
 
-	cred->tries--;
+	if (cred->password_tries == 0) {
+		return false;
+	}
+
+	cred->password_tries--;
 
-	return (cred->tries > 0);
+	if (cred->password_tries == 0) {
+		return false;
+	}
+
+	cred->password_obtained = CRED_CALLBACK;
+	return true;
 }
 
 _PUBLIC_ void cli_credentials_get_ntlm_username_domain(struct cli_credentials *cred, TALLOC_CTX *mem_ctx, 
diff --git a/auth/credentials/credentials_internal.h b/auth/credentials/credentials_internal.h
index 5a3655b..f2f79b9 100644
--- a/auth/credentials/credentials_internal.h
+++ b/auth/credentials/credentials_internal.h
@@ -105,7 +105,7 @@ struct cli_credentials {
 	uint32_t gensec_features;
 
 	/* Number of retries left before bailing out */
-	int tries;
+	uint32_t password_tries;
 
 	/* Whether any callback is currently running */
 	bool callback_running;
-- 
1.9.3


From 8d2c51caeecebc0b7d16fb7cf7b7fe2f2b5d8edd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 31 Jul 2013 14:32:36 +0200
Subject: [PATCH 015/249] auth/credentials: use CRED_CALLBACK_RESULT after a
 callback

We only do this if it's still CRED_CALLBACK after the callback,
this allowes the callback to overwrite it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Aug  5 09:36:05 CEST 2013 on sn-devel-104
(cherry picked from commit b699d404bb5d4385a757b5aa5d0e792cf9d5de59)
---
 auth/credentials/credentials.c | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 4ac5356..be497bc 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -206,8 +206,10 @@ _PUBLIC_ const char *cli_credentials_get_username(struct cli_credentials *cred)
 	    	cred->callback_running = true;
 		cred->username = cred->username_cb(cred);
 	    	cred->callback_running = false;
-		cred->username_obtained = CRED_SPECIFIED;
-		cli_credentials_invalidate_ccache(cred, cred->username_obtained);
+		if (cred->username_obtained == CRED_CALLBACK) {
+			cred->username_obtained = CRED_CALLBACK_RESULT;
+			cli_credentials_invalidate_ccache(cred, cred->username_obtained);
+		}
 	}
 
 	return cred->username;
@@ -275,8 +277,10 @@ _PUBLIC_ const char *cli_credentials_get_principal_and_obtained(struct cli_crede
 	    	cred->callback_running = true;
 		cred->principal = cred->principal_cb(cred);
 	    	cred->callback_running = false;
-		cred->principal_obtained = CRED_SPECIFIED;
-		cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
+		if (cred->principal_obtained == CRED_CALLBACK) {
+			cred->principal_obtained = CRED_CALLBACK_RESULT;
+			cli_credentials_invalidate_ccache(cred, cred->principal_obtained);
+		}
 	}
 
 	if (cred->principal_obtained < cred->username_obtained
@@ -382,8 +386,10 @@ _PUBLIC_ const char *cli_credentials_get_password(struct cli_credentials *cred)
 	    	cred->callback_running = true;
 		cred->password = cred->password_cb(cred);
 	    	cred->callback_running = false;
-		cred->password_obtained = CRED_CALLBACK_RESULT;
-		cli_credentials_invalidate_ccache(cred, cred->password_obtained);
+		if (cred->password_obtained == CRED_CALLBACK) {
+			cred->password_obtained = CRED_CALLBACK_RESULT;
+			cli_credentials_invalidate_ccache(cred, cred->password_obtained);
+		}
 	}
 
 	return cred->password;
@@ -502,8 +508,10 @@ _PUBLIC_ const char *cli_credentials_get_domain(struct cli_credentials *cred)
 	    	cred->callback_running = true;
 		cred->domain = cred->domain_cb(cred);
 	    	cred->callback_running = false;
-		cred->domain_obtained = CRED_SPECIFIED;
-		cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+		if (cred->domain_obtained == CRED_CALLBACK) {
+			cred->domain_obtained = CRED_CALLBACK_RESULT;
+			cli_credentials_invalidate_ccache(cred, cred->domain_obtained);
+		}
 	}
 
 	return cred->domain;
@@ -561,8 +569,10 @@ _PUBLIC_ const char *cli_credentials_get_realm(struct cli_credentials *cred)
 	    	cred->callback_running = true;
 		cred->realm = cred->realm_cb(cred);
 	    	cred->callback_running = false;
-		cred->realm_obtained = CRED_SPECIFIED;
-		cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
+		if (cred->realm_obtained == CRED_CALLBACK) {
+			cred->realm_obtained = CRED_CALLBACK_RESULT;
+			cli_credentials_invalidate_ccache(cred, cred->realm_obtained);
+		}
 	}
 
 	return cred->realm;
@@ -612,7 +622,9 @@ _PUBLIC_ const char *cli_credentials_get_workstation(struct cli_credentials *cre
 	    	cred->callback_running = true;
 		cred->workstation = cred->workstation_cb(cred);
 	    	cred->callback_running = false;
-		cred->workstation_obtained = CRED_SPECIFIED;
+		if (cred->workstation_obtained == CRED_CALLBACK) {
+			cred->workstation_obtained = CRED_CALLBACK_RESULT;
+		}
 	}
 
 	return cred->workstation;
-- 
1.9.3


From a498324b38326a874616b0bab1e5a9cd29b664ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:02:59 +0200
Subject: [PATCH 016/249] s3-net: pass down ndr_interface_table to
 connect_dst_pipe().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 93e92faca9c99cd91878c2f48fb244233b16aa0f)
---
 source3/utils/net_proto.h       |  2 +-
 source3/utils/net_rpc.c         |  4 ++--
 source3/utils/net_rpc_printer.c | 10 +++++-----
 source3/utils/net_util.c        |  4 ++--
 4 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index 3f99e14..03fb312 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -416,7 +416,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
 				const char *server_name);
 NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
 			  struct rpc_pipe_client **pp_pipe_hnd,
-			  const struct ndr_syntax_id *interface);
+			  const struct ndr_interface_table *table);
 int net_use_krb_machine_account(struct net_context *c);
 int net_use_machine_account(struct net_context *c);
 bool net_find_server(struct net_context *c,
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index c5c4d6c..4503f59 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -3654,7 +3654,7 @@ static NTSTATUS rpc_share_migrate_shares_internals(struct net_context *c,
 
 	/* connect destination PI_SRVSVC */
         nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
-				     &ndr_table_srvsvc.syntax_id);
+				     &ndr_table_srvsvc);
         if (!NT_STATUS_IS_OK(nt_status))
                 return nt_status;
 
@@ -4140,7 +4140,7 @@ static NTSTATUS rpc_share_migrate_security_internals(struct net_context *c,
 
 	/* connect destination PI_SRVSVC */
         nt_status = connect_dst_pipe(c, &cli_dst, &srvsvc_pipe,
-				     &ndr_table_srvsvc.syntax_id);
+				     &ndr_table_srvsvc);
         if (!NT_STATUS_IS_OK(nt_status))
                 return nt_status;
 
diff --git a/source3/utils/net_rpc_printer.c b/source3/utils/net_rpc_printer.c
index ba34de1..1e42e6f 100644
--- a/source3/utils/net_rpc_printer.c
+++ b/source3/utils/net_rpc_printer.c
@@ -1578,7 +1578,7 @@ NTSTATUS rpc_printer_migrate_security_internals(struct net_context *c,
 
 	/* connect destination PI_SPOOLSS */
 	nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-				     &ndr_table_spoolss.syntax_id);
+				     &ndr_table_spoolss);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
@@ -1730,7 +1730,7 @@ NTSTATUS rpc_printer_migrate_forms_internals(struct net_context *c,
 
 	/* connect destination PI_SPOOLSS */
 	nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-				     &ndr_table_spoolss.syntax_id);
+				     &ndr_table_spoolss);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
@@ -1907,7 +1907,7 @@ NTSTATUS rpc_printer_migrate_drivers_internals(struct net_context *c,
 	DEBUG(3,("copying printer-drivers\n"));
 
 	nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-				     &ndr_table_spoolss.syntax_id);
+				     &ndr_table_spoolss);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
@@ -2126,7 +2126,7 @@ NTSTATUS rpc_printer_migrate_printers_internals(struct net_context *c,
 
 	/* connect destination PI_SPOOLSS */
 	nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-				     &ndr_table_spoolss.syntax_id);
+				     &ndr_table_spoolss);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
@@ -2301,7 +2301,7 @@ NTSTATUS rpc_printer_migrate_settings_internals(struct net_context *c,
 
 	/* connect destination PI_SPOOLSS */
 	nt_status = connect_dst_pipe(c, &cli_dst, &pipe_hnd_dst,
-				     &ndr_table_spoolss.syntax_id);
+				     &ndr_table_spoolss);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 9c4a77e..a4282ec 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -231,7 +231,7 @@ NTSTATUS connect_to_ipc_anonymous(struct net_context *c,
  **/
 NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
 			  struct rpc_pipe_client **pp_pipe_hnd,
-			  const struct ndr_syntax_id *interface)
+			  const struct ndr_interface_table *table)
 {
 	NTSTATUS nt_status;
 	char *server_name = SMB_STRDUP("127.0.0.1");
@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
 		return nt_status;
 	}
 
-	nt_status = cli_rpc_pipe_open_noauth(cli_tmp, interface,
+	nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
 					     &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("couldn't not initialize pipe\n"));
-- 
1.9.3


From d5273069a42d7234daaf3dd043d0a6e455348385 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:24:42 +0200
Subject: [PATCH 017/249] s3-rpc_cli: remove prototype of nonexisting
 cli_rpc_pipe_open_krb5().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a1368ca6ef8ab4f158c8b303ad058835f1bbf441)
---
 source3/rpc_client/cli_pipe.h | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index bf785fb..34ae542 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -131,15 +131,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 				    const char *domain,
 				    struct rpc_pipe_client **presult);
 
-NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
-				const struct ndr_syntax_id *interface,
-				enum dcerpc_transport_t transport,
-				enum dcerpc_AuthLevel auth_level,
-				const char *service_princ,
-				const char *username,
-				const char *password,
-				struct rpc_pipe_client **presult);
-
 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 			     struct rpc_pipe_client *cli,
 			     DATA_BLOB *session_key);
-- 
1.9.3


From 1a6c1ddb44aac3f201bbe2cabab10e409ffd042b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:08:16 +0200
Subject: [PATCH 018/249] s3-libnetapi: pass down ndr_interface_table to
 libnetapi_get_binding_handle().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit fa37bbd9d06865d265bf554a3c49920f956f2185)
---
 source3/lib/netapi/cm.c             |  4 ++--
 source3/lib/netapi/file.c           |  6 +++---
 source3/lib/netapi/getdc.c          |  6 +++---
 source3/lib/netapi/netapi_private.h |  3 ++-
 source3/lib/netapi/netlogon.c       |  4 ++--
 source3/lib/netapi/serverinfo.c     |  6 +++---
 source3/lib/netapi/share.c          | 10 +++++-----
 source3/lib/netapi/shutdown.c       |  4 ++--
 8 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index da3d2e1..c3ae19f 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -269,7 +269,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 
 WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
 				    const char *server_name,
-				    const struct ndr_syntax_id *interface,
+				    const struct ndr_interface_table *table,
 				    struct dcerpc_binding_handle **binding_handle)
 {
 	struct rpc_pipe_client *pipe_cli;
@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
 
 	*binding_handle = NULL;
 
-	result = libnetapi_open_pipe(ctx, server_name, interface, &pipe_cli);
+	result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
 	if (!W_ERROR_IS_OK(result)) {
 		return result;
 	}
diff --git a/source3/lib/netapi/file.c b/source3/lib/netapi/file.c
index 1e406d2..551f9ff 100644
--- a/source3/lib/netapi/file.c
+++ b/source3/lib/netapi/file.c
@@ -36,7 +36,7 @@ WERROR NetFileClose_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -130,7 +130,7 @@ WERROR NetFileGetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -201,7 +201,7 @@ WERROR NetFileEnum_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/getdc.c b/source3/lib/netapi/getdc.c
index 3b26d46..ae976f1 100644
--- a/source3/lib/netapi/getdc.c
+++ b/source3/lib/netapi/getdc.c
@@ -47,7 +47,7 @@ WERROR NetGetDCName_r(struct libnetapi_ctx *ctx,
 	void *buffer;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_netlogon.syntax_id,
+					    &ndr_table_netlogon,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -101,7 +101,7 @@ WERROR NetGetAnyDCName_r(struct libnetapi_ctx *ctx,
 	void *buffer;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_netlogon.syntax_id,
+					    &ndr_table_netlogon,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -173,7 +173,7 @@ WERROR DsGetDcName_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_netlogon.syntax_id,
+					    &ndr_table_netlogon,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
index 349287b..62aa7ef 100644
--- a/source3/lib/netapi/netapi_private.h
+++ b/source3/lib/netapi/netapi_private.h
@@ -30,6 +30,7 @@
 	return fn ## _r(ctx, r);
 
 struct dcerpc_binding_handle;
+struct ndr_interface_table;
 
 struct libnetapi_private_ctx {
 	struct {
@@ -64,7 +65,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 			   struct rpc_pipe_client **presult);
 WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
 				    const char *server_name,
-				    const struct ndr_syntax_id *interface,
+				    const struct ndr_interface_table *table,
 				    struct dcerpc_binding_handle **binding_handle);
 WERROR libnetapi_samr_open_domain(struct libnetapi_ctx *mem_ctx,
 				  struct rpc_pipe_client *pipe_cli,
diff --git a/source3/lib/netapi/netlogon.c b/source3/lib/netapi/netlogon.c
index a046fb7..136cb48 100644
--- a/source3/lib/netapi/netlogon.c
+++ b/source3/lib/netapi/netlogon.c
@@ -133,7 +133,7 @@ WERROR I_NetLogonControl_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_netlogon.syntax_id,
+					    &ndr_table_netlogon,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -190,7 +190,7 @@ WERROR I_NetLogonControl2_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_netlogon.syntax_id,
+					    &ndr_table_netlogon,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/serverinfo.c b/source3/lib/netapi/serverinfo.c
index 046b693..b2a84d1 100644
--- a/source3/lib/netapi/serverinfo.c
+++ b/source3/lib/netapi/serverinfo.c
@@ -503,7 +503,7 @@ WERROR NetServerGetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -616,7 +616,7 @@ WERROR NetServerSetInfo_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -658,7 +658,7 @@ WERROR NetRemoteTOD_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/share.c b/source3/lib/netapi/share.c
index d12fa1c..090e1a9 100644
--- a/source3/lib/netapi/share.c
+++ b/source3/lib/netapi/share.c
@@ -200,7 +200,7 @@ WERROR NetShareAdd_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -258,7 +258,7 @@ WERROR NetShareDel_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -321,7 +321,7 @@ WERROR NetShareEnum_r(struct libnetapi_ctx *ctx,
 	ZERO_STRUCT(info_ctr);
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -428,7 +428,7 @@ WERROR NetShareGetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -502,7 +502,7 @@ WERROR NetShareSetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_srvsvc.syntax_id,
+					    &ndr_table_srvsvc,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/shutdown.c b/source3/lib/netapi/shutdown.c
index 78bc2fc..9e1e8e1 100644
--- a/source3/lib/netapi/shutdown.c
+++ b/source3/lib/netapi/shutdown.c
@@ -38,7 +38,7 @@ WERROR NetShutdownInit_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_initshutdown.syntax_id,
+					    &ndr_table_initshutdown,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -82,7 +82,7 @@ WERROR NetShutdownAbort_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_get_binding_handle(ctx, r->in.server_name,
-					    &ndr_table_initshutdown.syntax_id,
+					    &ndr_table_initshutdown,
 					    &b);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
-- 
1.9.3


From e25e7bfe15bdb89a9680708c27b50e14a8a86ca3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:10:13 +0200
Subject: [PATCH 019/249] s3-libnetapi: pass down ndr_interface_table to
 libnetapi_open_pipe().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 77f7f2a976e5b95f3bd9f542b92926adee4f5fa6)
---
 source3/lib/netapi/cm.c             |  8 ++++----
 source3/lib/netapi/group.c          | 18 +++++++++---------
 source3/lib/netapi/joindomain.c     | 10 +++++-----
 source3/lib/netapi/localgroup.c     | 14 +++++++-------
 source3/lib/netapi/netapi_private.h |  2 +-
 source3/lib/netapi/user.c           | 22 +++++++++++-----------
 6 files changed, 37 insertions(+), 37 deletions(-)

diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index c3ae19f..dd1f1e3 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -234,7 +234,7 @@ static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
 
 WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 			   const char *server_name,
-			   const struct ndr_syntax_id *interface,
+			   const struct ndr_interface_table *table,
 			   struct rpc_pipe_client **presult)
 {
 	struct rpc_pipe_client *result = NULL;
@@ -251,10 +251,10 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 		return werr;
 	}
 
-	status = pipe_cm_open(ctx, ipc, interface, &result);
+	status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
-			get_pipe_name_from_syntax(talloc_tos(), interface),
+			get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
 			get_friendly_nt_error_msg(status));
 		return WERR_DEST_NOT_FOUND;
 	}
@@ -277,7 +277,7 @@ WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
 
 	*binding_handle = NULL;
 
-	result = libnetapi_open_pipe(ctx, server_name, &table->syntax_id, &pipe_cli);
+	result = libnetapi_open_pipe(ctx, server_name, table, &pipe_cli);
 	if (!W_ERROR_IS_OK(result)) {
 		return result;
 	}
diff --git a/source3/lib/netapi/group.c b/source3/lib/netapi/group.c
index b806fc4..6d9b248 100644
--- a/source3/lib/netapi/group.c
+++ b/source3/lib/netapi/group.c
@@ -76,7 +76,7 @@ WERROR NetGroupAdd_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -272,7 +272,7 @@ WERROR NetGroupDel_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -492,7 +492,7 @@ WERROR NetGroupSetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -770,7 +770,7 @@ WERROR NetGroupGetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -918,7 +918,7 @@ WERROR NetGroupAddUser_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1078,7 +1078,7 @@ WERROR NetGroupDelUser_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1397,7 +1397,7 @@ WERROR NetGroupEnum_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1544,7 +1544,7 @@ WERROR NetGroupGetUsers_r(struct libnetapi_ctx *ctx,
 
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1736,7 +1736,7 @@ WERROR NetGroupSetUsers_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/joindomain.c b/source3/lib/netapi/joindomain.c
index b6fb57a..d8e624f 100644
--- a/source3/lib/netapi/joindomain.c
+++ b/source3/lib/netapi/joindomain.c
@@ -116,7 +116,7 @@ WERROR NetJoinDomain_r(struct libnetapi_ctx *ctx,
 	DATA_BLOB session_key;
 
 	werr = libnetapi_open_pipe(ctx, r->in.server,
-				   &ndr_table_wkssvc.syntax_id,
+				   &ndr_table_wkssvc,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -257,7 +257,7 @@ WERROR NetUnjoinDomain_r(struct libnetapi_ctx *ctx,
 	DATA_BLOB session_key;
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_wkssvc.syntax_id,
+				   &ndr_table_wkssvc,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -313,7 +313,7 @@ WERROR NetGetJoinInformation_r(struct libnetapi_ctx *ctx,
 	struct dcerpc_binding_handle *b;
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_wkssvc.syntax_id,
+				   &ndr_table_wkssvc,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -455,7 +455,7 @@ WERROR NetGetJoinableOUs_r(struct libnetapi_ctx *ctx,
 	DATA_BLOB session_key;
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_wkssvc.syntax_id,
+				   &ndr_table_wkssvc,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -508,7 +508,7 @@ WERROR NetRenameMachineInDomain_r(struct libnetapi_ctx *ctx,
 	DATA_BLOB session_key;
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_wkssvc.syntax_id,
+				   &ndr_table_wkssvc,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c
index 17cab68..241970d 100644
--- a/source3/lib/netapi/localgroup.c
+++ b/source3/lib/netapi/localgroup.c
@@ -185,7 +185,7 @@ WERROR NetLocalGroupAdd_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -319,7 +319,7 @@ WERROR NetLocalGroupDel_r(struct libnetapi_ctx *ctx,
 	ZERO_STRUCT(alias_handle);
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -499,7 +499,7 @@ WERROR NetLocalGroupGetInfo_r(struct libnetapi_ctx *ctx,
 	ZERO_STRUCT(alias_handle);
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -678,7 +678,7 @@ WERROR NetLocalGroupSetInfo_r(struct libnetapi_ctx *ctx,
 	ZERO_STRUCT(alias_handle);
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -828,7 +828,7 @@ WERROR NetLocalGroupEnum_r(struct libnetapi_ctx *ctx,
 	ZERO_STRUCT(alias_handle);
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1141,7 +1141,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
 
 	if (r->in.level == 3) {
 		werr = libnetapi_open_pipe(ctx, r->in.server_name,
-					   &ndr_table_lsarpc.syntax_id,
+					   &ndr_table_lsarpc,
 					   &lsa_pipe);
 		if (!W_ERROR_IS_OK(werr)) {
 			goto done;
@@ -1160,7 +1160,7 @@ static WERROR NetLocalGroupModifyMembers_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
diff --git a/source3/lib/netapi/netapi_private.h b/source3/lib/netapi/netapi_private.h
index 62aa7ef..897cf3d 100644
--- a/source3/lib/netapi/netapi_private.h
+++ b/source3/lib/netapi/netapi_private.h
@@ -61,7 +61,7 @@ NET_API_STATUS libnetapi_get_debuglevel(struct libnetapi_ctx *ctx, char **debugl
 WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx);
 WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 			   const char *server_name,
-			   const struct ndr_syntax_id *interface,
+			   const struct ndr_interface_table *table,
 			   struct rpc_pipe_client **presult);
 WERROR libnetapi_get_binding_handle(struct libnetapi_ctx *ctx,
 				    const char *server_name,
diff --git a/source3/lib/netapi/user.c b/source3/lib/netapi/user.c
index a971e2d..4a39f69 100644
--- a/source3/lib/netapi/user.c
+++ b/source3/lib/netapi/user.c
@@ -400,7 +400,7 @@ WERROR NetUserAdd_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -552,7 +552,7 @@ WERROR NetUserDel_r(struct libnetapi_ctx *ctx,
 	ZERO_STRUCT(user_handle);
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 
 	if (!W_ERROR_IS_OK(werr)) {
@@ -1322,7 +1322,7 @@ WERROR NetUserEnum_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1630,7 +1630,7 @@ WERROR NetQueryDisplayInformation_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1764,7 +1764,7 @@ WERROR NetUserGetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -1936,7 +1936,7 @@ WERROR NetUserSetInfo_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -2395,7 +2395,7 @@ WERROR NetUserModalsGet_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -2880,7 +2880,7 @@ WERROR NetUserModalsSet_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -3015,7 +3015,7 @@ WERROR NetUserGetGroups_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -3206,7 +3206,7 @@ WERROR NetUserSetGroups_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
@@ -3547,7 +3547,7 @@ WERROR NetUserGetLocalGroups_r(struct libnetapi_ctx *ctx,
 	}
 
 	werr = libnetapi_open_pipe(ctx, r->in.server_name,
-				   &ndr_table_samr.syntax_id,
+				   &ndr_table_samr,
 				   &pipe_cli);
 	if (!W_ERROR_IS_OK(werr)) {
 		goto done;
-- 
1.9.3


From 4157ba43258373cd995b2ee74dcd4d65782dc2ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:13:26 +0200
Subject: [PATCH 020/249] s3-libnetapi: pass down ndr_interface_table to
 pipe_cm() and friends.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0ce2178f2ffeaee324c7e8fef7c87727def7bd77)
---
 source3/lib/netapi/cm.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index dd1f1e3..8551521 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -161,7 +161,7 @@ WERROR libnetapi_shutdown_cm(struct libnetapi_ctx *ctx)
 ********************************************************************/
 
 static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
-			     const struct ndr_syntax_id *interface,
+			     const struct ndr_interface_table *table,
 			     struct rpc_pipe_client **presult)
 {
 	struct client_pipe_connection *p;
@@ -177,7 +177,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
 
 		if (strequal(ipc_remote_name, p->pipe->desthost)
 		    && ndr_syntax_id_equal(&p->pipe->abstract_syntax,
-					   interface)) {
+					   &table->syntax_id)) {
 			*presult = p->pipe;
 			return NT_STATUS_OK;
 		}
@@ -191,7 +191,7 @@ static NTSTATUS pipe_cm_find(struct client_ipc_connection *ipc,
 
 static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
 				struct client_ipc_connection *ipc,
-				const struct ndr_syntax_id *interface,
+				const struct ndr_interface_table *table,
 				struct rpc_pipe_client **presult)
 {
 	struct client_pipe_connection *p;
@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = cli_rpc_pipe_open_noauth(ipc->cli, interface, &p->pipe);
+	status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(p);
 		return status;
@@ -219,14 +219,14 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
 
 static NTSTATUS pipe_cm_open(TALLOC_CTX *ctx,
 			     struct client_ipc_connection *ipc,
-			     const struct ndr_syntax_id *interface,
+			     const struct ndr_interface_table *table,
 			     struct rpc_pipe_client **presult)
 {
-	if (NT_STATUS_IS_OK(pipe_cm_find(ipc, interface, presult))) {
+	if (NT_STATUS_IS_OK(pipe_cm_find(ipc, table, presult))) {
 		return NT_STATUS_OK;
 	}
 
-	return pipe_cm_connect(ctx, ipc, interface, presult);
+	return pipe_cm_connect(ctx, ipc, table, presult);
 }
 
 /********************************************************************
@@ -251,7 +251,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 		return werr;
 	}
 
-	status = pipe_cm_open(ctx, ipc, &table->syntax_id, &result);
+	status = pipe_cm_open(ctx, ipc, table, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
 			get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-- 
1.9.3


From ec8ba2a371ce4c4cc14d04e852034dcd92862542 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:16:59 +0200
Subject: [PATCH 021/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_pipe_open_ncalrpc().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9b4fb5b074b035eaef98c4a463c9d68006ed52da)
---
 source3/librpc/rpc/dcerpc_ep.c | 2 +-
 source3/rpc_client/cli_pipe.c  | 4 ++--
 source3/rpc_client/cli_pipe.h  | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc_ep.c b/source3/librpc/rpc/dcerpc_ep.c
index bb080c5..410caa7 100644
--- a/source3/librpc/rpc/dcerpc_ep.c
+++ b/source3/librpc/rpc/dcerpc_ep.c
@@ -365,7 +365,7 @@ static NTSTATUS ep_register(TALLOC_CTX *mem_ctx,
 
 		status = rpc_pipe_open_ncalrpc(tmp_ctx,
 					       ncalrpc_sock,
-					       &ndr_table_epmapper.syntax_id,
+					       &ndr_table_epmapper,
 					       &cli);
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 385ae25..427b628 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2682,7 +2682,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
  Create a rpc pipe client struct, connecting to a unix domain socket
  ********************************************************************/
 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
-			       const struct ndr_syntax_id *abstract_syntax,
+			       const struct ndr_interface_table *table,
 			       struct rpc_pipe_client **presult)
 {
 	struct rpc_pipe_client *result;
@@ -2696,7 +2696,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	result->abstract_syntax = *abstract_syntax;
+	result->abstract_syntax = table->syntax_id;
 	result->transfer_syntax = ndr_transfer_syntax_ndr;
 
 	result->desthost = get_myname(result);
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 34ae542..3415db0 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -71,7 +71,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
 			   struct rpc_pipe_client **presult);
 
 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
-			       const struct ndr_syntax_id *abstract_syntax,
+			       const struct ndr_interface_table *table,
 			       struct rpc_pipe_client **presult);
 
 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
-- 
1.9.3


From 816b7983c2342ea500e7467f2ab6c04dff89308f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 17 May 2013 16:44:05 +0200
Subject: [PATCH 022/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_pipe_open_interface().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6886cff0a7e97864e9094af936cbef08a3c8f6f4)
---
 source3/printing/nt_printing_migrate_internal.c |  2 +-
 source3/printing/printspoolss.c                 |  4 +--
 source3/rpc_server/rpc_ncacn_np.c               |  8 +++---
 source3/rpc_server/rpc_ncacn_np.h               |  2 +-
 source3/smbd/lanman.c                           | 34 ++++++++++++-------------
 source3/smbd/reply.c                            |  2 +-
 6 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/source3/printing/nt_printing_migrate_internal.c b/source3/printing/nt_printing_migrate_internal.c
index 200db07f..6bc7ea2 100644
--- a/source3/printing/nt_printing_migrate_internal.c
+++ b/source3/printing/nt_printing_migrate_internal.c
@@ -211,7 +211,7 @@ bool nt_printing_tdb_migrate(struct messaging_context *msg_ctx)
 	}
 
 	status = rpc_pipe_open_interface(tmp_ctx,
-					&ndr_table_winreg.syntax_id,
+					&ndr_table_winreg,
 					session_info,
 					NULL,
 					msg_ctx,
diff --git a/source3/printing/printspoolss.c b/source3/printing/printspoolss.c
index fc1e9c1..0507e83 100644
--- a/source3/printing/printspoolss.c
+++ b/source3/printing/printspoolss.c
@@ -154,7 +154,7 @@ NTSTATUS print_spool_open(files_struct *fsp,
 	 * a job id */
 
 	status = rpc_pipe_open_interface(fsp->conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 fsp->conn->session_info,
 					 fsp->conn->sconn->remote_address,
 					 fsp->conn->sconn->msg_ctx,
@@ -343,7 +343,7 @@ void print_spool_terminate(struct connection_struct *conn,
 	rap_jobid_delete(print_file->svcname, print_file->jobid);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index b4602a9..7389b3e 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -758,7 +758,7 @@ done:
  */
 
 NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
-				 const struct ndr_syntax_id *syntax,
+				 const struct ndr_interface_table *table,
 				 const struct auth_session_info *session_info,
 				 const struct tsocket_address *remote_address,
 				 struct messaging_context *msg_ctx,
@@ -783,7 +783,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	pipe_name = get_pipe_name_from_syntax(tmp_ctx, syntax);
+	pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
 	if (pipe_name == NULL) {
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto done;
@@ -800,7 +800,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
 	switch (pipe_mode) {
 	case RPC_SERVICE_MODE_EMBEDDED:
 		status = rpc_pipe_open_internal(tmp_ctx,
-						syntax, session_info,
+						&table->syntax_id, session_info,
 						remote_address, msg_ctx,
 						&cli);
 		if (!NT_STATUS_IS_OK(status)) {
@@ -813,7 +813,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
 		 * to spoolssd. */
 
 		status = rpc_pipe_open_external(tmp_ctx,
-						pipe_name, syntax,
+						pipe_name, &table->syntax_id,
 						session_info,
 						&cli);
 		if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/rpc_server/rpc_ncacn_np.h b/source3/rpc_server/rpc_ncacn_np.h
index 586d61b..67cd8a1 100644
--- a/source3/rpc_server/rpc_ncacn_np.h
+++ b/source3/rpc_server/rpc_ncacn_np.h
@@ -50,7 +50,7 @@ NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
 			       struct messaging_context *msg_ctx,
 			       struct dcerpc_binding_handle **binding_handle);
 NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
-				 const struct ndr_syntax_id *syntax,
+				 const struct ndr_interface_table *table,
 				 const struct auth_session_info *session_info,
 				 const struct tsocket_address *remote_address,
 				 struct messaging_context *msg_ctx,
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index d0dae36..3c488ec 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -832,7 +832,7 @@ static bool api_DosPrintQGetInfo(struct smbd_server_connection *sconn,
 	}
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -1029,7 +1029,7 @@ static bool api_DosPrintQEnum(struct smbd_server_connection *sconn,
 	}
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -2256,7 +2256,7 @@ static bool api_RNetShareAdd(struct smbd_server_connection *sconn,
 		return false;
 	}
 
-	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
+	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
 					conn->session_info,
 					conn->sconn->remote_address,
 					conn->sconn->msg_ctx,
@@ -2368,7 +2368,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn,
 	}
 
 	status = rpc_pipe_open_interface(
-		talloc_tos(), &ndr_table_samr.syntax_id,
+		talloc_tos(), &ndr_table_samr,
 		conn->session_info, conn->sconn->remote_address,
 		conn->sconn->msg_ctx, &samr_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2574,7 +2574,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn,
 	endp = *rdata + *rdata_len;
 
 	status = rpc_pipe_open_interface(
-		talloc_tos(), &ndr_table_samr.syntax_id,
+		talloc_tos(), &ndr_table_samr,
 		conn->session_info, conn->sconn->remote_address,
 		conn->sconn->msg_ctx, &samr_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2774,7 +2774,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn,
 	endp = *rdata + *rdata_len;
 
 	status = rpc_pipe_open_interface(
-		talloc_tos(), &ndr_table_samr.syntax_id,
+		talloc_tos(), &ndr_table_samr,
 		conn->session_info, conn->sconn->remote_address,
 		conn->sconn->msg_ctx, &samr_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -3037,7 +3037,7 @@ static bool api_SamOEMChangePassword(struct smbd_server_connection *sconn,
 	memcpy(password.data, data, 516);
 	memcpy(hash.hash, data+516, 16);
 
-	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
+	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
 					conn->session_info,
 					conn->sconn->remote_address,
 					conn->sconn->msg_ctx,
@@ -3134,7 +3134,7 @@ static bool api_RDosPrintJobDel(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(handle);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -3262,7 +3262,7 @@ static bool api_WPrintQueueCtrl(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(handle);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -3444,7 +3444,7 @@ static bool api_PrintJobInfo(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(handle);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -3621,7 +3621,7 @@ static bool api_RNetServerGetInfo(struct smbd_server_connection *sconn,
 	p = *rdata;
 	p2 = p + struct_len;
 
-	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc.syntax_id,
+	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
 					conn->session_info,
 					conn->sconn->remote_address,
 					conn->sconn->msg_ctx,
@@ -4052,7 +4052,7 @@ static bool api_RNetUserGetInfo(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(domain_handle);
 	ZERO_STRUCT(user_handle);
 
-	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr.syntax_id,
+	status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
 					conn->session_info,
 					conn->sconn->remote_address,
 					conn->sconn->msg_ctx,
@@ -4581,7 +4581,7 @@ static bool api_WPrintJobGetInfo(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(handle);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -4723,7 +4723,7 @@ static bool api_WPrintJobEnumerate(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(handle);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -4923,7 +4923,7 @@ static bool api_WPrintDestGetInfo(struct smbd_server_connection *sconn,
 	ZERO_STRUCT(handle);
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -5055,7 +5055,7 @@ static bool api_WPrintDestEnum(struct smbd_server_connection *sconn,
 	queuecnt = 0;
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_spoolss.syntax_id,
+					 &ndr_table_spoolss,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
@@ -5366,7 +5366,7 @@ static bool api_RNetSessionEnum(struct smbd_server_connection *sconn,
 	}
 
 	status = rpc_pipe_open_interface(conn,
-					 &ndr_table_srvsvc.syntax_id,
+					 &ndr_table_srvsvc,
 					 conn->session_info,
 					 conn->sconn->remote_address,
 					 conn->sconn->msg_ctx,
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 3f5b950..eace557 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -5637,7 +5637,7 @@ void reply_printqueue(struct smb_request *req)
 		ZERO_STRUCT(handle);
 
 		status = rpc_pipe_open_interface(conn,
-						 &ndr_table_spoolss.syntax_id,
+						 &ndr_table_spoolss,
 						 conn->session_info,
 						 conn->sconn->remote_address,
 						 conn->sconn->msg_ctx,
-- 
1.9.3


From 3dc2d438f0b440f34b7cdd9eeac429a15f679460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:03:23 +0200
Subject: [PATCH 023/249] s3-rpc_cli: pass down ndr_interface_table to
 cli_rpc_pipe_open_schannel().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit f6d61b571d79ebf1df58513ec728057d00b95f3e)
---
 source3/auth/auth_domain.c             | 2 +-
 source3/rpc_client/cli_pipe.h          | 2 +-
 source3/rpc_client/cli_pipe_schannel.c | 4 ++--
 source3/rpcclient/rpcclient.c          | 2 +-
 source3/utils/net_rpc.c                | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 286c75c..a375f11 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -115,7 +115,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 	if (lp_client_schannel()) {
 		/* We also setup the creds chain in the open_schannel call. */
 		result = cli_rpc_pipe_open_schannel(
-			*cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
+			*cli, &ndr_table_netlogon, NCACN_NP,
 			DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
 	} else {
 		result = cli_rpc_pipe_open_noauth(
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 3415db0..d17322a 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -125,7 +125,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
 						 struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-				    const struct ndr_syntax_id *interface,
+				    const struct ndr_interface_table *table,
 				    enum dcerpc_transport_t transport,
 				    enum dcerpc_AuthLevel auth_level,
 				    const char *domain,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index c275720..8bc01a5 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -169,7 +169,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
  ****************************************************************************/
 
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
-				    const struct ndr_syntax_id *interface,
+				    const struct ndr_interface_table *table,
 				    enum dcerpc_transport_t transport,
 				    enum dcerpc_AuthLevel auth_level,
 				    const char *domain,
@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
+		cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
 		&result);
 
 	/* Now we've bound using the session key we can close the netlog pipe. */
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index d204d7f..6b6478e 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -734,7 +734,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 			break;
 		case DCERPC_AUTH_TYPE_SCHANNEL:
 			ntresult = cli_rpc_pipe_open_schannel(
-				cli, &cmd_entry->table->syntax_id,
+				cli, cmd_entry->table,
 				default_transport,
 				pipe_default_auth_level,
 				get_cmdline_auth_info_domain(auth_info),
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 4503f59..dab9fcd 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -191,7 +191,7 @@ int run_rpc_command(struct net_context *c,
 					    &ndr_table_netlogon.syntax_id))) {
 			/* Always try and create an schannel netlogon pipe. */
 			nt_status = cli_rpc_pipe_open_schannel(
-				cli, &table->syntax_id, NCACN_NP,
+				cli, table, NCACN_NP,
 				DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
 				&pipe_hnd);
 			if (!NT_STATUS_IS_OK(nt_status)) {
-- 
1.9.3


From 428596faf89f424c83edb86d45c5a1322e3fb6b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:08:33 +0200
Subject: [PATCH 024/249] s3-rpc_cli: pass down ndr_interface_table to
 cli_rpc_pipe_open_ntlmssp_auth_schannel().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7f169474fc86479abe09a5716b8029c6febcfaa9)
---
 source3/rpc_client/cli_pipe.h          | 2 +-
 source3/rpc_client/cli_pipe_schannel.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index d17322a..7026692 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -116,7 +116,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-						 const struct ndr_syntax_id *interface,
+						 const struct ndr_interface_table *table,
 						 enum dcerpc_transport_t transport,
 						 enum dcerpc_AuthLevel auth_level,
 						 const char *domain,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index 8bc01a5..261a768 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -128,7 +128,7 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
  ****************************************************************************/
 
 NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-						 const struct ndr_syntax_id *interface,
+						 const struct ndr_interface_table *table,
 						 enum dcerpc_transport_t transport,
 						 enum dcerpc_AuthLevel auth_level,
 						 const char *domain,
@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, interface, transport, auth_level, domain, &netlogon_pipe->dc,
+		cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
 		&result);
 
 	/* Now we've bound using the session key we can close the netlog pipe. */
-- 
1.9.3


From cda31f4e490942ffc89513f000fa147f535a2713 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:17:24 +0200
Subject: [PATCH 025/249] s3-rpc_cli: pass down ndr_interface_table to
 cli_rpc_pipe_open_schannel_with_key().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3dc3a6c8483a8de22b483ecf164c81232d4a8d65)
---
 source3/libnet/libnet_join.c           | 2 +-
 source3/rpc_client/cli_pipe.c          | 6 +++---
 source3/rpc_client/cli_pipe.h          | 2 +-
 source3/rpc_client/cli_pipe_schannel.c | 4 ++--
 source3/utils/net_rpc_join.c           | 4 ++--
 source3/winbindd/winbindd_cm.c         | 8 ++++----
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 1418385..9f47f3b 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1287,7 +1287,7 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
+		cli, &ndr_table_netlogon, NCACN_NP,
 		DCERPC_AUTH_LEVEL_PRIVACY,
 		netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
 
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 427b628..34cef32 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3022,7 +3022,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
  ****************************************************************************/
 
 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
-					     const struct ndr_syntax_id *interface,
+					     const struct ndr_interface_table *table,
 					     enum dcerpc_transport_t transport,
 					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
@@ -3033,7 +3033,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	struct pipe_auth_data *auth;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open(cli, transport, interface, &result);
+	status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -3070,7 +3070,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 
 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
 		  "for domain %s and bound using schannel.\n",
-		  get_pipe_name_from_syntax(talloc_tos(), interface),
+		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
 		  result->desthost, domain));
 
 	*presult = result;
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 7026692..65bfbc8 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -108,7 +108,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
 				  struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
-					     const struct ndr_syntax_id *interface,
+					     const struct ndr_interface_table *table,
 					     enum dcerpc_transport_t transport,
 					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index 261a768..784e63f 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -151,7 +151,7 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
+		cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
 		&result);
 
 	/* Now we've bound using the session key we can close the netlog pipe. */
@@ -190,7 +190,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, &table->syntax_id, transport, auth_level, domain, &netlogon_pipe->dc,
+		cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
 		&result);
 
 	/* Now we've bound using the session key we can close the netlog pipe. */
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 56799cd..4b43769 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -137,7 +137,7 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
 	}
 
 	ntret = cli_rpc_pipe_open_schannel_with_key(
-		cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
+		cli, &ndr_table_netlogon, NCACN_NP,
 		DCERPC_AUTH_LEVEL_PRIVACY,
 		domain, &netlogon_pipe->dc, &pipe_hnd);
 
@@ -497,7 +497,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
 		struct rpc_pipe_client *netlogon_schannel_pipe;
 
 		status = cli_rpc_pipe_open_schannel_with_key(
-			cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
+			cli, &ndr_table_netlogon, NCACN_NP,
 			DCERPC_AUTH_LEVEL_PRIVACY, domain, &pipe_hnd->dc,
 			&netlogon_schannel_pipe);
 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 61917db..f17fc68 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2415,7 +2415,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 		goto anonymous;
 	}
 	status = cli_rpc_pipe_open_schannel_with_key
-		(conn->cli, &ndr_table_samr.syntax_id, NCACN_NP,
+		(conn->cli, &ndr_table_samr, NCACN_NP,
 		 DCERPC_AUTH_LEVEL_PRIVACY,
 		 domain->name, &p_creds, &conn->samr_pipe);
 
@@ -2547,7 +2547,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
-						     &ndr_table_lsarpc.syntax_id,
+						     &ndr_table_lsarpc,
 						     NCACN_IP_TCP,
 						     DCERPC_AUTH_LEVEL_PRIVACY,
 						     domain->name,
@@ -2646,7 +2646,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 		goto anonymous;
 	}
 	result = cli_rpc_pipe_open_schannel_with_key
-		(conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP,
+		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
 		 DCERPC_AUTH_LEVEL_PRIVACY,
 		 domain->name, &p_creds, &conn->lsa_pipe);
 
@@ -2831,7 +2831,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 	*/
 
 	result = cli_rpc_pipe_open_schannel_with_key(
-		conn->cli, &ndr_table_netlogon.syntax_id, NCACN_NP,
+		conn->cli, &ndr_table_netlogon, NCACN_NP,
 		DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
 		&conn->netlogon_pipe);
 
-- 
1.9.3


From 9b569e91cd22806eedae76d3fb60cdbd7548e4c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:29:28 +0200
Subject: [PATCH 026/249] s3-rpc_cli: pass down ndr_interface_table to
 cli_rpc_pipe_open_noauth().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9813fe2b04a5b4abaa95ea1d893b3803edbede4d)
---
 source3/auth/auth_domain.c                  |  2 +-
 source3/client/client.c                     |  2 +-
 source3/lib/netapi/cm.c                     |  2 +-
 source3/libnet/libnet_join.c                |  8 ++++----
 source3/libsmb/libsmb_dir.c                 |  2 +-
 source3/libsmb/libsmb_server.c              |  2 +-
 source3/libsmb/passchange.c                 |  4 ++--
 source3/libsmb/trustdom_cache.c             |  2 +-
 source3/libsmb/trusts_util.c                |  2 +-
 source3/rpc_client/cli_pipe.c               |  4 ++--
 source3/rpc_client/cli_pipe.h               |  2 +-
 source3/rpc_client/cli_pipe_schannel.c      |  2 +-
 source3/rpc_server/spoolss/srv_spoolss_nt.c |  2 +-
 source3/rpcclient/cmd_spoolss.c             |  2 +-
 source3/rpcclient/cmd_test.c                |  4 ++--
 source3/rpcclient/rpcclient.c               |  2 +-
 source3/torture/test_async_echo.c           |  2 +-
 source3/utils/net_ads.c                     |  2 +-
 source3/utils/net_rpc.c                     | 20 ++++++++++----------
 source3/utils/net_rpc_join.c                |  6 +++---
 source3/utils/net_rpc_shell.c               |  2 +-
 source3/utils/net_rpc_trust.c               |  2 +-
 source3/utils/net_util.c                    |  8 ++++----
 source3/utils/netlookup.c                   |  2 +-
 source3/utils/smbcacls.c                    |  7 +++----
 source3/utils/smbcquotas.c                  |  2 +-
 source3/utils/smbtree.c                     |  2 +-
 source3/winbindd/winbindd_cm.c              | 10 +++++-----
 28 files changed, 54 insertions(+), 55 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index a375f11..54ee5a1 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -119,7 +119,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 			DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
 	} else {
 		result = cli_rpc_pipe_open_noauth(
-			*cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
+			*cli, &ndr_table_netlogon, &netlogon_pipe);
 	}
 
 	if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/client/client.c b/source3/client/client.c
index ab46cb8..dafc5f0 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -4227,7 +4227,7 @@ static bool browse_host_rpc(bool sort)
 	int i;
 	struct dcerpc_binding_handle *b;
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
 					  &pipe_hnd);
 
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index 8551521..1cfdccf 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -202,7 +202,7 @@ static NTSTATUS pipe_cm_connect(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = cli_rpc_pipe_open_noauth(ipc->cli, &table->syntax_id, &p->pipe);
+	status = cli_rpc_pipe_open_noauth(ipc->cli, table, &p->pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(p);
 		return status;
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 9f47f3b..324c8f3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -749,7 +749,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-	status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Error connecting to LSA pipe. Error was %s\n",
@@ -819,7 +819,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
 	fstring trust_passwd;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -908,7 +908,7 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 
 	/* Open the domain */
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
@@ -1377,7 +1377,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
 
 	/* Open the domain */
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Error connecting to SAM pipe. Error was %s\n",
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 87e10d8..3a07f11 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -277,7 +277,7 @@ net_share_enum_rpc(struct cli_state *cli,
 	struct dcerpc_binding_handle *b;
 
         /* Open the server service pipe */
-        nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
+        nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
 					     &pipe_hnd);
         if (!NT_STATUS_IS_OK(nt_status)) {
                 DEBUG(1, ("net_share_enum_rpc pipe open fail!\n"));
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index d4254da..dff0062 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -802,7 +802,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
                 ipc_srv->cli = ipc_cli;
 
                 nt_status = cli_rpc_pipe_open_noauth(
-			ipc_srv->cli, &ndr_table_lsarpc.syntax_id, &pipe_hnd);
+			ipc_srv->cli, &ndr_table_lsarpc, &pipe_hnd);
                 if (!NT_STATUS_IS_OK(nt_status)) {
                         DEBUG(1, ("cli_nt_session_open fail!\n"));
                         errno = ENOTSUP;
diff --git a/source3/libsmb/passchange.c b/source3/libsmb/passchange.c
index 3933833..9736ada 100644
--- a/source3/libsmb/passchange.c
+++ b/source3/libsmb/passchange.c
@@ -169,7 +169,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
 		 * way.
 		 */
 		result = cli_rpc_pipe_open_noauth(
-			cli, &ndr_table_samr.syntax_id, &pipe_hnd);
+			cli, &ndr_table_samr, &pipe_hnd);
 	}
 
 	if (!NT_STATUS_IS_OK(result)) {
@@ -230,7 +230,7 @@ NTSTATUS remote_password_change(const char *remote_machine, const char *user_nam
 	result = NT_STATUS_UNSUCCESSFUL;
 
 	/* OK, this is ugly, but... try an anonymous pipe. */
-	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
 					  &pipe_hnd);
 
 	if ( NT_STATUS_IS_OK(result) &&
diff --git a/source3/libsmb/trustdom_cache.c b/source3/libsmb/trustdom_cache.c
index 8789d30..dadc751 100644
--- a/source3/libsmb/trustdom_cache.c
+++ b/source3/libsmb/trustdom_cache.c
@@ -289,7 +289,7 @@ static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
 
 	/* open the LSARPC_PIPE	*/
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &lsa_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 0d039bc..6156ba0 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -182,7 +182,7 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
 	/* Shouldn't we open this with schannel ? JRA. */
 
 	nt_status = cli_rpc_pipe_open_noauth(
-		cli, &ndr_table_netlogon.syntax_id, &netlogon_pipe);
+		cli, &ndr_table_netlogon, &netlogon_pipe);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
 			dc_name, nt_errstr(nt_status)));
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 34cef32..1137abd 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2948,11 +2948,11 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
  ****************************************************************************/
 
 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
-				  const struct ndr_syntax_id *interface,
+				  const struct ndr_interface_table *table,
 				  struct rpc_pipe_client **presult)
 {
 	return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
-						  interface, presult);
+						  &table->syntax_id, presult);
 }
 
 /****************************************************************************
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 65bfbc8..9aae61a 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -77,7 +77,7 @@ NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
 struct dcerpc_binding_handle *rpccli_bh_create(struct rpc_pipe_client *c);
 
 NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
-				  const struct ndr_syntax_id *interface,
+				  const struct ndr_interface_table *table,
 				  struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index 784e63f..bc672ef 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -217,7 +217,7 @@ NTSTATUS get_schannel_session_key(struct cli_state *cli,
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
 					  &netlogon_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
index 335647b..c12cd05 100644
--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
+++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
@@ -2504,7 +2504,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe,
 	 * Now start the NT Domain stuff :-).
 	 */
 
-	ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss.syntax_id, pp_pipe);
+	ret = cli_rpc_pipe_open_noauth(the_cli, &ndr_table_spoolss, pp_pipe);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(2,("spoolss_connect_to_client: unable to open the spoolss pipe on machine %s. Error was : %s.\n",
 			remote_machine, nt_errstr(ret)));
diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
index 5c499d4..fb011f8 100644
--- a/source3/rpcclient/cmd_spoolss.c
+++ b/source3/rpcclient/cmd_spoolss.c
@@ -3453,7 +3453,7 @@ static WERROR cmd_spoolss_printercmp(struct rpc_pipe_client *cli,
 	if ( !NT_STATUS_IS_OK(nt_status) )
 		return WERR_GENERAL_FAILURE;
 
-	nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss.syntax_id,
+	nt_status = cli_rpc_pipe_open_noauth(cli_server2, &ndr_table_spoolss,
 					     &cli2);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		printf("failed to open spoolss pipe on server %s (%s)\n",
diff --git a/source3/rpcclient/cmd_test.c b/source3/rpcclient/cmd_test.c
index 591ae8c..367dc71 100644
--- a/source3/rpcclient/cmd_test.c
+++ b/source3/rpcclient/cmd_test.c
@@ -36,14 +36,14 @@ static NTSTATUS cmd_testme(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx,
 	d_printf("testme\n");
 
 	status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
-					  &ndr_table_lsarpc.syntax_id,
+					  &ndr_table_lsarpc,
 					  &lsa_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
 	status = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(cli),
-					  &ndr_table_samr.syntax_id,
+					  &ndr_table_samr,
 					  &samr_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 6b6478e..e3b35bb 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -167,7 +167,7 @@ static void fetch_machine_sid(struct cli_state *cli)
 		goto error;
 	}
 
-	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &lsapipe);
 	if (!NT_STATUS_IS_OK(result)) {
 		fprintf(stderr, "could not initialise lsa pipe. Error was %s\n", nt_errstr(result) );
diff --git a/source3/torture/test_async_echo.c b/source3/torture/test_async_echo.c
index 6df95dd..f21daa4 100644
--- a/source3/torture/test_async_echo.c
+++ b/source3/torture/test_async_echo.c
@@ -82,7 +82,7 @@ bool run_async_echo(int dummy)
 		printf("torture_open_connection failed\n");
 		goto fail;
 	}
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_rpcecho,
 					  &p);
 	if (!NT_STATUS_IS_OK(status)) {
 		printf("Could not open echo pipe: %s\n", nt_errstr(status));
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 5699943..89eebf3 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1957,7 +1957,7 @@ static int net_ads_printer_publish(struct net_context *c, int argc, const char *
 	SAFE_FREE(srv_cn_escaped);
 	SAFE_FREE(printername_escaped);
 
-	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss.syntax_id, &pipe_hnd);
+	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_spoolss, &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		d_fprintf(stderr, _("Unable to open a connection to the spoolss pipe on %s\n"),
 			 servername);
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index dab9fcd..69ff14d 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -82,7 +82,7 @@ NTSTATUS net_get_remote_domain_sid(struct cli_state *cli, TALLOC_CTX *mem_ctx,
 	union lsa_PolicyInformation *info = NULL;
 	struct dcerpc_binding_handle *b;
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &lsa_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
@@ -212,7 +212,7 @@ int run_rpc_command(struct net_context *c,
 					c->opt_password, &pipe_hnd);
 			} else {
 				nt_status = cli_rpc_pipe_open_noauth(
-					cli, &table->syntax_id,
+					cli, table,
 					&pipe_hnd);
 			}
 			if (!NT_STATUS_IS_OK(nt_status)) {
@@ -348,7 +348,7 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
 	NTSTATUS result;
 	enum netr_SchannelType sec_channel_type;
 
-	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
@@ -1966,7 +1966,7 @@ static NTSTATUS get_sid_from_name(struct cli_state *cli,
 	NTSTATUS status, result;
 	struct dcerpc_binding_handle *b;
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
@@ -2980,7 +2980,7 @@ static NTSTATUS rpc_list_alias_members(struct net_context *c,
 	}
 
 	result = cli_rpc_pipe_open_noauth(rpc_pipe_np_smb_conn(pipe_hnd),
-					  &ndr_table_lsarpc.syntax_id,
+					  &ndr_table_lsarpc,
 					  &lsa_pipe);
 	if (!NT_STATUS_IS_OK(result)) {
 		d_fprintf(stderr, _("Couldn't open LSA pipe. Error was %s\n"),
@@ -6232,7 +6232,7 @@ static NTSTATUS rpc_trustdom_get_pdc(struct net_context *c,
 
 	/* Try netr_GetDcName */
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
 					  &netr);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -6379,7 +6379,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc,
 	 * Call LsaOpenPolicy and LsaQueryInfo
 	 */
 
-	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					     &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n", nt_errstr(nt_status) ));
@@ -6656,7 +6656,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc,
 		return -1;
 	};
 
-	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					     &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
@@ -6834,7 +6834,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
 		return -1;
 	};
 
-	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					     &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Could not initialise lsa pipe. Error was %s\n",
@@ -6950,7 +6950,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv)
 	/*
 	 * Open \PIPE\samr and get needed policy handles
 	 */
-	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+	nt_status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
 					     &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Could not initialise samr pipe. Error was %s\n", nt_errstr(nt_status)));
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 4b43769..aabbe54 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -245,7 +245,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
 
 	/* Fetch domain sid */
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Error connecting to LSA pipe. Error was %s\n",
@@ -280,7 +280,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
 	}
 
 	/* Create domain user */
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_samr,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Error connecting to SAM pipe. Error was %s\n",
@@ -456,7 +456,7 @@ int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
 
 	/* Now check the whole process from top-to-bottom */
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n",
diff --git a/source3/utils/net_rpc_shell.c b/source3/utils/net_rpc_shell.c
index 6086066..120cfa6 100644
--- a/source3/utils/net_rpc_shell.c
+++ b/source3/utils/net_rpc_shell.c
@@ -85,7 +85,7 @@ static NTSTATUS net_sh_run(struct net_context *c,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = cli_rpc_pipe_open_noauth(ctx->cli, &cmd->table->syntax_id,
+	status = cli_rpc_pipe_open_noauth(ctx->cli, cmd->table,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_fprintf(stderr, _("Could not open pipe: %s\n"),
diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c
index 9060700..5e58103 100644
--- a/source3/utils/net_rpc_trust.c
+++ b/source3/utils/net_rpc_trust.c
@@ -210,7 +210,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx,
 		return status;
 	}
 
-	status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc.syntax_id, pipe_hnd);
+	status = cli_rpc_pipe_open_noauth(*cli, &ndr_table_lsarpc, pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Failed to initialise lsa pipe with error [%s]\n",
 			  nt_errstr(status)));
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index a4282ec..13a0ef1 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -45,7 +45,7 @@ NTSTATUS net_rpc_lookup_name(struct net_context *c,
 
 	ZERO_STRUCT(pol);
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &lsa_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_fprintf(stderr, _("Could not initialise lsa pipe\n"));
@@ -256,7 +256,7 @@ NTSTATUS connect_dst_pipe(struct net_context *c, struct cli_state **cli_dst,
 		return nt_status;
 	}
 
-	nt_status = cli_rpc_pipe_open_noauth(cli_tmp, &table->syntax_id,
+	nt_status = cli_rpc_pipe_open_noauth(cli_tmp, table,
 					     &pipe_hnd);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("couldn't not initialize pipe\n"));
@@ -571,7 +571,7 @@ static NTSTATUS net_scan_dc_noad(struct net_context *c,
 	ZERO_STRUCTP(dc_info);
 	ZERO_STRUCT(pol);
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &pipe_hnd);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -634,7 +634,7 @@ NTSTATUS net_scan_dc(struct net_context *c,
 
 	ZERO_STRUCTP(dc_info);
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_dssetup,
 					  &dssetup_pipe);
         if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("net_scan_dc: failed to open dssetup pipe with %s, "
diff --git a/source3/utils/netlookup.c b/source3/utils/netlookup.c
index b66c34e..56d3bfe 100644
--- a/source3/utils/netlookup.c
+++ b/source3/utils/netlookup.c
@@ -122,7 +122,7 @@ static struct con_struct *create_cs(struct net_context *c,
 	}
 
 	nt_status = cli_rpc_pipe_open_noauth(cs->cli,
-					&ndr_table_lsarpc.syntax_id,
+					&ndr_table_lsarpc,
 					&cs->lsapipe);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/utils/smbcacls.c b/source3/utils/smbcacls.c
index 23a1192..f092839 100644
--- a/source3/utils/smbcacls.c
+++ b/source3/utils/smbcacls.c
@@ -96,7 +96,7 @@ static NTSTATUS cli_lsa_lookup_sid(struct cli_state *cli,
 		goto tcon_fail;
 	}
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &p);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto fail;
@@ -146,7 +146,7 @@ static NTSTATUS cli_lsa_lookup_name(struct cli_state *cli,
 		goto tcon_fail;
 	}
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
 					  &p);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto fail;
@@ -187,14 +187,13 @@ static NTSTATUS cli_lsa_lookup_domain_sid(struct cli_state *cli,
 	struct policy_handle handle;
 	NTSTATUS status, result;
 	TALLOC_CTX *frame = talloc_stackframe();
-	const struct ndr_syntax_id *lsarpc_syntax = &ndr_table_lsarpc.syntax_id;
 
 	status = cli_tree_connect(cli, "IPC$", "?????", "", 0);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
-	status = cli_rpc_pipe_open_noauth(cli, lsarpc_syntax, &rpc_pipe);
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc, &rpc_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto tdis;
 	}
diff --git a/source3/utils/smbcquotas.c b/source3/utils/smbcquotas.c
index bf1f95c..2791b93 100644
--- a/source3/utils/smbcquotas.c
+++ b/source3/utils/smbcquotas.c
@@ -58,7 +58,7 @@ static bool cli_open_policy_hnd(void)
 		NTSTATUS ret;
 		cli_ipc = connect_one("IPC$");
 		ret = cli_rpc_pipe_open_noauth(cli_ipc,
-					       &ndr_table_lsarpc.syntax_id,
+					       &ndr_table_lsarpc,
 					       &global_pipe_hnd);
 		if (!NT_STATUS_IS_OK(ret)) {
 				return False;
diff --git a/source3/utils/smbtree.c b/source3/utils/smbtree.c
index 40b1f09..5c07b12 100644
--- a/source3/utils/smbtree.c
+++ b/source3/utils/smbtree.c
@@ -177,7 +177,7 @@ static bool get_rpc_shares(struct cli_state *cli,
 		return False;
 	}
 
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc.syntax_id,
+	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_srvsvc,
 					  &pipe_hnd);
 
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index f17fc68..facef64 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2078,7 +2078,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
 	DEBUG(5, ("set_dc_type_and_flags_connect: domain %s\n", domain->name ));
 
 	status = cli_rpc_pipe_open_noauth(domain->conn.cli,
-					  &ndr_table_dssetup.syntax_id,
+					  &ndr_table_dssetup,
 					  &cli);
 
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2129,7 +2129,7 @@ static void set_dc_type_and_flags_connect( struct winbindd_domain *domain )
 
 no_dssetup:
 	status = cli_rpc_pipe_open_noauth(domain->conn.cli,
-					  &ndr_table_lsarpc.syntax_id, &cli);
+					  &ndr_table_lsarpc, &cli);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(5, ("set_dc_type_and_flags_connect: Could not bind to "
@@ -2447,7 +2447,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  anonymous:
 
 	/* Finally fall back to anonymous. */
-	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
+	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
 					  &conn->samr_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2674,7 +2674,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  anonymous:
 
 	result = cli_rpc_pipe_open_noauth(conn->cli,
-					  &ndr_table_lsarpc.syntax_id,
+					  &ndr_table_lsarpc,
 					  &conn->lsa_pipe);
 	if (!NT_STATUS_IS_OK(result)) {
 		result = NT_STATUS_PIPE_NOT_AVAILABLE;
@@ -2765,7 +2765,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 	TALLOC_FREE(conn->netlogon_pipe);
 
 	result = cli_rpc_pipe_open_noauth(conn->cli,
-					  &ndr_table_netlogon.syntax_id,
+					  &ndr_table_netlogon,
 					  &netlogon_pipe);
 	if (!NT_STATUS_IS_OK(result)) {
 		return result;
-- 
1.9.3


From fce35e003f655b3564ee4df5ebfe7f3e6ff6d188 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:33:03 +0200
Subject: [PATCH 027/249] s3-rpc_cli: pass down ndr_interface_table to
 cli_rpc_pipe_open_noauth_transport().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9aa99c3cfb0ff7a290dd4df472a4ff30d0efcb76)
---
 source3/rpc_client/cli_pipe.c | 13 +++++++------
 source3/rpc_client/cli_pipe.h |  2 +-
 source3/rpcclient/rpcclient.c |  2 +-
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1137abd..4523ab7 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2865,14 +2865,14 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
 
 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 					    enum dcerpc_transport_t transport,
-					    const struct ndr_syntax_id *interface,
+					    const struct ndr_interface_table *table,
 					    struct rpc_pipe_client **presult)
 {
 	struct rpc_pipe_client *result;
 	struct pipe_auth_data *auth;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open(cli, transport, interface, &result);
+	status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2921,7 +2921,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 	status = rpc_pipe_bind(result, auth);
 	if (!NT_STATUS_IS_OK(status)) {
 		int lvl = 0;
-		if (ndr_syntax_id_equal(interface,
+		if (ndr_syntax_id_equal(&table->syntax_id,
 					&ndr_table_dssetup.syntax_id)) {
 			/* non AD domains just don't have this pipe, avoid
 			 * level 0 statement in that case - gd */
@@ -2929,7 +2929,8 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 		}
 		DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
 			    "%s failed with error %s\n",
-			    get_pipe_name_from_syntax(talloc_tos(), interface),
+			    get_pipe_name_from_syntax(talloc_tos(),
+						      &table->syntax_id),
 			    nt_errstr(status) ));
 		TALLOC_FREE(result);
 		return status;
@@ -2937,7 +2938,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 
 	DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
 		  "%s and bound anonymously.\n",
-		  get_pipe_name_from_syntax(talloc_tos(), interface),
+		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
 		  result->desthost));
 
 	*presult = result;
@@ -2952,7 +2953,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
 				  struct rpc_pipe_client **presult)
 {
 	return cli_rpc_pipe_open_noauth_transport(cli, NCACN_NP,
-						  &table->syntax_id, presult);
+						  table, presult);
 }
 
 /****************************************************************************
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 9aae61a..f37f8a9 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -82,7 +82,7 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli,
 
 NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 					    enum dcerpc_transport_t transport,
-					    const struct ndr_syntax_id *interface,
+					    const struct ndr_interface_table *table,
 					    struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index e3b35bb..c23ff2d 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -690,7 +690,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 		case DCERPC_AUTH_TYPE_NONE:
 			ntresult = cli_rpc_pipe_open_noauth_transport(
 				cli, default_transport,
-				&cmd_entry->table->syntax_id,
+				cmd_entry->table,
 				&cmd_entry->rpc_pipe);
 			break;
 		case DCERPC_AUTH_TYPE_SPNEGO:
-- 
1.9.3


From 0d85042853b635486912688102253b2f358b5056 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:38:01 +0200
Subject: [PATCH 028/249] s3-rpc_cli: pass down ndr_interface_table to
 cli_rpc_pipe_open().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 34cc4b409558f229fba24f59e81ef9100a851d24)
---
 source3/rpc_client/cli_pipe.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 4523ab7..4dc7345 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2843,7 +2843,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
 
 static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
 				  enum dcerpc_transport_t transport,
-				  const struct ndr_syntax_id *interface,
+				  const struct ndr_interface_table *table,
 				  struct rpc_pipe_client **presult)
 {
 	switch (transport) {
@@ -2851,9 +2851,9 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
 		return rpc_pipe_open_tcp(NULL,
 					 smbXcli_conn_remote_name(cli->conn),
 					 smbXcli_conn_remote_sockaddr(cli->conn),
-					 interface, presult);
+					 &table->syntax_id, presult);
 	case NCACN_NP:
-		return rpc_pipe_open_np(cli, interface, presult);
+		return rpc_pipe_open_np(cli, &table->syntax_id, presult);
 	default:
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
@@ -2872,7 +2872,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 	struct pipe_auth_data *auth;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
+	status = cli_rpc_pipe_open(cli, transport, table, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2977,7 +2977,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 	
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
+	status = cli_rpc_pipe_open(cli, transport, table, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -3034,7 +3034,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	struct pipe_auth_data *auth;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
+	status = cli_rpc_pipe_open(cli, transport, table, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -3104,7 +3104,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	status = cli_rpc_pipe_open(cli, transport, &table->syntax_id, &result);
+	status = cli_rpc_pipe_open(cli, transport, table, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
-- 
1.9.3


From d5e312185a7adc8429f8caba29a9808ab7954a27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:40:45 +0200
Subject: [PATCH 029/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_pipe_open_np().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8cd3a060514ddcc178c938100edfb0b177c00c8c)
---
 source3/rpc_client/cli_pipe.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 4dc7345..0347d76 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2775,7 +2775,7 @@ static int rpc_pipe_client_np_ref_destructor(struct rpc_pipe_client_np_ref *np_r
  ****************************************************************************/
 
 static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
-				 const struct ndr_syntax_id *abstract_syntax,
+				 const struct ndr_interface_table *table,
 				 struct rpc_pipe_client **presult)
 {
 	struct rpc_pipe_client *result;
@@ -2793,7 +2793,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	result->abstract_syntax = *abstract_syntax;
+	result->abstract_syntax = table->syntax_id;
 	result->transfer_syntax = ndr_transfer_syntax_ndr;
 	result->desthost = talloc_strdup(result, smbXcli_conn_remote_name(cli->conn));
 	result->srv_name_slash = talloc_asprintf_strupper_m(
@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = rpc_transport_np_init(result, cli, abstract_syntax,
+	status = rpc_transport_np_init(result, cli, &table->syntax_id,
 				       &result->transport);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(result);
@@ -2853,7 +2853,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
 					 smbXcli_conn_remote_sockaddr(cli->conn),
 					 &table->syntax_id, presult);
 	case NCACN_NP:
-		return rpc_pipe_open_np(cli, &table->syntax_id, presult);
+		return rpc_pipe_open_np(cli, table, presult);
 	default:
 		return NT_STATUS_NOT_IMPLEMENTED;
 	}
-- 
1.9.3


From f1fa7838cb933fd0d390a56d823272f8528eb63c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:44:00 +0200
Subject: [PATCH 030/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_pipe_open_tcp().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5c5cff0a722a0925ae75ea7aa11ede0d82d5b92d)
---
 source3/rpc_client/cli_pipe.c  | 8 ++++----
 source3/rpc_client/cli_pipe.h  | 2 +-
 source3/torture/rpc_open_tcp.c | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 0347d76..46adf69 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2663,19 +2663,19 @@ done:
  */
 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
 			   const struct sockaddr_storage *addr,
-			   const struct ndr_syntax_id *abstract_syntax,
+			   const struct ndr_interface_table *table,
 			   struct rpc_pipe_client **presult)
 {
 	NTSTATUS status;
 	uint16_t port = 0;
 
-	status = rpc_pipe_get_tcp_port(host, addr, abstract_syntax, &port);
+	status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
 	return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
-					abstract_syntax, presult);
+				      &table->syntax_id, presult);
 }
 
 /********************************************************************
@@ -2851,7 +2851,7 @@ static NTSTATUS cli_rpc_pipe_open(struct cli_state *cli,
 		return rpc_pipe_open_tcp(NULL,
 					 smbXcli_conn_remote_name(cli->conn),
 					 smbXcli_conn_remote_sockaddr(cli->conn),
-					 &table->syntax_id, presult);
+					 table, presult);
 	case NCACN_NP:
 		return rpc_pipe_open_np(cli, table, presult);
 	default:
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index f37f8a9..6fcc587 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -67,7 +67,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
 			   const char *host,
 			   const struct sockaddr_storage *ss_addr,
-			   const struct ndr_syntax_id *abstract_syntax,
+			   const struct ndr_interface_table *table,
 			   struct rpc_pipe_client **presult);
 
 NTSTATUS rpc_pipe_open_ncalrpc(TALLOC_CTX *mem_ctx, const char *socket_path,
diff --git a/source3/torture/rpc_open_tcp.c b/source3/torture/rpc_open_tcp.c
index d29f4cf..cd27b5f 100644
--- a/source3/torture/rpc_open_tcp.c
+++ b/source3/torture/rpc_open_tcp.c
@@ -95,7 +95,7 @@ int main(int argc, const char **argv)
 	}
 
 	status = rpc_pipe_open_tcp(mem_ctx, argv[2], NULL,
-				   &((*table)->syntax_id),
+				   *table,
 				   &rpc_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("ERROR calling rpc_pipe_open_tcp(): %s\n",
-- 
1.9.3


From 67c01c15af1bbb98916e75f7cad61edcc13c2e2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:46:07 +0200
Subject: [PATCH 031/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_pipe_get_tcp_port().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0ff8c2d508949f732716e24047694cecf38597df)
---
 source3/rpc_client/cli_pipe.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 46adf69..15e77db 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2518,7 +2518,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
  */
 static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
 				      const struct sockaddr_storage *addr,
-				      const struct ndr_syntax_id *abstract_syntax,
+				      const struct ndr_interface_table *table,
 				      uint16_t *pport)
 {
 	NTSTATUS status;
@@ -2541,7 +2541,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
 		goto done;
 	}
 
-	if (ndr_syntax_id_equal(abstract_syntax,
+	if (ndr_syntax_id_equal(&table->syntax_id,
 				&ndr_table_epmapper.syntax_id)) {
 		*pport = 135;
 		return NT_STATUS_OK;
@@ -2576,7 +2576,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
 	}
 
 	map_binding->transport = NCACN_IP_TCP;
-	map_binding->object = *abstract_syntax;
+	map_binding->object = table->syntax_id;
 	map_binding->host = host; /* needed? */
 	map_binding->endpoint = "0"; /* correct? needed? */
 
@@ -2612,7 +2612,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
 	status = dcerpc_epm_Map(epm_handle,
 				tmp_ctx,
 				discard_const_p(struct GUID,
-					      &(abstract_syntax->uuid)),
+					      &(table->syntax_id.uuid)),
 				map_tower,
 				entry_handle,
 				max_towers,
@@ -2669,7 +2669,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
 	NTSTATUS status;
 	uint16_t port = 0;
 
-	status = rpc_pipe_get_tcp_port(host, addr, &table->syntax_id, &port);
+	status = rpc_pipe_get_tcp_port(host, addr, table, &port);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
-- 
1.9.3


From a032ff8c89e479792947af4315ed6eb59a69f8f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:47:16 +0200
Subject: [PATCH 032/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_pipe_open_tcp_port().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7bdcfcb37c5b96ee6aa0cecffd89c6d17291fe62)
---
 source3/rpc_client/cli_pipe.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 15e77db..1b2955f 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2447,7 +2447,7 @@ NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
 static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
 				       const struct sockaddr_storage *ss_addr,
 				       uint16_t port,
-				       const struct ndr_syntax_id *abstract_syntax,
+				       const struct ndr_interface_table *table,
 				       struct rpc_pipe_client **presult)
 {
 	struct rpc_pipe_client *result;
@@ -2460,7 +2460,7 @@ static NTSTATUS rpc_pipe_open_tcp_port(TALLOC_CTX *mem_ctx, const char *host,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	result->abstract_syntax = *abstract_syntax;
+	result->abstract_syntax = table->syntax_id;
 	result->transfer_syntax = ndr_transfer_syntax_ndr;
 
 	result->desthost = talloc_strdup(result, host);
@@ -2549,7 +2549,7 @@ static NTSTATUS rpc_pipe_get_tcp_port(const char *host,
 
 	/* open the connection to the endpoint mapper */
 	status = rpc_pipe_open_tcp_port(tmp_ctx, host, addr, 135,
-					&ndr_table_epmapper.syntax_id,
+					&ndr_table_epmapper,
 					&epm_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2675,7 +2675,7 @@ NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx, const char *host,
 	}
 
 	return rpc_pipe_open_tcp_port(mem_ctx, host, addr, port,
-				      &table->syntax_id, presult);
+				      table, presult);
 }
 
 /********************************************************************
-- 
1.9.3


From 0b4ae5ec146e35c364f01c033d6c22efb99b7314 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:52:05 +0200
Subject: [PATCH 033/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_transport_np_init().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c41b6e5c5e7fcdbd98c1eb2bea08378b47d343d4)
---
 source3/rpc_client/cli_pipe.c         | 2 +-
 source3/rpc_client/rpc_transport.h    | 2 +-
 source3/rpc_client/rpc_transport_np.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1b2955f..1fa8d91 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2807,7 +2807,7 @@ static NTSTATUS rpc_pipe_open_np(struct cli_state *cli,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = rpc_transport_np_init(result, cli, &table->syntax_id,
+	status = rpc_transport_np_init(result, cli, table,
 				       &result->transport);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(result);
diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
index bc115dd..2b4a323 100644
--- a/source3/rpc_client/rpc_transport.h
+++ b/source3/rpc_client/rpc_transport.h
@@ -89,7 +89,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
 				    TALLOC_CTX *mem_ctx,
 				    struct rpc_cli_transport **presult);
 NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
-			       const struct ndr_syntax_id *abstract_syntax,
+			       const struct ndr_interface_table *table,
 			       struct rpc_cli_transport **presult);
 
 /* The following definitions come from rpc_client/rpc_transport_sock.c  */
diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index f0696ad..7bd1ca3 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -152,7 +152,7 @@ NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
 }
 
 NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
-			       const struct ndr_syntax_id *abstract_syntax,
+			       const struct ndr_interface_table *table,
 			       struct rpc_cli_transport **presult)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
 		goto fail;
 	}
 
-	req = rpc_transport_np_init_send(frame, ev, cli, abstract_syntax);
+	req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
 	if (req == NULL) {
 		status = NT_STATUS_NO_MEMORY;
 		goto fail;
-- 
1.9.3


From 739d05d91f23c4c6e17078c84192f30911cbdfcd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Fri, 24 May 2013 13:56:53 +0200
Subject: [PATCH 034/249] s3-rpc_cli: pass down ndr_interface_table to
 rpc_transport_np_init_send().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b19e7e6638a5dd53e3c6e6701f78bf31184ed493)
---
 source3/rpc_client/rpc_transport.h    | 2 +-
 source3/rpc_client/rpc_transport_np.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/rpc_client/rpc_transport.h b/source3/rpc_client/rpc_transport.h
index 2b4a323..72e7609 100644
--- a/source3/rpc_client/rpc_transport.h
+++ b/source3/rpc_client/rpc_transport.h
@@ -84,7 +84,7 @@ struct cli_state;
 struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
 					      struct tevent_context *ev,
 					      struct cli_state *cli,
-					      const struct ndr_syntax_id *abstract_syntax);
+					      const struct ndr_interface_table *table);
 NTSTATUS rpc_transport_np_init_recv(struct tevent_req *req,
 				    TALLOC_CTX *mem_ctx,
 				    struct rpc_cli_transport **presult);
diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index 7bd1ca3..c0f313e 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -40,7 +40,7 @@ static void rpc_transport_np_init_pipe_open(struct tevent_req *subreq);
 struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
 					      struct tevent_context *ev,
 					      struct cli_state *cli,
-					      const struct ndr_syntax_id *abstract_syntax)
+					      const struct ndr_interface_table *table)
 {
 	struct tevent_req *req;
 	struct rpc_transport_np_init_state *state;
@@ -55,7 +55,7 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
 	state->ev = ev;
 	state->cli = cli;
 	state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
-	state->pipe_name = get_pipe_name_from_syntax(state, abstract_syntax);
+	state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
 	if (tevent_req_nomem(state->pipe_name, req)) {
 		return tevent_req_post(req, ev);
 	}
@@ -166,7 +166,7 @@ NTSTATUS rpc_transport_np_init(TALLOC_CTX *mem_ctx, struct cli_state *cli,
 		goto fail;
 	}
 
-	req = rpc_transport_np_init_send(frame, ev, cli, &table->syntax_id);
+	req = rpc_transport_np_init_send(frame, ev, cli, table);
 	if (req == NULL) {
 		status = NT_STATUS_NO_MEMORY;
 		goto fail;
-- 
1.9.3


From c5529ee9045c44114ab1716b05d3408baa1b4e42 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 24 Sep 2008 11:04:42 +0200
Subject: [PATCH 035/249] s3: libnet_join: add admin_domain.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c11a79c5a054e862f61c97093fa2ce5e5040f111)
---
 source3/librpc/idl/libnet_join.idl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source3/librpc/idl/libnet_join.idl b/source3/librpc/idl/libnet_join.idl
index 4f28bb6..ac0a350 100644
--- a/source3/librpc/idl/libnet_join.idl
+++ b/source3/librpc/idl/libnet_join.idl
@@ -21,6 +21,7 @@ interface libnetjoin
 		[in,ref] string *domain_name,
 		[in] string account_ou,
 		[in] string admin_account,
+		[in] string admin_domain,
 		[in,noprint] string admin_password,
 		[in] string machine_password,
 		[in] wkssvc_joinflags join_flags,
@@ -51,6 +52,7 @@ interface libnetjoin
 		[in] string domain_name,
 		[in] string account_ou,
 		[in] string admin_account,
+		[in] string admin_domain,
 		[in,noprint] string admin_password,
 		[in] string machine_password,
 		[in] wkssvc_joinflags unjoin_flags,
-- 
1.9.3


From a0d8f42ac44d279ae7bc599792cd1d564925dcbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 24 Sep 2008 11:05:37 +0200
Subject: [PATCH 036/249] s3: libnet_join: use admin_domain in libnetjoin.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit cc0cbd4fdc6e07538d67cc41ca07bad1eaebf493)
---
 source3/libnet/libnet_join.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 324c8f3..2253079 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -701,6 +701,7 @@ static bool libnet_join_joindomain_store_secrets(TALLOC_CTX *mem_ctx,
 
 static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
 					   const char *user,
+					   const char *domain,
 					   const char *pass,
 					   bool use_kerberos,
 					   struct cli_state **cli)
@@ -720,7 +721,7 @@ static NTSTATUS libnet_join_connect_dc_ipc(const char *dc,
 				   NULL, 0,
 				   "IPC$", "IPC",
 				   user,
-				   NULL,
+				   domain,
 				   pass,
 				   flags,
 				   SMB_SIGNING_DEFAULT);
@@ -742,6 +743,7 @@ static NTSTATUS libnet_join_lookup_dc_rpc(TALLOC_CTX *mem_ctx,
 
 	status = libnet_join_connect_dc_ipc(r->in.dc_name,
 					    r->in.admin_account,
+					    r->in.admin_domain,
 					    r->in.admin_password,
 					    r->in.use_kerberos,
 					    cli);
@@ -1368,6 +1370,7 @@ static NTSTATUS libnet_join_unjoindomain_rpc(TALLOC_CTX *mem_ctx,
 
 	status = libnet_join_connect_dc_ipc(r->in.dc_name,
 					    r->in.admin_account,
+					    r->in.admin_domain,
 					    r->in.admin_password,
 					    r->in.use_kerberos,
 					    &cli);
@@ -1755,6 +1758,17 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 		return WERR_SETUP_DOMAIN_CONTROLLER;
 	}
 
+	if (!r->in.admin_domain) {
+		char *admin_domain = NULL;
+		char *admin_account = NULL;
+		split_domain_user(mem_ctx,
+				  r->in.admin_account,
+				  &admin_domain,
+				  &admin_account);
+		r->in.admin_domain = admin_domain;
+		r->in.admin_account = admin_account;
+	}
+
 	if (!secrets_init()) {
 		libnet_join_set_error_string(mem_ctx, r,
 			"Unable to open secrets database");
@@ -2316,6 +2330,17 @@ static WERROR libnet_unjoin_pre_processing(TALLOC_CTX *mem_ctx,
 		return WERR_SETUP_DOMAIN_CONTROLLER;
 	}
 
+	if (!r->in.admin_domain) {
+		char *admin_domain = NULL;
+		char *admin_account = NULL;
+		split_domain_user(mem_ctx,
+				  r->in.admin_account,
+				  &admin_domain,
+				  &admin_account);
+		r->in.admin_domain = admin_domain;
+		r->in.admin_account = admin_account;
+	}
+
 	if (!secrets_init()) {
 		libnet_unjoin_set_error_string(mem_ctx, r,
 			"Unable to open secrets database");
-- 
1.9.3


From 46f8496292a12b7acdd045d126b61fa9d8afee74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 6 Nov 2008 11:40:03 +0100
Subject: [PATCH 037/249] s3-libnetjoin: add machine_name length check.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c4d6d75cf48aed7b17728e283581366143fa4233)
---
 source3/libnet/libnet_join.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 2253079..b731d9b 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1746,6 +1746,15 @@ static WERROR libnet_join_pre_processing(TALLOC_CTX *mem_ctx,
 		return WERR_INVALID_PARAM;
 	}
 
+	if (strlen(r->in.machine_name) > 15) {
+		libnet_join_set_error_string(mem_ctx, r,
+			"Our netbios name can be at most 15 chars long, "
+                         "\"%s\" is %u chars long\n",
+                         r->in.machine_name,
+			 (unsigned int)strlen(r->in.machine_name));
+		return WERR_INVALID_PARAM;
+        }
+
 	if (!libnet_parse_domain_dc(mem_ctx, r->in.domain_name,
 				    &r->in.domain_name,
 				    &r->in.dc_name)) {
-- 
1.9.3


From a60cf7ddd4e2d41d92cdd35ab05f2d6a30b055c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 6 Nov 2008 13:37:45 +0100
Subject: [PATCH 038/249] s3-libnetjoin: move "net rpc oldjoin" to use
 libnetjoin.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d398a12f7907866189c1b253ca6a40e5454f42a1)
---
 source3/utils/net_rpc.c | 182 ++++++++++++++++++++++--------------------------
 1 file changed, 84 insertions(+), 98 deletions(-)

diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 69ff14d..720e9d2 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -37,6 +37,8 @@
 #include "secrets.h"
 #include "lib/netapi/netapi.h"
 #include "lib/netapi/netapi_net.h"
+#include "librpc/gen_ndr/libnet_join.h"
+#include "libnet/libnet_join.h"
 #include "rpc_client/init_lsa.h"
 #include "../libcli/security/security.h"
 #include "libsmb/libsmb.h"
@@ -314,48 +316,46 @@ int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv)
 }
 
 /**
- * Join a domain, the old way.
+ * Join a domain, the old way.  This function exists to allow
+ * the message to be displayed when oldjoin was explicitly
+ * requested, but not when it was implied by "net rpc join".
  *
  * This uses 'machinename' as the inital password, and changes it.
  *
  * The password should be created with 'server manager' or equiv first.
  *
- * All parameters are provided by the run_rpc_command function, except for
- * argc, argv which are passed through.
- *
- * @param domain_sid The domain sid acquired from the remote server.
- * @param cli A cli_state connected to the server.
- * @param mem_ctx Talloc context, destroyed on completion of the function.
  * @param argc  Standard main() style argc.
  * @param argv  Standard main() style argv. Initial components are already
  *              stripped.
  *
- * @return Normal NTSTATUS return.
+ * @return A shell status integer (0 for success).
  **/
 
-static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
-					const struct dom_sid *domain_sid,
-					const char *domain_name,
-					struct cli_state *cli,
-					struct rpc_pipe_client *pipe_hnd,
-					TALLOC_CTX *mem_ctx,
-					int argc,
-					const char **argv)
+static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
 {
+	struct libnet_JoinCtx *r = NULL;
+	TALLOC_CTX *mem_ctx;
+	WERROR werr;
+	const char *domain = lp_workgroup(); /* FIXME */
+	bool modify_config = lp_config_backend_is_registry();
+	enum netr_SchannelType sec_chan_type;
+	char *pw = NULL;
 
-	fstring trust_passwd;
-	unsigned char orig_trust_passwd_hash[16];
-	NTSTATUS result;
-	enum netr_SchannelType sec_channel_type;
+	if (c->display_usage) {
+		d_printf("Usage:\n"
+			 "net rpc oldjoin\n"
+			 "    Join a domain the old way\n");
+		return 0;
+	}
 
-	result = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-					  &pipe_hnd);
-	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0,("rpc_oldjoin_internals: netlogon pipe open to machine %s failed. "
-			"error was %s\n",
-			smbXcli_conn_remote_name(cli->conn),
-			nt_errstr(result) ));
-		return result;
+	mem_ctx = talloc_init("net_rpc_oldjoin");
+	if (!mem_ctx) {
+		return -1;
+	}
+
+	werr = libnet_init_JoinCtx(mem_ctx, &r);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto fail;
 	}
 
 	/*
@@ -363,92 +363,78 @@ static NTSTATUS rpc_oldjoin_internals(struct net_context *c,
 	   a BDC, the server must agree that we are a BDC.
 	*/
 	if (argc >= 0) {
-		sec_channel_type = get_sec_channel_type(argv[0]);
+		sec_chan_type = get_sec_channel_type(argv[0]);
 	} else {
-		sec_channel_type = get_sec_channel_type(NULL);
+		sec_chan_type = get_sec_channel_type(NULL);
 	}
 
-	fstrcpy(trust_passwd, lp_netbios_name());
-	if (!strlower_m(trust_passwd)) {
-		return NT_STATUS_UNSUCCESSFUL;
+	if (!c->msg_ctx) {
+		d_fprintf(stderr, _("Could not initialise message context. "
+			"Try running as root\n"));
+		werr = WERR_ACCESS_DENIED;
+		goto fail;
 	}
 
-	/*
-	 * Machine names can be 15 characters, but the max length on
-	 * a password is 14.  --jerry
-	 */
-
-	trust_passwd[14] = '\0';
-
-	E_md4hash(trust_passwd, orig_trust_passwd_hash);
-
-	result = trust_pw_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup,
-					      lp_netbios_name(),
-					      orig_trust_passwd_hash,
-					      sec_channel_type);
-
-	if (NT_STATUS_IS_OK(result))
-		printf(_("Joined domain %s.\n"), c->opt_target_workgroup);
+	pw = talloc_strndup(r, lp_netbios_name(), 14);
+	if (pw == NULL) {
+		werr = WERR_NOMEM;
+		goto fail;
+	}
 
+	r->in.msg_ctx			= c->msg_ctx;
+	r->in.domain_name		= domain;
+	r->in.secure_channel_type	= sec_chan_type;
+	r->in.dc_name			= c->opt_host;
+	r->in.admin_account		= "";
+	r->in.admin_password		= strlower_talloc(r, pw);
+	if (r->in.admin_password == NULL) {
+		werr = WERR_NOMEM;
+		goto fail;
+	}
+	r->in.debug			= true;
+	r->in.modify_config		= modify_config;
+	r->in.join_flags		= WKSSVC_JOIN_FLAGS_JOIN_TYPE |
+					  WKSSVC_JOIN_FLAGS_JOIN_UNSECURE |
+					  WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED;
 
-	if (!secrets_store_domain_sid(c->opt_target_workgroup, domain_sid)) {
-		DEBUG(0, ("error storing domain sid for %s\n", c->opt_target_workgroup));
-		result = NT_STATUS_UNSUCCESSFUL;
+	werr = libnet_Join(mem_ctx, r);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto fail;
 	}
 
-	return result;
-}
+	/* Check the short name of the domain */
 
-/**
- * Join a domain, the old way.
- *
- * @param argc  Standard main() style argc.
- * @param argv  Standard main() style argv. Initial components are already
- *              stripped.
- *
- * @return A shell status integer (0 for success).
- **/
+	if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
+		d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
+		d_printf("domain name obtained from the server.\n");
+		d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
+		d_printf("You should set \"workgroup = %s\" in %s.\n",
+			 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
+	}
 
-static int net_rpc_perform_oldjoin(struct net_context *c, int argc, const char **argv)
-{
-	return run_rpc_command(c, NULL, &ndr_table_netlogon,
-			       NET_FLAGS_NO_PIPE | NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC,
-			       rpc_oldjoin_internals,
-			       argc, argv);
-}
+	d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
 
-/**
- * Join a domain, the old way.  This function exists to allow
- * the message to be displayed when oldjoin was explicitly
- * requested, but not when it was implied by "net rpc join".
- *
- * @param argc  Standard main() style argc.
- * @param argv  Standard main() style argv. Initial components are already
- *              stripped.
- *
- * @return A shell status integer (0 for success).
- **/
+	if (r->out.dns_domain_name) {
+		d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
+			r->out.dns_domain_name);
+	} else {
+		d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
+			r->out.netbios_domain_name);
+	}
 
-static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
-{
-	int rc = -1;
+	TALLOC_FREE(mem_ctx);
 
-	if (c->display_usage) {
-		d_printf(  "%s\n"
-			   "net rpc oldjoin\n"
-			   "    %s\n",
-			 _("Usage:"),
-			 _("Join a domain the old way"));
-		return 0;
-	}
+	return 0;
 
-	rc = net_rpc_perform_oldjoin(c, argc, argv);
+fail:
+	/* issue an overall failure message at the end. */
+	d_fprintf(stderr, _("Failed to join domain: %s\n"),
+		r && r->out.error_string ? r->out.error_string :
+		get_friendly_werror_msg(werr));
 
-	if (rc) {
-		d_fprintf(stderr, _("Failed to join domain\n"));
-	}
+	TALLOC_FREE(mem_ctx);
 
-	return rc;
+	return -1;
 }
 
 /**
@@ -492,7 +478,7 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
 		return -1;
 	}
 
-	if ((net_rpc_perform_oldjoin(c, argc, argv) == 0))
+	if ((net_rpc_oldjoin(c, argc, argv) == 0))
 		return 0;
 
 	return net_rpc_join_newstyle(c, argc, argv);
-- 
1.9.3


From 3185251186366984b5ec06322c75cfda71dccdbc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 13 Jun 2013 19:12:27 +0200
Subject: [PATCH 039/249] s3:libnet: let the caller truncate the pw in
 libnet_join_joindomain_rpc_unsecure()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 1242ab0cb3bf575b695b39313604af9d0a7f1b3a)
---
 source3/libnet/libnet_join.c | 15 +--------------
 1 file changed, 1 insertion(+), 14 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index b731d9b..d8ec235 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -818,7 +818,6 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	unsigned char orig_trust_passwd_hash[16];
 	unsigned char new_trust_passwd_hash[16];
-	fstring trust_passwd;
 	NTSTATUS status;
 
 	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
@@ -837,19 +836,7 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
 	E_md4hash(r->in.machine_password, new_trust_passwd_hash);
 
 	/* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
-	fstrcpy(trust_passwd, r->in.admin_password);
-	if (!strlower_m(trust_passwd)) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	/*
-	 * Machine names can be 15 characters, but the max length on
-	 * a password is 14.  --jerry
-	 */
-
-	trust_passwd[14] = '\0';
-
-	E_md4hash(trust_passwd, orig_trust_passwd_hash);
+	E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
 
 	status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
 						    r->in.machine_name,
-- 
1.9.3


From e1e15a73a9a5215866f6471c5e583457c516b47e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 3 Feb 2009 20:10:05 +0100
Subject: [PATCH 040/249] s3-net: use libnetjoin for "net rpc testjoin".
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9cfa6251600ddea0e821f2bd3fd359c28eb1b7f9)
---
 source3/utils/net_proto.h    |  2 +-
 source3/utils/net_rpc.c      | 66 ++++++++++++++++++++++++++++++++++++++++++++
 source3/utils/net_rpc_join.c | 29 -------------------
 3 files changed, 67 insertions(+), 30 deletions(-)

diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index 03fb312..d791708 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -145,6 +145,7 @@ int run_rpc_command(struct net_context *c,
 			int argc,
 			const char **argv);
 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
 int net_rpc_join(struct net_context *c, int argc, const char **argv);
 NTSTATUS rpc_info_internals(struct net_context *c,
 			const struct dom_sid *domain_sid,
@@ -205,7 +206,6 @@ NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
 			 const char *server,
 			 const struct sockaddr_storage *server_ss);
 int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
-int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
 
 /* The following definitions come from utils/net_rpc_printer.c  */
 
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 720e9d2..592be44 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -438,6 +438,72 @@ fail:
 }
 
 /**
+ * check that a join is OK
+ *
+ * @return A shell status integer (0 for success)
+ *
+ **/
+int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
+{
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx;
+	const char *domain = c->opt_target_workgroup;
+	const char *dc = c->opt_host;
+
+	if (c->display_usage) {
+		d_printf("Usage\n"
+			 "net rpc testjoin\n"
+			 "    Test if a join is OK\n");
+		return 0;
+	}
+
+	mem_ctx = talloc_init("net_rpc_testjoin");
+	if (!mem_ctx) {
+		return -1;
+	}
+
+	if (!dc) {
+		struct netr_DsRGetDCNameInfo *info;
+
+		if (!c->msg_ctx) {
+			d_fprintf(stderr, _("Could not initialise message context. "
+				"Try running as root\n"));
+			talloc_destroy(mem_ctx);
+			return -1;
+		}
+
+		status = dsgetdcname(mem_ctx,
+				     c->msg_ctx,
+				     domain,
+				     NULL,
+				     NULL,
+				     DS_RETURN_DNS_NAME,
+				     &info);
+		if (!NT_STATUS_IS_OK(status)) {
+			talloc_destroy(mem_ctx);
+			return -1;
+		}
+
+		dc = strip_hostname(info->dc_unc);
+	}
+
+	/* Display success or failure */
+	status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
+				c->opt_kerberos);
+	if (!NT_STATUS_IS_OK(status)) {
+		fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
+			domain, nt_errstr(status));
+		talloc_destroy(mem_ctx);
+		return -1;
+	}
+
+	printf("Join to '%s' is OK\n",domain);
+	talloc_destroy(mem_ctx);
+
+	return 0;
+}
+
+/**
  * 'net rpc join' entrypoint.
  * @param argc  Standard main() style argc.
  * @param argv  Standard main() style argv. Initial components are already
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index aabbe54..ee39a5c 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -561,32 +561,3 @@ done:
 
 	return retval;
 }
-
-/**
- * check that a join is OK
- *
- * @return A shell status integer (0 for success)
- *
- **/
-int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
-{
-	NTSTATUS nt_status;
-
-	if (c->display_usage) {
-		d_printf(_("Usage\n"
-			   "net rpc testjoin\n"
-			   "    Test if a join is OK\n"));
-		return 0;
-	}
-
-	/* Display success or failure */
-	nt_status = net_rpc_join_ok(c, c->opt_target_workgroup, NULL, NULL);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		fprintf(stderr, _("Join to domain '%s' is not valid: %s\n"),
-			c->opt_target_workgroup, nt_errstr(nt_status));
-		return -1;
-	}
-
-	printf(_("Join to '%s' is OK\n"), c->opt_target_workgroup);
-	return 0;
-}
-- 
1.9.3


From a0474baa59c0991c2b2d8e3f425c9a6845162f45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 3 Feb 2009 20:21:05 +0100
Subject: [PATCH 041/249] s3-net: use libnetjoin for "net rpc join" newstyle.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 3e4ded48bbeacdcd128f3c667cbdd12a3efca312)
---
 source3/utils/net_proto.h |   8 +---
 source3/utils/net_rpc.c   | 106 ++++++++++++++++++++++++++++++++++++++++++++++
 source3/wscript_build     |   2 +-
 3 files changed, 108 insertions(+), 8 deletions(-)

diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index d791708..1809ba9 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -146,6 +146,7 @@ int run_rpc_command(struct net_context *c,
 			const char **argv);
 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
 int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
 int net_rpc_join(struct net_context *c, int argc, const char **argv);
 NTSTATUS rpc_info_internals(struct net_context *c,
 			const struct dom_sid *domain_sid,
@@ -200,13 +201,6 @@ int net_rpc(struct net_context *c, int argc, const char **argv);
 
 int net_rpc_audit(struct net_context *c, int argc, const char **argv);
 
-/* The following definitions come from utils/net_rpc_join.c  */
-
-NTSTATUS net_rpc_join_ok(struct net_context *c, const char *domain,
-			 const char *server,
-			 const struct sockaddr_storage *server_ss);
-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
-
 /* The following definitions come from utils/net_rpc_printer.c  */
 
 NTSTATUS net_copy_fileattr(struct net_context *c,
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 592be44..6358460 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -504,6 +504,112 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
 }
 
 /**
+ * Join a domain using the administrator username and password
+ *
+ * @param argc  Standard main() style argc
+ * @param argc  Standard main() style argv.  Initial components are already
+ *              stripped.  Currently not used.
+ * @return A shell status integer (0 for success)
+ *
+ **/
+
+int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+{
+	struct libnet_JoinCtx *r = NULL;
+	TALLOC_CTX *mem_ctx;
+	WERROR werr;
+	const char *domain = lp_workgroup(); /* FIXME */
+	bool modify_config = lp_config_backend_is_registry();
+	enum netr_SchannelType sec_chan_type;
+
+	if (c->display_usage) {
+		d_printf("Usage:\n"
+			 "net rpc join\n"
+			 "    Join a domain the new way\n");
+		return 0;
+	}
+
+	mem_ctx = talloc_init("net_rpc_join_newstyle");
+	if (!mem_ctx) {
+		return -1;
+	}
+
+	werr = libnet_init_JoinCtx(mem_ctx, &r);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto fail;
+	}
+
+	/*
+	   check what type of join - if the user want's to join as
+	   a BDC, the server must agree that we are a BDC.
+	*/
+	if (argc >= 0) {
+		sec_chan_type = get_sec_channel_type(argv[0]);
+	} else {
+		sec_chan_type = get_sec_channel_type(NULL);
+	}
+
+	if (!c->msg_ctx) {
+		d_fprintf(stderr, _("Could not initialise message context. "
+			"Try running as root\n"));
+		werr = WERR_ACCESS_DENIED;
+		goto fail;
+	}
+
+	r->in.msg_ctx			= c->msg_ctx;
+	r->in.domain_name		= domain;
+	r->in.secure_channel_type	= sec_chan_type;
+	r->in.dc_name			= c->opt_host;
+	r->in.admin_account		= c->opt_user_name;
+	r->in.admin_password		= net_prompt_pass(c, c->opt_user_name);
+	r->in.debug			= true;
+	r->in.use_kerberos		= c->opt_kerberos;
+	r->in.modify_config		= modify_config;
+	r->in.join_flags		= WKSSVC_JOIN_FLAGS_JOIN_TYPE |
+					  WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE |
+					  WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED;
+
+	werr = libnet_Join(mem_ctx, r);
+	if (!W_ERROR_IS_OK(werr)) {
+		goto fail;
+	}
+
+	/* Check the short name of the domain */
+
+	if (!modify_config && !strequal(lp_workgroup(), r->out.netbios_domain_name)) {
+		d_printf("The workgroup in %s does not match the short\n", get_dyn_CONFIGFILE());
+		d_printf("domain name obtained from the server.\n");
+		d_printf("Using the name [%s] from the server.\n", r->out.netbios_domain_name);
+		d_printf("You should set \"workgroup = %s\" in %s.\n",
+			 r->out.netbios_domain_name, get_dyn_CONFIGFILE());
+	}
+
+	d_printf("Using short domain name -- %s\n", r->out.netbios_domain_name);
+
+	if (r->out.dns_domain_name) {
+		d_printf("Joined '%s' to realm '%s'\n", r->in.machine_name,
+			r->out.dns_domain_name);
+	} else {
+		d_printf("Joined '%s' to domain '%s'\n", r->in.machine_name,
+			r->out.netbios_domain_name);
+	}
+
+	TALLOC_FREE(mem_ctx);
+
+	return 0;
+
+fail:
+	/* issue an overall failure message at the end. */
+	d_printf("Failed to join domain: %s\n",
+		r && r->out.error_string ? r->out.error_string :
+		get_friendly_werror_msg(werr));
+
+	TALLOC_FREE(mem_ctx);
+
+	return -1;
+}
+
+/**
  * 'net rpc join' entrypoint.
  * @param argc  Standard main() style argc.
  * @param argv  Standard main() style argv. Initial components are already
diff --git a/source3/wscript_build b/source3/wscript_build
index 9461b05..0bf84e2 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -507,7 +507,7 @@ LIBNET_SAMSYNC_SRC = '''libnet/libnet_samsync.c
 
 NET_SRC1 = '''utils/net.c utils/net_ads.c utils/net_help.c
               utils/net_rap.c utils/net_rpc.c utils/net_rpc_samsync.c
-              utils/net_rpc_join.c utils/net_time.c utils/net_lookup.c
+              utils/net_time.c utils/net_lookup.c
               utils/net_cache.c utils/net_groupmap.c
               utils/net_idmap.c utils/net_idmap_check.c
               utils/interact.c
-- 
1.9.3


From b2aad96d2ffd5545c250cce605dfdb7f0852806c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 15 Jul 2013 13:28:34 +0200
Subject: [PATCH 042/249] s3-net: avoid confusing output in net_rpc_oldjoin()
 if NET_FLAGS_EXPECT_FALLBACK is passed

"net rpc join" tries net_rpc_oldjoin() first and falls back to
net_rpc_join_newstyle(). We should not print the join failed
if just net_rpc_oldjoin() failed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 05d9b4165af9e7f03d3fbeb64db4fc305fcec4df)
---
 source3/utils/net.h       |  1 +
 source3/utils/net_proto.h |  1 -
 source3/utils/net_rpc.c   | 15 +++++++++++++--
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/source3/utils/net.h b/source3/utils/net.h
index 2056d89..e97734a 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -182,6 +182,7 @@ enum netdom_domain_t { ND_TYPE_NT4, ND_TYPE_AD };
 #define NET_FLAGS_SIGN				0x00000040	/* sign RPC connection */
 #define NET_FLAGS_SEAL				0x00000080	/* seal RPC connection */
 #define NET_FLAGS_TCP				0x00000100	/* use ncacn_ip_tcp */
+#define NET_FLAGS_EXPECT_FALLBACK		0x00000200	/* the caller will fallback */
 
 /* net share operation modes */
 #define NET_MODE_SHARE_MIGRATE 1
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index 1809ba9..25e9db2 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -146,7 +146,6 @@ int run_rpc_command(struct net_context *c,
 			const char **argv);
 int net_rpc_changetrustpw(struct net_context *c, int argc, const char **argv);
 int net_rpc_testjoin(struct net_context *c, int argc, const char **argv);
-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv);
 int net_rpc_join(struct net_context *c, int argc, const char **argv);
 NTSTATUS rpc_info_internals(struct net_context *c,
 			const struct dom_sid *domain_sid,
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 6358460..dff8801 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -427,11 +427,16 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
 	return 0;
 
 fail:
+	if (c->opt_flags & NET_FLAGS_EXPECT_FALLBACK) {
+		goto cleanup;
+	}
+
 	/* issue an overall failure message at the end. */
 	d_fprintf(stderr, _("Failed to join domain: %s\n"),
 		r && r->out.error_string ? r->out.error_string :
 		get_friendly_werror_msg(werr));
 
+cleanup:
 	TALLOC_FREE(mem_ctx);
 
 	return -1;
@@ -513,7 +518,7 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
  *
  **/
 
-int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
+static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **argv)
 {
 	struct libnet_JoinCtx *r = NULL;
 	TALLOC_CTX *mem_ctx;
@@ -623,6 +628,8 @@ fail:
 
 int net_rpc_join(struct net_context *c, int argc, const char **argv)
 {
+	int ret;
+
 	if (c->display_usage) {
 		d_printf("%s\n%s",
 			 _("Usage:"),
@@ -650,8 +657,12 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
 		return -1;
 	}
 
-	if ((net_rpc_oldjoin(c, argc, argv) == 0))
+	c->opt_flags |= NET_FLAGS_EXPECT_FALLBACK;
+	ret = net_rpc_oldjoin(c, argc, argv);
+	c->opt_flags &= ~NET_FLAGS_EXPECT_FALLBACK;
+	if (ret == 0) {
 		return 0;
+	}
 
 	return net_rpc_join_newstyle(c, argc, argv);
 }
-- 
1.9.3


From 8e8a2602d1c793f9a46e5219dea91a46e34d24ca Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 16 Jul 2013 10:07:30 +0200
Subject: [PATCH 043/249] s4:librpc: fix netlogon connections against servers
 without AES support

LogonGetCapabilities() only works on the credential chain if
the server supports AES, so we need to work on a temporary copy
until we know the server replied a valid return authenticator.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 34fa7946993506fde2c6b30e4a41bea27390a814)
---
 source4/librpc/rpc/dcerpc_schannel.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 1480486..130ebeb 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -385,6 +385,7 @@ struct auth_schannel_state {
 	struct loadparm_context *lp_ctx;
 	uint8_t auth_level;
 	struct netlogon_creds_CredentialState *creds_state;
+	struct netlogon_creds_CredentialState save_creds_state;
 	struct netr_Authenticator auth;
 	struct netr_Authenticator return_auth;
 	union netr_Capabilities capabilities;
@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
 		s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
 		if (composite_nomem(s->creds_state, c)) return;
 
-		netlogon_creds_client_authenticator(s->creds_state, &s->auth);
+		s->save_creds_state = *s->creds_state;
+		netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
 
 		s->c.in.server_name = talloc_asprintf(c,
 						      "\\\\%s",
@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
 	}
 
 	/* verify credentials */
-	if (!netlogon_creds_client_check(s->creds_state,
+	if (!netlogon_creds_client_check(&s->save_creds_state,
 					 &s->c.out.return_authenticator->cred)) {
 		composite_error(c, NT_STATUS_UNSUCCESSFUL);
 		return;
 	}
 
+	*s->creds_state = s->save_creds_state;
+
 	if (!NT_STATUS_IS_OK(s->c.out.result)) {
 		composite_error(c, s->c.out.result);
 		return;
-- 
1.9.3


From 300fb415d5a6a60702b0c8464e0e76cf0e11fdeb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 22 Mar 2013 15:07:10 +0100
Subject: [PATCH 044/249] s3:rpcclient: use talloc_stackframe() in do_cmd()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit d54c908ff5bef774f5cca038741558089ff6baeb)
---
 source3/rpcclient/rpcclient.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index c23ff2d..9bf296e 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -678,7 +678,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 
 	/* Create mem_ctx */
 
-	if (!(mem_ctx = talloc_init("do_cmd"))) {
+	if (!(mem_ctx = talloc_stackframe())) {
 		DEBUG(0, ("talloc_init() failed\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -745,12 +745,14 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 				  "auth type %u\n",
 				  cmd_entry->table->name,
 				  pipe_default_auth_type ));
+			talloc_free(mem_ctx);
 			return NT_STATUS_UNSUCCESSFUL;
 		}
 		if (!NT_STATUS_IS_OK(ntresult)) {
 			DEBUG(0, ("Could not initialise %s. Error was %s\n",
 				  cmd_entry->table->name,
 				  nt_errstr(ntresult) ));
+			talloc_free(mem_ctx);
 			return ntresult;
 		}
 
@@ -765,6 +767,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 					       trust_password, &machine_account,
 					       &sec_channel_type))
 			{
+				talloc_free(mem_ctx);
 				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 			}
 
@@ -780,6 +783,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 			if (!NT_STATUS_IS_OK(ntresult)) {
 				DEBUG(0, ("Could not initialise credentials for %s.\n",
 					  cmd_entry->table->name));
+				talloc_free(mem_ctx);
 				return ntresult;
 			}
 		}
@@ -803,7 +807,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 
 	/* Cleanup */
 
-	talloc_destroy(mem_ctx);
+	talloc_free(mem_ctx);
 
 	return ntresult;
 }
-- 
1.9.3


From 95972ec54aafcf8a66e0164cd1fb478b6f4c58f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 24 Apr 2013 12:36:04 +0200
Subject: [PATCH 045/249] libcli/auth: make
 netlogon_creds_crypt_samlogon_validation more robust

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 39fedd27182d9e1985418ea79b86aef69999dd57)
---
 libcli/auth/credentials.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index fb77ede..5c8b25b 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -493,8 +493,12 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
 						     bool encrypt)
 {
 	static const char zeros[16];
-
 	struct netr_SamBaseInfo *base = NULL;
+
+	if (validation == NULL) {
+		return;
+	}
+
 	switch (validation_level) {
 	case 2:
 		if (validation->sam2) {
-- 
1.9.3


From ac092a319c388cc2577bcbd87e16522ba37dc2d0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 14 Jun 2013 09:47:50 +0200
Subject: [PATCH 046/249] libcli/auth: fix shadowed declaration in
 netlogon_creds_crypt_samlogon_validation()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 291f6a1e031dc9db7d03b3ca924c4309b313cae5)
---
 libcli/auth/credentials.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 5c8b25b..2e9c87e 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -490,7 +490,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						     uint16_t validation_level,
 						     union netr_Validation *validation,
-						     bool encrypt)
+						     bool do_encrypt)
 {
 	static const char zeros[16];
 	struct netr_SamBaseInfo *base = NULL;
@@ -531,7 +531,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
 		/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
 		if (memcmp(base->key.key, zeros,
 			   sizeof(base->key.key)) != 0) {
-			if (encrypt) {
+			if (do_encrypt) {
 				netlogon_creds_aes_encrypt(creds,
 					    base->key.key,
 					    sizeof(base->key.key));
@@ -544,7 +544,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
 
 		if (memcmp(base->LMSessKey.key, zeros,
 			   sizeof(base->LMSessKey.key)) != 0) {
-			if (encrypt) {
+			if (do_encrypt) {
 				netlogon_creds_aes_encrypt(creds,
 					    base->LMSessKey.key,
 					    sizeof(base->LMSessKey.key));
@@ -574,7 +574,7 @@ static void netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_Crede
 		/* Don't crypt an all-zero key, it would give away the NETLOGON pipe session key */
 		if (memcmp(base->LMSessKey.key, zeros,
 			   sizeof(base->LMSessKey.key)) != 0) {
-			if (encrypt) {
+			if (do_encrypt) {
 				netlogon_creds_des_encrypt_LMKey(creds,
 						&base->LMSessKey);
 			} else {
-- 
1.9.3


From c535bfb9ead2175ae68b9d18a1692218a0fcf800 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 17:01:00 +0200
Subject: [PATCH 047/249] libcli/auth: add
 netlogon_creds_[de|en]crypt_samlogon_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit c7319fce604d5f89a89094b6b18ef459a347aef8)
---
 libcli/auth/credentials.c | 118 ++++++++++++++++++++++++++++++++++++++++++++++
 libcli/auth/proto.h       |   6 +++
 2 files changed, 124 insertions(+)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 2e9c87e..78a8d7a 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -601,6 +601,124 @@ void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_Credential
 							validation, true);
 }
 
+static void netlogon_creds_crypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
+						enum netr_LogonInfoClass level,
+						union netr_LogonLevel *logon,
+						bool encrypt)
+{
+	static const char zeros[16];
+
+	if (logon == NULL) {
+		return;
+	}
+
+	switch (level) {
+	case NetlogonInteractiveInformation:
+	case NetlogonInteractiveTransitiveInformation:
+	case NetlogonServiceInformation:
+	case NetlogonServiceTransitiveInformation:
+		if (logon->password == NULL) {
+			return;
+		}
+
+		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+			uint8_t *h;
+
+			h = logon->password->lmpassword.hash;
+			if (memcmp(h, zeros, 16) != 0) {
+				if (encrypt) {
+					netlogon_creds_aes_encrypt(creds, h, 16);
+				} else {
+					netlogon_creds_aes_decrypt(creds, h, 16);
+				}
+			}
+
+			h = logon->password->ntpassword.hash;
+			if (memcmp(h, zeros, 16) != 0) {
+				if (encrypt) {
+					netlogon_creds_aes_encrypt(creds, h, 16);
+				} else {
+					netlogon_creds_aes_decrypt(creds, h, 16);
+				}
+			}
+		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+			uint8_t *h;
+
+			h = logon->password->lmpassword.hash;
+			if (memcmp(h, zeros, 16) != 0) {
+				netlogon_creds_arcfour_crypt(creds, h, 16);
+			}
+
+			h = logon->password->ntpassword.hash;
+			if (memcmp(h, zeros, 16) != 0) {
+				netlogon_creds_arcfour_crypt(creds, h, 16);
+			}
+		} else {
+			struct samr_Password *p;
+
+			p = &logon->password->lmpassword;
+			if (memcmp(p->hash, zeros, 16) != 0) {
+				if (encrypt) {
+					netlogon_creds_des_encrypt(creds, p);
+				} else {
+					netlogon_creds_des_decrypt(creds, p);
+				}
+			}
+			p = &logon->password->ntpassword;
+			if (memcmp(p->hash, zeros, 16) != 0) {
+				if (encrypt) {
+					netlogon_creds_des_encrypt(creds, p);
+				} else {
+					netlogon_creds_des_decrypt(creds, p);
+				}
+			}
+		}
+		break;
+
+	case NetlogonNetworkInformation:
+	case NetlogonNetworkTransitiveInformation:
+		break;
+
+	case NetlogonGenericInformation:
+		if (logon->generic == NULL) {
+			return;
+		}
+
+		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+			if (encrypt) {
+				netlogon_creds_aes_encrypt(creds,
+						logon->generic->data,
+						logon->generic->length);
+			} else {
+				netlogon_creds_aes_decrypt(creds,
+						logon->generic->data,
+						logon->generic->length);
+			}
+		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+			netlogon_creds_arcfour_crypt(creds,
+						     logon->generic->data,
+						     logon->generic->length);
+		} else {
+			/* Using DES to verify kerberos tickets makes no sense */
+		}
+		break;
+	}
+}
+
+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
+					   enum netr_LogonInfoClass level,
+					   union netr_LogonLevel *logon)
+{
+	netlogon_creds_crypt_samlogon_logon(creds, level, logon, false);
+}
+
+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
+					   enum netr_LogonInfoClass level,
+					   union netr_LogonLevel *logon)
+{
+	netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
+}
+
 /*
   copy a netlogon_creds_CredentialState struct
 */
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 6bc18d7..110e039 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -64,6 +64,12 @@ void netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_Credential
 void netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						uint16_t validation_level,
 						union netr_Validation *validation);
+void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
+					   enum netr_LogonInfoClass level,
+					   union netr_LogonLevel *logon);
+void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
+					   enum netr_LogonInfoClass level,
+					   union netr_LogonLevel *logon);
 
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c  */
 
-- 
1.9.3


From d4f36f187d7c87c8daae3f94cdba52225faa19b8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 24 Apr 2013 12:53:27 +0200
Subject: [PATCH 048/249] libcli/auth: add netlogon_creds_shallow_copy_logon()

This can be used before netlogon_creds_encrypt_samlogon_logon()
in order to keep the provided buffers unchanged.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2ea749a1a43a6539b01d36dbe0402a99619444e1)
---
 libcli/auth/credentials.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++
 libcli/auth/proto.h       |  3 ++
 2 files changed, 76 insertions(+)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 78a8d7a..1f664d3 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -719,6 +719,79 @@ void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState
 	netlogon_creds_crypt_samlogon_logon(creds, level, logon, true);
 }
 
+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
+					enum netr_LogonInfoClass level,
+					const union netr_LogonLevel *in)
+{
+	union netr_LogonLevel *out;
+
+	if (in == NULL) {
+		return NULL;
+	}
+
+	out = talloc(mem_ctx, union netr_LogonLevel);
+	if (out == NULL) {
+		return NULL;
+	}
+
+	*out = *in;
+
+	switch (level) {
+	case NetlogonInteractiveInformation:
+	case NetlogonInteractiveTransitiveInformation:
+	case NetlogonServiceInformation:
+	case NetlogonServiceTransitiveInformation:
+		if (in->password == NULL) {
+			return out;
+		}
+
+		out->password = talloc(out, struct netr_PasswordInfo);
+		if (out->password == NULL) {
+			talloc_free(out);
+			return NULL;
+		}
+		*out->password = *in->password;
+
+		return out;
+
+	case NetlogonNetworkInformation:
+	case NetlogonNetworkTransitiveInformation:
+		break;
+
+	case NetlogonGenericInformation:
+		if (in->generic == NULL) {
+			return out;
+		}
+
+		out->generic = talloc(out, struct netr_GenericInfo);
+		if (out->generic == NULL) {
+			talloc_free(out);
+			return NULL;
+		}
+		*out->generic = *in->generic;
+
+		if (in->generic->data == NULL) {
+			return out;
+		}
+
+		if (in->generic->length == 0) {
+			return out;
+		}
+
+		out->generic->data = talloc_memdup(out->generic,
+						   in->generic->data,
+						   in->generic->length);
+		if (out->generic->data == NULL) {
+			talloc_free(out);
+			return NULL;
+		}
+
+		return out;
+	}
+
+	return out;
+}
+
 /*
   copy a netlogon_creds_CredentialState struct
 */
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 110e039..0c319d3 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -70,6 +70,9 @@ void netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState
 void netlogon_creds_encrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
 					   enum netr_LogonInfoClass level,
 					   union netr_LogonLevel *logon);
+union netr_LogonLevel *netlogon_creds_shallow_copy_logon(TALLOC_CTX *mem_ctx,
+					enum netr_LogonInfoClass level,
+					const union netr_LogonLevel *in);
 
 /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/session.c  */
 
-- 
1.9.3


From 8cf11ba846fc31ce26020aabcf463817b56580a7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 24 Apr 2013 16:00:18 +0200
Subject: [PATCH 049/249] s4:netlogon: make use of
 netlogon_creds_decrypt_samlogon_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 9d548318da11247ffe8acf505cdb5299090c16f0)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++---------------------
 1 file changed, 6 insertions(+), 22 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 70239a4..c41cd02 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -712,29 +712,15 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 	user_info = talloc_zero(mem_ctx, struct auth_usersupplied_info);
 	NT_STATUS_HAVE_NO_MEMORY(user_info);
 
+	netlogon_creds_decrypt_samlogon_logon(creds,
+					      r->in.logon_level,
+					      r->in.logon);
+
 	switch (r->in.logon_level) {
 	case NetlogonInteractiveInformation:
 	case NetlogonServiceInformation:
 	case NetlogonInteractiveTransitiveInformation:
 	case NetlogonServiceTransitiveInformation:
-		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			netlogon_creds_aes_decrypt(creds,
-						   r->in.logon->password->lmpassword.hash,
-						   sizeof(r->in.logon->password->lmpassword.hash));
-			netlogon_creds_aes_decrypt(creds,
-						   r->in.logon->password->ntpassword.hash,
-						   sizeof(r->in.logon->password->ntpassword.hash));
-		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			netlogon_creds_arcfour_crypt(creds,
-					    r->in.logon->password->lmpassword.hash,
-					    sizeof(r->in.logon->password->lmpassword.hash));
-			netlogon_creds_arcfour_crypt(creds,
-					    r->in.logon->password->ntpassword.hash,
-					    sizeof(r->in.logon->password->ntpassword.hash));
-		} else {
-			netlogon_creds_des_decrypt(creds, &r->in.logon->password->lmpassword);
-			netlogon_creds_des_decrypt(creds, &r->in.logon->password->ntpassword);
-		}
 
 		/* TODO: we need to deny anonymous access here */
 		nt_status = auth_context_create(mem_ctx,
@@ -788,11 +774,9 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
 	case NetlogonGenericInformation:
 	{
 		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			netlogon_creds_aes_decrypt(creds,
-					    r->in.logon->generic->data, r->in.logon->generic->length);
+			/* OK */
 		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			netlogon_creds_arcfour_crypt(creds,
-					    r->in.logon->generic->data, r->in.logon->generic->length);
+			/* OK */
 		} else {
 			/* Using DES to verify kerberos tickets makes no sense */
 			return NT_STATUS_INVALID_PARAMETER;
-- 
1.9.3


From 22bdc484af1b1a4ebd9451fd5cde4d3993dd6f0a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 24 Apr 2013 16:00:44 +0200
Subject: [PATCH 050/249] s3:netlogon: make use of
 netlogon_creds_decrypt_samlogon_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 7b3ddd1a0bb41fe84c115555113362044620e484)
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 45 ++++++++++++++---------------
 1 file changed, 21 insertions(+), 24 deletions(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index e5ca474..09857b6 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1467,6 +1467,15 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 	struct auth_context *auth_context = NULL;
 	const char *fn;
 
+#ifdef DEBUG_PASSWORD
+	logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
+						  r->in.logon_level,
+						  r->in.logon);
+	if (logon == NULL) {
+		logon = r->in.logon;
+	}
+#endif
+
 	switch (p->opnum) {
 		case NDR_NETR_LOGONSAMLOGON:
 			fn = "_netr_LogonSamLogon";
@@ -1547,6 +1556,10 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 
 	status = NT_STATUS_OK;
 
+	netlogon_creds_decrypt_samlogon_logon(creds,
+					      r->in.logon_level,
+					      logon);
+
 	switch (r->in.logon_level) {
 	case NetlogonNetworkInformation:
 	case NetlogonNetworkTransitiveInformation:
@@ -1592,32 +1605,16 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 		uint8_t chal[8];
 
 #ifdef DEBUG_PASSWORD
-		DEBUG(100,("lm owf password:"));
-		dump_data(100, logon->password->lmpassword.hash, 16);
-
-		DEBUG(100,("nt owf password:"));
-		dump_data(100, logon->password->ntpassword.hash, 16);
-#endif
-		if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			netlogon_creds_aes_decrypt(creds,
-						   logon->password->lmpassword.hash,
-						   16);
-			netlogon_creds_aes_decrypt(creds,
-						   logon->password->ntpassword.hash,
-						   16);
-		} else if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			netlogon_creds_arcfour_crypt(creds,
-						     logon->password->lmpassword.hash,
-						     16);
-			netlogon_creds_arcfour_crypt(creds,
-						     logon->password->ntpassword.hash,
-						     16);
-		} else {
-			netlogon_creds_des_decrypt(creds, &logon->password->lmpassword);
-			netlogon_creds_des_decrypt(creds, &logon->password->ntpassword);
+		if (logon != r->in.logon) {
+			DEBUG(100,("lm owf password:"));
+			dump_data(100,
+				  r->in.logon->password->lmpassword.hash, 16);
+
+			DEBUG(100,("nt owf password:"));
+			dump_data(100,
+				  r->in.logon->password->ntpassword.hash, 16);
 		}
 
-#ifdef DEBUG_PASSWORD
 		DEBUG(100,("decrypt of lm owf password:"));
 		dump_data(100, logon->password->lmpassword.hash, 16);
 
-- 
1.9.3


From b25c7249bdca17d4b4720a2e8f8ba329c4105e94 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 18:27:57 +0200
Subject: [PATCH 051/249] s3:rpc_client: make rpccli_schannel_bind_data()
 static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 6ce645e03c279cbb2ed8a94f033b8e0601b61ef4)
---
 source3/rpc_client/cli_pipe.c | 9 +++++----
 source3/rpc_client/cli_pipe.h | 6 ------
 2 files changed, 5 insertions(+), 10 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1fa8d91..66fa2d2 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2401,10 +2401,11 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 	return status;
 }
 
-NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx, const char *domain,
-				   enum dcerpc_AuthLevel auth_level,
-				   struct netlogon_creds_CredentialState *creds,
-				   struct pipe_auth_data **presult)
+static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
+				const char *domain,
+				enum dcerpc_AuthLevel auth_level,
+				struct netlogon_creds_CredentialState *creds,
+				struct pipe_auth_data **presult)
 {
 	struct schannel_state *schannel_auth;
 	struct pipe_auth_data *result;
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 6fcc587..8eb6040 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -58,12 +58,6 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
 NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
 			       struct pipe_auth_data **presult);
 
-NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
-				   const char *domain,
-				   enum dcerpc_AuthLevel auth_level,
-				   struct netlogon_creds_CredentialState *creds,
-				   struct pipe_auth_data **presult);
-
 NTSTATUS rpc_pipe_open_tcp(TALLOC_CTX *mem_ctx,
 			   const char *host,
 			   const struct sockaddr_storage *ss_addr,
-- 
1.9.3


From 9f56e42ba78ce4e1248f06a0cecfc97789aea260 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 18:29:31 +0200
Subject: [PATCH 052/249] s3:rpc_client: use the correct context for
 netlogon_creds_copy() in rpccli_schannel_bind_data()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 8a302fc353de8d373a0ec8544da4da6f305ec923)
---
 source3/rpc_client/cli_pipe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 66fa2d2..afe8030 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2431,7 +2431,10 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
 
 	schannel_auth->state = SCHANNEL_STATE_START;
 	schannel_auth->initiator = true;
-	schannel_auth->creds = netlogon_creds_copy(result, creds);
+	schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
+	if (schannel_auth->creds == NULL) {
+		goto fail;
+	}
 
 	result->auth_ctx = schannel_auth;
 	*presult = result;
-- 
1.9.3


From 08d78b16f0adf1d223f29d613a498878230522be Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 19:43:58 +0200
Subject: [PATCH 053/249] s3:rpc_client: rename same variables in
 cli_rpc_pipe_open_schannel_with_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 94be8d63cd21fbb9e31bf7a92af82e19c596f94f)
---
 source3/rpc_client/cli_pipe.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index afe8030..ec804e7 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3032,32 +3032,32 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
 					     struct netlogon_creds_CredentialState **pdc,
-					     struct rpc_pipe_client **presult)
+					     struct rpc_pipe_client **_rpccli)
 {
-	struct rpc_pipe_client *result;
-	struct pipe_auth_data *auth;
+	struct rpc_pipe_client *rpccli;
+	struct pipe_auth_data *rpcauth;
 	NTSTATUS status;
 
-	status = cli_rpc_pipe_open(cli, transport, table, &result);
+	status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
-	status = rpccli_schannel_bind_data(result, domain, auth_level,
-					   *pdc, &auth);
+	status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
+					   *pdc, &rpcauth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
 			  nt_errstr(status)));
-		TALLOC_FREE(result);
+		TALLOC_FREE(rpccli);
 		return status;
 	}
 
-	status = rpc_pipe_bind(result, auth);
+	status = rpc_pipe_bind(rpccli, rpcauth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
 			  "cli_rpc_pipe_bind failed with error %s\n",
 			  nt_errstr(status) ));
-		TALLOC_FREE(result);
+		TALLOC_FREE(rpccli);
 		return status;
 	}
 
@@ -3065,10 +3065,10 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	 * The credentials on a new netlogon pipe are the ones we are passed
 	 * in - copy them over
 	 */
-	if (result->dc == NULL) {
-		result->dc = netlogon_creds_copy(result, *pdc);
-		if (result->dc == NULL) {
-			TALLOC_FREE(result);
+	if (rpccli->dc == NULL) {
+		rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
+		if (rpccli->dc == NULL) {
+			TALLOC_FREE(rpccli);
 			return NT_STATUS_NO_MEMORY;
 		}
 	}
@@ -3076,9 +3076,9 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
 		  "for domain %s and bound using schannel.\n",
 		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-		  result->desthost, domain));
+		  rpccli->desthost, domain));
 
-	*presult = result;
+	*_rpccli = rpccli;
 	return NT_STATUS_OK;
 }
 
-- 
1.9.3


From 33991d3ea286fc5da1458ca64aa4fc004547ae04 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 20:26:54 +0200
Subject: [PATCH 054/249] s3:libsmb: remove unused cli_state->is_guestlogin

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 11e0be0e72cfc4bc65ba2b0ffd10cbae3ad69b2d)
---
 source3/include/client.h    | 1 -
 source3/libsmb/cliconnect.c | 5 -----
 2 files changed, 6 deletions(-)

diff --git a/source3/include/client.h b/source3/include/client.h
index 3f92d6d..59fb104 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -72,7 +72,6 @@ struct cli_state {
 	int timeout; /* in milliseconds. */
 	int initialised;
 	int win95;
-	bool is_guestlogin;
 	/* What the server offered. */
 	uint32_t server_posix_capabilities;
 	/* What the client requested. */
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index 13e7704..81bc028 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -240,7 +240,6 @@ static void cli_session_setup_lanman2_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-	cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -448,7 +447,6 @@ static void cli_session_setup_guest_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-	cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -613,7 +611,6 @@ static void cli_session_setup_plain_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-	cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -930,7 +927,6 @@ static void cli_session_setup_nt1_done(struct tevent_req *subreq)
 	p = bytes;
 
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-	cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
 
 	status = smb_bytes_talloc_string(cli,
 					inhdr,
@@ -1180,7 +1176,6 @@ static void cli_sesssetup_blob_done(struct tevent_req *subreq)
 	state->inbuf = in;
 	inhdr = in + NBT_HDR_SIZE;
 	cli_state_set_uid(state->cli, SVAL(inhdr, HDR_UID));
-	cli->is_guestlogin = ((SVAL(vwv+2, 0) & 1) != 0);
 
 	blob_length = SVAL(vwv+3, 0);
 	if (blob_length > num_bytes) {
-- 
1.9.3


From 937a0f2fc020e12c21c10597a889275614603add Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jun 2013 09:41:52 +0200
Subject: [PATCH 055/249] s3:auth_domain: try to use NETLOGON_NEG_SUPPORTS_AES

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d82ab70579ff2bcb69f997068482b198f321d1ef)
---
 source3/auth/auth_domain.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 54ee5a1..06078e2 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -133,7 +133,8 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 
 	if (!lp_client_schannel()) {
 		/* We need to set up a creds chain on an unauthenticated netlogon pipe. */
-		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+					NETLOGON_NEG_SUPPORTS_AES;
 		enum netr_SchannelType sec_chan_type = 0;
 		unsigned char machine_pwd[16];
 		const char *account_name;
-- 
1.9.3


From 981a88bb20cef572e5573ee2f18115a6e395fbf9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jun 2013 09:41:52 +0200
Subject: [PATCH 056/249] s3:libnet_join: try to use NETLOGON_NEG_SUPPORTS_AES

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit beba32619a91977543f882432fd08acc9de78fd3)
---
 source3/libnet/libnet_join.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index d8ec235..c1eccda 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1194,7 +1194,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 			const char *dc_name,
 			const bool use_kerberos)
 {
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+				NETLOGON_NEG_SUPPORTS_AES;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
-- 
1.9.3


From 846a35f004850695ca7c9d4597cd8729bb7c99e3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jun 2013 09:41:52 +0200
Subject: [PATCH 057/249] s3:rpc_client: try to use NETLOGON_NEG_SUPPORTS_AES

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 04600634b3e761d7c56f699fd4ba80b4cd2926a1)
---
 source3/rpc_client/cli_netlogon.c      | 3 ++-
 source3/rpc_client/cli_pipe_schannel.c | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 3d6a3e1..5e8a2fc 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -610,7 +610,8 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
 	struct dcerpc_binding_handle *b = cli->binding_handle;
 
 	if (!cli->dc) {
-		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+					NETLOGON_NEG_SUPPORTS_AES;
 		result = rpccli_netlogon_setup_creds(cli,
 						     cli->desthost, /* server name */
 						     lp_workgroup(), /* domain */
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index bc672ef..de745c0 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -136,7 +136,8 @@ NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
 						 const char *password,
 						 struct rpc_pipe_client **presult)
 {
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+				NETLOGON_NEG_SUPPORTS_AES;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	struct rpc_pipe_client *result = NULL;
 	NTSTATUS status;
@@ -175,7 +176,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 				    const char *domain,
 				    struct rpc_pipe_client **presult)
 {
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+				NETLOGON_NEG_SUPPORTS_AES;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 	struct rpc_pipe_client *result = NULL;
 	NTSTATUS status;
-- 
1.9.3


From a56391bc8cbe1fa9142d0a20f4bf977538f27e67 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 15 Jun 2013 09:41:52 +0200
Subject: [PATCH 058/249] s3:rpcclient: try to use NETLOGON_NEG_SUPPORTS_AES

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e77a64f505fc43628e487e832033d0cd8ec4de8e)
---
 source3/rpcclient/cmd_netlogon.c | 3 ++-
 source3/rpcclient/rpcclient.c    | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 01d6da4..d92434b 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -1120,7 +1120,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	NTSTATUS result;
 	const char *server_name = cli->desthost;
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+				NETLOGON_NEG_SUPPORTS_AES;
 	struct netr_Authenticator clnt_creds, srv_cred;
 	struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
 	unsigned char trust_passwd_hash[16];
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 9bf296e..cb7b70f 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -758,7 +758,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 
 		if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
 					&ndr_table_netlogon.syntax_id)) {
-			uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+			uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
+						NETLOGON_NEG_SUPPORTS_AES;
 			enum netr_SchannelType sec_channel_type;
 			uchar trust_password[16];
 			const char *machine_account;
-- 
1.9.3


From 06c4ff36efc63ef014c449602dc314ca4e7016bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 19:57:09 +0200
Subject: [PATCH 059/249] s3:rpc_client: fix/add AES downgrade detection to
 rpc_pipe_bind_step_two_done()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 90e28c1825b2c48714d7b34fdb57d3878116d07e)
---
 source3/rpc_client/cli_pipe.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index ec804e7..c354a6f 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1828,8 +1828,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
 	status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
 	TALLOC_FREE(subreq);
 	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-		if (state->cli->dc && state->cli->dc->negotiate_flags &
-		    NETLOGON_NEG_SUPPORTS_AES) {
+		if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 			DEBUG(5, ("AES is not supported and the error was %s\n",
 				  nt_errstr(status)));
 			tevent_req_nterror(req,
@@ -1880,9 +1879,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
 		return;
 	}
 
-	TALLOC_FREE(state->cli->dc);
-	state->cli->dc = talloc_steal(state->cli, state->creds);
-
 	if (!NT_STATUS_IS_OK(state->r.out.result)) {
 		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
 			  nt_errstr(state->r.out.result)));
@@ -1890,18 +1886,17 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
 		return;
 	}
 
-	if (state->creds->negotiate_flags !=
-	    state->r.out.capabilities->server_capabilities) {
-		DEBUG(0, ("The client capabilities don't match the server "
-			  "capabilities: local[0x%08X] remote[0x%08X]\n",
-			  state->creds->negotiate_flags,
-			  state->capabilities.server_capabilities));
+	if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
+		DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
+			  "but AES was not negotiated - downgrade detected",
+			 state->cli->desthost));
 		tevent_req_nterror(req,
 				   NT_STATUS_INVALID_NETWORK_RESPONSE);
 		return;
 	}
 
-	/* TODO: Add downgrade dectection. */
+	TALLOC_FREE(state->cli->dc);
+	state->cli->dc = talloc_move(state->cli, &state->creds);
 
 	tevent_req_done(req);
 	return;
-- 
1.9.3


From e6416b9fe5019c3ce1aa8ecf42d73125a049338f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 19:45:52 +0200
Subject: [PATCH 060/249] s3:rpc_client: use netlogon_creds_copy before
 rpc_pipe_bind

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e9c8e3fb92143525f846523e446e2213e5b55d9d)
---
 source3/rpc_client/cli_pipe.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index c354a6f..eb172db 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3047,6 +3047,18 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 		return status;
 	}
 
+	/*
+	 * The credentials on a new netlogon pipe are the ones we are passed
+	 * in - copy them over
+	 *
+	 * This may get overwritten... in rpc_pipe_bind()...
+	 */
+	rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
+	if (rpccli->dc == NULL) {
+		TALLOC_FREE(rpccli);
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	status = rpc_pipe_bind(rpccli, rpcauth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
@@ -3056,18 +3068,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 		return status;
 	}
 
-	/*
-	 * The credentials on a new netlogon pipe are the ones we are passed
-	 * in - copy them over
-	 */
-	if (rpccli->dc == NULL) {
-		rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
-		if (rpccli->dc == NULL) {
-			TALLOC_FREE(rpccli);
-			return NT_STATUS_NO_MEMORY;
-		}
-	}
-
 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
 		  "for domain %s and bound using schannel.\n",
 		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-- 
1.9.3


From 1836ea96ed7dd055278fd6cac3f69a06ea979ea2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 19:34:13 +0200
Subject: [PATCH 061/249] s3:rpc_client: add netr_LogonGetCapabilities to
 cli_rpc_pipe_open_schannel_with_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit eecb5bafba5b362d4fdf33d6a2a32e4ee56f30a4)
---
 source3/rpc_client/cli_pipe.c | 101 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index eb172db..314eb92 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3032,6 +3032,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	struct rpc_pipe_client *rpccli;
 	struct pipe_auth_data *rpcauth;
 	NTSTATUS status;
+	NTSTATUS result;
+	struct netlogon_creds_CredentialState save_creds;
+	struct netr_Authenticator auth;
+	struct netr_Authenticator return_auth;
+	union netr_Capabilities capabilities;
 
 	status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -3068,6 +3073,102 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 		return status;
 	}
 
+	if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
+		goto done;
+	}
+
+	save_creds = *rpccli->dc;
+	ZERO_STRUCT(return_auth);
+	ZERO_STRUCT(capabilities);
+
+	netlogon_creds_client_authenticator(&save_creds, &auth);
+
+	status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
+						  talloc_tos(),
+						  rpccli->srv_name_slash,
+						  save_creds.computer_name,
+						  &auth, &return_auth,
+						  1, &capabilities,
+						  &result);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+		if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+			DEBUG(5, ("AES was negotiated and the error was %s - "
+				  "downgrade detected\n",
+				  nt_errstr(status)));
+			TALLOC_FREE(rpccli);
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+
+		/* This is probably an old Samba Version */
+		DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
+			  nt_errstr(status)));
+		goto done;
+	}
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
+			  nt_errstr(status)));
+		TALLOC_FREE(rpccli);
+		return status;
+	}
+
+	if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+		if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+			/* This means AES isn't supported. */
+			DEBUG(5, ("AES was negotiated and the result was %s - "
+				  "downgrade detected\n",
+				  nt_errstr(result)));
+			TALLOC_FREE(rpccli);
+			return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		}
+
+		/* This is probably an old Windows version */
+		DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
+			  nt_errstr(result)));
+		goto done;
+	}
+
+	/*
+	 * We need to check the credential state here, cause win2k3 and earlier
+	 * returns NT_STATUS_NOT_IMPLEMENTED
+	 */
+	if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
+		/*
+		 * Server replied with bad credential. Fail.
+		 */
+		DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
+			 "replied with bad credential\n",
+			 rpccli->desthost));
+		TALLOC_FREE(rpccli);
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+	*rpccli->dc = save_creds;
+
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
+			  nt_errstr(result)));
+		TALLOC_FREE(rpccli);
+		return result;
+	}
+
+	if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
+		/* This means AES isn't supported. */
+		DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
+			  "was OK - downgrade detected\n"));
+		TALLOC_FREE(rpccli);
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
+	if (save_creds.negotiate_flags != capabilities.server_capabilities) {
+		DEBUG(0, ("The client capabilities don't match the server "
+			  "capabilities: local[0x%08X] remote[0x%08X]\n",
+			  save_creds.negotiate_flags,
+			  capabilities.server_capabilities));
+		TALLOC_FREE(rpccli);
+		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+	}
+
+done:
 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
 		  "for domain %s and bound using schannel.\n",
 		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
-- 
1.9.3


From 675be19880c2ac4bca14d69592ce39bb66a34dec Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 18:30:36 +0200
Subject: [PATCH 062/249] s3:rpc_client: remove netr_LogonGetCapabilities check
 from rpc_pipe_bind*

It's done in the caller now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3302356226cca474f0afab9a129220241c16663f)
---
 source3/rpc_client/cli_pipe.c | 150 +-----------------------------------------
 1 file changed, 1 insertion(+), 149 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 314eb92..cba055a 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1568,15 +1568,9 @@ struct rpc_pipe_bind_state {
 	DATA_BLOB rpc_out;
 	bool auth3;
 	uint32_t rpc_call_id;
-	struct netr_Authenticator auth;
-	struct netr_Authenticator return_auth;
-	struct netlogon_creds_CredentialState *creds;
-	union netr_Capabilities capabilities;
-	struct netr_LogonGetCapabilities r;
 };
 
 static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq);
-static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req);
 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
 				   struct rpc_pipe_bind_state *state,
 				   DATA_BLOB *credentials);
@@ -1679,14 +1673,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 
 	case DCERPC_AUTH_TYPE_NONE:
 	case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
+	case DCERPC_AUTH_TYPE_SCHANNEL:
 		/* Bind complete. */
 		tevent_req_done(req);
 		return;
 
-	case DCERPC_AUTH_TYPE_SCHANNEL:
-		rpc_pipe_bind_step_two_trigger(req);
-		return;
-
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_SPNEGO:
 	case DCERPC_AUTH_TYPE_KRB5:
@@ -1763,145 +1754,6 @@ err_out:
 	tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
 }
 
-static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq);
-
-static void rpc_pipe_bind_step_two_trigger(struct tevent_req *req)
-{
-	struct rpc_pipe_bind_state *state =
-		tevent_req_data(req,
-				struct rpc_pipe_bind_state);
-	struct dcerpc_binding_handle *b = state->cli->binding_handle;
-	struct schannel_state *schannel_auth =
-		talloc_get_type_abort(state->cli->auth->auth_ctx,
-				      struct schannel_state);
-	struct tevent_req *subreq;
-
-	if (schannel_auth == NULL ||
-	    !ndr_syntax_id_equal(&state->cli->abstract_syntax,
-				 &ndr_table_netlogon.syntax_id)) {
-		tevent_req_done(req);
-		return;
-	}
-
-	ZERO_STRUCT(state->return_auth);
-
-	state->creds = netlogon_creds_copy(state, schannel_auth->creds);
-	if (state->creds == NULL) {
-		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-		return;
-	}
-
-	netlogon_creds_client_authenticator(state->creds, &state->auth);
-
-	state->r.in.server_name = state->cli->srv_name_slash;
-	state->r.in.computer_name = state->creds->computer_name;
-	state->r.in.credential = &state->auth;
-	state->r.in.query_level = 1;
-	state->r.in.return_authenticator = &state->return_auth;
-
-	state->r.out.capabilities = &state->capabilities;
-	state->r.out.return_authenticator = &state->return_auth;
-
-	subreq = dcerpc_netr_LogonGetCapabilities_r_send(talloc_tos(),
-							 state->ev,
-							 b,
-							 &state->r);
-	if (subreq == NULL) {
-		tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
-		return;
-	}
-
-	tevent_req_set_callback(subreq, rpc_pipe_bind_step_two_done, req);
-	return;
-}
-
-static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
-{
-	struct tevent_req *req =
-		tevent_req_callback_data(subreq,
-					 struct tevent_req);
-	struct rpc_pipe_bind_state *state =
-		tevent_req_data(req,
-				struct rpc_pipe_bind_state);
-	NTSTATUS status;
-
-	status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
-	TALLOC_FREE(subreq);
-	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-		if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			DEBUG(5, ("AES is not supported and the error was %s\n",
-				  nt_errstr(status)));
-			tevent_req_nterror(req,
-					   NT_STATUS_INVALID_NETWORK_RESPONSE);
-			return;
-		}
-
-		/* This is probably NT */
-		DEBUG(5, ("We are checking against an NT - %s\n",
-			  nt_errstr(status)));
-		tevent_req_done(req);
-		return;
-	} else if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
-			  nt_errstr(status)));
-		tevent_req_nterror(req, status);
-		return;
-	}
-
-	if (NT_STATUS_EQUAL(state->r.out.result, NT_STATUS_NOT_IMPLEMENTED)) {
-		if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			/* This means AES isn't supported. */
-			DEBUG(5, ("AES is not supported and the error was %s\n",
-				  nt_errstr(state->r.out.result)));
-			tevent_req_nterror(req,
-					   NT_STATUS_INVALID_NETWORK_RESPONSE);
-			return;
-		}
-
-		/* This is probably an old Samba version */
-		DEBUG(5, ("We are checking against an old Samba version - %s\n",
-			  nt_errstr(state->r.out.result)));
-		tevent_req_done(req);
-		return;
-	}
-
-	/* We need to check the credential state here, cause win2k3 and earlier
-	 * returns NT_STATUS_NOT_IMPLEMENTED */
-	if (!netlogon_creds_client_check(state->creds,
-					 &state->r.out.return_authenticator->cred)) {
-		/*
-		 * Server replied with bad credential. Fail.
-		 */
-		DEBUG(0,("rpc_pipe_bind_step_two_done: server %s "
-			 "replied with bad credential\n",
-			 state->cli->desthost));
-		tevent_req_nterror(req, NT_STATUS_UNSUCCESSFUL);
-		return;
-	}
-
-	if (!NT_STATUS_IS_OK(state->r.out.result)) {
-		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
-			  nt_errstr(state->r.out.result)));
-		tevent_req_nterror(req, state->r.out.result);
-		return;
-	}
-
-	if (!(state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
-		DEBUG(0, ("netr_LogonGetCapabilities is supported by %s, "
-			  "but AES was not negotiated - downgrade detected",
-			 state->cli->desthost));
-		tevent_req_nterror(req,
-				   NT_STATUS_INVALID_NETWORK_RESPONSE);
-		return;
-	}
-
-	TALLOC_FREE(state->cli->dc);
-	state->cli->dc = talloc_move(state->cli, &state->creds);
-
-	tevent_req_done(req);
-	return;
-}
-
 static NTSTATUS rpc_bind_next_send(struct tevent_req *req,
 				   struct rpc_pipe_bind_state *state,
 				   DATA_BLOB *auth_token)
-- 
1.9.3


From f9b4e38b8458ec905b5f78e402f21f23c4a967e1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 25 Apr 2013 19:33:28 +0200
Subject: [PATCH 063/249] s3:rpc_client: remove unused
 cli_rpc_pipe_open_ntlmssp_auth_schannel()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 04938cbeecc777f7b799a11f1ca0461b351d968a)
---
 source3/rpc_client/cli_pipe.h          |  9 ----
 source3/rpc_client/cli_pipe_schannel.c | 80 ----------------------------------
 2 files changed, 89 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 8eb6040..ab99373 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -109,15 +109,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     struct netlogon_creds_CredentialState **pdc,
 					     struct rpc_pipe_client **presult);
 
-NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-						 const struct ndr_interface_table *table,
-						 enum dcerpc_transport_t transport,
-						 enum dcerpc_AuthLevel auth_level,
-						 const char *domain,
-						 const char *username,
-						 const char *password,
-						 struct rpc_pipe_client **presult);
-
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 				    const struct ndr_interface_table *table,
 				    enum dcerpc_transport_t transport,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index de745c0..aaae44b 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -86,86 +86,6 @@ static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon
 
 /****************************************************************************
  Open a named pipe to an SMB server and bind using schannel (bind type 68).
- Fetch the session key ourselves using a temporary netlogon pipe. This
- version uses an ntlmssp auth bound netlogon pipe to get the key.
- ****************************************************************************/
-
-static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli,
-						      const char *domain,
-						      const char *username,
-						      const char *password,
-						      uint32 *pneg_flags,
-						      struct rpc_pipe_client **presult)
-{
-	struct rpc_pipe_client *netlogon_pipe = NULL;
-	NTSTATUS status;
-
-	status = cli_rpc_pipe_open_spnego(
-		cli, &ndr_table_netlogon, NCACN_NP,
-		GENSEC_OID_NTLMSSP,
-		DCERPC_AUTH_LEVEL_PRIVACY,
-		smbXcli_conn_remote_name(cli->conn),
-		domain, username, password, &netlogon_pipe);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
-						 pneg_flags);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(netlogon_pipe);
-		return status;
-	}
-
-	*presult = netlogon_pipe;
-	return NT_STATUS_OK;
-}
-
-/****************************************************************************
- Open a named pipe to an SMB server and bind using schannel (bind type 68).
- Fetch the session key ourselves using a temporary netlogon pipe. This version
- uses an ntlmssp bind to get the session key.
- ****************************************************************************/
-
-NTSTATUS cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state *cli,
-						 const struct ndr_interface_table *table,
-						 enum dcerpc_transport_t transport,
-						 enum dcerpc_AuthLevel auth_level,
-						 const char *domain,
-						 const char *username,
-						 const char *password,
-						 struct rpc_pipe_client **presult)
-{
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-				NETLOGON_NEG_SUPPORTS_AES;
-	struct rpc_pipe_client *netlogon_pipe = NULL;
-	struct rpc_pipe_client *result = NULL;
-	NTSTATUS status;
-
-	status = get_schannel_session_key_auth_ntlmssp(
-		cli, domain, username, password, &neg_flags, &netlogon_pipe);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
-			"key from server %s for domain %s.\n",
-			smbXcli_conn_remote_name(cli->conn), domain ));
-		return status;
-	}
-
-	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
-		&result);
-
-	/* Now we've bound using the session key we can close the netlog pipe. */
-	TALLOC_FREE(netlogon_pipe);
-
-	if (NT_STATUS_IS_OK(status)) {
-		*presult = result;
-	}
-	return status;
-}
-
-/****************************************************************************
- Open a named pipe to an SMB server and bind using schannel (bind type 68).
  Fetch the session key ourselves using a temporary netlogon pipe.
  ****************************************************************************/
 
-- 
1.9.3


From 35d07a4d7ca15e4cf22f7cc96d6958c9856dc0a0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Aug 2013 11:26:13 +0200
Subject: [PATCH 064/249] auth/gensec: first check GENSEC_FEATURE_SESSION_KEY
 before returning NOT_IMPLEMENTED

Preferr NT_STATUS_NO_USER_SESSION_KEY as return value of gensec_session_key().

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 45c74c8084d2db14fef6a79cd98068be2ab73f30)
---
 auth/gensec/gensec.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..9a8f0ef 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -155,13 +155,14 @@ _PUBLIC_ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
 				     TALLOC_CTX *mem_ctx,
 				     DATA_BLOB *session_key)
 {
-	if (!gensec_security->ops->session_key) {
-		return NT_STATUS_NOT_IMPLEMENTED;
-	}
 	if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SESSION_KEY)) {
 		return NT_STATUS_NO_USER_SESSION_KEY;
 	}
 
+	if (!gensec_security->ops->session_key) {
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
+
 	return gensec_security->ops->session_key(gensec_security, mem_ctx, session_key);
 }
 
-- 
1.9.3


From 6eda030bd26347cef3fb670b0876956c97c00bfa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Aug 2013 11:43:58 +0200
Subject: [PATCH 065/249] auth/gensec: add gensec_security_by_auth_type()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 59b09564a7edac8dc241269587146342244ce58b)
---
 auth/gensec/gensec.h       |  3 +++
 auth/gensec/gensec_start.c | 26 ++++++++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 396a16d..c080861 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -268,6 +268,9 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
 							 const char *oid_string);
 const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_security *gensec_security,
 							       const char *sasl_name);
+const struct gensec_security_ops *gensec_security_by_auth_type(
+				struct gensec_security *gensec_security,
+				uint32_t auth_type);
 struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
 						   TALLOC_CTX *mem_ctx);
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index e46f0ee..c2cfa1c 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -246,6 +246,32 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
 	return NULL;
 }
 
+_PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
+				struct gensec_security *gensec_security,
+				uint32_t auth_type)
+{
+	int i;
+	struct gensec_security_ops **backends;
+	const struct gensec_security_ops *backend;
+	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
+	if (!mem_ctx) {
+		return NULL;
+	}
+	backends = gensec_security_mechs(gensec_security, mem_ctx);
+	for (i=0; backends && backends[i]; i++) {
+		if (!gensec_security_ops_enabled(backends[i], gensec_security))
+		    continue;
+		if (backends[i]->auth_type == auth_type) {
+			backend = backends[i];
+			talloc_free(mem_ctx);
+			return backend;
+		}
+	}
+	talloc_free(mem_ctx);
+
+	return NULL;
+}
+
 static const struct gensec_security_ops *gensec_security_by_name(struct gensec_security *gensec_security,
 								 const char *name)
 {
-- 
1.9.3


From f4e1506ed3a032d38605207f592cbc4ece93a414 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 24 Apr 2013 12:33:28 +0200
Subject: [PATCH 066/249] libcli/auth: maintain the sequence number for the
 NETLOGON SSP as 64bit

See [MS-NPRC] 3.3.4.2 The Netlogon Signature Token.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9f2e81ae02549369db49c05edf7071612a03a8b8)
---
 libcli/auth/schannel.h              |  2 +-
 libcli/auth/schannel_sign.c         | 17 +++++++++++++----
 source3/librpc/rpc/dcerpc_helpers.c |  4 ++--
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
index bfccd95..271b5bb 100644
--- a/libcli/auth/schannel.h
+++ b/libcli/auth/schannel.h
@@ -30,7 +30,7 @@ enum schannel_position {
 
 struct schannel_state {
 	enum schannel_position state;
-	uint32_t seq_num;
+	uint64_t seq_num;
 	bool initiator;
 	struct netlogon_creds_CredentialState *creds;
 };
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index 1871da2..6e5d454 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -24,6 +24,17 @@
 #include "../libcli/auth/schannel.h"
 #include "../lib/crypto/crypto.h"
 
+#define SETUP_SEQNUM(state, buf, initiator) do { \
+	uint8_t *_buf = buf; \
+	uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
+	uint32_t _seq_num_high = (state)->seq_num >> 32; \
+	if (initiator) { \
+		_seq_num_high |= 0x80000000; \
+	} \
+	RSIVAL(_buf, 0, _seq_num_low); \
+	RSIVAL(_buf, 4, _seq_num_high); \
+} while(0)
+
 static void netsec_offset_and_sizes(struct schannel_state *state,
 				    bool do_seal,
 				    uint32_t *_min_sig_size,
@@ -255,8 +266,7 @@ NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 		confounder = NULL;
 	}
 
-	RSIVAL(seq_num, 0, state->seq_num);
-	SIVAL(seq_num, 4, state->initiator?0:0x80);
+	SETUP_SEQNUM(state, seq_num, !state->initiator);
 
 	if (do_unseal) {
 		netsec_do_seal(state, seq_num,
@@ -325,8 +335,7 @@ NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
 				&checksum_length,
 				&confounder_ofs);
 
-	RSIVAL(seq_num, 0, state->seq_num);
-	SIVAL(seq_num, 4, state->initiator?0x80:0);
+	SETUP_SEQNUM(state, seq_num, state->initiator);
 
 	if (do_seal) {
 		confounder = _confounder;
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index a55e419..0095990 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -462,8 +462,8 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%d\n",
-			sas->seq_num));
+	DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
+		  (unsigned long long)sas->seq_num));
 
 	switch (auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
-- 
1.9.3


From f99afc1924dbb267e696bbdf26db606a8c77f093 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 12:53:42 +0200
Subject: [PATCH 067/249] libcli/auth: add netsec_create_state()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 33215398f32c76f4b8ada7b547c6d0741cb2ac16)
---
 libcli/auth/schannel_proto.h |  3 +++
 libcli/auth/schannel_sign.c  | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
index 0414218..da76559 100644
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@@ -28,6 +28,9 @@ struct schannel_state;
 struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
 					       struct loadparm_context *lp_ctx);
 
+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_CredentialState *creds,
+				bool initiator);
 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 				bool do_unseal,
 				uint8_t *data, size_t length,
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index 6e5d454..518a6a9 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -35,6 +35,29 @@
 	RSIVAL(_buf, 4, _seq_num_high); \
 } while(0)
 
+struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_CredentialState *creds,
+				bool initiator)
+{
+	struct schannel_state *state;
+
+	state = talloc(mem_ctx, struct schannel_state);
+	if (state == NULL) {
+		return NULL;
+	}
+
+	state->state = SCHANNEL_STATE_UPDATE_1;
+	state->initiator = initiator;
+	state->seq_num = 0;
+	state->creds = netlogon_creds_copy(state, creds);
+	if (state->creds == NULL) {
+		talloc_free(state);
+		return NULL;
+	}
+
+	return state;
+}
+
 static void netsec_offset_and_sizes(struct schannel_state *state,
 				    bool do_seal,
 				    uint32_t *_min_sig_size,
-- 
1.9.3


From f13417a00173fcde96417773a1a551caced24c8b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:28:11 +0200
Subject: [PATCH 068/249] s3:cli_pipe: make use of netsec_create_state()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e96142fc439efb7c90719f9c387778c4218ae637)
---
 source3/rpc_client/cli_pipe.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index cba055a..9e979b0 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2271,18 +2271,11 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
 		goto fail;
 	}
 
-	schannel_auth = talloc_zero(result, struct schannel_state);
+	schannel_auth = netsec_create_state(result, creds, true /* initiator */);
 	if (schannel_auth == NULL) {
 		goto fail;
 	}
 
-	schannel_auth->state = SCHANNEL_STATE_START;
-	schannel_auth->initiator = true;
-	schannel_auth->creds = netlogon_creds_copy(schannel_auth, creds);
-	if (schannel_auth->creds == NULL) {
-		goto fail;
-	}
-
 	result->auth_ctx = schannel_auth;
 	*presult = result;
 	return NT_STATUS_OK;
-- 
1.9.3


From becf68bc072fdfab4489326d148775ebdbe27fda Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:28:59 +0200
Subject: [PATCH 069/249] s3:cli_pipe: pass down creds->computer_name to
 NL_AUTH_MESSAGE

We need to use the same computer_name value as in the netr_Authenticate3()
request.

We abuse cli->auth->user_name to pass the value down.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 838cb539621ef19cac6badb4b10678dcc3a6f68a)
---
 source3/rpc_client/cli_pipe.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 9e979b0..1de71fb 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1027,13 +1027,12 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
 	NTSTATUS status;
 	struct NL_AUTH_MESSAGE r;
 
-	/* Use lp_workgroup() if domain not specified */
+	if (!cli->auth->user_name || !cli->auth->user_name[0]) {
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
 
 	if (!cli->auth->domain || !cli->auth->domain[0]) {
-		cli->auth->domain = talloc_strdup(cli, lp_workgroup());
-		if (cli->auth->domain == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
+		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
 
 	/*
@@ -1044,7 +1043,7 @@ static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
 	r.Flags				= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
 					  NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
 	r.oem_netbios_domain.a		= cli->auth->domain;
-	r.oem_netbios_computer.a	= lp_netbios_name();
+	r.oem_netbios_computer.a	= cli->auth->user_name;
 
 	status = dcerpc_push_schannel_bind(cli, &r, auth_token);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2265,7 +2264,7 @@ static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
 	result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 	result->auth_level = auth_level;
 
-	result->user_name = talloc_strdup(result, "");
+	result->user_name = talloc_strdup(result, creds->computer_name);
 	result->domain = talloc_strdup(result, domain);
 	if ((result->user_name == NULL) || (result->domain == NULL)) {
 		goto fail;
-- 
1.9.3


From b447ab32047f33d306ee891d1d3fe2ae5a8c56f1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Aug 2013 08:50:54 +0200
Subject: [PATCH 070/249] s3:cli_pipe.c: return NO_USER_SESSION_KEY in
 cli_get_session_key() for schannel

SCHANNEL connections don't have a user session key,
they're like anonymous connections.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit af4dc306846a30a5a1201306cc2cbf4d494e16e7)
---
 source3/rpc_client/cli_pipe.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1de71fb..470469f 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3091,7 +3091,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 {
 	NTSTATUS status;
 	struct pipe_auth_data *a;
-	struct schannel_state *schannel_auth;
 	struct gensec_security *gensec_security;
 	DATA_BLOB sk = data_blob_null;
 	bool make_dup = false;
@@ -3107,12 +3106,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 	}
 
 	switch (cli->auth->auth_type) {
-	case DCERPC_AUTH_TYPE_SCHANNEL:
-		schannel_auth = talloc_get_type_abort(a->auth_ctx,
-						      struct schannel_state);
-		sk = data_blob_const(schannel_auth->creds->session_key, 16);
-		make_dup = true;
-		break;
 	case DCERPC_AUTH_TYPE_SPNEGO:
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_KRB5:
-- 
1.9.3


From abebeb10c26f6fa7e61c56553ce1e52b5d45937a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:33:37 +0200
Subject: [PATCH 071/249] s3:rpc_server: make use of netsec_create_state()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a964309bf7631f4f6953e0d6556f8ed8e5300dcc)
---
 source3/rpc_server/srv_pipe.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7daff04..9043a14 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -462,8 +462,8 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 	 */
 
 	become_root();
-	status = schannel_get_creds_state(p, lp_ctx,
-					    neg.oem_netbios_computer.a, &creds);
+	status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
+					  neg.oem_netbios_computer.a, &creds);
 	unbecome_root();
 	
 	talloc_unlink(p, lp_ctx);
@@ -472,16 +472,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 		return False;
 	}
 
-	schannel_auth = talloc_zero(p, struct schannel_state);
+	schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
+	TALLOC_FREE(creds);
 	if (!schannel_auth) {
-		TALLOC_FREE(creds);
 		return False;
 	}
 
-	schannel_auth->state = SCHANNEL_STATE_START;
-	schannel_auth->initiator = false;
-	schannel_auth->creds = creds;
-
 	/*
 	 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
 	 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
-- 
1.9.3


From b567c4ef93de5c098d724c15b614f5f233903812 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:36:30 +0200
Subject: [PATCH 072/249] s3:dcerpc_helpers: remove unused DEBUG message of
 schannel_state->seq_num.

This is a layer violation and not needed anymore as we know
how the seqnum handling works now.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a36ccdc83edb7437dd00601c459421286fd79db4)
---
 source3/librpc/rpc/dcerpc_helpers.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 0095990..97999d7 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -462,9 +462,6 @@ static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	DEBUG(10,("add_schannel_auth_footer: SCHANNEL seq_num=%llu\n",
-		  (unsigned long long)sas->seq_num));
-
 	switch (auth_level) {
 	case DCERPC_AUTH_LEVEL_PRIVACY:
 		status = netsec_outgoing_packet(sas,
-- 
1.9.3


From e044773b51b76b3582669ee7e3a388d6471e2f2e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 10:08:54 +0200
Subject: [PATCH 073/249] s4:libnet: avoid usage of dcerpc_schannel_creds()

We use cli_credentials_get_netlogon_creds() which returns the same value.

dcerpc_schannel_creds() is a layer violation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c0144273af8f0956a05d102113c40cec77069f7a)
---
 source4/libnet/libnet_samsync.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/source4/libnet/libnet_samsync.c b/source4/libnet/libnet_samsync.c
index 9629b9f..206d81e 100644
--- a/source4/libnet/libnet_samsync.c
+++ b/source4/libnet/libnet_samsync.c
@@ -25,7 +25,6 @@
 #include "libcli/auth/libcli_auth.h"
 #include "../libcli/samsync/samsync.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/schannel.h"
 #include "auth/credentials/credentials.h"
 #include "libcli/auth/schannel.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
@@ -183,9 +182,9 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx
 
 	/* get NETLOGON credentials */
 
-	nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer");
+	creds = cli_credentials_get_netlogon_creds(machine_account);
+	if (creds == NULL) {
+		r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from credentials");
 		talloc_free(samsync_ctx);
 		return nt_status;
 	}
-- 
1.9.3


From 322dc86454fc4e60de641ef02da2c2744c347001 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 10:08:54 +0200
Subject: [PATCH 074/249] s4:torture: avoid usage of dcerpc_schannel_creds()

We use cli_credentials_get_netlogon_creds() which returns the same value.

dcerpc_schannel_creds() is a layer violation.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2ea3a24dced0814100e352bbbca124011be73602)
---
 source4/torture/rpc/samlogon.c |  5 ++---
 source4/torture/rpc/samr.c     |  6 +++---
 source4/torture/rpc/samsync.c  | 11 ++++-------
 source4/torture/rpc/schannel.c |  6 ++----
 4 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c
index 4861038..886ff39 100644
--- a/source4/torture/rpc/samlogon.c
+++ b/source4/torture/rpc/samlogon.c
@@ -29,7 +29,6 @@
 #include "lib/cmdline/popt_common.h"
 #include "torture/rpc/torture_rpc.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "param/param.h"
 
@@ -1764,8 +1763,8 @@ bool torture_rpc_samlogon(struct torture_context *torture)
 	torture_assert_ntstatus_ok_goto(torture, status, ret, failed,
 		talloc_asprintf(torture, "RPC pipe connect as domain member failed: %s\n", nt_errstr(status)));
 
-	status = dcerpc_schannel_creds(p->conn->security_state.generic_state, mem_ctx, &creds);
-	if (!NT_STATUS_IS_OK(status)) {
+	creds = cli_credentials_get_netlogon_creds(machine_credentials);
+	if (creds == NULL) {
 		ret = false;
 		goto failed;
 	}
diff --git a/source4/torture/rpc/samr.c b/source4/torture/rpc/samr.c
index cdfa2b8..d4d64f9 100644
--- a/source4/torture/rpc/samr.c
+++ b/source4/torture/rpc/samr.c
@@ -37,7 +37,6 @@
 #include "torture/rpc/torture_rpc.h"
 #include "param/param.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/schannel.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
 
@@ -2959,6 +2958,7 @@ static bool test_QueryUserInfo_pwdlastset(struct dcerpc_binding_handle *b,
 
 static bool test_SamLogon(struct torture_context *tctx,
 			  struct dcerpc_pipe *p,
+			  struct cli_credentials *machine_credentials,
 			  struct cli_credentials *test_credentials,
 			  NTSTATUS expected_result,
 			  bool interactive)
@@ -2978,7 +2978,7 @@ static bool test_SamLogon(struct torture_context *tctx,
 	struct netr_Authenticator a;
 	struct dcerpc_binding_handle *b = p->binding_handle;
 
-	torture_assert_ntstatus_ok(tctx, dcerpc_schannel_creds(p->conn->security_state.generic_state, tctx, &creds), "");
+	torture_assert(tctx, (creds = cli_credentials_get_netlogon_creds(machine_credentials)), "");
 
 	if (lpcfg_client_lanman_auth(tctx->lp_ctx)) {
 		flags |= CLI_CRED_LANMAN_AUTH;
@@ -3105,7 +3105,7 @@ static bool test_SamLogon_with_creds(struct torture_context *tctx,
 	torture_comment(tctx, "Testing samlogon (%s) as %s password: %s\n",
 		interactive ? "interactive" : "network", acct_name, password);
 
-	if (!test_SamLogon(tctx, p, test_credentials,
+	if (!test_SamLogon(tctx, p, machine_creds, test_credentials,
 			    expected_samlogon_result, interactive)) {
 		torture_warning(tctx, "new password did not work\n");
 		ret = false;
diff --git a/source4/torture/rpc/samsync.c b/source4/torture/rpc/samsync.c
index 81027d0..15cab73 100644
--- a/source4/torture/rpc/samsync.c
+++ b/source4/torture/rpc/samsync.c
@@ -27,7 +27,6 @@
 #include "system/time.h"
 #include "torture/rpc/torture_rpc.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/samsync/samsync.h"
 #include "libcli/security/security.h"
@@ -1720,9 +1719,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
 	}
 	samsync_state->b = samsync_state->p->binding_handle;
 
-	status = dcerpc_schannel_creds(samsync_state->p->conn->security_state.generic_state,
-				       samsync_state, &samsync_state->creds);
-	if (!NT_STATUS_IS_OK(status)) {
+	samsync_state->creds = cli_credentials_get_netlogon_creds(credentials);
+	if (samsync_state->creds == NULL) {
 		ret = false;
 	}
 
@@ -1758,9 +1756,8 @@ bool torture_rpc_samsync(struct torture_context *torture)
 		goto failed;
 	}
 
-	status = dcerpc_schannel_creds(samsync_state->p_netlogon_wksta->conn->security_state.generic_state,
-				       samsync_state, &samsync_state->creds_netlogon_wksta);
-	if (!NT_STATUS_IS_OK(status)) {
+	samsync_state->creds_netlogon_wksta = cli_credentials_get_netlogon_creds(credentials_wksta);
+	if (samsync_state->creds_netlogon_wksta == NULL) {
 		torture_comment(torture, "Failed to obtail schanel creds!\n");
 		ret = false;
 	}
diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c
index 8203749..0098dcf 100644
--- a/source4/torture/rpc/schannel.c
+++ b/source4/torture/rpc/schannel.c
@@ -26,14 +26,12 @@
 #include "auth/credentials/credentials.h"
 #include "torture/rpc/torture_rpc.h"
 #include "lib/cmdline/popt_common.h"
-#include "auth/gensec/schannel.h"
 #include "../libcli/auth/schannel.h"
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/security/security.h"
 #include "system/filesys.h"
 #include "param/param.h"
 #include "librpc/rpc/dcerpc_proto.h"
-#include "auth/gensec/gensec.h"
 #include "libcli/composite/composite.h"
 #include "lib/events/events.h"
 
@@ -413,8 +411,8 @@ static bool test_schannel(struct torture_context *tctx,
 
 	torture_assert_ntstatus_ok(tctx, status, "bind auth");
 
-	status = dcerpc_schannel_creds(p_netlogon->conn->security_state.generic_state, tctx, &creds);
-	torture_assert_ntstatus_ok(tctx, status, "schannel creds");
+	creds = cli_credentials_get_netlogon_creds(credentials);
+	torture_assert(tctx, (creds != NULL), "schannel creds");
 
 	/* checks the capabilities */
 	torture_assert(tctx, test_netlogon_capabilities(p_netlogon, tctx, credentials, creds),
-- 
1.9.3


From fa1c5bc2cdff9decd361c919567c502ef0c09385 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 12:31:41 +0200
Subject: [PATCH 075/249] s4:gensec/schannel: remove unused
 dcerpc_schannel_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4cad5dcb6d5e49cc9bb1aa4ca454f369e00e8c6f)
---
 source4/auth/gensec/schannel.c | 23 -----------------------
 source4/auth/gensec/schannel.h | 26 --------------------------
 2 files changed, 49 deletions(-)
 delete mode 100644 source4/auth/gensec/schannel.h

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index e7c545f..10d2565 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -29,7 +29,6 @@
 #include "../libcli/auth/schannel.h"
 #include "librpc/rpc/dcerpc.h"
 #include "param/param.h"
-#include "auth/gensec/schannel.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 
 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
@@ -204,28 +203,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 }
 
 /**
- * Return the struct netlogon_creds_CredentialState.
- *
- * Make sure not to call this unless gensec is using schannel...
- */
-
-/* TODO: make this non-public */
-
-_PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
-					TALLOC_CTX *mem_ctx,
-					struct netlogon_creds_CredentialState **creds)
-{
-	struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
-
-	*creds = talloc_reference(mem_ctx, state->creds);
-	if (!*creds) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	return NT_STATUS_OK;
-}
-
-
-/**
  * Returns anonymous credentials for schannel, matching Win2k3.
  *
  */
diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h
deleted file mode 100644
index 88a32a7..0000000
--- a/source4/auth/gensec/schannel.h
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   dcerpc schannel operations
-
-   Copyright (C) Andrew Tridgell 2004
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-struct netlogon_creds_CredentialState;
-NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
-			       TALLOC_CTX *mem_ctx,
-			       struct netlogon_creds_CredentialState **creds);
-- 
1.9.3


From eeb52af669e963ac856fc77be6a47f7ed33d8580 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:04:07 +0200
Subject: [PATCH 076/249] s4:gensec/schannel: simplify the code by using
 netsec_create_state()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 49f347eb11bd12a3f25b0fcb8ba36d4a36594868)
---
 source4/auth/gensec/schannel.c | 98 +++++++++++++-----------------------------
 1 file changed, 30 insertions(+), 68 deletions(-)

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 10d2565..3896a41 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -35,12 +35,11 @@ _PUBLIC_ NTSTATUS gensec_schannel_init(void);
 
 static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
 {
-	struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
-	uint32_t sig_size;
-
-	sig_size = netsec_outgoing_sig_size(state);
+	struct schannel_state *state =
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
 
-	return sig_size;
+	return netsec_outgoing_sig_size(state);
 }
 
 static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
@@ -54,7 +53,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 				struct tevent_context *ev,
 				const DATA_BLOB in, DATA_BLOB *out)
 {
-	struct schannel_state *state = (struct schannel_state *)gensec_security->private_data;
+	struct schannel_state *state =
+		talloc_get_type(gensec_security->private_data,
+		struct schannel_state);
 	NTSTATUS status;
 	enum ndr_err_code ndr_err;
 	struct NL_AUTH_MESSAGE bind_schannel;
@@ -67,24 +68,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 
 	switch (gensec_security->gensec_role) {
 	case GENSEC_CLIENT:
-		if (state->state != SCHANNEL_STATE_START) {
+		if (state != NULL) {
 			/* we could parse the bind ack, but we don't know what it is yet */
 			return NT_STATUS_OK;
 		}
 
-		state->creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
-		if (state->creds == NULL) {
+		creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
+		if (creds == NULL) {
 			return NT_STATUS_INVALID_PARAMETER_MIX;
 		}
-		/*
-		 * We need to create a reference here or we don't get
-		 * updates performed on the credentials if we create a
-		 * copy.
-		 */
-		state->creds = talloc_reference(state, state->creds);
-		if (state->creds == NULL) {
+
+		state = netsec_create_state(gensec_security,
+					    creds, true /* initiator */);
+		if (state == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
+		gensec_security->private_data = state;
 
 		bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
 #if 0
@@ -117,12 +116,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 			return status;
 		}
 
-		state->state = SCHANNEL_STATE_UPDATE_1;
-
 		return NT_STATUS_MORE_PROCESSING_REQUIRED;
 	case GENSEC_SERVER:
 
-		if (state->state != SCHANNEL_STATE_START) {
+		if (state != NULL) {
 			/* no third leg on this protocol */
 			return NT_STATUS_INVALID_PARAMETER;
 		}
@@ -177,7 +174,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 			return status;
 		}
 
-		state->creds = talloc_steal(state, creds);
+		state = netsec_create_state(gensec_security,
+					    creds, false /* not initiator */);
+		if (state == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		gensec_security->private_data = state;
 
 		bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
 		bind_schannel_ack.Flags = 0;
@@ -195,8 +197,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 			return status;
 		}
 
-		state->state = SCHANNEL_STATE_UPDATE_1;
-
 		return NT_STATUS_OK;
 	}
 	return NT_STATUS_INVALID_PARAMETER;
@@ -214,54 +214,16 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
 	return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
 }
 
-static NTSTATUS schannel_start(struct gensec_security *gensec_security)
-{
-	struct schannel_state *state;
-
-	state = talloc_zero(gensec_security, struct schannel_state);
-	if (!state) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	state->state = SCHANNEL_STATE_START;
-	gensec_security->private_data = state;
-
-	return NT_STATUS_OK;
-}
-
 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
 {
-	NTSTATUS status;
-	struct schannel_state *state;
-
-	status = schannel_start(gensec_security);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	state = (struct schannel_state *)gensec_security->private_data;
-	state->initiator = false;
-
 	return NT_STATUS_OK;
 }
 
 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
 {
-	NTSTATUS status;
-	struct schannel_state *state;
-
-	status = schannel_start(gensec_security);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	state = (struct schannel_state *)gensec_security->private_data;
-	state->initiator = true;
-
 	return NT_STATUS_OK;
 }
 
-
 static bool schannel_have_feature(struct gensec_security *gensec_security,
 					 uint32_t feature)
 {
@@ -287,8 +249,8 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
 				       const DATA_BLOB *sig)
 {
 	struct schannel_state *state =
-		talloc_get_type(gensec_security->private_data,
-				struct schannel_state);
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
 
 	return netsec_incoming_packet(state, true,
 				      discard_const_p(uint8_t, data),
@@ -304,8 +266,8 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
 				      const DATA_BLOB *sig)
 {
 	struct schannel_state *state =
-		talloc_get_type(gensec_security->private_data,
-				struct schannel_state);
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
 
 	return netsec_incoming_packet(state, false,
 				      discard_const_p(uint8_t, data),
@@ -321,8 +283,8 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
 				     DATA_BLOB *sig)
 {
 	struct schannel_state *state =
-		talloc_get_type(gensec_security->private_data,
-				struct schannel_state);
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
 
 	return netsec_outgoing_packet(state, mem_ctx, true,
 				      data, length, sig);
@@ -338,8 +300,8 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
 				     DATA_BLOB *sig)
 {
 	struct schannel_state *state =
-		talloc_get_type(gensec_security->private_data,
-				struct schannel_state);
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
 
 	return netsec_outgoing_packet(state, mem_ctx, false,
 				      discard_const_p(uint8_t, data),
-- 
1.9.3


From 685f00cfd7be11f4c62441e17d6416b9a668bb47 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:25:20 +0200
Subject: [PATCH 077/249] s4:gensec/schannel: use the correct computer_name
 from netlogon_creds_CredentialState

We need to use the same computer_name we used in the netr_Authenticate3
request.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b5104768225ae0308aa3f22f8d9bca389ef3cb3a)
---
 source4/auth/gensec/schannel.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 3896a41..91f166b 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -94,17 +94,17 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 				      NL_FLAG_UTF8_DNS_DOMAIN_NAME |
 				      NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
 		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-		bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
+		bind_schannel.oem_netbios_computer.a = creds->computer_name;
 		bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
 		/* w2k3 refuses us if we use the full DNS workstation?
 		 why? perhaps because we don't fill in the dNSHostName
 		 attribute in the machine account? */
-		bind_schannel.utf8_netbios_computer = cli_credentials_get_workstation(gensec_security->credentials);
+		bind_schannel.utf8_netbios_computer = creds->computer_name;
 #else
 		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
 				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
 		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-		bind_schannel.oem_netbios_computer.a = cli_credentials_get_workstation(gensec_security->credentials);
+		bind_schannel.oem_netbios_computer.a = creds->computer_name;
 #endif
 
 		ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
-- 
1.9.3


From bd54e89fc5eb4d6afed3ef770dabf14a6ac6b060 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Aug 2013 11:21:32 +0200
Subject: [PATCH 078/249] s4:gensec/schannel: GENSEC_FEATURE_ASYNC_REPLIES is
 not supported

There's a sequence number attached to the connection,
which needs to be incremented with each message...

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a07049a839729e29ca888bae353cd37fd6238486)
---
 source4/auth/gensec/schannel.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 91f166b..7fc0c7c 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -234,9 +234,6 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
 	if (feature & GENSEC_FEATURE_DCE_STYLE) {
 		return true;
 	}
-	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
-		return true;
-	}
 	return false;
 }
 
-- 
1.9.3


From afcf626800e8aaf94878d62d1fd7318b2ffe21c1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Aug 2013 11:27:55 +0200
Subject: [PATCH 079/249] s4:gensec/schannel: there's no point in having
 schannel_session_key()

gensec_session_key() will return NT_STATUS_NO_USER_SESSION_KEY
before calling schannel_session_key(), as we don't provide
GENSEC_FEATURE_SESSION_KEY.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9b9ab1ae6963b3819dc2b095cbe9e1432f3459b7)
---
 source4/auth/gensec/schannel.c | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 7fc0c7c..ebf6469 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -42,13 +42,6 @@ static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t
 	return netsec_outgoing_sig_size(state);
 }
 
-static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
-				     TALLOC_CTX *mem_ctx,
-				     DATA_BLOB *session_key)
-{
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
-
 static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 				struct tevent_context *ev,
 				const DATA_BLOB in, DATA_BLOB *out)
@@ -315,7 +308,6 @@ static const struct gensec_security_ops gensec_schannel_security_ops = {
 	.sign_packet   	= schannel_sign_packet,
 	.check_packet	= schannel_check_packet,
 	.unseal_packet 	= schannel_unseal_packet,
-	.session_key	= schannel_session_key,
 	.session_info	= schannel_session_info,
 	.sig_size	= schannel_sig_size,
 	.have_feature   = schannel_have_feature,
-- 
1.9.3


From 56599b7019eabe3656bdba676214c74191ad068f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 3 Aug 2013 11:32:31 +0200
Subject: [PATCH 080/249] s4:gensec/schannel: only require
 librpc/gen_ndr/dcerpc.h

We just need DCERPC_AUTH_TYPE_SCHANNEL

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e90e1b5c76db4cf589adf8856eb32e5f0d955734)
---
 source4/auth/gensec/schannel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index ebf6469..e67432c 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -27,7 +27,7 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
-#include "librpc/rpc/dcerpc.h"
+#include "librpc/gen_ndr/dcerpc.h"
 #include "param/param.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 
-- 
1.9.3


From baa82a6ef22c1761c7206323e90781d008a7888b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 13:37:54 +0200
Subject: [PATCH 081/249] libcli/auth/schannel: make struct schannel_state
 private

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4c978b68d9a87001f625c10421e7d4cc140b4554)
---
 libcli/auth/schannel.h      | 13 -------------
 libcli/auth/schannel_sign.c | 12 ++++++++++++
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/libcli/auth/schannel.h b/libcli/auth/schannel.h
index 271b5bb..c53d68e 100644
--- a/libcli/auth/schannel.h
+++ b/libcli/auth/schannel.h
@@ -22,17 +22,4 @@
 
 #include "libcli/auth/libcli_auth.h"
 #include "libcli/auth/schannel_state.h"
-
-enum schannel_position {
-	SCHANNEL_STATE_START = 0,
-	SCHANNEL_STATE_UPDATE_1
-};
-
-struct schannel_state {
-	enum schannel_position state;
-	uint64_t seq_num;
-	bool initiator;
-	struct netlogon_creds_CredentialState *creds;
-};
-
 #include "libcli/auth/schannel_proto.h"
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index 518a6a9..88a6e1e 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -24,6 +24,18 @@
 #include "../libcli/auth/schannel.h"
 #include "../lib/crypto/crypto.h"
 
+enum schannel_position {
+	SCHANNEL_STATE_START = 0,
+	SCHANNEL_STATE_UPDATE_1
+};
+
+struct schannel_state {
+	enum schannel_position state;
+	uint64_t seq_num;
+	bool initiator;
+	struct netlogon_creds_CredentialState *creds;
+};
+
 #define SETUP_SEQNUM(state, buf, initiator) do { \
 	uint8_t *_buf = buf; \
 	uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
-- 
1.9.3


From 29806ef23a9826688ace1dc52cd7af554cf83294 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Aug 2013 15:42:21 +0200
Subject: [PATCH 082/249] libcli/auth/schannel: remove unused schannel_position

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 57bcbb9c50f0a0252110a1e04a2883b511cd9165)
---
 libcli/auth/schannel_sign.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
index 88a6e1e..9502cba 100644
--- a/libcli/auth/schannel_sign.c
+++ b/libcli/auth/schannel_sign.c
@@ -24,13 +24,7 @@
 #include "../libcli/auth/schannel.h"
 #include "../lib/crypto/crypto.h"
 
-enum schannel_position {
-	SCHANNEL_STATE_START = 0,
-	SCHANNEL_STATE_UPDATE_1
-};
-
 struct schannel_state {
-	enum schannel_position state;
 	uint64_t seq_num;
 	bool initiator;
 	struct netlogon_creds_CredentialState *creds;
@@ -58,7 +52,6 @@ struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	state->state = SCHANNEL_STATE_UPDATE_1;
 	state->initiator = initiator;
 	state->seq_num = 0;
 	state->creds = netlogon_creds_copy(state, creds);
-- 
1.9.3


From a6ad9118c250446ea9571f5ce9895b11ab8537ed Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 07:12:01 +0200
Subject: [PATCH 083/249] auth/gensec: introduce gensec_internal.h

We should treat most gensec related structures private.

It's a long way, but this is a start.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 71c63e85e7a09acb57f6b75284358f2b3b29eeed)
---
 auth/gensec/gensec.c                 |   1 +
 auth/gensec/gensec.h                 | 100 ++-------------------------
 auth/gensec/gensec_internal.h        | 127 +++++++++++++++++++++++++++++++++++
 auth/gensec/gensec_start.c           |   1 +
 auth/gensec/gensec_util.c            |   1 +
 auth/gensec/spnego.c                 |   1 +
 auth/ntlmssp/gensec_ntlmssp.c        |   1 +
 auth/ntlmssp/gensec_ntlmssp_server.c |   1 +
 auth/ntlmssp/ntlmssp.c               |   1 +
 auth/ntlmssp/ntlmssp_client.c        |   1 +
 auth/ntlmssp/ntlmssp_server.c        |   1 +
 source3/libads/authdata.c            |   1 +
 source3/librpc/crypto/gse.c          |   1 +
 source3/libsmb/ntlmssp_wrap.c        |   1 +
 source3/utils/ntlm_auth.c            |   1 +
 source4/auth/gensec/cyrus_sasl.c     |   1 +
 source4/auth/gensec/gensec_gssapi.c  |   1 +
 source4/auth/gensec/gensec_krb5.c    |   1 +
 source4/auth/gensec/pygensec.c       |   1 +
 source4/auth/gensec/schannel.c       |   1 +
 source4/ldap_server/ldap_backend.c   |   1 +
 source4/libcli/ldap/ldap_bind.c      |   1 +
 source4/torture/auth/ntlmssp.c       |   1 +
 source4/utils/ntlm_auth.c            |   1 +
 24 files changed, 153 insertions(+), 96 deletions(-)
 create mode 100644 auth/gensec/gensec_internal.h

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index 9a8f0ef..d364a34 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -26,6 +26,7 @@
 #include "lib/tsocket/tsocket.h"
 #include "lib/util/tevent_ntstatus.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "librpc/rpc/dcerpc.h"
 
 /*
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index c080861..5d39d81 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -76,6 +76,7 @@ struct gensec_settings;
 struct tevent_context;
 struct tevent_req;
 struct smb_krb5_context;
+struct tsocket_address;
 
 struct gensec_settings {
 	struct loadparm_context *lp_ctx;
@@ -93,106 +94,13 @@ struct gensec_settings {
 	const char *server_netbios_name;
 };
 
-struct gensec_security_ops {
-	const char *name;
-	const char *sasl_name;
-	uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
-	const char **oid;  /* NULL if not offered by SPNEGO */
-	NTSTATUS (*client_start)(struct gensec_security *gensec_security);
-	NTSTATUS (*server_start)(struct gensec_security *gensec_security);
-	/**
-	   Determine if a packet has the right 'magic' for this mechanism
-	*/
-	NTSTATUS (*magic)(struct gensec_security *gensec_security,
-			  const DATA_BLOB *first_packet);
-	NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
-			   struct tevent_context *ev,
-			   const DATA_BLOB in, DATA_BLOB *out);
-	NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-				uint8_t *data, size_t length,
-				const uint8_t *whole_pdu, size_t pdu_length,
-				DATA_BLOB *sig);
-	NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
-				const uint8_t *data, size_t length,
-				const uint8_t *whole_pdu, size_t pdu_length,
-				DATA_BLOB *sig);
-	size_t   (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
-	size_t   (*max_input_size)(struct gensec_security *gensec_security);
-	size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
-	NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
-				 const uint8_t *data, size_t length,
-				 const uint8_t *whole_pdu, size_t pdu_length,
-				 const DATA_BLOB *sig);
-	NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
-				  uint8_t *data, size_t length,
-				  const uint8_t *whole_pdu, size_t pdu_length,
-				  const DATA_BLOB *sig);
-	NTSTATUS (*wrap)(struct gensec_security *gensec_security,
-				  TALLOC_CTX *mem_ctx,
-				  const DATA_BLOB *in,
-				  DATA_BLOB *out);
-	NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
-			   TALLOC_CTX *mem_ctx,
-			   const DATA_BLOB *in,
-			   DATA_BLOB *out);
-	NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
-				 TALLOC_CTX *mem_ctx,
-				 const DATA_BLOB *in,
-				 DATA_BLOB *out,
-				 size_t *len_processed);
-	NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
-				   TALLOC_CTX *mem_ctx,
-				   const DATA_BLOB *in,
-				   DATA_BLOB *out,
-				   size_t *len_processed);
-	NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
-					DATA_BLOB blob, size_t *size);
-	NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
-				DATA_BLOB *session_key);
-	NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
-				 struct auth_session_info **session_info);
-	void (*want_feature)(struct gensec_security *gensec_security,
-				    uint32_t feature);
-	bool (*have_feature)(struct gensec_security *gensec_security,
-				    uint32_t feature);
-	NTTIME (*expire_time)(struct gensec_security *gensec_security);
-	bool enabled;
-	bool kerberos;
-	enum gensec_priority priority;
-};
-
-struct gensec_security_ops_wrapper {
-	const struct gensec_security_ops *op;
-	const char *oid;
-};
+struct gensec_security_ops;
+struct gensec_security_ops_wrapper;
 
 #define GENSEC_INTERFACE_VERSION 0
 
-struct gensec_security {
-	const struct gensec_security_ops *ops;
-	void *private_data;
-	struct cli_credentials *credentials;
-	struct gensec_target target;
-	enum gensec_role gensec_role;
-	bool subcontext;
-	uint32_t want_features;
-	uint32_t max_update_size;
-	uint8_t dcerpc_auth_level;
-	struct tsocket_address *local_addr, *remote_addr;
-	struct gensec_settings *settings;
-
-	/* When we are a server, this may be filled in to provide an
-	 * NTLM authentication backend, and user lookup (such as if no
-	 * PAC is found) */
-	struct auth4_context *auth_context;
-};
-
 /* this structure is used by backends to determine the size of some critical types */
-struct gensec_critical_sizes {
-	int interface_version;
-	int sizeof_gensec_security_ops;
-	int sizeof_gensec_security;
-};
+struct gensec_critical_sizes;
 const struct gensec_critical_sizes *gensec_interface_version(void);
 
 /* Socket wrapper */
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
new file mode 100644
index 0000000..41b6f0d
--- /dev/null
+++ b/auth/gensec/gensec_internal.h
@@ -0,0 +1,127 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Generic Authentication Interface
+
+   Copyright (C) Andrew Tridgell 2003
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef __GENSEC_INTERNAL_H__
+#define __GENSEC_INTERNAL_H__
+
+struct gensec_security;
+
+struct gensec_security_ops {
+	const char *name;
+	const char *sasl_name;
+	uint8_t auth_type;  /* 0 if not offered on DCE-RPC */
+	const char **oid;  /* NULL if not offered by SPNEGO */
+	NTSTATUS (*client_start)(struct gensec_security *gensec_security);
+	NTSTATUS (*server_start)(struct gensec_security *gensec_security);
+	/**
+	   Determine if a packet has the right 'magic' for this mechanism
+	*/
+	NTSTATUS (*magic)(struct gensec_security *gensec_security,
+			  const DATA_BLOB *first_packet);
+	NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+			   struct tevent_context *ev,
+			   const DATA_BLOB in, DATA_BLOB *out);
+	NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+				uint8_t *data, size_t length,
+				const uint8_t *whole_pdu, size_t pdu_length,
+				DATA_BLOB *sig);
+	NTSTATUS (*sign_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
+				const uint8_t *data, size_t length,
+				const uint8_t *whole_pdu, size_t pdu_length,
+				DATA_BLOB *sig);
+	size_t   (*sig_size)(struct gensec_security *gensec_security, size_t data_size);
+	size_t   (*max_input_size)(struct gensec_security *gensec_security);
+	size_t   (*max_wrapped_size)(struct gensec_security *gensec_security);
+	NTSTATUS (*check_packet)(struct gensec_security *gensec_security,
+				 const uint8_t *data, size_t length,
+				 const uint8_t *whole_pdu, size_t pdu_length,
+				 const DATA_BLOB *sig);
+	NTSTATUS (*unseal_packet)(struct gensec_security *gensec_security,
+				  uint8_t *data, size_t length,
+				  const uint8_t *whole_pdu, size_t pdu_length,
+				  const DATA_BLOB *sig);
+	NTSTATUS (*wrap)(struct gensec_security *gensec_security,
+				  TALLOC_CTX *mem_ctx,
+				  const DATA_BLOB *in,
+				  DATA_BLOB *out);
+	NTSTATUS (*unwrap)(struct gensec_security *gensec_security,
+			   TALLOC_CTX *mem_ctx,
+			   const DATA_BLOB *in,
+			   DATA_BLOB *out);
+	NTSTATUS (*wrap_packets)(struct gensec_security *gensec_security,
+				 TALLOC_CTX *mem_ctx,
+				 const DATA_BLOB *in,
+				 DATA_BLOB *out,
+				 size_t *len_processed);
+	NTSTATUS (*unwrap_packets)(struct gensec_security *gensec_security,
+				   TALLOC_CTX *mem_ctx,
+				   const DATA_BLOB *in,
+				   DATA_BLOB *out,
+				   size_t *len_processed);
+	NTSTATUS (*packet_full_request)(struct gensec_security *gensec_security,
+					DATA_BLOB blob, size_t *size);
+	NTSTATUS (*session_key)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
+				DATA_BLOB *session_key);
+	NTSTATUS (*session_info)(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx,
+				 struct auth_session_info **session_info);
+	void (*want_feature)(struct gensec_security *gensec_security,
+				    uint32_t feature);
+	bool (*have_feature)(struct gensec_security *gensec_security,
+				    uint32_t feature);
+	NTTIME (*expire_time)(struct gensec_security *gensec_security);
+	bool enabled;
+	bool kerberos;
+	enum gensec_priority priority;
+};
+
+struct gensec_security_ops_wrapper {
+	const struct gensec_security_ops *op;
+	const char *oid;
+};
+
+struct gensec_security {
+	const struct gensec_security_ops *ops;
+	void *private_data;
+	struct cli_credentials *credentials;
+	struct gensec_target target;
+	enum gensec_role gensec_role;
+	bool subcontext;
+	uint32_t want_features;
+	uint32_t max_update_size;
+	uint8_t dcerpc_auth_level;
+	struct tsocket_address *local_addr, *remote_addr;
+	struct gensec_settings *settings;
+
+	/* When we are a server, this may be filled in to provide an
+	 * NTLM authentication backend, and user lookup (such as if no
+	 * PAC is found) */
+	struct auth4_context *auth_context;
+};
+
+/* this structure is used by backends to determine the size of some critical types */
+struct gensec_critical_sizes {
+	int interface_version;
+	int sizeof_gensec_security_ops;
+	int sizeof_gensec_security;
+};
+
+#endif /* __GENSEC_H__ */
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index c2cfa1c..34029f5 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -27,6 +27,7 @@
 #include "librpc/rpc/dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "lib/param/param.h"
 #include "lib/util/tsort.h"
 #include "lib/util/samba_modules.h"
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 64952b1..568128a 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -22,6 +22,7 @@
 
 #include "includes.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
 #include "../lib/util/asn1.h"
 
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index da1fc0e..38a45f8 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -27,6 +27,7 @@
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "param/param.h"
 #include "lib/util/asn1.h"
 
diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
index 9e1d8a8..654c0e3 100644
--- a/auth/ntlmssp/gensec_ntlmssp.c
+++ b/auth/ntlmssp/gensec_ntlmssp.c
@@ -22,6 +22,7 @@
 #include "includes.h"
 #include "auth/ntlmssp/ntlmssp.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/ntlmssp/ntlmssp_private.h"
 
 NTSTATUS gensec_ntlmssp_magic(struct gensec_security *gensec_security,
diff --git a/auth/ntlmssp/gensec_ntlmssp_server.c b/auth/ntlmssp/gensec_ntlmssp_server.c
index f4dfab3..69c56fb 100644
--- a/auth/ntlmssp/gensec_ntlmssp_server.c
+++ b/auth/ntlmssp/gensec_ntlmssp_server.c
@@ -31,6 +31,7 @@
 #include "../libcli/auth/libcli_auth.h"
 #include "../lib/crypto/crypto.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
 #include "param/param.h"
 
diff --git a/auth/ntlmssp/ntlmssp.c b/auth/ntlmssp/ntlmssp.c
index 1a2d662..916b376 100644
--- a/auth/ntlmssp/ntlmssp.c
+++ b/auth/ntlmssp/ntlmssp.c
@@ -29,6 +29,7 @@ struct auth_session_info;
 #include "../libcli/auth/libcli_auth.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 
 /**
  * Callbacks for NTLMSSP - for both client and server operating modes
diff --git a/auth/ntlmssp/ntlmssp_client.c b/auth/ntlmssp/ntlmssp_client.c
index fc66a8d..f99257d 100644
--- a/auth/ntlmssp/ntlmssp_client.c
+++ b/auth/ntlmssp/ntlmssp_client.c
@@ -29,6 +29,7 @@ struct auth_session_info;
 #include "../libcli/auth/libcli_auth.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "param/param.h"
 #include "auth/ntlmssp/ntlmssp_private.h"
 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 57179e1..2f3f0bb 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -28,6 +28,7 @@
 #include "../libcli/auth/libcli_auth.h"
 #include "../lib/crypto/crypto.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/common_auth.h"
 
 /**
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 2c667a6..582917d 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -30,6 +30,7 @@
 #include "lib/param/param.h"
 #include "librpc/crypto/gse.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "../libcli/auth/spnego.h"
 
 #ifdef HAVE_KRB5
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 11a5457..8db3cdd 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -26,6 +26,7 @@
 #include "libads/kerberos_proto.h"
 #include "auth/common_auth.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/credentials/credentials.h"
 #include "../librpc/gen_ndr/dcerpc.h"
 
diff --git a/source3/libsmb/ntlmssp_wrap.c b/source3/libsmb/ntlmssp_wrap.c
index 9ce4b12..46f68ae 100644
--- a/source3/libsmb/ntlmssp_wrap.c
+++ b/source3/libsmb/ntlmssp_wrap.c
@@ -23,6 +23,7 @@
 #include "auth/ntlmssp/ntlmssp_private.h"
 #include "auth_generic.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/credentials/credentials.h"
 #include "librpc/rpc/dcerpc.h"
 #include "lib/param/param.h"
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index a5e0cd2..5fcb60e 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -32,6 +32,7 @@
 #include "../libcli/auth/spnego.h"
 #include "auth/ntlmssp/ntlmssp.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/credentials/credentials.h"
 #include "librpc/crypto/gse.h"
 #include "smb_krb5.h"
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index 2e733bf..08dccd6 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -23,6 +23,7 @@
 #include "lib/tsocket/tsocket.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/gensec/gensec_proto.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include <sasl/sasl.h>
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 4fc544f..63a53bf 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -34,6 +34,7 @@
 #include "auth/credentials/credentials.h"
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/gensec/gensec_proto.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index fbec64c..ecc3331 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -34,6 +34,7 @@
 #include "auth/credentials/credentials_krb5.h"
 #include "auth/kerberos/kerberos_credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/gensec/gensec_proto.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "param/param.h"
diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c
index 02e5ae2..fd6daff 100644
--- a/source4/auth/gensec/pygensec.c
+++ b/source4/auth/gensec/pygensec.c
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "param/pyparam.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "auth/credentials/pycredentials.h"
 #include "libcli/util/pyerrors.h"
 #include "python/modules.h"
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index e67432c..eb2e100 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -25,6 +25,7 @@
 #include "auth/auth.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
 #include "librpc/gen_ndr/dcerpc.h"
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 4a195e5..f0da82c 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -23,6 +23,7 @@
 #include "../lib/util/dlinklist.h"
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "param/param.h"
 #include "smbd/service_stream.h"
 #include "dsdb/samdb/samdb.h"
diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c
index b355e18..f0a498b 100644
--- a/source4/libcli/ldap/ldap_bind.c
+++ b/source4/libcli/ldap/ldap_bind.c
@@ -27,6 +27,7 @@
 #include "libcli/ldap/ldap_client.h"
 #include "lib/tls/tls.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "auth/gensec/gensec_socket.h"
 #include "auth/credentials/credentials.h"
 #include "lib/stream/packet.h"
diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c
index bdaa65b..45e5889 100644
--- a/source4/torture/auth/ntlmssp.c
+++ b/source4/torture/auth/ntlmssp.c
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
 #include "auth/ntlmssp/ntlmssp.h"
 #include "auth/ntlmssp/ntlmssp_private.h"
 #include "lib/cmdline/popt_common.h"
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 136e238..1e2feb0 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -27,6 +27,7 @@
 #include <ldb.h>
 #include "auth/credentials/credentials.h"
 #include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h" /* TODO: remove this */
 #include "auth/auth.h"
 #include "librpc/gen_ndr/ndr_netlogon.h"
 #include "auth/auth_sam.h"
-- 
1.9.3


From fabdf9f539385d97bc4bf2550e7fd4de2d1b5d01 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 10:37:26 +0200
Subject: [PATCH 084/249] auth/gensec: avoid talloc_reference in
 gensec_use_kerberos_mechs()

We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3e3534f882651880093381f5a7846c0938df6501)
---
 auth/gensec/gensec_start.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 34029f5..096ad36 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -80,13 +80,6 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
 		use_kerberos = cli_credentials_get_kerberos_state(creds);
 	}
 
-	if (use_kerberos == CRED_AUTO_USE_KERBEROS) {
-		if (!talloc_reference(mem_ctx, old_gensec_list)) {
-			return NULL;
-		}
-		return old_gensec_list;
-	}
-
 	for (num_mechs_in=0; old_gensec_list && old_gensec_list[num_mechs_in]; num_mechs_in++) {
 		/* noop */
 	}
@@ -99,35 +92,44 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
 	j = 0;
 	for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
 		int oid_idx;
-		bool found_spnego = false;
+		bool keep = false;
+
 		for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
 			if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
-				new_gensec_list[j] = old_gensec_list[i];
-				j++;
-				found_spnego = true;
+				keep = true;
 				break;
 			}
 		}
-		if (found_spnego) {
-			continue;
-		}
+
 		switch (use_kerberos) {
+		case CRED_AUTO_USE_KERBEROS:
+			keep = true;
+			break;
+
 		case CRED_DONT_USE_KERBEROS:
 			if (old_gensec_list[i]->kerberos == false) {
-				new_gensec_list[j] = old_gensec_list[i];
-				j++;
+				keep = true;
 			}
+
 			break;
+
 		case CRED_MUST_USE_KERBEROS:
 			if (old_gensec_list[i]->kerberos == true) {
-				new_gensec_list[j] = old_gensec_list[i];
-				j++;
+				keep = true;
 			}
+
 			break;
 		default:
 			/* Can't happen or invalid parameter */
 			return NULL;
 		}
+
+		if (!keep) {
+			continue;
+		}
+
+		new_gensec_list[j] = old_gensec_list[i];
+		j++;
 	}
 	new_gensec_list[j] = NULL;
 
-- 
1.9.3


From b71ed3dd183d64beda108d0881c03978ef4b3892 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 10:39:16 +0200
Subject: [PATCH 085/249] auth/gensec: avoid talloc_reference in
 gensec_security_mechs()

We now always copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6a7a44db5999af7262478eb1c186d784d6075beb)
---
 auth/gensec/gensec_start.c | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 096ad36..00e2759 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -140,28 +140,19 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
 				struct gensec_security *gensec_security,
 				TALLOC_CTX *mem_ctx)
 {
-	struct gensec_security_ops **backends;
-	if (!gensec_security) {
-		backends = gensec_security_all();
-		if (!talloc_reference(mem_ctx, backends)) {
-			return NULL;
-		}
-		return backends;
-	} else {
-		struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+	struct cli_credentials *creds = NULL;
+	struct gensec_security_ops **backends = gensec_security_all();
+
+	if (gensec_security != NULL) {
+		creds = gensec_get_credentials(gensec_security);
+
 		if (gensec_security->settings->backends) {
 			backends = gensec_security->settings->backends;
-		} else {
-			backends = gensec_security_all();
 		}
-		if (!creds) {
-			if (!talloc_reference(mem_ctx, backends)) {
-				return NULL;
-			}
-			return backends;
-		}
-		return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
 	}
+
+	return gensec_use_kerberos_mechs(mem_ctx, backends, creds);
+
 }
 
 static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
-- 
1.9.3


From fe6a14d48b0eb3dfcfc6d7f0b68e8f28b7ad9796 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 16:12:13 +0200
Subject: [PATCH 086/249] auth/gensec: make it possible to implement async
 backends

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e81550c8117166d0fbf69ba1d3957cb950c42961)
---
 auth/gensec/gensec.c          | 202 ++++++++++++++++++++++++++++++++----------
 auth/gensec/gensec_internal.h |   7 ++
 2 files changed, 160 insertions(+), 49 deletions(-)

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index d364a34..abcbcb9 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -218,61 +218,92 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
 				const DATA_BLOB in, DATA_BLOB *out)
 {
 	NTSTATUS status;
+	const struct gensec_security_ops *ops = gensec_security->ops;
+	TALLOC_CTX *frame = NULL;
+	struct tevent_req *subreq = NULL;
+	bool ok;
 
-	status = gensec_security->ops->update(gensec_security, out_mem_ctx,
-					      ev, in, out);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
+	if (ops->update_send == NULL) {
 
-	/*
-	 * Because callers using the
-	 * gensec_start_mech_by_auth_type() never call
-	 * gensec_want_feature(), it isn't sensible for them
-	 * to have to call gensec_have_feature() manually, and
-	 * these are not points of negotiation, but are
-	 * asserted by the client
-	 */
-	switch (gensec_security->dcerpc_auth_level) {
-	case DCERPC_AUTH_LEVEL_INTEGRITY:
-		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-			DEBUG(0,("Did not manage to negotiate mandetory feature "
-				 "SIGN for dcerpc auth_level %u\n",
-				 gensec_security->dcerpc_auth_level));
-			return NT_STATUS_ACCESS_DENIED;
-		}
-		break;
-	case DCERPC_AUTH_LEVEL_PRIVACY:
-		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
-			DEBUG(0,("Did not manage to negotiate mandetory feature "
-				 "SIGN for dcerpc auth_level %u\n",
-				 gensec_security->dcerpc_auth_level));
-			return NT_STATUS_ACCESS_DENIED;
+		status = ops->update(gensec_security, out_mem_ctx,
+				     ev, in, out);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
 		}
-		if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
-			DEBUG(0,("Did not manage to negotiate mandetory feature "
-				 "SEAL for dcerpc auth_level %u\n",
-				 gensec_security->dcerpc_auth_level));
-			return NT_STATUS_ACCESS_DENIED;
+
+		/*
+		 * Because callers using the
+		 * gensec_start_mech_by_auth_type() never call
+		 * gensec_want_feature(), it isn't sensible for them
+		 * to have to call gensec_have_feature() manually, and
+		 * these are not points of negotiation, but are
+		 * asserted by the client
+		 */
+		switch (gensec_security->dcerpc_auth_level) {
+		case DCERPC_AUTH_LEVEL_INTEGRITY:
+			if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+				DEBUG(0,("Did not manage to negotiate mandetory feature "
+					 "SIGN for dcerpc auth_level %u\n",
+					 gensec_security->dcerpc_auth_level));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+			break;
+		case DCERPC_AUTH_LEVEL_PRIVACY:
+			if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SIGN)) {
+				DEBUG(0,("Did not manage to negotiate mandetory feature "
+					 "SIGN for dcerpc auth_level %u\n",
+					 gensec_security->dcerpc_auth_level));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+			if (!gensec_have_feature(gensec_security, GENSEC_FEATURE_SEAL)) {
+				DEBUG(0,("Did not manage to negotiate mandetory feature "
+					 "SEAL for dcerpc auth_level %u\n",
+					 gensec_security->dcerpc_auth_level));
+				return NT_STATUS_ACCESS_DENIED;
+			}
+			break;
+		default:
+			break;
 		}
-		break;
-	default:
-		break;
+
+		return NT_STATUS_OK;
 	}
 
-	return NT_STATUS_OK;
+	frame = talloc_stackframe();
+
+	subreq = ops->update_send(frame, ev, gensec_security, in);
+	if (subreq == NULL) {
+		goto fail;
+	}
+	ok = tevent_req_poll_ntstatus(subreq, ev, &status);
+	if (!ok) {
+		goto fail;
+	}
+	status = ops->update_recv(subreq, out_mem_ctx, out);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
 }
 
 struct gensec_update_state {
-	struct tevent_immediate *im;
+	const struct gensec_security_ops *ops;
+	struct tevent_req *subreq;
 	struct gensec_security *gensec_security;
-	DATA_BLOB in;
 	DATA_BLOB out;
+
+	/*
+	 * only for sync backends, we should remove this
+	 * once all backends are async.
+	 */
+	struct tevent_immediate *im;
+	DATA_BLOB in;
 };
 
 static void gensec_update_async_trigger(struct tevent_context *ctx,
 					struct tevent_immediate *im,
 					void *private_data);
+static void gensec_update_subreq_done(struct tevent_req *subreq);
+
 /**
  * Next state function for the GENSEC state machine async version
  *
@@ -298,17 +329,31 @@ _PUBLIC_ struct tevent_req *gensec_update_send(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
-	state->gensec_security		= gensec_security;
-	state->in			= in;
-	state->out			= data_blob(NULL, 0);
-	state->im			= tevent_create_immediate(state);
-	if (tevent_req_nomem(state->im, req)) {
+	state->ops = gensec_security->ops;
+	state->gensec_security = gensec_security;
+
+	if (state->ops->update_send == NULL) {
+		state->in = in;
+		state->im = tevent_create_immediate(state);
+		if (tevent_req_nomem(state->im, req)) {
+			return tevent_req_post(req, ev);
+		}
+
+		tevent_schedule_immediate(state->im, ev,
+					  gensec_update_async_trigger,
+					  req);
+
+		return req;
+	}
+
+	state->subreq = state->ops->update_send(state, ev, gensec_security, in);
+	if (tevent_req_nomem(state->subreq, req)) {
 		return tevent_req_post(req, ev);
 	}
 
-	tevent_schedule_immediate(state->im, ev,
-				  gensec_update_async_trigger,
-				  req);
+	tevent_req_set_callback(state->subreq,
+				gensec_update_subreq_done,
+				req);
 
 	return req;
 }
@@ -323,12 +368,71 @@ static void gensec_update_async_trigger(struct tevent_context *ctx,
 		tevent_req_data(req, struct gensec_update_state);
 	NTSTATUS status;
 
-	status = gensec_update(state->gensec_security, state, ctx,
-			       state->in, &state->out);
+	status = state->ops->update(state->gensec_security, state, ctx,
+				    state->in, &state->out);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
+static void gensec_update_subreq_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct gensec_update_state *state =
+		tevent_req_data(req,
+		struct gensec_update_state);
+	NTSTATUS status;
+
+	state->subreq = NULL;
+
+	status = state->ops->update_recv(subreq, state, &state->out);
+	TALLOC_FREE(subreq);
 	if (tevent_req_nterror(req, status)) {
 		return;
 	}
 
+	/*
+	 * Because callers using the
+	 * gensec_start_mech_by_authtype() never call
+	 * gensec_want_feature(), it isn't sensible for them
+	 * to have to call gensec_have_feature() manually, and
+	 * these are not points of negotiation, but are
+	 * asserted by the client
+	 */
+	switch (state->gensec_security->dcerpc_auth_level) {
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+		if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
+			DEBUG(0,("Did not manage to negotiate mandetory feature "
+				 "SIGN for dcerpc auth_level %u\n",
+				 state->gensec_security->dcerpc_auth_level));
+			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+			return;
+		}
+		break;
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SIGN)) {
+			DEBUG(0,("Did not manage to negotiate mandetory feature "
+				 "SIGN for dcerpc auth_level %u\n",
+				 state->gensec_security->dcerpc_auth_level));
+			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+			return;
+		}
+		if (!gensec_have_feature(state->gensec_security, GENSEC_FEATURE_SEAL)) {
+			DEBUG(0,("Did not manage to negotiate mandetory feature "
+				 "SEAL for dcerpc auth_level %u\n",
+				 state->gensec_security->dcerpc_auth_level));
+			tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+			return;
+		}
+		break;
+	default:
+		break;
+	}
+
 	tevent_req_done(req);
 }
 
diff --git a/auth/gensec/gensec_internal.h b/auth/gensec/gensec_internal.h
index 41b6f0d..c04164a 100644
--- a/auth/gensec/gensec_internal.h
+++ b/auth/gensec/gensec_internal.h
@@ -40,6 +40,13 @@ struct gensec_security_ops {
 	NTSTATUS (*update)(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
 			   struct tevent_context *ev,
 			   const DATA_BLOB in, DATA_BLOB *out);
+	struct tevent_req *(*update_send)(TALLOC_CTX *mem_ctx,
+					  struct tevent_context *ev,
+					  struct gensec_security *gensec_security,
+					  const DATA_BLOB in);
+	NTSTATUS (*update_recv)(struct tevent_req *req,
+				TALLOC_CTX *out_mem_ctx,
+				DATA_BLOB *out);
 	NTSTATUS (*seal_packet)(struct gensec_security *gensec_security, TALLOC_CTX *sig_mem_ctx,
 				uint8_t *data, size_t length,
 				const uint8_t *whole_pdu, size_t pdu_length,
-- 
1.9.3


From aa559f2fc6f228fba268adafa92392dff8152747 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 11:10:55 +0200
Subject: [PATCH 087/249] auth/gensec: use 'const char * const *' for function
 parameters

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c81b6f7448d7f945635784de645bea4f7f2e230f)
---
 auth/gensec/gensec.h       | 2 +-
 auth/gensec/gensec_start.c | 2 +-
 auth/gensec/spnego.c       | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index 5d39d81..d0bc451 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -184,7 +184,7 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 					struct gensec_security *gensec_security,
 					TALLOC_CTX *mem_ctx,
-					const char **oid_strings,
+					const char * const *oid_strings,
 					const char *skip);
 const char **gensec_security_oids(struct gensec_security *gensec_security,
 				  TALLOC_CTX *mem_ctx,
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 00e2759..2874c13 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -373,7 +373,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
 _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 					struct gensec_security *gensec_security,
 					TALLOC_CTX *mem_ctx,
-					const char **oid_strings,
+					const char * const *oid_strings,
 					const char *skip)
 {
 	struct gensec_security_ops_wrapper *backends_out;
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 38a45f8..0eb6da1 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -417,7 +417,7 @@ static NTSTATUS gensec_spnego_parse_negTokenInit(struct gensec_security *gensec_
 						 struct spnego_state *spnego_state, 
 						 TALLOC_CTX *out_mem_ctx, 
 						 struct tevent_context *ev,
-						 const char **mechType,
+						 const char * const *mechType,
 						 const DATA_BLOB unwrapped_in, DATA_BLOB *unwrapped_out) 
 {
 	int i;
-- 
1.9.3


From a2e14962e1eeebaac2fb4539794a454b0f486869 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 11:20:21 +0200
Subject: [PATCH 088/249] auth/gensec: treat struct gensec_security_ops as
 const if possible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 966faef9c61d2ec02d75fc3ccc82a61524fb77e4)
---
 auth/gensec/gensec.h               | 14 +++++-----
 auth/gensec/gensec_start.c         | 52 ++++++++++++++++++++------------------
 auth/gensec/spnego.c               |  8 +++---
 source3/auth/auth_generic.c        | 15 ++++++-----
 source3/libads/authdata.c          | 11 ++++----
 source3/libsmb/auth_generic.c      | 15 ++++++-----
 source3/utils/ntlm_auth.c          | 22 ++++++++--------
 source4/ldap_server/ldap_backend.c |  4 +--
 8 files changed, 75 insertions(+), 66 deletions(-)

diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index d0bc451..ac1fadf 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -85,7 +85,7 @@ struct gensec_settings {
 	/* this allows callers to specify a specific set of ops that
 	 * should be used, rather than those loaded by the plugin
 	 * mechanism */
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops * const *backends;
 
 	/* To fill in our own name in the NTLMSSP server */
 	const char *server_dns_domain;
@@ -179,7 +179,7 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
 const struct gensec_security_ops *gensec_security_by_auth_type(
 				struct gensec_security *gensec_security,
 				uint32_t auth_type);
-struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
+const struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gensec_security,
 						   TALLOC_CTX *mem_ctx);
 const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 					struct gensec_security *gensec_security,
@@ -243,11 +243,11 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
 		     const DATA_BLOB *in,
 		     DATA_BLOB *out);
 
-struct gensec_security_ops **gensec_security_all(void);
-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security);
-struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-						       struct gensec_security_ops **old_gensec_list,
-						       struct cli_credentials *creds);
+const struct gensec_security_ops * const *gensec_security_all(void);
+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security);
+const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+			const struct gensec_security_ops * const *old_gensec_list,
+			struct cli_credentials *creds);
 
 NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
 					const char *sasl_name);
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 2874c13..3ae64d5 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -33,17 +33,17 @@
 #include "lib/util/samba_modules.h"
 
 /* the list of currently registered GENSEC backends */
-static struct gensec_security_ops **generic_security_ops;
+static const struct gensec_security_ops **generic_security_ops;
 static int gensec_num_backends;
 
 /* Return all the registered mechs.  Don't modify the return pointer,
- * but you may talloc_reference it if convient */
-_PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
+ * but you may talloc_referen it if convient */
+_PUBLIC_ const struct gensec_security_ops * const *gensec_security_all(void)
 {
 	return generic_security_ops;
 }
 
-bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
+bool gensec_security_ops_enabled(const struct gensec_security_ops *ops, struct gensec_security *security)
 {
 	return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
 }
@@ -68,11 +68,11 @@ bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_
  * more compplex.
  */
 
-_PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
-						       struct gensec_security_ops **old_gensec_list,
-						       struct cli_credentials *creds)
+_PUBLIC_ const struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
+			const struct gensec_security_ops * const *old_gensec_list,
+			struct cli_credentials *creds)
 {
-	struct gensec_security_ops **new_gensec_list;
+	const struct gensec_security_ops **new_gensec_list;
 	int i, j, num_mechs_in;
 	enum credentials_use_kerberos use_kerberos = CRED_AUTO_USE_KERBEROS;
 
@@ -84,7 +84,9 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
 		/* noop */
 	}
 
-	new_gensec_list = talloc_array(mem_ctx, struct gensec_security_ops *, num_mechs_in + 1);
+	new_gensec_list = talloc_array(mem_ctx,
+				       const struct gensec_security_ops *,
+				       num_mechs_in + 1);
 	if (!new_gensec_list) {
 		return NULL;
 	}
@@ -136,12 +138,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
 	return new_gensec_list;
 }
 
-_PUBLIC_ struct gensec_security_ops **gensec_security_mechs(
+_PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
 				struct gensec_security *gensec_security,
 				TALLOC_CTX *mem_ctx)
 {
 	struct cli_credentials *creds = NULL;
-	struct gensec_security_ops **backends = gensec_security_all();
+	const struct gensec_security_ops * const *backends = gensec_security_all();
 
 	if (gensec_security != NULL) {
 		creds = gensec_get_credentials(gensec_security);
@@ -159,7 +161,7 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
 								     uint8_t auth_type)
 {
 	int i;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	const struct gensec_security_ops *backend;
 	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
 	if (!mem_ctx) {
@@ -185,7 +187,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
 				const char *oid_string)
 {
 	int i, j;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	const struct gensec_security_ops *backend;
 	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
 	if (!mem_ctx) {
@@ -218,7 +220,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_sasl_name(
 				const char *sasl_name)
 {
 	int i;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	const struct gensec_security_ops *backend;
 	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
 	if (!mem_ctx) {
@@ -245,7 +247,7 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
 				uint32_t auth_type)
 {
 	int i;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	const struct gensec_security_ops *backend;
 	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
 	if (!mem_ctx) {
@@ -270,7 +272,7 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
 								 const char *name)
 {
 	int i;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	const struct gensec_security_ops *backend;
 	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
 	if (!mem_ctx) {
@@ -306,7 +308,7 @@ static const struct gensec_security_ops **gensec_security_by_sasl_list(
 	const char **sasl_names)
 {
 	const struct gensec_security_ops **backends_out;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	int i, k, sasl_idx;
 	int num_backends_out = 0;
 
@@ -377,7 +379,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 					const char *skip)
 {
 	struct gensec_security_ops_wrapper *backends_out;
-	struct gensec_security_ops **backends;
+	const struct gensec_security_ops **backends;
 	int i, j, k, oid_idx;
 	int num_backends_out = 0;
 
@@ -451,7 +453,7 @@ _PUBLIC_ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(
 static const char **gensec_security_oids_from_ops(
 	struct gensec_security *gensec_security,
 	TALLOC_CTX *mem_ctx,
-	struct gensec_security_ops **ops,
+	const struct gensec_security_ops * const *ops,
 	const char *skip)
 {
 	int i;
@@ -542,8 +544,10 @@ _PUBLIC_ const char **gensec_security_oids(struct gensec_security *gensec_securi
 					   TALLOC_CTX *mem_ctx,
 					   const char *skip)
 {
-	struct gensec_security_ops **ops
-		= gensec_security_mechs(gensec_security, mem_ctx);
+	const struct gensec_security_ops **ops;
+
+	ops = gensec_security_mechs(gensec_security, mem_ctx);
+
 	return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
 }
 
@@ -876,13 +880,13 @@ _PUBLIC_ NTSTATUS gensec_register(const struct gensec_security_ops *ops)
 
 	generic_security_ops = talloc_realloc(talloc_autofree_context(),
 					      generic_security_ops,
-					      struct gensec_security_ops *,
+					      const struct gensec_security_ops *,
 					      gensec_num_backends+2);
 	if (!generic_security_ops) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	generic_security_ops[gensec_num_backends] = discard_const_p(struct gensec_security_ops, ops);
+	generic_security_ops[gensec_num_backends] = ops;
 	gensec_num_backends++;
 	generic_security_ops[gensec_num_backends] = NULL;
 
@@ -908,7 +912,7 @@ _PUBLIC_ const struct gensec_critical_sizes *gensec_interface_version(void)
 	return &critical_sizes;
 }
 
-static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ops **gs2) {
+static int sort_gensec(const struct gensec_security_ops **gs1, const struct gensec_security_ops **gs2) {
 	return (*gs2)->priority - (*gs1)->priority;
 }
 
diff --git a/auth/gensec/spnego.c b/auth/gensec/spnego.c
index 0eb6da1..d90a50c 100644
--- a/auth/gensec/spnego.c
+++ b/auth/gensec/spnego.c
@@ -352,9 +352,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
 						  const DATA_BLOB in, DATA_BLOB *out) 
 {
 	int i,j;
-	struct gensec_security_ops **all_ops
-		= gensec_security_mechs(gensec_security, out_mem_ctx);
-	for (i=0; all_ops[i]; i++) {
+	const struct gensec_security_ops **all_ops;
+
+	all_ops = gensec_security_mechs(gensec_security, out_mem_ctx);
+
+	for (i=0; all_ops && all_ops[i]; i++) {
 		bool is_spnego;
 		NTSTATUS nt_status;
 
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index a2ba4e3..e15c87e 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -203,6 +203,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 			return nt_status;
 		}
 	} else {
+		const struct gensec_security_ops **backends = NULL;
 		struct gensec_settings *gensec_settings;
 		struct loadparm_context *lp_ctx;
 		size_t idx = 0;
@@ -259,24 +260,24 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		gensec_settings->backends = talloc_zero_array(gensec_settings,
-						struct gensec_security_ops *, 4);
-		if (gensec_settings->backends == NULL) {
+		backends = talloc_zero_array(gensec_settings,
+					     const struct gensec_security_ops *, 4);
+		if (backends == NULL) {
 			TALLOC_FREE(tmp_ctx);
 			return NT_STATUS_NO_MEMORY;
 		}
+		gensec_settings->backends = backends;
 
 		gensec_init();
 
 		/* These need to be in priority order, krb5 before NTLMSSP */
 #if defined(HAVE_KRB5)
-		gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
+		backends[idx++] = &gensec_gse_krb5_security_ops;
 #endif
 
-		gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+		backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
 
-		gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
-							GENSEC_OID_SPNEGO);
+		backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
 
 		/*
 		 * This is anonymous for now, because we just use it
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 582917d..801e551 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -111,7 +111,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	const char *cc = "MEMORY:kerberos_return_pac";
 	struct auth_session_info *session_info;
 	struct gensec_security *gensec_server_context;
-
+	const struct gensec_security_ops **backends;
 	struct gensec_settings *gensec_settings;
 	size_t idx = 0;
 	struct auth4_context *auth_context;
@@ -230,16 +230,17 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
-	gensec_settings->backends = talloc_zero_array(gensec_settings,
-						      struct gensec_security_ops *, 2);
-	if (gensec_settings->backends == NULL) {
+	backends = talloc_zero_array(gensec_settings,
+				     const struct gensec_security_ops *, 2);
+	if (backends == NULL) {
 		status = NT_STATUS_NO_MEMORY;
 		goto out;
 	}
+	gensec_settings->backends = backends;
 
 	gensec_init();
 
-	gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
+	backends[idx++] = &gensec_gse_krb5_security_ops;
 
 	status = gensec_server_start(tmp_ctx, gensec_settings,
 					auth_context, &gensec_server_context);
diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
index ba0a0ce..e30c1b7 100644
--- a/source3/libsmb/auth_generic.c
+++ b/source3/libsmb/auth_generic.c
@@ -54,6 +54,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
 	NTSTATUS nt_status;
 	size_t idx = 0;
 	struct gensec_settings *gensec_settings;
+	const struct gensec_security_ops **backends = NULL;
 	struct loadparm_context *lp_ctx;
 
 	ans = talloc_zero(mem_ctx, struct auth_generic_state);
@@ -76,24 +77,24 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	gensec_settings->backends = talloc_zero_array(gensec_settings,
-					struct gensec_security_ops *, 4);
-	if (gensec_settings->backends == NULL) {
+	backends = talloc_zero_array(gensec_settings,
+				     const struct gensec_security_ops *, 4);
+	if (backends == NULL) {
 		TALLOC_FREE(ans);
 		return NT_STATUS_NO_MEMORY;
 	}
+	gensec_settings->backends = backends;
 
 	gensec_init();
 
 	/* These need to be in priority order, krb5 before NTLMSSP */
 #if defined(HAVE_KRB5)
-	gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
+	backends[idx++] = &gensec_gse_krb5_security_ops;
 #endif
 
-	gensec_settings->backends[idx++] = &gensec_ntlmssp3_client_ops;
+	backends[idx++] = &gensec_ntlmssp3_client_ops;
 
-	gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
-						GENSEC_OID_SPNEGO);
+	backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
 
 	nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
 
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 5fcb60e..25e717c 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1035,7 +1035,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
 	NTSTATUS nt_status;
 
 	TALLOC_CTX *tmp_ctx;
-
+	const struct gensec_security_ops **backends;
 	struct gensec_settings *gensec_settings;
 	size_t idx = 0;
 	struct cli_credentials *server_credentials;
@@ -1079,26 +1079,26 @@ static NTSTATUS ntlm_auth_start_ntlmssp_server(TALLOC_CTX *mem_ctx,
 	gensec_settings->server_dns_name = strlower_talloc(gensec_settings,
 							   get_mydnsfullname());
 	
-	gensec_settings->backends = talloc_zero_array(gensec_settings,
-						      struct gensec_security_ops *, 4);
+	backends = talloc_zero_array(gensec_settings,
+				     const struct gensec_security_ops *, 4);
 	
-	if (gensec_settings->backends == NULL) {
+	if (backends == NULL) {
 		TALLOC_FREE(tmp_ctx);
 		return NT_STATUS_NO_MEMORY;
 	}
-	
+	gensec_settings->backends = backends;
+
 	gensec_init();
 	
 	/* These need to be in priority order, krb5 before NTLMSSP */
 #if defined(HAVE_KRB5)
-	gensec_settings->backends[idx++] = &gensec_gse_krb5_security_ops;
+	backends[idx++] = &gensec_gse_krb5_security_ops;
 #endif
-	
-	gensec_settings->backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
 
-	gensec_settings->backends[idx++] = gensec_security_by_oid(NULL,
-								  GENSEC_OID_SPNEGO);
-	
+	backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_NTLMSSP);
+
+	backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+
 	/*
 	 * This is anonymous for now, because we just use it
 	 * to set the kerberos state at the moment
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index f0da82c..3432594 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -192,8 +192,8 @@ NTSTATUS ldapsrv_backend_Init(struct ldapsrv_connection *conn)
 
 	if (conn->server_credentials) {
 		char **sasl_mechs = NULL;
-		struct gensec_security_ops **backends = gensec_security_all();
-		struct gensec_security_ops **ops
+		const struct gensec_security_ops * const *backends = gensec_security_all();
+		const struct gensec_security_ops **ops
 			= gensec_use_kerberos_mechs(conn, backends, conn->server_credentials);
 		unsigned int i, j = 0;
 		for (i = 0; ops && ops[i]; i++) {
-- 
1.9.3


From 6a58d4f4cb60bf25c1493ef0aedd5978abc06969 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 10:43:38 +0200
Subject: [PATCH 089/249] libcli/auth: avoid possible mem leak in
 read_negTokenInit()

Also add error checks.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f1e60142e12deb560e3c62441fd9ff2acd086b60)
---
 libcli/auth/spnego_parse.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index 3bf7aea..2c73613 100644
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -46,13 +46,24 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
 			asn1_start_tag(asn1, ASN1_CONTEXT(0));
 			asn1_start_tag(asn1, ASN1_SEQUENCE(0));
 
-			token->mechTypes = talloc(NULL, const char *);
+			token->mechTypes = talloc(mem_ctx, const char *);
+			if (token->mechTypes == NULL) {
+				asn1->has_error = true;
+				return false;
+			}
 			for (i = 0; !asn1->has_error &&
 				     0 < asn1_tag_remaining(asn1); i++) {
 				char *oid;
-				token->mechTypes = talloc_realloc(NULL,
-								  token->mechTypes,
-								  const char *, i+2);
+				const char **p;
+				p = talloc_realloc(mem_ctx,
+						   token->mechTypes,
+						   const char *, i+2);
+				if (p == NULL) {
+					TALLOC_FREE(token->mechTypes);
+					asn1->has_error = true;
+					return false;
+				}
+				token->mechTypes = p;
 				asn1_read_OID(asn1, token->mechTypes, &oid);
 				token->mechTypes[i] = oid;
 			}
-- 
1.9.3


From 8835471a993521e49aa48ef55f324874e1933108 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Aug 2013 10:46:47 +0200
Subject: [PATCH 090/249] libcli/auth: add more const to
 spnego_negTokenInit->mechTypes

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Aug 10 11:11:54 CEST 2013 on sn-devel-104
(cherry picked from commit 9177a0d1c1c92c45ef92fbda55fc6dd8aeb76b6c)
---
 libcli/auth/spnego.h       |  2 +-
 libcli/auth/spnego_parse.c | 27 ++++++++++++++++-----------
 libcli/auth/spnego_proto.h |  2 +-
 source3/utils/ntlm_auth.c  |  2 +-
 4 files changed, 19 insertions(+), 14 deletions(-)

diff --git a/libcli/auth/spnego.h b/libcli/auth/spnego.h
index 9a93f2e..539b903 100644
--- a/libcli/auth/spnego.h
+++ b/libcli/auth/spnego.h
@@ -49,7 +49,7 @@ enum spnego_negResult {
 };
 
 struct spnego_negTokenInit {
-	const char **mechTypes;
+	const char * const *mechTypes;
 	DATA_BLOB reqFlags;
 	uint8_t reqFlagsPadding;
 	DATA_BLOB mechToken;
diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index 2c73613..b1ca07d 100644
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -42,12 +42,14 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
 
 		switch (context) {
 		/* Read mechTypes */
-		case ASN1_CONTEXT(0):
+		case ASN1_CONTEXT(0): {
+			const char **mechTypes;
+
 			asn1_start_tag(asn1, ASN1_CONTEXT(0));
 			asn1_start_tag(asn1, ASN1_SEQUENCE(0));
 
-			token->mechTypes = talloc(mem_ctx, const char *);
-			if (token->mechTypes == NULL) {
+			mechTypes = talloc(mem_ctx, const char *);
+			if (mechTypes == NULL) {
 				asn1->has_error = true;
 				return false;
 			}
@@ -56,22 +58,25 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
 				char *oid;
 				const char **p;
 				p = talloc_realloc(mem_ctx,
-						   token->mechTypes,
+						   mechTypes,
 						   const char *, i+2);
 				if (p == NULL) {
-					TALLOC_FREE(token->mechTypes);
+					talloc_free(mechTypes);
 					asn1->has_error = true;
 					return false;
 				}
-				token->mechTypes = p;
-				asn1_read_OID(asn1, token->mechTypes, &oid);
-				token->mechTypes[i] = oid;
+				mechTypes = p;
+
+				asn1_read_OID(asn1, mechTypes, &oid);
+				mechTypes[i] = oid;
 			}
-			token->mechTypes[i] = NULL;
+			mechTypes[i] = NULL;
+			token->mechTypes = mechTypes;
 
 			asn1_end_tag(asn1);
 			asn1_end_tag(asn1);
 			break;
+		}
 		/* Read reqFlags */
 		case ASN1_CONTEXT(1):
 			asn1_start_tag(asn1, ASN1_CONTEXT(1));
@@ -366,7 +371,7 @@ bool spnego_free_data(struct spnego_data *spnego)
 	switch(spnego->type) {
 	case SPNEGO_NEG_TOKEN_INIT:
 		if (spnego->negTokenInit.mechTypes) {
-			talloc_free(spnego->negTokenInit.mechTypes);
+			talloc_free(discard_const(spnego->negTokenInit.mechTypes));
 		}
 		data_blob_free(&spnego->negTokenInit.reqFlags);
 		data_blob_free(&spnego->negTokenInit.mechToken);
@@ -390,7 +395,7 @@ out:
 }
 
 bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
-			     const char **mech_types,
+			     const char * const *mech_types,
 			     DATA_BLOB *blob)
 {
 	struct asn1_data *asn1 = asn1_init(mem_ctx);
diff --git a/libcli/auth/spnego_proto.h b/libcli/auth/spnego_proto.h
index 5fd5e59..c0fa934 100644
--- a/libcli/auth/spnego_proto.h
+++ b/libcli/auth/spnego_proto.h
@@ -24,5 +24,5 @@ ssize_t spnego_read_data(TALLOC_CTX *mem_ctx, DATA_BLOB data, struct spnego_data
 ssize_t spnego_write_data(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, struct spnego_data *spnego);
 bool spnego_free_data(struct spnego_data *spnego);
 bool spnego_write_mech_types(TALLOC_CTX *mem_ctx,
-			     const char **mech_types,
+			     const char * const *mech_types,
 			     DATA_BLOB *blob);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 25e717c..1df615c 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -2058,7 +2058,7 @@ static void manage_gss_spnego_client_request(enum stdio_helper_mode stdio_helper
 
 		/* The server offers a list of mechanisms */
 
-		const char **mechType = (const char **)spnego.negTokenInit.mechTypes;
+		const char *const *mechType = spnego.negTokenInit.mechTypes;
 
 		while (*mechType != NULL) {
 
-- 
1.9.3


From c06bb0c3d2c032f8b4848c75baa1fd900650866a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 9 Aug 2013 10:15:05 +0200
Subject: [PATCH 091/249] auth/credentials: make sure
 cli_credentials_get_nt_hash() always returns a talloc object

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 auth/credentials/credentials.c | 19 ++++++++++++++-----
 auth/credentials/credentials.h |  4 ++--
 2 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index be497bc..57a7c0b 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -471,8 +471,8 @@ _PUBLIC_ bool cli_credentials_set_old_password(struct cli_credentials *cred,
  * @param cred credentials context
  * @retval If set, the cleartext password, otherwise NULL
  */
-_PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, 
-							TALLOC_CTX *mem_ctx)
+_PUBLIC_ struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+							   TALLOC_CTX *mem_ctx)
 {
 	const char *password = cli_credentials_get_password(cred);
 
@@ -481,13 +481,22 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred
 		if (!nt_hash) {
 			return NULL;
 		}
-		
+
 		E_md4hash(password, nt_hash->hash);    
 
 		return nt_hash;
-	} else {
-		return cred->nt_hash;
+	} else if (cred->nt_hash != NULL) {
+		struct samr_Password *nt_hash = talloc(mem_ctx, struct samr_Password);
+		if (!nt_hash) {
+			return NULL;
+		}
+
+		*nt_hash = *cred->nt_hash;
+
+		return nt_hash;
 	}
+
+	return NULL;
 }
 
 /**
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index cb09dc3..766a513 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -141,8 +141,8 @@ bool cli_credentials_set_password(struct cli_credentials *cred,
 				  enum credentials_obtained obtained);
 struct cli_credentials *cli_credentials_init_anon(TALLOC_CTX *mem_ctx);
 void cli_credentials_parse_string(struct cli_credentials *credentials, const char *data, enum credentials_obtained obtained);
-const struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred, 
-							TALLOC_CTX *mem_ctx);
+struct samr_Password *cli_credentials_get_nt_hash(struct cli_credentials *cred,
+						  TALLOC_CTX *mem_ctx);
 bool cli_credentials_set_realm(struct cli_credentials *cred, 
 			       const char *val, 
 			       enum credentials_obtained obtained);
-- 
1.9.3


From 8a3ed9f72ef9f9de32da4d454b866d64eb24ee17 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@symas.com>
Date: Tue, 17 Sep 2013 13:09:50 -0700
Subject: [PATCH 092/249] Add SASL/EXTERNAL gensec module

Signed-off-by: Howard Chu <hyc@symas.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Nadezhda Ivanova <nivanova@symas.com>
(cherry picked from commit 6bf59b03d72b94b71e53fc2404c11e0d237e41b2)
---
 auth/gensec/external.c    | 82 +++++++++++++++++++++++++++++++++++++++++++++++
 auth/gensec/gensec.h      |  3 +-
 auth/gensec/wscript_build |  7 ++++
 3 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 auth/gensec/external.c

diff --git a/auth/gensec/external.c b/auth/gensec/external.c
new file mode 100644
index 0000000..a26e435
--- /dev/null
+++ b/auth/gensec/external.c
@@ -0,0 +1,82 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   SASL/EXTERNAL authentication.
+
+   Copyright (C) Howard Chu <hyc@symas.com> 2013
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
+#include "auth/gensec/gensec_proto.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
+
+/* SASL/EXTERNAL is essentially a no-op; it is only usable when the transport
+ * layer is already mutually authenticated.
+ */
+
+NTSTATUS gensec_external_init(void);
+
+static NTSTATUS gensec_external_start(struct gensec_security *gensec_security)
+{
+	if (gensec_security->want_features & GENSEC_FEATURE_SIGN)
+		return NT_STATUS_INVALID_PARAMETER;
+	if (gensec_security->want_features & GENSEC_FEATURE_SEAL)
+		return NT_STATUS_INVALID_PARAMETER;
+
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS gensec_external_update(struct gensec_security *gensec_security,
+				   TALLOC_CTX *out_mem_ctx,
+				   struct tevent_context *ev,
+				   const DATA_BLOB in, DATA_BLOB *out)
+{
+	*out = data_blob_talloc(out_mem_ctx, "", 0);
+	return NT_STATUS_OK;
+}
+
+/* We have no features */
+static bool gensec_external_have_feature(struct gensec_security *gensec_security,
+				     uint32_t feature)
+{
+	return false;
+}
+
+static const struct gensec_security_ops gensec_external_ops = {
+	.name             = "sasl-EXTERNAL",
+	.sasl_name        = "EXTERNAL",
+	.client_start     = gensec_external_start,
+	.update 	  = gensec_external_update,
+	.have_feature     = gensec_external_have_feature,
+	.enabled          = true,
+	.priority         = GENSEC_EXTERNAL
+};
+
+
+NTSTATUS gensec_external_init(void)
+{
+	NTSTATUS ret;
+
+	ret = gensec_register(&gensec_external_ops);
+	if (!NT_STATUS_IS_OK(ret)) {
+		DEBUG(0,("Failed to register '%s' gensec backend!\n",
+			 gensec_external_ops.name));
+	}
+	return ret;
+}
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index ac1fadf..6974f87 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -41,7 +41,8 @@ enum gensec_priority {
 	GENSEC_SCHANNEL = 60,
 	GENSEC_NTLMSSP = 50,
 	GENSEC_SASL = 20,
-	GENSEC_OTHER = 0
+	GENSEC_OTHER = 10,
+	GENSEC_EXTERNAL = 0
 };
 
 struct gensec_security;
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index fcd74a3..71222f7 100755
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -16,3 +16,10 @@ bld.SAMBA_MODULE('gensec_spnego',
 	init_function='gensec_spnego_init',
 	deps='asn1util samba-credentials SPNEGO_PARSE'
 	)
+
+bld.SAMBA_MODULE('gensec_external',
+	source='external.c',
+	autoproto='external_proto.h',
+	subsystem='gensec',
+	init_function='gensec_external_init'
+	)
-- 
1.9.3


From 75d9566940069ebeb367191ec6a6641bf7d45a83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 17:24:10 +0200
Subject: [PATCH 093/249] gensec: move schannel module to toplevel.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4d2ec9e37ee9dcf7b521806a1c0aabdffe524d47)
---
 auth/gensec/schannel.c            | 330 ++++++++++++++++++++++++++++++++++++++
 auth/gensec/wscript_build         |   8 +
 source4/auth/gensec/schannel.c    | 330 --------------------------------------
 source4/auth/gensec/wscript_build |  10 --
 4 files changed, 338 insertions(+), 340 deletions(-)
 create mode 100644 auth/gensec/schannel.c
 delete mode 100644 source4/auth/gensec/schannel.c

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
new file mode 100644
index 0000000..eb2e100
--- /dev/null
+++ b/auth/gensec/schannel.c
@@ -0,0 +1,330 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   dcerpc schannel operations
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_schannel.h"
+#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
+#include "auth/gensec/gensec_proto.h"
+#include "../libcli/auth/schannel.h"
+#include "librpc/gen_ndr/dcerpc.h"
+#include "param/param.h"
+#include "auth/gensec/gensec_toplevel_proto.h"
+
+_PUBLIC_ NTSTATUS gensec_schannel_init(void);
+
+static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
+{
+	struct schannel_state *state =
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
+
+	return netsec_outgoing_sig_size(state);
+}
+
+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+				struct tevent_context *ev,
+				const DATA_BLOB in, DATA_BLOB *out)
+{
+	struct schannel_state *state =
+		talloc_get_type(gensec_security->private_data,
+		struct schannel_state);
+	NTSTATUS status;
+	enum ndr_err_code ndr_err;
+	struct NL_AUTH_MESSAGE bind_schannel;
+	struct NL_AUTH_MESSAGE bind_schannel_ack;
+	struct netlogon_creds_CredentialState *creds;
+	const char *workstation;
+	const char *domain;
+
+	*out = data_blob(NULL, 0);
+
+	switch (gensec_security->gensec_role) {
+	case GENSEC_CLIENT:
+		if (state != NULL) {
+			/* we could parse the bind ack, but we don't know what it is yet */
+			return NT_STATUS_OK;
+		}
+
+		creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
+		if (creds == NULL) {
+			return NT_STATUS_INVALID_PARAMETER_MIX;
+		}
+
+		state = netsec_create_state(gensec_security,
+					    creds, true /* initiator */);
+		if (state == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		gensec_security->private_data = state;
+
+		bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
+#if 0
+		/* to support this we'd need to have access to the full domain name */
+		/* 0x17, 23 */
+		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
+				      NL_FLAG_UTF8_DNS_DOMAIN_NAME |
+				      NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+		bind_schannel.oem_netbios_computer.a = creds->computer_name;
+		bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
+		/* w2k3 refuses us if we use the full DNS workstation?
+		 why? perhaps because we don't fill in the dNSHostName
+		 attribute in the machine account? */
+		bind_schannel.utf8_netbios_computer = creds->computer_name;
+#else
+		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
+				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
+		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
+		bind_schannel.oem_netbios_computer.a = creds->computer_name;
+#endif
+
+		ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
+					       (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
+		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			status = ndr_map_error2ntstatus(ndr_err);
+			DEBUG(3, ("Could not create schannel bind: %s\n",
+				  nt_errstr(status)));
+			return status;
+		}
+
+		return NT_STATUS_MORE_PROCESSING_REQUIRED;
+	case GENSEC_SERVER:
+
+		if (state != NULL) {
+			/* no third leg on this protocol */
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		/* parse the schannel startup blob */
+		ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
+			(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
+		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			status = ndr_map_error2ntstatus(ndr_err);
+			DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
+				  nt_errstr(status)));
+			return status;
+		}
+
+		if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
+			domain = bind_schannel.oem_netbios_domain.a;
+			if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
+				DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+					  domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
+				return NT_STATUS_LOGON_FAILURE;
+			}
+		} else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
+			domain = bind_schannel.utf8_dns_domain.u;
+			if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
+				DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
+					  domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
+				return NT_STATUS_LOGON_FAILURE;
+			}
+		} else {
+			DEBUG(3, ("Request for schannel to without domain\n"));
+			return NT_STATUS_LOGON_FAILURE;
+		}
+
+		if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
+			workstation = bind_schannel.oem_netbios_computer.a;
+		} else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
+			workstation = bind_schannel.utf8_netbios_computer.u;
+		} else {
+			DEBUG(3, ("Request for schannel to without netbios workstation\n"));
+			return NT_STATUS_LOGON_FAILURE;
+		}
+
+		status = schannel_get_creds_state(out_mem_ctx,
+						  gensec_security->settings->lp_ctx,
+						  workstation, &creds);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
+				  workstation, nt_errstr(status)));
+			if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+				return NT_STATUS_LOGON_FAILURE;
+			}
+			return status;
+		}
+
+		state = netsec_create_state(gensec_security,
+					    creds, false /* not initiator */);
+		if (state == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		gensec_security->private_data = state;
+
+		bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
+		bind_schannel_ack.Flags = 0;
+		bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
+							    * this does not have
+							    * any meaning here
+							    * - gd */
+
+		ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
+					       (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
+		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			status = ndr_map_error2ntstatus(ndr_err);
+			DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
+				  workstation, nt_errstr(status)));
+			return status;
+		}
+
+		return NT_STATUS_OK;
+	}
+	return NT_STATUS_INVALID_PARAMETER;
+}
+
+/**
+ * Returns anonymous credentials for schannel, matching Win2k3.
+ *
+ */
+
+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
+				      TALLOC_CTX *mem_ctx,
+				      struct auth_session_info **_session_info)
+{
+	return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
+}
+
+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+{
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
+{
+	return NT_STATUS_OK;
+}
+
+static bool schannel_have_feature(struct gensec_security *gensec_security,
+					 uint32_t feature)
+{
+	if (feature & (GENSEC_FEATURE_SIGN |
+		       GENSEC_FEATURE_SEAL)) {
+		return true;
+	}
+	if (feature & GENSEC_FEATURE_DCE_STYLE) {
+		return true;
+	}
+	return false;
+}
+
+/*
+  unseal a packet
+*/
+static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
+				       uint8_t *data, size_t length,
+				       const uint8_t *whole_pdu, size_t pdu_length,
+				       const DATA_BLOB *sig)
+{
+	struct schannel_state *state =
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
+
+	return netsec_incoming_packet(state, true,
+				      discard_const_p(uint8_t, data),
+				      length, sig);
+}
+
+/*
+  check the signature on a packet
+*/
+static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
+				      const uint8_t *data, size_t length,
+				      const uint8_t *whole_pdu, size_t pdu_length,
+				      const DATA_BLOB *sig)
+{
+	struct schannel_state *state =
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
+
+	return netsec_incoming_packet(state, false,
+				      discard_const_p(uint8_t, data),
+				      length, sig);
+}
+/*
+  seal a packet
+*/
+static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
+				     TALLOC_CTX *mem_ctx,
+				     uint8_t *data, size_t length,
+				     const uint8_t *whole_pdu, size_t pdu_length,
+				     DATA_BLOB *sig)
+{
+	struct schannel_state *state =
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
+
+	return netsec_outgoing_packet(state, mem_ctx, true,
+				      data, length, sig);
+}
+
+/*
+  sign a packet
+*/
+static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
+				     TALLOC_CTX *mem_ctx,
+				     const uint8_t *data, size_t length,
+				     const uint8_t *whole_pdu, size_t pdu_length,
+				     DATA_BLOB *sig)
+{
+	struct schannel_state *state =
+		talloc_get_type_abort(gensec_security->private_data,
+		struct schannel_state);
+
+	return netsec_outgoing_packet(state, mem_ctx, false,
+				      discard_const_p(uint8_t, data),
+				      length, sig);
+}
+
+static const struct gensec_security_ops gensec_schannel_security_ops = {
+	.name		= "schannel",
+	.auth_type	= DCERPC_AUTH_TYPE_SCHANNEL,
+	.client_start   = schannel_client_start,
+	.server_start   = schannel_server_start,
+	.update 	= schannel_update,
+	.seal_packet 	= schannel_seal_packet,
+	.sign_packet   	= schannel_sign_packet,
+	.check_packet	= schannel_check_packet,
+	.unseal_packet 	= schannel_unseal_packet,
+	.session_info	= schannel_session_info,
+	.sig_size	= schannel_sig_size,
+	.have_feature   = schannel_have_feature,
+	.enabled        = true,
+	.priority       = GENSEC_SCHANNEL
+};
+
+_PUBLIC_ NTSTATUS gensec_schannel_init(void)
+{
+	NTSTATUS ret;
+	ret = gensec_register(&gensec_schannel_security_ops);
+	if (!NT_STATUS_IS_OK(ret)) {
+		DEBUG(0,("Failed to register '%s' gensec backend!\n",
+			gensec_schannel_security_ops.name));
+		return ret;
+	}
+
+	return ret;
+}
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index 71222f7..7329eec 100755
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -17,6 +17,14 @@ bld.SAMBA_MODULE('gensec_spnego',
 	deps='asn1util samba-credentials SPNEGO_PARSE'
 	)
 
+bld.SAMBA_MODULE('gensec_schannel',
+	source='schannel.c',
+	autoproto='schannel_proto.h',
+	subsystem='gensec',
+	init_function='gensec_schannel_init',
+	deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
+	)
+
 bld.SAMBA_MODULE('gensec_external',
 	source='external.c',
 	autoproto='external_proto.h',
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
deleted file mode 100644
index eb2e100..0000000
--- a/source4/auth/gensec/schannel.c
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   dcerpc schannel operations
-
-   Copyright (C) Andrew Tridgell 2004
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "librpc/gen_ndr/ndr_schannel.h"
-#include "auth/auth.h"
-#include "auth/credentials/credentials.h"
-#include "auth/gensec/gensec.h"
-#include "auth/gensec/gensec_internal.h"
-#include "auth/gensec/gensec_proto.h"
-#include "../libcli/auth/schannel.h"
-#include "librpc/gen_ndr/dcerpc.h"
-#include "param/param.h"
-#include "auth/gensec/gensec_toplevel_proto.h"
-
-_PUBLIC_ NTSTATUS gensec_schannel_init(void);
-
-static size_t schannel_sig_size(struct gensec_security *gensec_security, size_t data_size)
-{
-	struct schannel_state *state =
-		talloc_get_type_abort(gensec_security->private_data,
-		struct schannel_state);
-
-	return netsec_outgoing_sig_size(state);
-}
-
-static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
-				struct tevent_context *ev,
-				const DATA_BLOB in, DATA_BLOB *out)
-{
-	struct schannel_state *state =
-		talloc_get_type(gensec_security->private_data,
-		struct schannel_state);
-	NTSTATUS status;
-	enum ndr_err_code ndr_err;
-	struct NL_AUTH_MESSAGE bind_schannel;
-	struct NL_AUTH_MESSAGE bind_schannel_ack;
-	struct netlogon_creds_CredentialState *creds;
-	const char *workstation;
-	const char *domain;
-
-	*out = data_blob(NULL, 0);
-
-	switch (gensec_security->gensec_role) {
-	case GENSEC_CLIENT:
-		if (state != NULL) {
-			/* we could parse the bind ack, but we don't know what it is yet */
-			return NT_STATUS_OK;
-		}
-
-		creds = cli_credentials_get_netlogon_creds(gensec_security->credentials);
-		if (creds == NULL) {
-			return NT_STATUS_INVALID_PARAMETER_MIX;
-		}
-
-		state = netsec_create_state(gensec_security,
-					    creds, true /* initiator */);
-		if (state == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
-		gensec_security->private_data = state;
-
-		bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
-#if 0
-		/* to support this we'd need to have access to the full domain name */
-		/* 0x17, 23 */
-		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-				      NL_FLAG_UTF8_DNS_DOMAIN_NAME |
-				      NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
-		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-		bind_schannel.oem_netbios_computer.a = creds->computer_name;
-		bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
-		/* w2k3 refuses us if we use the full DNS workstation?
-		 why? perhaps because we don't fill in the dNSHostName
-		 attribute in the machine account? */
-		bind_schannel.utf8_netbios_computer = creds->computer_name;
-#else
-		bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-				      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
-		bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-		bind_schannel.oem_netbios_computer.a = creds->computer_name;
-#endif
-
-		ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
-					       (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			status = ndr_map_error2ntstatus(ndr_err);
-			DEBUG(3, ("Could not create schannel bind: %s\n",
-				  nt_errstr(status)));
-			return status;
-		}
-
-		return NT_STATUS_MORE_PROCESSING_REQUIRED;
-	case GENSEC_SERVER:
-
-		if (state != NULL) {
-			/* no third leg on this protocol */
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-
-		/* parse the schannel startup blob */
-		ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
-			(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
-		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			status = ndr_map_error2ntstatus(ndr_err);
-			DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
-				  nt_errstr(status)));
-			return status;
-		}
-
-		if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_DOMAIN_NAME) {
-			domain = bind_schannel.oem_netbios_domain.a;
-			if (strcasecmp_m(domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)) != 0) {
-				DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
-					  domain, lpcfg_workgroup(gensec_security->settings->lp_ctx)));
-				return NT_STATUS_LOGON_FAILURE;
-			}
-		} else if (bind_schannel.Flags & NL_FLAG_UTF8_DNS_DOMAIN_NAME) {
-			domain = bind_schannel.utf8_dns_domain.u;
-			if (strcasecmp_m(domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)) != 0) {
-				DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n",
-					  domain, lpcfg_dnsdomain(gensec_security->settings->lp_ctx)));
-				return NT_STATUS_LOGON_FAILURE;
-			}
-		} else {
-			DEBUG(3, ("Request for schannel to without domain\n"));
-			return NT_STATUS_LOGON_FAILURE;
-		}
-
-		if (bind_schannel.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME) {
-			workstation = bind_schannel.oem_netbios_computer.a;
-		} else if (bind_schannel.Flags & NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME) {
-			workstation = bind_schannel.utf8_netbios_computer.u;
-		} else {
-			DEBUG(3, ("Request for schannel to without netbios workstation\n"));
-			return NT_STATUS_LOGON_FAILURE;
-		}
-
-		status = schannel_get_creds_state(out_mem_ctx,
-						  gensec_security->settings->lp_ctx,
-						  workstation, &creds);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
-				  workstation, nt_errstr(status)));
-			if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
-				return NT_STATUS_LOGON_FAILURE;
-			}
-			return status;
-		}
-
-		state = netsec_create_state(gensec_security,
-					    creds, false /* not initiator */);
-		if (state == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
-		gensec_security->private_data = state;
-
-		bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
-		bind_schannel_ack.Flags = 0;
-		bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
-							    * this does not have
-							    * any meaning here
-							    * - gd */
-
-		ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
-					       (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-		if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-			status = ndr_map_error2ntstatus(ndr_err);
-			DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
-				  workstation, nt_errstr(status)));
-			return status;
-		}
-
-		return NT_STATUS_OK;
-	}
-	return NT_STATUS_INVALID_PARAMETER;
-}
-
-/**
- * Returns anonymous credentials for schannel, matching Win2k3.
- *
- */
-
-static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
-				      TALLOC_CTX *mem_ctx,
-				      struct auth_session_info **_session_info)
-{
-	return auth_anonymous_session_info(mem_ctx, gensec_security->settings->lp_ctx, _session_info);
-}
-
-static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
-{
-	return NT_STATUS_OK;
-}
-
-static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
-{
-	return NT_STATUS_OK;
-}
-
-static bool schannel_have_feature(struct gensec_security *gensec_security,
-					 uint32_t feature)
-{
-	if (feature & (GENSEC_FEATURE_SIGN |
-		       GENSEC_FEATURE_SEAL)) {
-		return true;
-	}
-	if (feature & GENSEC_FEATURE_DCE_STYLE) {
-		return true;
-	}
-	return false;
-}
-
-/*
-  unseal a packet
-*/
-static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
-				       uint8_t *data, size_t length,
-				       const uint8_t *whole_pdu, size_t pdu_length,
-				       const DATA_BLOB *sig)
-{
-	struct schannel_state *state =
-		talloc_get_type_abort(gensec_security->private_data,
-		struct schannel_state);
-
-	return netsec_incoming_packet(state, true,
-				      discard_const_p(uint8_t, data),
-				      length, sig);
-}
-
-/*
-  check the signature on a packet
-*/
-static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
-				      const uint8_t *data, size_t length,
-				      const uint8_t *whole_pdu, size_t pdu_length,
-				      const DATA_BLOB *sig)
-{
-	struct schannel_state *state =
-		talloc_get_type_abort(gensec_security->private_data,
-		struct schannel_state);
-
-	return netsec_incoming_packet(state, false,
-				      discard_const_p(uint8_t, data),
-				      length, sig);
-}
-/*
-  seal a packet
-*/
-static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
-				     TALLOC_CTX *mem_ctx,
-				     uint8_t *data, size_t length,
-				     const uint8_t *whole_pdu, size_t pdu_length,
-				     DATA_BLOB *sig)
-{
-	struct schannel_state *state =
-		talloc_get_type_abort(gensec_security->private_data,
-		struct schannel_state);
-
-	return netsec_outgoing_packet(state, mem_ctx, true,
-				      data, length, sig);
-}
-
-/*
-  sign a packet
-*/
-static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
-				     TALLOC_CTX *mem_ctx,
-				     const uint8_t *data, size_t length,
-				     const uint8_t *whole_pdu, size_t pdu_length,
-				     DATA_BLOB *sig)
-{
-	struct schannel_state *state =
-		talloc_get_type_abort(gensec_security->private_data,
-		struct schannel_state);
-
-	return netsec_outgoing_packet(state, mem_ctx, false,
-				      discard_const_p(uint8_t, data),
-				      length, sig);
-}
-
-static const struct gensec_security_ops gensec_schannel_security_ops = {
-	.name		= "schannel",
-	.auth_type	= DCERPC_AUTH_TYPE_SCHANNEL,
-	.client_start   = schannel_client_start,
-	.server_start   = schannel_server_start,
-	.update 	= schannel_update,
-	.seal_packet 	= schannel_seal_packet,
-	.sign_packet   	= schannel_sign_packet,
-	.check_packet	= schannel_check_packet,
-	.unseal_packet 	= schannel_unseal_packet,
-	.session_info	= schannel_session_info,
-	.sig_size	= schannel_sig_size,
-	.have_feature   = schannel_have_feature,
-	.enabled        = true,
-	.priority       = GENSEC_SCHANNEL
-};
-
-_PUBLIC_ NTSTATUS gensec_schannel_init(void)
-{
-	NTSTATUS ret;
-	ret = gensec_register(&gensec_schannel_security_ops);
-	if (!NT_STATUS_IS_OK(ret)) {
-		DEBUG(0,("Failed to register '%s' gensec backend!\n",
-			gensec_schannel_security_ops.name));
-		return ret;
-	}
-
-	return ret;
-}
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index 04fccc5..a3eff97 100755
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
@@ -32,16 +32,6 @@ bld.SAMBA_MODULE('cyrus_sasl',
 	)
 
 
-bld.SAMBA_MODULE('gensec_schannel',
-	source='schannel.c',
-	subsystem='gensec',
-	deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials ndr auth_session',
-	internal_module=True,
-	autoproto='schannel_proto.h',
-	init_function='gensec_schannel_init'
-	)
-
-
 bld.SAMBA_PYTHON('pygensec',
 	source='pygensec.c',
 	deps='gensec pytalloc-util pyparam_util',
-- 
1.9.3


From c4829848f45db27d6c145b35a20bea2f33bcb4d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 17:24:49 +0200
Subject: [PATCH 094/249] gensec: remove duplicate
 gensec_security_by_authtype() call.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We should use the equivalent gensec_security_by_auth_type() call which is
exposed in the public header.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d433ad077f354de4fc1d5a155d991f417ae9967c)
---
 auth/gensec/gensec_start.c | 29 ++---------------------------
 1 file changed, 2 insertions(+), 27 deletions(-)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 3ae64d5..906ef67 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -157,31 +157,6 @@ _PUBLIC_ const struct gensec_security_ops **gensec_security_mechs(
 
 }
 
-static const struct gensec_security_ops *gensec_security_by_authtype(struct gensec_security *gensec_security,
-								     uint8_t auth_type)
-{
-	int i;
-	const struct gensec_security_ops **backends;
-	const struct gensec_security_ops *backend;
-	TALLOC_CTX *mem_ctx = talloc_new(gensec_security);
-	if (!mem_ctx) {
-		return NULL;
-	}
-	backends = gensec_security_mechs(gensec_security, mem_ctx);
-	for (i=0; backends && backends[i]; i++) {
-		if (!gensec_security_ops_enabled(backends[i], gensec_security))
-				continue;
-		if (backends[i]->auth_type == auth_type) {
-			backend = backends[i];
-			talloc_free(mem_ctx);
-			return backend;
-		}
-	}
-	talloc_free(mem_ctx);
-
-	return NULL;
-}
-
 _PUBLIC_ const struct gensec_security_ops *gensec_security_by_oid(
 				struct gensec_security *gensec_security,
 				const char *oid_string)
@@ -719,7 +694,7 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
 _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
 				       uint8_t auth_type, uint8_t auth_level)
 {
-	gensec_security->ops = gensec_security_by_authtype(gensec_security, auth_type);
+	gensec_security->ops = gensec_security_by_auth_type(gensec_security, auth_type);
 	if (!gensec_security->ops) {
 		DEBUG(3, ("Could not find GENSEC backend for auth_type=%d\n", (int)auth_type));
 		return NT_STATUS_INVALID_PARAMETER;
@@ -746,7 +721,7 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
 _PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
 {
 	const struct gensec_security_ops *ops;
-	ops = gensec_security_by_authtype(gensec_security, authtype);
+	ops = gensec_security_by_auth_type(gensec_security, authtype);
 	if (ops) {
 		return ops->name;
 	}
-- 
1.9.3


From 8c54d2ee4861a35def7cce29b900a68112356f6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 17:25:55 +0200
Subject: [PATCH 095/249] gensec: check for NULL gensec_security in
 gensec_security_by_auth_type().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We have equivalent checks in other gensec_security_by_X calls already.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 4f979525e4137c536118a9c2b2b4ef798c270e27)
---
 auth/gensec/gensec_start.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index 906ef67..476134a 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -230,8 +230,10 @@ _PUBLIC_ const struct gensec_security_ops *gensec_security_by_auth_type(
 	}
 	backends = gensec_security_mechs(gensec_security, mem_ctx);
 	for (i=0; backends && backends[i]; i++) {
-		if (!gensec_security_ops_enabled(backends[i], gensec_security))
-		    continue;
+		if (gensec_security != NULL &&
+		    !gensec_security_ops_enabled(backends[i], gensec_security)) {
+			continue;
+		}
 		if (backends[i]->auth_type == auth_type) {
 			backend = backends[i];
 			talloc_free(mem_ctx);
-- 
1.9.3


From 5b941811c7ebd51bf2c8d421517fd92b3065ba47 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 17:27:28 +0200
Subject: [PATCH 096/249] s3-auth: also load schannel module from
 auth_generic_client_prepare().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8fce75aa58ec70547ad218bde154e141f2d17303)
---
 source3/libsmb/auth_generic.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c
index e30c1b7..3130dec 100644
--- a/source3/libsmb/auth_generic.c
+++ b/source3/libsmb/auth_generic.c
@@ -78,7 +78,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
 	}
 
 	backends = talloc_zero_array(gensec_settings,
-				     const struct gensec_security_ops *, 4);
+				     const struct gensec_security_ops *, 5);
 	if (backends == NULL) {
 		TALLOC_FREE(ans);
 		return NT_STATUS_NO_MEMORY;
@@ -95,6 +95,7 @@ NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_st
 	backends[idx++] = &gensec_ntlmssp3_client_ops;
 
 	backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
+	backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
 
 	nt_status = gensec_client_start(ans, &ans->gensec_security, gensec_settings);
 
-- 
1.9.3


From 28b5f156bcc03b88f8c0f3e52cd051a0b069334e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 17:44:10 +0200
Subject: [PATCH 097/249] s3-rpc_cli: allow to pass down a netlogon
 CredentialState struct to gensec.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7b570b4128f9af212048ce56abd841a1f6fdc259)
---
 source3/rpc_client/cli_pipe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 470469f..2acbad6 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2178,6 +2178,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 					 const char *username,
 					 const char *password,
 					 enum credentials_use_kerberos use_kerberos,
+					 struct netlogon_creds_CredentialState *creds,
 					 struct pipe_auth_data **presult)
 {
 	struct auth_generic_state *auth_generic_ctx;
@@ -2231,6 +2232,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 	}
 
 	cli_credentials_set_kerberos_state(auth_generic_ctx->credentials, use_kerberos);
+	cli_credentials_set_netlogon_creds(auth_generic_ctx->credentials, creds);
 
 	status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2830,6 +2832,7 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 					  server, target_service,
 					  domain, username, password, 
 					  CRED_AUTO_USE_KERBEROS,
+					  NULL,
 					  &auth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
@@ -3057,7 +3060,7 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
 					  DCERPC_AUTH_TYPE_SPNEGO, auth_level,
 					  server, target_service,
 					  domain, username, password, 
-					  use_kerberos,
+					  use_kerberos, NULL,
 					  &auth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
-- 
1.9.3


From 4775b3fd2905e54b2c824d901fd8a99fb8caae04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 18:23:40 +0200
Subject: [PATCH 098/249] s3-auth: register schannel gensec module in
 auth_generic_prepare() as well.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 090671aca5234f47f390054de771198e3c177060)
---
 source3/auth/auth_generic.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index e15c87e..e07d3b7 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -32,6 +32,7 @@
 #include "librpc/crypto/gse.h"
 #include "auth/credentials/credentials.h"
 #include "lib/param/loadparm.h"
+#include "librpc/gen_ndr/dcerpc.h"
 
 static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 						TALLOC_CTX *mem_ctx,
@@ -261,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 		}
 
 		backends = talloc_zero_array(gensec_settings,
-					     const struct gensec_security_ops *, 4);
+					     const struct gensec_security_ops *, 5);
 		if (backends == NULL) {
 			TALLOC_FREE(tmp_ctx);
 			return NT_STATUS_NO_MEMORY;
@@ -279,6 +280,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
 
 		backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
 
+		backends[idx++] = gensec_security_by_auth_type(NULL, DCERPC_AUTH_TYPE_SCHANNEL);
+
 		/*
 		 * This is anonymous for now, because we just use it
 		 * to set the kerberos state at the moment
-- 
1.9.3


From 080c2ac3cbd28318bc6c682dff0aea17fad07a2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 18:33:14 +0200
Subject: [PATCH 099/249] s3-rpc_cli: use gensec for schannel bind.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 89d0b89b5d58ceef13bc10036d396b10f8a102ae)
---
 source3/rpc_client/cli_pipe.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 2acbad6..8a642e2 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1120,12 +1120,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
 
 	switch (auth->auth_type) {
 	case DCERPC_AUTH_TYPE_SCHANNEL:
-		ret = create_schannel_auth_rpc_bind_req(cli, &auth_token);
-		if (!NT_STATUS_IS_OK(ret)) {
-			return ret;
-		}
-		break;
-
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_KRB5:
 	case DCERPC_AUTH_TYPE_SPNEGO:
@@ -2884,16 +2878,26 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	struct netr_Authenticator auth;
 	struct netr_Authenticator return_auth;
 	union netr_Capabilities capabilities;
+	const char *target_service = table->authservices->names[0];
 
 	status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
-	status = rpccli_schannel_bind_data(rpccli, domain, auth_level,
-					   *pdc, &rpcauth);
+	status = rpccli_generic_bind_data(rpccli,
+					  DCERPC_AUTH_TYPE_SCHANNEL,
+					  auth_level,
+					  NULL,
+					  target_service,
+					  domain,
+					  (*pdc)->computer_name,
+					  NULL,
+					  CRED_AUTO_USE_KERBEROS,
+					  *pdc,
+					  &rpcauth);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
+		DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
 			  nt_errstr(status)));
 		TALLOC_FREE(rpccli);
 		return status;
-- 
1.9.3


From 40ffd89f975e06821379fbd240187f5e268da5fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 18:34:58 +0200
Subject: [PATCH 100/249] s3-rpc_srv: use gensec for schannel bind.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a32a83ba9d6c7b5bbe9077973e5402ba65c068e7)
---
 source3/rpc_server/srv_pipe.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 9043a14..fd7a90a 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -808,10 +808,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 			break;
 
 		case DCERPC_AUTH_TYPE_SCHANNEL:
-			if (!pipe_schannel_auth_bind(p, pkt,
-						&auth_info, &auth_resp)) {
+			if (!pipe_auth_generic_bind(p, pkt,
+						    &auth_info, &auth_resp)) {
+				goto err_exit;
+			}
+			if (!session_info_set_session_key(p->session_info, generic_session_key())) {
+				DEBUG(0, ("session_info_set_session_key failed\n"));
 				goto err_exit;
 			}
+			p->pipe_bound = true;
 			break;
 
 		case DCERPC_AUTH_TYPE_SPNEGO:
-- 
1.9.3


From 285de020b6e284ad5074492d62740ba8a370826a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 18:36:19 +0200
Subject: [PATCH 101/249] s3-rpc: use gensec for schannel footer processing.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5a628490e46f428432cd9b32c2b4b3a34a3736ae)
---
 source3/librpc/rpc/dcerpc_helpers.c | 35 +++--------------------------------
 1 file changed, 3 insertions(+), 32 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index 97999d7..b9e05cb 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -273,7 +273,6 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 	size_t max_len;
 	size_t mod_len;
 	struct gensec_security *gensec_security;
-	struct schannel_state *schannel_auth;
 
 	/* no auth token cases first */
 	switch (auth->auth_level) {
@@ -307,16 +306,11 @@ NTSTATUS dcerpc_guess_sizes(struct pipe_auth_data *auth,
 	case DCERPC_AUTH_TYPE_SPNEGO:
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_KRB5:
+	case DCERPC_AUTH_TYPE_SCHANNEL:
 		gensec_security = talloc_get_type_abort(auth->auth_ctx,
 							struct gensec_security);
 		*auth_len = gensec_sig_size(gensec_security, max_len);
 		break;
-
-	case DCERPC_AUTH_TYPE_SCHANNEL:
-		schannel_auth = talloc_get_type_abort(auth->auth_ctx,
-						      struct schannel_state);
-		*auth_len = netsec_outgoing_sig_size(schannel_auth);
-		break;
 	default:
 		return NT_STATUS_INVALID_PARAMETER;
 	}
@@ -548,7 +542,6 @@ static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
 NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 				size_t pad_len, DATA_BLOB *rpc_out)
 {
-	struct schannel_state *schannel_auth;
 	struct gensec_security *gensec_security;
 	char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
 	DATA_BLOB auth_info;
@@ -600,19 +593,13 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
 	case DCERPC_AUTH_TYPE_SPNEGO:
 	case DCERPC_AUTH_TYPE_KRB5:
 	case DCERPC_AUTH_TYPE_NTLMSSP:
+	case DCERPC_AUTH_TYPE_SCHANNEL:
 		gensec_security = talloc_get_type_abort(auth->auth_ctx,
 						struct gensec_security);
 		status = add_generic_auth_footer(gensec_security,
 						 auth->auth_level,
 						 rpc_out);
 		break;
-	case DCERPC_AUTH_TYPE_SCHANNEL:
-		schannel_auth = talloc_get_type_abort(auth->auth_ctx,
-						      struct schannel_state);
-		status = add_schannel_auth_footer(schannel_auth,
-						  auth->auth_level,
-						  rpc_out);
-		break;
 	default:
 		status = NT_STATUS_INVALID_PARAMETER;
 		break;
@@ -640,7 +627,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 			   DATA_BLOB *raw_pkt,
 			   size_t *pad_len)
 {
-	struct schannel_state *schannel_auth;
 	struct gensec_security *gensec_security;
 	NTSTATUS status;
 	struct dcerpc_auth auth_info;
@@ -710,6 +696,7 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 	case DCERPC_AUTH_TYPE_SPNEGO:
 	case DCERPC_AUTH_TYPE_KRB5:
 	case DCERPC_AUTH_TYPE_NTLMSSP:
+	case DCERPC_AUTH_TYPE_SCHANNEL:
 
 		DEBUG(10, ("GENSEC auth\n"));
 
@@ -723,22 +710,6 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 			return status;
 		}
 		break;
-
-	case DCERPC_AUTH_TYPE_SCHANNEL:
-
-		DEBUG(10, ("SCHANNEL auth\n"));
-
-		schannel_auth = talloc_get_type_abort(auth->auth_ctx,
-						      struct schannel_state);
-		status = get_schannel_auth_footer(pkt, schannel_auth,
-						  auth->auth_level,
-						  &data, &full_pkt,
-						  &auth_info.credentials);
-		if (!NT_STATUS_IS_OK(status)) {
-			return status;
-		}
-		break;
-
 	default:
 		DEBUG(0, ("process_request_pdu: "
 			  "unknown auth type %u set.\n",
-- 
1.9.3


From cfa396d153cedb9b10356540a479ff299c480cae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 19 Sep 2013 11:03:31 +0200
Subject: [PATCH 102/249] s3-rpc_cli: remove unused schannel calls from
 dcerpc_helpers.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 639f60b1513a8c877d307ed86b7748250821fb3f)
---
 source3/librpc/rpc/dcerpc.h         |   3 -
 source3/librpc/rpc/dcerpc_helpers.c | 124 ------------------------------------
 2 files changed, 127 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index b3ae3b4..38d59cd 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -60,9 +60,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
 				  const DATA_BLOB *blob,
 				  struct ncacn_packet *r,
 				  bool bigendian);
-NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
-				   struct NL_AUTH_MESSAGE *r,
-				   DATA_BLOB *blob);
 NTSTATUS dcerpc_push_dcerpc_auth(TALLOC_CTX *mem_ctx,
 				 enum dcerpc_AuthType auth_type,
 				 enum dcerpc_AuthLevel auth_level,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c b/source3/librpc/rpc/dcerpc_helpers.c
index b9e05cb..2400bfd 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -21,9 +21,6 @@
 #include "includes.h"
 #include "librpc/rpc/dcerpc.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
-#include "librpc/gen_ndr/ndr_schannel.h"
-#include "../libcli/auth/schannel.h"
-#include "../libcli/auth/spnego.h"
 #include "librpc/crypto/gse.h"
 #include "auth/gensec/gensec.h"
 
@@ -135,34 +132,6 @@ NTSTATUS dcerpc_pull_ncacn_packet(TALLOC_CTX *mem_ctx,
 }
 
 /**
-* @brief NDR Encodes a NL_AUTH_MESSAGE
-*
-* @param mem_ctx	The memory context the blob will be allocated on
-* @param r		The NL_AUTH_MESSAGE to encode
-* @param blob [out]	The encoded blob if successful
-*
-* @return a NTSTATUS error code
-*/
-NTSTATUS dcerpc_push_schannel_bind(TALLOC_CTX *mem_ctx,
-				   struct NL_AUTH_MESSAGE *r,
-				   DATA_BLOB *blob)
-{
-	enum ndr_err_code ndr_err;
-
-	ndr_err = ndr_push_struct_blob(blob, mem_ctx, r,
-		(ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		return ndr_map_error2ntstatus(ndr_err);
-	}
-
-	if (DEBUGLEVEL >= 10) {
-		NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, r);
-	}
-
-	return NT_STATUS_OK;
-}
-
-/**
 * @brief NDR Encodes a dcerpc_auth structure
 *
 * @param mem_ctx	  The memory context the blob will be allocated on
@@ -437,99 +406,6 @@ static NTSTATUS get_generic_auth_footer(struct gensec_security *gensec_security,
 	}
 }
 
-/*******************************************************************
- Create and add the schannel sign/seal auth data.
- ********************************************************************/
-
-static NTSTATUS add_schannel_auth_footer(struct schannel_state *sas,
-					enum dcerpc_AuthLevel auth_level,
-					DATA_BLOB *rpc_out)
-{
-	uint8_t *data_p = rpc_out->data + DCERPC_RESPONSE_LENGTH;
-	size_t data_and_pad_len = rpc_out->length
-					- DCERPC_RESPONSE_LENGTH
-					- DCERPC_AUTH_TRAILER_LENGTH;
-	DATA_BLOB auth_blob;
-	NTSTATUS status;
-
-	if (!sas) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	switch (auth_level) {
-	case DCERPC_AUTH_LEVEL_PRIVACY:
-		status = netsec_outgoing_packet(sas,
-						rpc_out->data,
-						true,
-						data_p,
-						data_and_pad_len,
-						&auth_blob);
-		break;
-	case DCERPC_AUTH_LEVEL_INTEGRITY:
-		status = netsec_outgoing_packet(sas,
-						rpc_out->data,
-						false,
-						data_p,
-						data_and_pad_len,
-						&auth_blob);
-		break;
-	default:
-		status = NT_STATUS_INTERNAL_ERROR;
-		break;
-	}
-
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(1,("add_schannel_auth_footer: failed to process packet: %s\n",
-			nt_errstr(status)));
-		return status;
-	}
-
-	if (DEBUGLEVEL >= 10) {
-		dump_NL_AUTH_SIGNATURE(talloc_tos(), &auth_blob);
-	}
-
-	/* Finally attach the blob. */
-	if (!data_blob_append(NULL, rpc_out,
-				auth_blob.data, auth_blob.length)) {
-		return NT_STATUS_NO_MEMORY;
-	}
-	data_blob_free(&auth_blob);
-
-	return NT_STATUS_OK;
-}
-
-/*******************************************************************
- Check/unseal the Schannel auth data. (Unseal in place).
- ********************************************************************/
-
-static NTSTATUS get_schannel_auth_footer(TALLOC_CTX *mem_ctx,
-					 struct schannel_state *auth_state,
-					 enum dcerpc_AuthLevel auth_level,
-					 DATA_BLOB *data, DATA_BLOB *full_pkt,
-					 DATA_BLOB *auth_token)
-{
-	switch (auth_level) {
-	case DCERPC_AUTH_LEVEL_PRIVACY:
-		/* Data portion is encrypted. */
-		return netsec_incoming_packet(auth_state,
-						true,
-						data->data,
-						data->length,
-						auth_token);
-
-	case DCERPC_AUTH_LEVEL_INTEGRITY:
-		/* Data is signed. */
-		return netsec_incoming_packet(auth_state,
-						false,
-						data->data,
-						data->length,
-						auth_token);
-
-	default:
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-}
-
 /**
 * @brief   Append an auth footer according to what is the current mechanism
 *
-- 
1.9.3


From 3c10a3501c04e1f5f9bd2bb1418b95b4b17248a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 19 Sep 2013 11:04:19 +0200
Subject: [PATCH 103/249] s3-rpc_cli: remove unused schannel calls from
 cli_pipe.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 45949d721892a0e8a6b1a76e221c6b3bfd6a872f)
---
 source3/rpc_client/cli_pipe.c | 76 -------------------------------------------
 1 file changed, 76 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 8a642e2..b73f2f2 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -22,11 +22,8 @@
 #include "includes.h"
 #include "../lib/util/tevent_ntstatus.h"
 #include "librpc/gen_ndr/ndr_epmapper_c.h"
-#include "../librpc/gen_ndr/ndr_schannel.h"
 #include "../librpc/gen_ndr/ndr_dssetup.h"
 #include "../libcli/auth/schannel.h"
-#include "../libcli/auth/spnego.h"
-#include "../auth/ntlmssp/ntlmssp.h"
 #include "auth_generic.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "librpc/gen_ndr/ndr_netlogon_c.h"
@@ -1018,42 +1015,6 @@ static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
 }
 
 /*******************************************************************
- Creates schannel auth bind.
- ********************************************************************/
-
-static NTSTATUS create_schannel_auth_rpc_bind_req(struct rpc_pipe_client *cli,
-						  DATA_BLOB *auth_token)
-{
-	NTSTATUS status;
-	struct NL_AUTH_MESSAGE r;
-
-	if (!cli->auth->user_name || !cli->auth->user_name[0]) {
-		return NT_STATUS_INVALID_PARAMETER_MIX;
-	}
-
-	if (!cli->auth->domain || !cli->auth->domain[0]) {
-		return NT_STATUS_INVALID_PARAMETER_MIX;
-	}
-
-	/*
-	 * Now marshall the data into the auth parse_struct.
-	 */
-
-	r.MessageType			= NL_NEGOTIATE_REQUEST;
-	r.Flags				= NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-					  NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
-	r.oem_netbios_domain.a		= cli->auth->domain;
-	r.oem_netbios_computer.a	= cli->auth->user_name;
-
-	status = dcerpc_push_schannel_bind(cli, &r, auth_token);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	return NT_STATUS_OK;
-}
-
-/*******************************************************************
  Creates the internals of a DCE/RPC bind request or alter context PDU.
  ********************************************************************/
 
@@ -2243,43 +2204,6 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 	return status;
 }
 
-static NTSTATUS rpccli_schannel_bind_data(TALLOC_CTX *mem_ctx,
-				const char *domain,
-				enum dcerpc_AuthLevel auth_level,
-				struct netlogon_creds_CredentialState *creds,
-				struct pipe_auth_data **presult)
-{
-	struct schannel_state *schannel_auth;
-	struct pipe_auth_data *result;
-
-	result = talloc(mem_ctx, struct pipe_auth_data);
-	if (result == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
-	result->auth_level = auth_level;
-
-	result->user_name = talloc_strdup(result, creds->computer_name);
-	result->domain = talloc_strdup(result, domain);
-	if ((result->user_name == NULL) || (result->domain == NULL)) {
-		goto fail;
-	}
-
-	schannel_auth = netsec_create_state(result, creds, true /* initiator */);
-	if (schannel_auth == NULL) {
-		goto fail;
-	}
-
-	result->auth_ctx = schannel_auth;
-	*presult = result;
-	return NT_STATUS_OK;
-
- fail:
-	TALLOC_FREE(result);
-	return NT_STATUS_NO_MEMORY;
-}
-
 /**
  * Create an rpc pipe client struct, connecting to a tcp port.
  */
-- 
1.9.3


From e4b33d6311e051501815199bd6c6dbba33f1bc55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 19 Sep 2013 11:05:21 +0200
Subject: [PATCH 104/249] s3-rpc_srv: remove unused schannel calls from
 srv_pipe.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Sep 19 12:59:04 CEST 2013 on sn-devel-104
(cherry picked from commit 6965f918c04328535c55a0ef9b7fe6392fba193a)
---
 source3/rpc_server/srv_pipe.c | 116 ------------------------------------------
 1 file changed, 116 deletions(-)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index fd7a90a..06752a8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -30,11 +30,8 @@
 #include "includes.h"
 #include "system/filesys.h"
 #include "srv_pipe_internal.h"
-#include "../librpc/gen_ndr/ndr_schannel.h"
 #include "../librpc/gen_ndr/dcerpc.h"
 #include "../librpc/rpc/rpc_common.h"
-#include "../libcli/auth/schannel.h"
-#include "../libcli/auth/spnego.h"
 #include "dcesrv_auth_generic.h"
 #include "rpc_server.h"
 #include "rpc_dce.h"
@@ -415,119 +412,6 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
 }
 
 /*******************************************************************
- Handle an schannel bind auth.
-*******************************************************************/
-
-static bool pipe_schannel_auth_bind(struct pipes_struct *p,
-				    TALLOC_CTX *mem_ctx,
-				    struct dcerpc_auth *auth_info,
-				    DATA_BLOB *response)
-{
-	struct NL_AUTH_MESSAGE neg;
-	struct NL_AUTH_MESSAGE reply;
-	bool ret;
-	NTSTATUS status;
-	struct netlogon_creds_CredentialState *creds;
-	enum ndr_err_code ndr_err;
-	struct schannel_state *schannel_auth;
-	struct loadparm_context *lp_ctx;
-
-	ndr_err = ndr_pull_struct_blob(
-			&auth_info->credentials, mem_ctx, &neg,
-			(ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
-		return false;
-	}
-
-	if (DEBUGLEVEL >= 10) {
-		NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
-	}
-
-	if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
-		DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
-		return false;
-	}
-
-	lp_ctx = loadparm_init_s3(p, loadparm_s3_helpers());
-	if (!lp_ctx) {
-		DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
-		return false;
-	}
-
-	/*
-	 * The neg.oem_netbios_computer.a key here must match the remote computer name
-	 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
-	 * operations that use credentials.
-	 */
-
-	become_root();
-	status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
-					  neg.oem_netbios_computer.a, &creds);
-	unbecome_root();
-	
-	talloc_unlink(p, lp_ctx);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
-		return False;
-	}
-
-	schannel_auth = netsec_create_state(p, creds, false /* not initiator */);
-	TALLOC_FREE(creds);
-	if (!schannel_auth) {
-		return False;
-	}
-
-	/*
-	 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
-	 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
-	 * struct of the person who opened the pipe. I need to test this further. JRA.
-	 *
-	 * VL. As we are mapping this to guest set the generic key
-	 * "SystemLibraryDTC" key here. It's a bit difficult to test against
-	 * W2k3, as it does not allow schannel binds against SAMR and LSA
-	 * anymore.
-	 */
-
-	ret = session_info_set_session_key(p->session_info, generic_session_key());
-
-	if (!ret) {
-		DEBUG(0, ("session_info_set_session_key failed\n"));
-		return false;
-	}
-
-	/*** SCHANNEL verifier ***/
-
-	reply.MessageType			= NL_NEGOTIATE_RESPONSE;
-	reply.Flags				= 0;
-	reply.Buffer.dummy			= 5; /* ??? actually I don't think
-						      * this has any meaning
-						      * here - gd */
-
-	ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
-		       (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
-		return false;
-	}
-
-	if (DEBUGLEVEL >= 10) {
-		NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
-	}
-
-	DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
-		neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
-
-	/* We're finished with this bind - no more packets. */
-	p->auth.auth_ctx = schannel_auth;
-	p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
-
-	p->pipe_bound = True;
-
-	return True;
-}
-
-/*******************************************************************
  Handle an NTLMSSP bind auth.
 *******************************************************************/
 
-- 
1.9.3


From 68fbdf567cb7d0bc3550b826204c0708a771a4dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 12 Aug 2013 17:22:15 +0200
Subject: [PATCH 105/249] librpc/ndr: call ndr_table_list() from all ndr_X
 functions.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 88c1dbf722889a2d7379cdcbac1ce9b140a42356)
---
 librpc/ndr/ndr_table.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
index 7ca0417..01d9094 100644
--- a/librpc/ndr/ndr_table.c
+++ b/librpc/ndr/ndr_table.c
@@ -73,7 +73,7 @@ const char *ndr_interface_name(const struct GUID *uuid, uint32_t if_version)
 int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
 {
 	const struct ndr_interface_list *l;
-	for (l=ndr_interfaces;l;l=l->next){
+	for (l=ndr_table_list();l;l=l->next){
 		if (GUID_equal(&l->table->syntax_id.uuid, uuid) &&
 		    l->table->syntax_id.if_version == if_version) {
 			return l->table->num_calls;
@@ -89,7 +89,7 @@ int ndr_interface_num_calls(const struct GUID *uuid, uint32_t if_version)
 const struct ndr_interface_table *ndr_table_by_name(const char *name)
 {
 	const struct ndr_interface_list *l;
-	for (l=ndr_interfaces;l;l=l->next) {
+	for (l=ndr_table_list();l;l=l->next) {
 		if (strcasecmp(l->table->name, name) == 0) {
 			return l->table;
 		}
@@ -103,7 +103,7 @@ const struct ndr_interface_table *ndr_table_by_name(const char *name)
 const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
 {
 	const struct ndr_interface_list *l;
-	for (l=ndr_interfaces;l;l=l->next) {
+	for (l=ndr_table_list();l;l=l->next) {
 		if (GUID_equal(&l->table->syntax_id.uuid, uuid)) {
 			return l->table;
 		}
-- 
1.9.3


From c936c80f7e567bab6fc749fb35e60176fca020af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 8 Aug 2013 17:34:56 +0200
Subject: [PATCH 106/249] librpc/ndr: make sure ndr_table_list() always calls
 ndr_init_table() first.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 21200b12dc14673f9a610c5798635b6052370dbe)
---
 librpc/ndr/ndr_table.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/librpc/ndr/ndr_table.c b/librpc/ndr/ndr_table.c
index 01d9094..f73b9fc 100644
--- a/librpc/ndr/ndr_table.c
+++ b/librpc/ndr/ndr_table.c
@@ -116,6 +116,7 @@ const struct ndr_interface_table *ndr_table_by_uuid(const struct GUID *uuid)
 */
 const struct ndr_interface_list *ndr_table_list(void)
 {
+	ndr_table_init();
 	return ndr_interfaces;
 }
 
-- 
1.9.3


From 2ced3243b3589b673967452a6401d665dd514525 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 8 Aug 2013 17:40:22 +0200
Subject: [PATCH 107/249] s3-rpc: use table->name directly in DEBUG contexts.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a94e278883c58b35d383753e86135ff6a1d14ec7)
---
 source3/lib/netapi/cm.c       | 2 +-
 source3/rpc_client/cli_pipe.c | 7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/source3/lib/netapi/cm.c b/source3/lib/netapi/cm.c
index 1cfdccf..bb5d6b2 100644
--- a/source3/lib/netapi/cm.c
+++ b/source3/lib/netapi/cm.c
@@ -254,7 +254,7 @@ WERROR libnetapi_open_pipe(struct libnetapi_ctx *ctx,
 	status = pipe_cm_open(ctx, ipc, table, &result);
 	if (!NT_STATUS_IS_OK(status)) {
 		libnetapi_set_error_string(ctx, "failed to open PIPE %s: %s",
-			get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+			table->name,
 			get_friendly_nt_error_msg(status));
 		return WERR_DEST_NOT_FOUND;
 	}
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index b73f2f2..64e7f1c 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2692,8 +2692,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 		}
 		DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe "
 			    "%s failed with error %s\n",
-			    get_pipe_name_from_syntax(talloc_tos(),
-						      &table->syntax_id),
+			    table->name,
 			    nt_errstr(status) ));
 		TALLOC_FREE(result);
 		return status;
@@ -2701,7 +2700,7 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
 
 	DEBUG(10,("cli_rpc_pipe_open_noauth: opened pipe %s to machine "
 		  "%s and bound anonymously.\n",
-		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+		  table->name,
 		  result->desthost));
 
 	*presult = result;
@@ -2946,7 +2945,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 done:
 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
 		  "for domain %s and bound using schannel.\n",
-		  get_pipe_name_from_syntax(talloc_tos(), &table->syntax_id),
+		  table->name,
 		  rpccli->desthost, domain));
 
 	*_rpccli = rpccli;
-- 
1.9.3


From cd864f1a3748c219df78600fc826a6e1d81fa07d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 10:58:16 +0200
Subject: [PATCH 108/249] s3-rpc: use ndr_interface_name() instead of
 get_pipe_name_from_syntax() in DEBUG.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 3135533710b2a1b64aaf6b10d30b86f3c004657d)
---
 source3/rpc_server/rpc_handles.c  | 15 +++++++++------
 source3/rpc_server/srv_pipe.c     | 22 ++++++++++++++--------
 source3/rpc_server/srv_pipe_hnd.c | 16 +++++++++++-----
 source3/wscript_build             |  3 ++-
 4 files changed, 36 insertions(+), 20 deletions(-)

diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
index 70c3919..409299a 100644
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -27,6 +27,7 @@
 #include "rpc_server/rpc_pipes.h"
 #include "../libcli/security/security.h"
 #include "lib/tsocket/tsocket.h"
+#include "librpc/ndr/ndr_table.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -218,7 +219,8 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
 
 		DEBUG(10,("init_pipe_handle_list: created handle list for "
 			  "pipe %s\n",
-			  get_pipe_name_from_syntax(talloc_tos(), syntax)));
+			  ndr_interface_name(&syntax->uuid,
+					     syntax->if_version)));
 	}
 
 	/*
@@ -235,7 +237,7 @@ bool init_pipe_handles(struct pipes_struct *p, const struct ndr_syntax_id *synta
 
 	DEBUG(10,("init_pipe_handle_list: pipe_handles ref count = %lu for "
 		  "pipe %s\n", (unsigned long)p->pipe_handles->pipe_ref_count,
-		  get_pipe_name_from_syntax(talloc_tos(), syntax)));
+		  ndr_interface_name(&syntax->uuid, syntax->if_version)));
 
 	return True;
 }
@@ -412,8 +414,8 @@ void close_policy_by_pipe(struct pipes_struct *p)
 		TALLOC_FREE(p->pipe_handles);
 
 		DEBUG(10,("Deleted handle list for RPC connection %s\n",
-			  get_pipe_name_from_syntax(talloc_tos(),
-						    &p->contexts->syntax)));
+			  ndr_interface_name(&p->contexts->syntax.uuid,
+					     p->contexts->syntax.if_version)));
 	}
 }
 
@@ -456,8 +458,9 @@ void *_policy_handle_create(struct pipes_struct *p, struct policy_handle *hnd,
 	if (p->pipe_handles->count > MAX_OPEN_POLS) {
 		DEBUG(0, ("ERROR: Too many handles (%d) for RPC connection %s\n",
 			  (int) p->pipe_handles->count,
-			  get_pipe_name_from_syntax(talloc_tos(),
-						    &p->contexts->syntax)));
+			  ndr_interface_name(&p->contexts->syntax.uuid,
+					     p->contexts->syntax.if_version)));
+
 		*pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
 		return NULL;
 	}
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 06752a8..19dbc37 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -41,6 +41,7 @@
 #include "rpc_server/srv_pipe.h"
 #include "rpc_server/rpc_contexts.h"
 #include "lib/param/param.h"
+#include "librpc/ndr/ndr_table.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -336,7 +337,8 @@ static bool check_bind_req(struct pipes_struct *p,
 	bool ok;
 
 	DEBUG(3,("check_bind_req for %s\n",
-		 get_pipe_name_from_syntax(talloc_tos(), abstract)));
+		 ndr_interface_name(&abstract->uuid,
+				    abstract->if_version)));
 
 	/* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
 	if (rpc_srv_pipe_exists_by_id(abstract) &&
@@ -580,7 +582,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 		if (NT_STATUS_IS_ERR(status)) {
 			DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
                                  "%s in bind request.\n",
-				 get_pipe_name_from_syntax(talloc_tos(), &id)));
+				 ndr_interface_name(&id.uuid,
+						    id.if_version)));
 
 			return setup_bind_nak(p, pkt);
 		}
@@ -595,8 +598,10 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 		} else {
 			DEBUG(0, ("module %s doesn't provide functions for "
 				  "pipe %s!\n",
-				  get_pipe_name_from_syntax(talloc_tos(), &id),
-				  get_pipe_name_from_syntax(talloc_tos(), &id)));
+				  ndr_interface_name(&id.uuid,
+						     id.if_version),
+				  ndr_interface_name(&id.uuid,
+						     id.if_version)));
 			return setup_bind_nak(p, pkt);
 		}
 	}
@@ -1206,7 +1211,8 @@ static bool api_pipe_request(struct pipes_struct *p,
 		TALLOC_CTX *frame = talloc_stackframe();
 
 		DEBUG(5, ("Requested %s rpc service\n",
-			  get_pipe_name_from_syntax(talloc_tos(), &pipe_fns->syntax)));
+			  ndr_interface_name(&pipe_fns->syntax.uuid,
+					     pipe_fns->syntax.if_version)));
 
 		ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds,
 				 &pipe_fns->syntax);
@@ -1237,7 +1243,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
 
 	/* interpret the command */
 	DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
-		 get_pipe_name_from_syntax(talloc_tos(), syntax),
+		 ndr_interface_name(&syntax->uuid, syntax->if_version),
 		 pkt->u.request.opnum));
 
 	if (DEBUGLEVEL >= 50) {
@@ -1276,7 +1282,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
 	/* do the actual command */
 	if(!api_rpc_cmds[fn_num].fn(p)) {
 		DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
-			 get_pipe_name_from_syntax(talloc_tos(), syntax),
+			 ndr_interface_name(&syntax->uuid, syntax->if_version),
 			 api_rpc_cmds[fn_num].name));
 		data_blob_free(&p->out_data.rdata);
 		return False;
@@ -1299,7 +1305,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
 	}
 
 	DEBUG(5,("api_rpcTNP: called %s successfully\n",
-		 get_pipe_name_from_syntax(talloc_tos(), syntax)));
+		 ndr_interface_name(&syntax->uuid, syntax->if_version)));
 
 	/* Check for buffer underflow in rpc parsing */
 	if ((DEBUGLEVEL >= 10) &&
diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c
index 3f8ff44..fcbfa77 100644
--- a/source3/rpc_server/srv_pipe_hnd.c
+++ b/source3/rpc_server/srv_pipe_hnd.c
@@ -30,6 +30,7 @@
 #include "rpc_server/rpc_config.h"
 #include "../lib/tsocket/tsocket.h"
 #include "../lib/util/tevent_ntstatus.h"
+#include "librpc/ndr/ndr_table.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -281,7 +282,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
 	}
 
 	DEBUG(6,(" name: %s len: %u\n",
-		 get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
+		 ndr_interface_name(&p->contexts->syntax.uuid,
+				    p->contexts->syntax.if_version),
 		 (unsigned int)n));
 
 	/*
@@ -299,7 +301,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
                 DEBUG(5,("read_from_pipe: too large read (%u) requested on "
 			 "pipe %s. We can only service %d sized reads.\n",
 			 (unsigned int)n,
-			 get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
+			 ndr_interface_name(&p->contexts->syntax.uuid,
+					    p->contexts->syntax.if_version),
 			 RPC_MAX_PDU_FRAG_LEN ));
 		n = RPC_MAX_PDU_FRAG_LEN;
 	}
@@ -320,7 +323,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
 
 		DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, "
 			  "current_pdu_sent = %u returning %d bytes.\n",
-			  get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
+			  ndr_interface_name(&p->contexts->syntax.uuid,
+					     p->contexts->syntax.if_version),
 			  (unsigned int)p->out_data.frag.length,
 			  (unsigned int)p->out_data.current_pdu_sent,
 			  (int)data_returned));
@@ -341,7 +345,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
 
 	DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length "
 		  "= %u, p->out_data.rdata.length = %u.\n",
-		  get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax),
+		  ndr_interface_name(&p->contexts->syntax.uuid,
+				     p->contexts->syntax.if_version),
 		  (int)p->fault_state,
 		  (unsigned int)p->out_data.data_sent_length,
 		  (unsigned int)p->out_data.rdata.length));
@@ -363,7 +368,8 @@ static ssize_t read_from_internal_pipe(struct pipes_struct *p, char *data,
 
 	if(!create_next_pdu(p)) {
 		DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n",
-			 get_pipe_name_from_syntax(talloc_tos(), &p->contexts->syntax)));
+			 ndr_interface_name(&p->contexts->syntax.uuid,
+					    p->contexts->syntax.if_version)));
 		return -1;
 	}
 
diff --git a/source3/wscript_build b/source3/wscript_build
index 0bf84e2..bb2e928 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -672,7 +672,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
                    deps='''ndr ndr-standard
                     RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
                     LIBTSOCKET gse dcerpc-binding
-                    libsmb''',
+                    libsmb
+                    ndr-table''',
                    vars=locals(),
                    private_library=True)
 
-- 
1.9.3


From 6e6ba9bb34ac4e1d55056ef82e4bad8ab2d65b0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Thu, 8 Aug 2013 17:33:29 +0200
Subject: [PATCH 109/249] librpc: add dcerpc_default_transport_endpoint()
 function.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 40ee3d8a5f7439b90f1ebf5e40535fad51038fe6)
---
 librpc/rpc/dcerpc_util.c | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
 librpc/rpc/rpc_common.h  |  3 +++
 2 files changed, 58 insertions(+)

diff --git a/librpc/rpc/dcerpc_util.c b/librpc/rpc/dcerpc_util.c
index 0b9cca3..4046f32 100644
--- a/librpc/rpc/dcerpc_util.c
+++ b/librpc/rpc/dcerpc_util.c
@@ -332,3 +332,58 @@ NTSTATUS dcerpc_read_ncacn_packet_recv(struct tevent_req *req,
 	tevent_req_received(req);
 	return NT_STATUS_OK;
 }
+
+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
+					      enum dcerpc_transport_t transport,
+					      const struct ndr_interface_table *table)
+{
+	NTSTATUS status;
+	const char *p = NULL;
+	const char *endpoint = NULL;
+	int i;
+	struct dcerpc_binding *default_binding = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+
+	/* Find one of the default pipes for this interface */
+
+	for (i = 0; i < table->endpoints->count; i++) {
+
+		status = dcerpc_parse_binding(frame, table->endpoints->names[i],
+					      &default_binding);
+		if (NT_STATUS_IS_OK(status)) {
+			if (transport == NCA_UNKNOWN &&
+			    default_binding->endpoint != NULL) {
+				p = default_binding->endpoint;
+				break;
+			}
+			if (default_binding->transport == transport &&
+			    default_binding->endpoint != NULL) {
+				p = default_binding->endpoint;
+				break;
+			}
+		}
+	}
+
+	if (i == table->endpoints->count || p == NULL) {
+		goto done;
+	}
+
+	/*
+	 * extract the pipe name without \\pipe from for example
+	 * ncacn_np:[\\pipe\\epmapper]
+	 */
+	if (default_binding->transport == NCACN_NP) {
+		if (strncasecmp(p, "\\pipe\\", 6) == 0) {
+			p += 6;
+		}
+		if (strncmp(p, "\\", 1) == 0) {
+			p += 1;
+		}
+	}
+
+	endpoint = talloc_strdup(mem_ctx, p);
+
+ done:
+	talloc_free(frame);
+	return endpoint;
+}
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index e2b3755..d2816f5 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -143,6 +143,9 @@ void dcerpc_set_frag_length(DATA_BLOB *blob, uint16_t v);
 uint16_t dcerpc_get_frag_length(const DATA_BLOB *blob);
 void dcerpc_set_auth_length(DATA_BLOB *blob, uint16_t v);
 uint8_t dcerpc_get_endian_flag(DATA_BLOB *blob);
+const char *dcerpc_default_transport_endpoint(TALLOC_CTX *mem_ctx,
+					      enum dcerpc_transport_t transport,
+					      const struct ndr_interface_table *table);
 
 /**
 * @brief	Pull a dcerpc_auth structure, taking account of any auth
-- 
1.9.3


From a71f6912117ef5054cba4346f8bfd555d70d7837 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 18 Sep 2013 10:59:14 +0200
Subject: [PATCH 110/249] s3-rpc: use dcerpc_default_transport_endpoint
 function.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b73e2d927b2221cb3fde8776789c8ca085cf2b8f)
---
 source3/rpc_client/rpc_transport_np.c |  4 +++-
 source3/rpc_server/rpc_ncacn_np.c     | 12 ++++++++++--
 source3/rpc_server/srv_pipe.c         | 28 +++++++++++++++++++++-------
 3 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/source3/rpc_client/rpc_transport_np.c b/source3/rpc_client/rpc_transport_np.c
index c0f313e..91943f4 100644
--- a/source3/rpc_client/rpc_transport_np.c
+++ b/source3/rpc_client/rpc_transport_np.c
@@ -22,6 +22,7 @@
 #include "rpc_client/rpc_transport.h"
 #include "libsmb/cli_np_tstream.h"
 #include "client.h"
+#include "librpc/ndr/ndr_table.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_CLI
@@ -55,7 +56,8 @@ struct tevent_req *rpc_transport_np_init_send(TALLOC_CTX *mem_ctx,
 	state->ev = ev;
 	state->cli = cli;
 	state->abs_timeout = timeval_current_ofs_msec(cli->timeout);
-	state->pipe_name = get_pipe_name_from_syntax(state, &table->syntax_id);
+	state->pipe_name = dcerpc_default_transport_endpoint(state, NCACN_NP,
+							     table);
 	if (tevent_req_nomem(state->pipe_name, req)) {
 		return tevent_req_post(req, ev);
 	}
diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index 7389b3e..46b77fd 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -36,6 +36,7 @@
 #include "../lib/util/tevent_ntstatus.h"
 #include "rpc_contexts.h"
 #include "rpc_server/rpc_config.h"
+#include "librpc/ndr/ndr_table.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -54,8 +55,15 @@ struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
 	struct pipe_rpc_fns *context_fns;
 	const char *pipe_name;
 	int ret;
+	const struct ndr_interface_table *table;
 
-	pipe_name = get_pipe_name_from_syntax(talloc_tos(), syntax);
+	table = ndr_table_by_uuid(&syntax->uuid);
+	if (table == NULL) {
+		DEBUG(0,("unknown interface\n"));
+		return NULL;
+	}
+
+	pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
 
 	DEBUG(4,("Create pipe requested %s\n", pipe_name));
 
@@ -783,7 +791,7 @@ NTSTATUS rpc_pipe_open_interface(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	pipe_name = get_pipe_name_from_syntax(tmp_ctx, &table->syntax_id);
+	pipe_name = dcerpc_default_transport_endpoint(mem_ctx, NCACN_NP, table);
 	if (pipe_name == NULL) {
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto done;
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 19dbc37..5f834fb 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -552,6 +552,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	struct dcerpc_ack_ctx bind_ack_ctx;
 	DATA_BLOB auth_resp = data_blob_null;
 	DATA_BLOB auth_blob = data_blob_null;
+	const struct ndr_interface_table *table;
 
 	/* No rebinds on a bound pipe - use alter context. */
 	if (p->pipe_bound) {
@@ -569,15 +570,21 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	 * that this is a pipe name we support.
 	 */
 	id = pkt->u.bind.ctx_list[0].abstract_syntax;
+
+	table = ndr_table_by_uuid(&id.uuid);
+	if (table == NULL) {
+		DEBUG(0,("unknown interface\n"));
+		return false;
+	}
+
 	if (rpc_srv_pipe_exists_by_id(&id)) {
 		DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
 			  rpc_srv_get_pipe_cli_name(&id),
 			  rpc_srv_get_pipe_srv_name(&id)));
 	} else {
 		status = smb_probe_module(
-			"rpc", get_pipe_name_from_syntax(
-				talloc_tos(),
-				&id));
+			"rpc", dcerpc_default_transport_endpoint(pkt,
+				NCACN_NP, table));
 
 		if (NT_STATUS_IS_ERR(status)) {
 			DEBUG(3,("api_pipe_bind_req: Unknown rpc service name "
@@ -589,8 +596,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 		}
 
 		if (rpc_srv_get_pipe_interface_by_cli_name(
-				get_pipe_name_from_syntax(talloc_tos(),
-							  &id),
+				dcerpc_default_transport_endpoint(pkt,
+					NCACN_NP, table),
 				&id)) {
 			DEBUG(3, ("api_pipe_bind_req: %s -> %s rpc service\n",
 				  rpc_srv_get_pipe_cli_name(&id),
@@ -1240,16 +1247,23 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
 {
 	int fn_num;
 	uint32_t offset1;
+	const struct ndr_interface_table *table;
 
 	/* interpret the command */
 	DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
 		 ndr_interface_name(&syntax->uuid, syntax->if_version),
 		 pkt->u.request.opnum));
 
+	table = ndr_table_by_uuid(&syntax->uuid);
+	if (table == NULL) {
+		DEBUG(0,("unknown interface\n"));
+		return false;
+	}
+
 	if (DEBUGLEVEL >= 50) {
 		fstring name;
 		slprintf(name, sizeof(name)-1, "in_%s",
-			 get_pipe_name_from_syntax(talloc_tos(), syntax));
+			 dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
 		dump_pdu_region(name, pkt->u.request.opnum,
 				&p->in_data.data, 0,
 				p->in_data.data.length);
@@ -1298,7 +1312,7 @@ static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
 	if (DEBUGLEVEL >= 50) {
 		fstring name;
 		slprintf(name, sizeof(name)-1, "out_%s",
-			 get_pipe_name_from_syntax(talloc_tos(), syntax));
+			 dcerpc_default_transport_endpoint(pkt, NCACN_NP, table));
 		dump_pdu_region(name, pkt->u.request.opnum,
 				&p->out_data.rdata, offset1,
 				p->out_data.rdata.length);
-- 
1.9.3


From 8bb6f177b210159ea6317b20e2cc12732b4d273a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 7 Aug 2013 17:43:08 +0200
Subject: [PATCH 111/249] s3-rpc: remove unused source3/librpc/rpc/rpc_common.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Fri Sep 20 14:57:06 CEST 2013 on sn-devel-104
(cherry picked from commit 807628ecac445999e75ec9ea1abdc5f2fde356d6)
---
 source3/librpc/rpc/dcerpc.h     |   8 --
 source3/librpc/rpc/rpc_common.c | 209 ----------------------------------------
 source3/wscript_build           |   1 -
 3 files changed, 218 deletions(-)
 delete mode 100644 source3/librpc/rpc/rpc_common.c

diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index 38d59cd..b18b7ba 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -85,12 +85,4 @@ NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
 			   DATA_BLOB *raw_pkt,
 			   size_t *pad_len);
 
-/* The following definitions come from librpc/rpc/rpc_common.c  */
-
-bool smb_register_ndr_interface(const struct ndr_interface_table *interface);
-const struct ndr_interface_table *get_iface_from_syntax(
-	const struct ndr_syntax_id *syntax);
-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
-                                     const struct ndr_syntax_id *syntax);
-
 #endif /* __S3_DCERPC_H__ */
diff --git a/source3/librpc/rpc/rpc_common.c b/source3/librpc/rpc/rpc_common.c
deleted file mode 100644
index 1219b2d..0000000
--- a/source3/librpc/rpc/rpc_common.c
+++ /dev/null
@@ -1,209 +0,0 @@
-/* 
- *  Unix SMB/CIFS implementation.
- *  RPC Pipe client / server routines
- *  Largely rewritten by Jeremy Allison		    2005.
- *  
- *  This program is free software; you can redistribute it and/or modify
- *  it under the terms of the GNU General Public License as published by
- *  the Free Software Foundation; either version 3 of the License, or
- *  (at your option) any later version.
- *  
- *  This program is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- *  GNU General Public License for more details.
- *  
- *  You should have received a copy of the GNU General Public License
- *  along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-#include "includes.h"
-#include "librpc/rpc/dcerpc.h"
-#include "../librpc/gen_ndr/ndr_lsa.h"
-#include "../librpc/gen_ndr/ndr_dssetup.h"
-#include "../librpc/gen_ndr/ndr_samr.h"
-#include "../librpc/gen_ndr/ndr_netlogon.h"
-#include "../librpc/gen_ndr/ndr_srvsvc.h"
-#include "../librpc/gen_ndr/ndr_wkssvc.h"
-#include "../librpc/gen_ndr/ndr_winreg.h"
-#include "../librpc/gen_ndr/ndr_spoolss.h"
-#include "../librpc/gen_ndr/ndr_dfs.h"
-#include "../librpc/gen_ndr/ndr_echo.h"
-#include "../librpc/gen_ndr/ndr_initshutdown.h"
-#include "../librpc/gen_ndr/ndr_svcctl.h"
-#include "../librpc/gen_ndr/ndr_eventlog.h"
-#include "../librpc/gen_ndr/ndr_ntsvcs.h"
-#include "../librpc/gen_ndr/ndr_epmapper.h"
-#include "../librpc/gen_ndr/ndr_drsuapi.h"
-#include "../librpc/gen_ndr/ndr_fsrvp.h"
-
-static const char *get_pipe_name_from_iface(
-	TALLOC_CTX *mem_ctx, const struct ndr_interface_table *interface)
-{
-	int i;
-	const struct ndr_interface_string_array *ep = interface->endpoints;
-	char *p;
-
-	for (i=0; i<ep->count; i++) {
-		if (strncmp(ep->names[i], "ncacn_np:[\\pipe\\", 16) == 0) {
-			break;
-		}
-	}
-	if (i == ep->count) {
-		return NULL;
-	}
-
-	/*
-	 * extract the pipe name without \\pipe from for example
-	 * ncacn_np:[\\pipe\\epmapper]
-	 */
-	p = strchr(ep->names[i]+15, ']');
-	if (p == NULL) {
-		return "PIPE";
-	}
-	return talloc_strndup(mem_ctx, ep->names[i]+15, p - ep->names[i] - 15);
-}
-
-static const struct ndr_interface_table **interfaces;
-
-bool smb_register_ndr_interface(const struct ndr_interface_table *interface)
-{
-	int num_interfaces = talloc_array_length(interfaces);
-	const struct ndr_interface_table **tmp;
-	int i;
-
-	for (i=0; i<num_interfaces; i++) {
-		if (ndr_syntax_id_equal(&interfaces[i]->syntax_id,
-					&interface->syntax_id)) {
-			return true;
-		}
-	}
-
-	tmp = talloc_realloc(NULL, interfaces,
-			     const struct ndr_interface_table *,
-			     num_interfaces + 1);
-	if (tmp == NULL) {
-		DEBUG(1, ("smb_register_ndr_interface: talloc failed\n"));
-		return false;
-	}
-	interfaces = tmp;
-	interfaces[num_interfaces] = interface;
-	return true;
-}
-
-static bool initialize_interfaces(void)
-{
-	if (!smb_register_ndr_interface(&ndr_table_lsarpc)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_dssetup)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_samr)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_netlogon)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_srvsvc)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_wkssvc)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_winreg)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_spoolss)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_netdfs)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_rpcecho)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_initshutdown)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_svcctl)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_eventlog)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_ntsvcs)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_epmapper)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_drsuapi)) {
-		return false;
-	}
-	if (!smb_register_ndr_interface(&ndr_table_FileServerVssAgent)) {
-		return false;
-	}
-	return true;
-}
-
-const struct ndr_interface_table *get_iface_from_syntax(
-	const struct ndr_syntax_id *syntax)
-{
-	int num_interfaces;
-	int i;
-
-	if (interfaces == NULL) {
-		if (!initialize_interfaces()) {
-			return NULL;
-		}
-	}
-	num_interfaces = talloc_array_length(interfaces);
-
-	for (i=0; i<num_interfaces; i++) {
-		if (ndr_syntax_id_equal(&interfaces[i]->syntax_id, syntax)) {
-			return interfaces[i];
-		}
-	}
-
-	return NULL;
-}
-
-/****************************************************************************
- Return the pipe name from the interface.
- ****************************************************************************/
-
-const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
-				      const struct ndr_syntax_id *syntax)
-{
-	const struct ndr_interface_table *interface;
-	char *guid_str;
-	const char *result;
-
-	interface = get_iface_from_syntax(syntax);
-	if (interface != NULL) {
-		result = get_pipe_name_from_iface(mem_ctx, interface);
-		if (result != NULL) {
-			return result;
-		}
-	}
-
-	/*
-	 * Here we should ask \\epmapper, but for now our code is only
-	 * interested in the known pipes mentioned in pipe_names[]
-	 */
-
-	guid_str = GUID_string(talloc_tos(), &syntax->uuid);
-	if (guid_str == NULL) {
-		return NULL;
-	}
-	result = talloc_asprintf(mem_ctx, "Interface %s.%d", guid_str,
-				 (int)syntax->if_version);
-	TALLOC_FREE(guid_str);
-
-	if (result == NULL) {
-		return "PIPE";
-	}
-	return result;
-}
-
diff --git a/source3/wscript_build b/source3/wscript_build
index bb2e928..8126cf6 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -141,7 +141,6 @@ LIBSMB_SRC = '''libsmb/clientgen.c libsmb/cliconnect.c libsmb/clifile.c
 
 LIBMSRPC_SRC = '''
                rpc_client/cli_pipe.c
-               librpc/rpc/rpc_common.c
                rpc_client/rpc_transport_np.c
                rpc_client/rpc_transport_sock.c
                rpc_client/rpc_transport_tstream.c
-- 
1.9.3


From 2b2d978bd97299371a1fd7798d69ab377a76d389 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 14 Aug 2013 09:27:59 +0000
Subject: [PATCH 112/249] winbind3: Fix an invalid free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This fixes a warning I've never seen before :-)

../source3/winbindd/winbindd_cm.c:781:59: warning: attempt to free a non-heap object ‘machine_krb5_principal’ [-Wfree-nonheap-object]

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Aug 14 14:04:16 CEST 2013 on sn-devel-104
(cherry picked from commit 5f75814586f2d6f7c2dc8fd9342cb045c1f7e68c)
---
 source3/winbindd/winbindd_cm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index facef64..d868826 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -840,7 +840,7 @@ static NTSTATUS get_trust_creds(const struct winbindd_domain *domain,
 		}
 
 		if (!strupper_m(*machine_krb5_principal)) {
-			SAFE_FREE(machine_krb5_principal);
+			SAFE_FREE(*machine_krb5_principal);
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 	}
-- 
1.9.3


From 1b88903c4f5931397e22874b3751dd05a03a2dea Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 11 Oct 2013 13:34:13 +1300
Subject: [PATCH 113/249] s3-winbindd: Remove undocumented winbindd:socket dir
 parameter

This uses the documeted "winbindd socket directory" parameter instead.

This came about due to the merge of the two smb.conf tables in s3 and
s4 for the Samba 4.0 release.  The s4 code used a real parameter,
which caused this to be documented, whereas no automatic procedure
existed to notice the parametric option and the need to document that.
The fact that this was not used consistently in both codebases is one
of the many areas of technical debt we still need to pay off here.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit e512491552d9ed0dc1005a23ffc8f77ba237f863)
---
 selftest/target/Samba3.pm         | 2 +-
 source3/include/proto.h           | 1 +
 source3/param/loadparm.c          | 1 +
 source3/winbindd/winbindd.c       | 9 ++-------
 source3/winbindd/winbindd_proto.h | 1 -
 5 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index ba01154..d8f0c27 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -972,7 +972,7 @@ sub provision($$$$$$)
 	printing = bsd
 	printcap name = /dev/null
 
-	winbindd:socket dir = $wbsockdir
+	winbindd socket directory = $wbsockdir
 	nmbd:socket dir = $nmbdsockdir
 	idmap config * : range = 100000-200000
 	winbind enum users = yes
diff --git a/source3/include/proto.h b/source3/include/proto.h
index cbad7ac..53cd59d 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1069,6 +1069,7 @@ char *lp_wins_hook(TALLOC_CTX *ctx);
 const char *lp_template_homedir(void);
 const char *lp_template_shell(void);
 const char *lp_winbind_separator(void);
+const char *lp_winbindd_socket_directory(void);
 bool lp_winbind_enum_users(void);
 bool lp_winbind_enum_groups(void);
 bool lp_winbind_use_default_domain(void);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 4b31023..b2804ae 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -961,6 +961,7 @@ static void init_globals(bool reinit_globals)
 	string_set(&Globals.szTemplateShell, "/bin/false");
 	string_set(&Globals.szTemplateHomedir, "/home/%D/%U");
 	string_set(&Globals.szWinbindSeparator, "\\");
+	string_set(&Globals.szWinbinddSocketDirectory, dyn_WINBINDD_SOCKET_DIR);
 
 	string_set(&Globals.szCupsServer, "");
 	string_set(&Globals.szIPrintServer, "");
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index f101e52..69a17bf 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -189,7 +189,7 @@ static void terminate(bool is_parent)
 		char *path = NULL;
 
 		if (asprintf(&path, "%s/%s",
-			get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME) > 0) {
+			lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME) > 0) {
 			unlink(path);
 			SAFE_FREE(path);
 		}
@@ -1067,11 +1067,6 @@ static void winbindd_listen_fde_handler(struct tevent_context *ev,
  * Winbindd socket accessor functions
  */
 
-const char *get_winbind_pipe_dir(void)
-{
-	return lp_parm_const_string(-1, "winbindd", "socket dir", get_dyn_WINBINDD_SOCKET_DIR());
-}
-
 char *get_winbind_priv_pipe_dir(void)
 {
 	return state_path(WINBINDD_PRIV_SOCKET_SUBDIR);
@@ -1092,7 +1087,7 @@ static bool winbindd_setup_listeners(void)
 
 	pub_state->privileged = false;
 	pub_state->fd = create_pipe_sock(
-		get_winbind_pipe_dir(), WINBINDD_SOCKET_NAME, 0755);
+		lp_winbindd_socket_directory(), WINBINDD_SOCKET_NAME, 0755);
 	if (pub_state->fd == -1) {
 		goto failed;
 	}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 3df7d7c..cfc19d0 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -34,7 +34,6 @@ bool winbindd_setup_stdin_handler(bool parent, bool foreground);
 bool winbindd_setup_sig_hup_handler(const char *lfile);
 bool winbindd_use_idmap_cache(void);
 bool winbindd_use_cache(void);
-const char *get_winbind_pipe_dir(void);
 char *get_winbind_priv_pipe_dir(void);
 struct tevent_context *winbind_event_context(void);
 int main(int argc, char **argv, char **envp);
-- 
1.9.3


From d0ae2d10385dea4b8fae3d8932d40f546ff8905b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 15:33:20 +1300
Subject: [PATCH 114/249] lib/param: lp_magicchar takes a const struct
 share_params *p so should be FN_LOCAL_PARM_CHAR

This was found when trying to autogenerate prototypes for lp_ functions again.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 lib/param/loadparm.c        | 2 +-
 lib/param/param_functions.c | 2 +-
 source3/param/loadparm.c    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 455c5e6..4497dbf 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -314,7 +314,7 @@ static struct loadparm_context *global_loadparm_context;
 
 #define FN_LOCAL_PARM_INTEGER(fn_name, val) FN_LOCAL_INTEGER(fn_name, val)
 
-#define FN_LOCAL_CHAR(fn_name,val) \
+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
  _PUBLIC_ char lpcfg_ ## fn_name(struct loadparm_service *service, \
 				struct loadparm_service *sDefault) {	\
 	 return((service != NULL)? service->val : sDefault->val); \
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index d9d5df6..60f9c07 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -147,7 +147,7 @@ FN_LOCAL_INTEGER(aio_write_size, iAioWriteSize)
 FN_LOCAL_INTEGER(map_readonly, iMap_readonly)
 FN_LOCAL_INTEGER(directory_name_cache_size, iDirectoryNameCacheSize)
 FN_LOCAL_INTEGER(smb_encrypt, ismb_encrypt)
-FN_LOCAL_CHAR(magicchar, magic_char)
+FN_LOCAL_PARM_CHAR(magicchar, magic_char)
 FN_LOCAL_STRING(cups_options, szCupsOptions)
 FN_LOCAL_PARM_BOOL(change_notify, bChangeNotify)
 FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index b2804ae..40f3242 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1116,7 +1116,7 @@ char *lp_ ## fn_name(TALLOC_CTX *ctx,int i) {return(lp_string((ctx), (LP_SNUM_OK
  bool lp_ ## fn_name(const struct share_params *p) {return(bool)(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
 #define FN_LOCAL_PARM_INTEGER(fn_name,val) \
  int lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
-#define FN_LOCAL_CHAR(fn_name,val) \
+#define FN_LOCAL_PARM_CHAR(fn_name,val) \
  char lp_ ## fn_name(const struct share_params *p) {return(LP_SNUM_OK(p->service)? ServicePtrs[(p->service)]->val : sDefault.val);}
 
 
-- 
1.9.3


From bf5cb3b6c6e2d3171b70fff5deb9a7767d6609a8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 13:47:27 +1300
Subject: [PATCH 115/249] build: Move loadparm-related build rules to
 source3/param/wscript_build

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/param/wscript_build | 32 ++++++++++++++++++++++++++++++++
 source3/wscript_build       | 36 ++----------------------------------
 2 files changed, 34 insertions(+), 34 deletions(-)
 create mode 100644 source3/param/wscript_build

diff --git a/source3/param/wscript_build b/source3/param/wscript_build
new file mode 100644
index 0000000..278d5f5
--- /dev/null
+++ b/source3/param/wscript_build
@@ -0,0 +1,32 @@
+#!/usr/bin/env python
+
+bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
+                     source='util.c',
+                     deps='talloc')
+
+bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
+                     source='loadparm_ctx.c',
+                     deps='''talloc s3_param_h param''')
+
+bld.SAMBA_GENERATOR('s3_param_global_h',
+                    source= '../../script/mkparamdefs.pl loadparm.c ../../lib/param/param_functions.c',
+                    target='param_global.h',
+                    rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
+
+bld.SAMBA3_PYTHON('pys3param',
+                  source='pyparam.c',
+                  deps='param',
+                  public_deps='samba-hostconfig pytalloc-util talloc',
+                  realname='samba/samba3/param.so')
+
+bld.SAMBA3_SUBSYSTEM('param_service',
+                     source='service.c',
+                     deps = 'USER_UTIL param PRINTING')
+
+bld.SAMBA3_BINARY('test_lp_load',
+                 source='test_lp_load.c',
+                 deps='''
+                 talloc
+                 param
+                 popt_samba3''',
+                 install=False)
diff --git a/source3/wscript_build b/source3/wscript_build
index 8126cf6..13d15c3 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -751,33 +751,9 @@ bld.SAMBA3_SUBSYSTEM('SERVER_MUTEX',
                      source=SERVER_MUTEX_SRC,
 		     deps='talloc')
 
-bld.SAMBA3_SUBSYSTEM('PARAM_UTIL',
-                    source=PARAM_UTIL_SRC,
-		    deps='talloc')
-
-bld.SAMBA3_SUBSYSTEM('LOADPARM_CTX',
-                     source='param/loadparm_ctx.c',
-                     deps='''talloc s3_param_h param''',
-                     vars=locals())
-
-bld.SAMBA_GENERATOR('param/param_global_h',
-                    source= '../script/mkparamdefs.pl param/loadparm.c ../lib/param/param_functions.c',
-                    target='param/param_global.h',
-                    rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
-
 bld.SAMBA3_SUBSYSTEM('param',
                    source=PARAM_WITHOUT_REG_SRC,
-                   deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h param/param_global_h cups''')
-
-bld.SAMBA3_PYTHON('pys3param',
-                  source='param/pyparam.c',
-                  deps='param',
-                  public_deps='samba-hostconfig pytalloc-util talloc',
-                  realname='samba/samba3/param.so')
-    
-bld.SAMBA3_SUBSYSTEM('param_service',
-                     source='param/service.c',
-                     deps = 'USER_UTIL param PRINTING')
+                   deps='samba-util PARAM_UTIL ldap lber LOADPARM_CTX samba3core smbconf param_local_h s3_param_global_h cups''')
 
 bld.SAMBA3_SUBSYSTEM('REGFIO',
                     source=REGFIO_SRC,
@@ -1566,15 +1542,6 @@ bld.SAMBA3_BINARY('rpc_open_tcp',
                  install=False,
                  vars=locals())
 
-bld.SAMBA3_BINARY('test_lp_load',
-                 source=TEST_LP_LOAD_SRC,
-                 deps='''
-                 talloc
-                 param
-                 popt_samba3''',
-                 install=False,
-                 vars=locals())
-
 bld.SAMBA3_BINARY('dbwrap_tool',
                  source=DBWRAP_TOOL_SRC,
                  deps='''
@@ -1638,6 +1605,7 @@ bld.RECURSE('librpc/idl')
 bld.RECURSE('libsmb')
 bld.RECURSE('modules')
 bld.RECURSE('pam_smbpass')
+bld.RECURSE('param')
 bld.RECURSE('passdb')
 bld.RECURSE('rpc_server')
 bld.RECURSE('script')
-- 
1.9.3


From 281cb415404f7044a4bdbc93a21b2f755cbc74ee Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 15:34:40 +1300
Subject: [PATCH 116/249] lib/param: Do not attempt to access the s3 function
 for allocated and subbed string parameters

This allows us not to generate array entries for these, which in turn allows
us to avoid initialising them.  The issue is that we do not have the
% macro sub context nor a talloc context handy (yet).

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 lib/param/loadparm.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 4497dbf..23b45e2 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -232,7 +232,16 @@ static struct loadparm_context *global_loadparm_context;
 #define lpcfg_default_service global_loadparm_context->sDefault
 #define lpcfg_global_service(i) global_loadparm_context->services[i]
 
-#define FN_GLOBAL_STRING(fn_name,var_name)				\
+#define FN_GLOBAL_STRING(fn_name,var_name) \
+ _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
+	 if (lp_ctx == NULL) return NULL;				\
+	 if (lp_ctx->s3_fns) {						\
+	         smb_panic( __location__ ": " #fn_name " not implemented because it is an allocated and substiuted string"); \
+	 }								\
+	 return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
+}
+
+#define FN_GLOBAL_CONST_STRING(fn_name,var_name)				\
  _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
 	if (lp_ctx == NULL) return NULL;				\
 	if (lp_ctx->s3_fns) {						\
@@ -242,16 +251,6 @@ static struct loadparm_context *global_loadparm_context;
 	return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
 }
 
-#define FN_GLOBAL_CONST_STRING(fn_name,var_name) \
- _PUBLIC_ const char *lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) {\
-	 if (lp_ctx == NULL) return NULL;				\
-	 if (lp_ctx->s3_fns) {						\
-		 SMB_ASSERT(lp_ctx->s3_fns->fn_name);			\
-		 return lp_ctx->s3_fns->fn_name();			\
-	 }								\
-	 return lp_ctx->globals->var_name ? lp_string(lp_ctx->globals->var_name) : ""; \
- }
-
 #define FN_GLOBAL_LIST(fn_name,var_name)				\
  _PUBLIC_ const char **lpcfg_ ## fn_name(struct loadparm_context *lp_ctx) { \
 	 if (lp_ctx == NULL) return NULL;				\
-- 
1.9.3


From e610d185d26910e6cb96ddf8507c31c5f1503271 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 15:36:18 +1300
Subject: [PATCH 117/249] param: Skip generating hooks for local and string
 parameters

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 script/mks3param.pl | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/script/mks3param.pl b/script/mks3param.pl
index 4222ca5..799958c 100644
--- a/script/mks3param.pl
+++ b/script/mks3param.pl
@@ -108,7 +108,14 @@ sub handle_loadparm($$)
 {
 	my ($file,$line) = @_;
 
-	if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
+	# Local parameters don't need the ->s3_fns because the struct
+	# loadparm_service is shared and lpcfg_service() checks the ->s3_fns
+	# hook
+	#
+	# STRING isn't handled as we do not yet have a way to pass in a memory context nor
+	# do we have a good way of dealing with the % macros yet.
+
+	if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
 		my $scope = $1;
 		my $type = $2;
 		my $name = $3;
-- 
1.9.3


From 970290dc75404ab366617210edfca718fe21864b Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 15:39:10 +1300
Subject: [PATCH 118/249] s3/param: Autogenerate parameters prototypes again
 after proto.h was frozen

This autogenerates the parameters so that we can keep everything in sync easier,
particularly when adding new parameters.  This will also make it easier to move
to a fully autogenerated system in the future, as it reduces special cases.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 script/mks3param_proto.pl   | 199 ++++++++++++++++++++++++++++++++++++++++++++
 source3/include/proto.h     |   2 +
 source3/param/wscript_build |   5 ++
 3 files changed, 206 insertions(+)
 create mode 100644 script/mks3param_proto.pl

diff --git a/script/mks3param_proto.pl b/script/mks3param_proto.pl
new file mode 100644
index 0000000..446e343
--- /dev/null
+++ b/script/mks3param_proto.pl
@@ -0,0 +1,199 @@
+#!/usr/bin/perl
+# Generate loadparm interfaces tables for Samba3/Samba4 integration
+# by Andrew Bartlett
+# based on mkproto.pl Written by Jelmer Vernooij
+# based on the original mkproto.sh by Andrew Tridgell
+
+use strict;
+
+# don't use warnings module as it is not portable enough
+# use warnings;
+
+use Getopt::Long;
+use File::Basename;
+use File::Path;
+
+#####################################################################
+# read a file into a string
+
+my $file = undef;
+my $public_define = undef;
+my $_public = "";
+my $_private = "";
+my $public_data = \$_public;
+my $builddir = ".";
+my $srcdir = ".";
+
+sub public($)
+{
+	my ($d) = @_;
+	$$public_data .= $d;
+}
+
+sub usage()
+{
+	print "Usage: mks3param.pl [options] [c files]\n";
+	print "OPTIONS:\n";
+	print "  --srcdir=path          Read files relative to this directory\n";
+	print "  --builddir=path        Write file relative to this directory\n";
+	print "  --help                 Print this help message\n\n";
+	exit 0;
+}
+
+GetOptions(
+	'file=s' => sub { my ($f,$v) = @_; $file = $v; },
+	'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
+	'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
+	'help' => \&usage
+) or exit(1);
+
+sub normalize_define($$)
+{
+	my ($define, $file) = @_;
+
+	if (not defined($define) and defined($file)) {
+		$define = "__" . uc($file) . "__";
+		$define =~ tr{./}{__};
+		$define =~ tr{\-}{_};
+	} elsif (not defined($define)) {
+		$define = '_S3_PARAM_PROTO_H_';
+	}
+
+	return $define;
+}
+
+$public_define = normalize_define($public_define, $file);
+
+sub file_load($)
+{
+    my($filename) = @_;
+    local(*INPUTFILE);
+    open(INPUTFILE, $filename) or return undef;
+    my($saved_delim) = $/;
+    undef $/;
+    my($data) = <INPUTFILE>;
+    close(INPUTFILE);
+    $/ = $saved_delim;
+    return $data;
+}
+
+sub print_header($$)
+{
+	my ($file, $header_name) = @_;
+	$file->("#ifndef $header_name\n");
+	$file->("#define $header_name\n\n");
+	$file->("/* This file was automatically generated by mks3param_proto.pl. DO NOT EDIT */\n\n");
+}
+
+sub print_footer($$)
+{
+	my ($file, $header_name) = @_;
+	$file->("\n#endif /* $header_name */\n\n");
+}
+
+sub handle_loadparm($$)
+{
+	my ($file,$line) = @_;
+
+	my $scope;
+	my $type;
+	my $name;
+	my $var;
+	my $param;
+
+	if ($line =~ /^FN_(GLOBAL|LOCAL)_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
+		$scope = $1;
+		$type = $2;
+		$name = $3;
+		$var = $4;
+		$param = "int";
+	} elsif ($line =~ /^FN_(GLOBAL|LOCAL)_PARM_(CONST_STRING|STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),(.*)\)/o) {
+		$scope = $1;
+		$type = $2;
+		$name = $3;
+		$var = $4;
+		$param = "const struct share_params *p";
+	} else {
+	        return;
+	}
+
+	my %tmap = (
+	        "BOOL" => "bool ",
+	        "CONST_STRING" => "const char *",
+	        "STRING" => "char *",
+	        "INTEGER" => "int ",
+	        "CHAR" => "char ",
+	        "LIST" => "const char **",
+	);
+
+	my %smap = (
+	        "GLOBAL" => "void",
+	        "LOCAL" => "$param"
+	        );
+
+	if (($type eq "STRING") and ($scope eq "GLOBAL")) {
+	    $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx);\n");
+	} elsif (($type eq "STRING") and ($scope eq "LOCAL")) {
+	    $file->("$tmap{$type}lp_$name(TALLOC_CTX *ctx, $smap{$scope});\n");
+	} else {
+	    $file->("$tmap{$type}lp_$name($smap{$scope});\n");
+	}
+}
+
+sub process_file($$)
+{
+	my ($file, $filename) = @_;
+
+	$filename =~ s/\.o$/\.c/g;
+
+	if ($filename =~ /^\//) {
+		open(FH, "<$filename") or die("Failed to open $filename");
+	} elsif (!open(FH, "< $builddir/$filename")) {
+	    open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
+	}
+
+	my $comment = undef;
+	my $incomment = 0;
+	while (my $line = <FH>) {
+		if ($line =~ /^\/\*\*/) {
+			$comment = "";
+			$incomment = 1;
+		}
+
+		if ($incomment) {
+			$comment .= $line;
+			if ($line =~ /\*\//) {
+				$incomment = 0;
+			}
+		}
+
+		# these are ordered for maximum speed
+		next if ($line =~ /^\s/);
+
+		next unless ($line =~ /\(/);
+
+		next if ($line =~ /^\/|[;]/);
+
+		if ($line =~ /^FN_/) {
+			handle_loadparm($file, $line);
+		}
+		next;
+	}
+
+	close(FH);
+}
+
+
+print_header(\&public, $public_define);
+
+process_file(\&public, $_) foreach (@ARGV);
+print_footer(\&public, $public_define);
+
+if (not defined($file)) {
+	print STDOUT $$public_data;
+}
+
+mkpath(dirname($file), 0, 0755);
+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
+print PUBLIC "$$public_data";
+close(PUBLIC);
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 53cd59d..614baa4 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -993,6 +993,8 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
 
 /* The following definitions come from param/loadparm.c  */
 
+#include "source3/param/param_proto.h"
+
 const char **lp_smb_ports(void);
 const char *lp_dos_charset(void);
 const char *lp_unix_charset(void);
diff --git a/source3/param/wscript_build b/source3/param/wscript_build
index 278d5f5..643c27e 100644
--- a/source3/param/wscript_build
+++ b/source3/param/wscript_build
@@ -13,6 +13,11 @@ bld.SAMBA_GENERATOR('s3_param_global_h',
                     target='param_global.h',
                     rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT} --generate-scope=GLOBAL')
 
+bld.SAMBA_GENERATOR('s3_param_proto_h',
+                    source= '../../script/mks3param_proto.pl loadparm.c ../../lib/param/param_functions.c',
+                    target='param_proto.h',
+                    rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
+
 bld.SAMBA3_PYTHON('pys3param',
                   source='pyparam.c',
                   deps='param',
-- 
1.9.3


From 4f87a4ca65b386e90cca479aabdf9051de2c67e3 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 15:46:43 +1300
Subject: [PATCH 119/249] param: Autogenerate s3 lp_ctx glue table

This allows us to use more lpcfg_ functions without adding them
manually.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 lib/param/wscript_build       |   1 +
 script/mks3param_ctx_table.pl | 139 ++++++++++++++++++++++++++++++++++++++++++
 source3/param/loadparm_ctx.c  |  64 +------------------
 source3/param/wscript_build   |   5 ++
 4 files changed, 146 insertions(+), 63 deletions(-)
 create mode 100644 script/mks3param_ctx_table.pl

diff --git a/lib/param/wscript_build b/lib/param/wscript_build
index 10e05a3..0e1a2e0 100644
--- a/lib/param/wscript_build
+++ b/lib/param/wscript_build
@@ -11,6 +11,7 @@ bld.SAMBA_GENERATOR('s3_param_h',
                     target='s3_param.h',
                     rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
 
+
 bld.SAMBA_GENERATOR('param_global_h',
                     source= '../../script/mkparamdefs.pl loadparm.c param_functions.c',
                     target='param_global.h',
diff --git a/script/mks3param_ctx_table.pl b/script/mks3param_ctx_table.pl
new file mode 100644
index 0000000..cfd6e02
--- /dev/null
+++ b/script/mks3param_ctx_table.pl
@@ -0,0 +1,139 @@
+#!/usr/bin/perl
+# Generate loadparm interfaces tables for Samba3/Samba4 integration
+# by Andrew Bartlett
+# based on mkproto.pl Written by Jelmer Vernooij
+# based on the original mkproto.sh by Andrew Tridgell
+
+use strict;
+
+# don't use warnings module as it is not portable enough
+# use warnings;
+
+use Getopt::Long;
+use File::Basename;
+use File::Path;
+
+#####################################################################
+# read a file into a string
+
+my $file = undef;
+my $public_define = undef;
+my $_public = "";
+my $_private = "";
+my $public_data = \$_public;
+my $builddir = ".";
+my $srcdir = ".";
+
+sub public($)
+{
+	my ($d) = @_;
+	$$public_data .= $d;
+}
+
+sub usage()
+{
+	print "Usage: mks3param.pl [options] [c files]\n";
+	print "OPTIONS:\n";
+	print "  --srcdir=path          Read files relative to this directory\n";
+	print "  --builddir=path        Write file relative to this directory\n";
+	print "  --help                 Print this help message\n\n";
+	exit 0;
+}
+
+GetOptions(
+	'file=s' => sub { my ($f,$v) = @_; $file = $v; },
+	'srcdir=s' => sub { my ($f,$v) = @_; $srcdir = $v; },
+	'builddir=s' => sub { my ($f,$v) = @_; $builddir = $v; },
+	'help' => \&usage
+) or exit(1);
+
+sub file_load($)
+{
+    my($filename) = @_;
+    local(*INPUTFILE);
+    open(INPUTFILE, $filename) or return undef;
+    my($saved_delim) = $/;
+    undef $/;
+    my($data) = <INPUTFILE>;
+    close(INPUTFILE);
+    $/ = $saved_delim;
+    return $data;
+}
+
+sub print_header($)
+{
+	my ($file) = @_;
+	$file->("/* This file was automatically generated by mks3param_ctx.pl. DO NOT EDIT */\n\n");
+	$file->("static const struct loadparm_s3_helpers s3_fns = \n");
+	$file->("{\n");
+	$file->("\t.get_parametric = lp_parm_const_string_service,\n");
+	$file->("\t.get_parm_struct = lp_get_parameter,\n");
+	$file->("\t.get_parm_ptr = lp_parm_ptr,\n");
+	$file->("\t.get_service = lp_service_for_s4_ctx,\n");
+	$file->("\t.get_servicebynum = lp_servicebynum_for_s4_ctx,\n");
+	$file->("\t.get_default_loadparm_service = lp_default_loadparm_service,\n");
+	$file->("\t.get_numservices = lp_numservices,\n");
+	$file->("\t.load = lp_load_for_s4_ctx,\n");
+	$file->("\t.set_cmdline = lp_set_cmdline,\n");
+	$file->("\t.dump = lp_dump,\n");
+}
+
+sub print_footer($)
+{
+	my ($file) = @_;
+	$file->("};");
+}
+
+sub handle_loadparm($$)
+{
+	my ($file,$line) = @_;
+
+	# STRING isn't handled here, as we still don't know what to do with the substituted vars */
+	# LOCAL also isn't handled here
+	if ($line =~ /^FN_(GLOBAL)_(CONST_STRING|BOOL|bool|CHAR|INTEGER|LIST)\((\w+),.*\)/o) {
+		my $scope = $1;
+		my $type = $2;
+		my $name = $3;
+
+		$file->(".$name = lp_$name,\n");
+	}
+}
+
+sub process_file($$)
+{
+	my ($file, $filename) = @_;
+
+	$filename =~ s/\.o$/\.c/g;
+
+	if ($filename =~ /^\//) {
+		open(FH, "<$filename") or die("Failed to open $filename");
+	} elsif (!open(FH, "< $builddir/$filename")) {
+	    open(FH, "< $srcdir/$filename") || die "Failed to open $filename";
+	}
+
+	my $comment = undef;
+	my $incomment = 0;
+	while (my $line = <FH>) {
+		if ($line =~ /^FN_/) {
+			handle_loadparm($file, $line);
+		}
+		next;
+	}
+
+	close(FH);
+}
+
+
+print_header(\&public);
+
+process_file(\&public, $_) foreach (@ARGV);
+print_footer(\&public);
+
+if (not defined($file)) {
+	print STDOUT $$public_data;
+}
+
+mkpath(dirname($file), 0, 0755);
+open(PUBLIC, ">$file") or die("Can't open `$file': $!");
+print PUBLIC "$$public_data";
+close(PUBLIC);
diff --git a/source3/param/loadparm_ctx.c b/source3/param/loadparm_ctx.c
index 63ead53..5cbc920 100644
--- a/source3/param/loadparm_ctx.c
+++ b/source3/param/loadparm_ctx.c
@@ -56,69 +56,7 @@ static bool lp_load_for_s4_ctx(const char *filename)
 	return status;
 }
 
-/* These are in the order that they appear in the s4 loadparm file.
- * All of the s4 loadparm functions should be here eventually, once
- * they are implemented in the s3 loadparm, have the same format (enum
- * values in particular) and defaults. */
-static const struct loadparm_s3_helpers s3_fns =
-{
-	.get_parametric = lp_parm_const_string_service,
-	.get_parm_struct = lp_get_parameter,
-	.get_parm_ptr = lp_parm_ptr,
-	.get_service = lp_service_for_s4_ctx,
-	.get_servicebynum = lp_servicebynum_for_s4_ctx,
-	.get_default_loadparm_service = lp_default_loadparm_service,
-	.get_numservices = lp_numservices,
-	.load = lp_load_for_s4_ctx,
-	.set_cmdline = lp_set_cmdline,
-	.dump = lp_dump,
-
-	._server_role = lp__server_role,
-	._security = lp__security,
-	._domain_master = lp__domain_master,
-	._domain_logons = lp__domain_logons,
-
-	.winbind_separator = lp_winbind_separator,
-	.template_homedir = lp_template_homedir,
-	.template_shell = lp_template_shell,
-
-	.dos_charset = lp_dos_charset,
-	.unix_charset = lp_unix_charset,
-
-	.realm = lp_realm,
-	.dnsdomain = lp_dnsdomain,
-	.socket_options = lp_socket_options,
-	.workgroup = lp_workgroup,
-
-	.netbios_name = lp_netbios_name,
-	.netbios_scope = lp_netbios_scope,
-	.netbios_aliases = lp_netbios_aliases,
-
-	.lanman_auth = lp_lanman_auth,
-	.ntlm_auth = lp_ntlm_auth,
-
-	.client_plaintext_auth = lp_client_plaintext_auth,
-	.client_lanman_auth = lp_client_lanman_auth,
-	.client_ntlmv2_auth = lp_client_ntlmv2_auth,
-	.client_use_spnego_principal = lp_client_use_spnego_principal,
-
-	.private_dir = lp_private_dir,
-	.ncalrpc_dir = lp_ncalrpc_dir,
-	.lockdir = lp_lockdir,
-
-	.passdb_backend = lp_passdb_backend,
-
-	.host_msdfs = lp_host_msdfs,
-	.unix_extensions = lp_unix_extensions,
-	.use_spnego = lp_use_spnego,
-	.use_mmap = lp_use_mmap,
-	.use_ntdb = lp_use_ntdb,
-
-	.srv_minprotocol = lp_srv_minprotocol,
-	.srv_maxprotocol = lp_srv_maxprotocol,
-
-	.passwordserver = lp_passwordserver
-};
+#include "loadparm_ctx_table.c"
 
 const struct loadparm_s3_helpers *loadparm_s3_helpers(void)
 {
diff --git a/source3/param/wscript_build b/source3/param/wscript_build
index 643c27e..673cb4d 100644
--- a/source3/param/wscript_build
+++ b/source3/param/wscript_build
@@ -18,6 +18,11 @@ bld.SAMBA_GENERATOR('s3_param_proto_h',
                     target='param_proto.h',
                     rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
 
+bld.SAMBA_GENERATOR('s3_loadparm_ctx_table_c',
+                    source= ' ../../script/mks3param_ctx_table.pl ../../lib/param/loadparm.c ../../lib/param/param_functions.c',
+                    target='loadparm_ctx_table.c',
+                    rule='${PERL} ${SRC[0].abspath(env)} ${SRC[1].abspath(env)} ${SRC[2].abspath(env)} --file ${TGT}')
+
 bld.SAMBA3_PYTHON('pys3param',
                   source='pyparam.c',
                   deps='param',
-- 
1.9.3


From 0046f49e1c690cf5b119859650f06559697fd103 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 14 Oct 2013 15:49:25 +1300
Subject: [PATCH 120/249] proto: Remove manually written lp_ prototypes

This also ensures we remove prototypes from parameters we remove or
rename, and easily see how many special cases we have left.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/include/proto.h | 361 +-----------------------------------------------
 1 file changed, 1 insertion(+), 360 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 614baa4..5e068d2 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -995,379 +995,20 @@ NTSTATUS change_trust_account_password( const char *domain, const char *remote_m
 
 #include "source3/param/param_proto.h"
 
-const char **lp_smb_ports(void);
-const char *lp_dos_charset(void);
-const char *lp_unix_charset(void);
-char *lp_logfile(TALLOC_CTX *ctx);
-char *lp_configfile(TALLOC_CTX *ctx);
-const char *lp_smb_passwd_file(void);
-const char *lp_private_dir(void);
-char *lp_serverstring(TALLOC_CTX *ctx);
-int lp_printcap_cache_time(void);
-char *lp_addport_cmd(TALLOC_CTX *ctx);
-char *lp_enumports_cmd(TALLOC_CTX *ctx);
-char *lp_addprinter_cmd(TALLOC_CTX *ctx);
-char *lp_deleteprinter_cmd(TALLOC_CTX *ctx);
-char *lp_os2_driver_map(TALLOC_CTX *ctx);
-const char *lp_lockdir(void);
 const char *lp_statedir(void);
 const char *lp_cachedir(void);
-const char *lp_piddir(void);
-char *lp_mangling_method(TALLOC_CTX *ctx);
-int lp_mangle_prefix(void);
-const char *lp_utmpdir(void);
-const char *lp_wtmpdir(void);
-bool lp_utmp(void);
-char *lp_rootdir(TALLOC_CTX *ctx);
-char *lp_defaultservice(TALLOC_CTX *ctx);
-char *lp_msg_command(TALLOC_CTX *ctx);
-char *lp_get_quota_command(TALLOC_CTX *ctx);
-char *lp_set_quota_command(TALLOC_CTX *ctx);
-char *lp_auto_services(TALLOC_CTX *ctx);
-char *lp_passwd_program(TALLOC_CTX *ctx);
-char *lp_passwd_chat(TALLOC_CTX *ctx);
-const char *lp_passwordserver(void);
-const char **lp_name_resolve_order(void);
-const char *lp_netbios_scope(void);
-const char *lp_netbios_name(void);
-const char *lp_workgroup(void);
-const char *lp_realm(void);
-const char *lp_dnsdomain(void);
-const char *lp_afs_username_map(void);
-int lp_afs_token_lifetime(void);
-char *lp_log_nt_token_command(TALLOC_CTX *ctx);
-char *lp_username_map(TALLOC_CTX *ctx);
-const char *lp_logon_script(void);
-const char *lp_logon_path(void);
-const char *lp_logon_drive(void);
-const char *lp_logon_home(void);
-char *lp_remote_announce(TALLOC_CTX *ctx);
-char *lp_remote_browse_sync(TALLOC_CTX *ctx);
-bool lp_nmbd_bind_explicit_broadcast(void);
-const char **lp_wins_server_list(void);
-const char **lp_interfaces(void);
-const char *lp_nbt_client_socket_address(void);
-char *lp_nis_home_map_name(TALLOC_CTX *ctx);
-const char **lp_netbios_aliases(void);
-const char *lp_passdb_backend(void);
-const char **lp_preload_modules(void);
-char *lp_panic_action(TALLOC_CTX *ctx);
-char *lp_adduser_script(TALLOC_CTX *ctx);
-char *lp_renameuser_script(TALLOC_CTX *ctx);
-char *lp_deluser_script(TALLOC_CTX *ctx);
-const char *lp_guestaccount(void);
-char *lp_addgroup_script(TALLOC_CTX *ctx);
-char *lp_delgroup_script(TALLOC_CTX *ctx);
-char *lp_addusertogroup_script(TALLOC_CTX *ctx);
-char *lp_deluserfromgroup_script(TALLOC_CTX *ctx);
-char *lp_setprimarygroup_script(TALLOC_CTX *ctx);
-char *lp_addmachine_script(TALLOC_CTX *ctx);
-char *lp_shutdown_script(TALLOC_CTX *ctx);
-char *lp_abort_shutdown_script(TALLOC_CTX *ctx);
-char *lp_username_map_script(TALLOC_CTX *ctx);
-int lp_username_map_cache_time(void);
-char *lp_check_password_script(TALLOC_CTX *ctx);
-char *lp_wins_hook(TALLOC_CTX *ctx);
-const char *lp_template_homedir(void);
-const char *lp_template_shell(void);
-const char *lp_winbind_separator(void);
-const char *lp_winbindd_socket_directory(void);
-bool lp_winbind_enum_users(void);
-bool lp_winbind_enum_groups(void);
-bool lp_winbind_use_default_domain(void);
-bool lp_winbind_trusted_domains_only(void);
-bool lp_winbind_nested_groups(void);
-int lp_winbind_expand_groups(void);
-bool lp_winbind_refresh_tickets(void);
-bool lp_winbind_offline_logon(void);
-bool lp_winbind_normalize_names(void);
-bool lp_winbind_rpc_only(void);
-bool lp_create_krb5_conf(void);
 int lp_winbind_max_domain_connections(void);
-int lp_idmap_cache_time(void);
-int lp_idmap_negative_cache_time(void);
 bool lp_idmap_range(const char *domain_name, uint32_t *low, uint32_t *high);
 bool lp_idmap_default_range(uint32_t *low, uint32_t *high);
 const char *lp_idmap_backend(const char *domain_name);
 const char *lp_idmap_default_backend (void);
-int lp_keepalive(void);
-bool lp_passdb_expand_explicit(void);
-char *lp_ldap_suffix(TALLOC_CTX *ctx);
-char *lp_ldap_admin_dn(TALLOC_CTX *ctx);
-int lp_ldap_ssl(void);
-bool lp_ldap_ssl_ads(void);
-int lp_ldap_deref(void);
-int lp_ldap_follow_referral(void);
-int lp_ldap_passwd_sync(void);
-bool lp_ldap_delete_dn(void);
-int lp_ldap_replication_sleep(void);
-int lp_ldap_timeout(void);
-int lp_ldap_connection_timeout(void);
-int lp_ldap_page_size(void);
-int lp_ldap_debug_level(void);
-int lp_ldap_debug_threshold(void);
-char *lp_add_share_cmd(TALLOC_CTX *ctx);
-char *lp_change_share_cmd(TALLOC_CTX *ctx);
-char *lp_delete_share_cmd(TALLOC_CTX *ctx);
-char *lp_usershare_path(TALLOC_CTX *ctx);
-const char **lp_usershare_prefix_allow_list(void);
-const char **lp_usershare_prefix_deny_list(void);
-const char **lp_eventlog_list(void);
-bool lp_registry_shares(void);
-bool lp_usershare_allow_guests(void);
-bool lp_usershare_owner_only(void);
-bool lp_disable_netbios(void);
-bool lp_reset_on_zero_vc(void);
-bool lp_log_writeable_files_on_exit(void);
-bool lp_ms_add_printer_wizard(void);
-bool lp_wins_dns_proxy(void);
-bool lp_we_are_a_wins_server(void);
-bool lp_wins_proxy(void);
-bool lp_local_master(void);
-const char **lp_init_logon_delayed_hosts(void);
-int lp_init_logon_delay(void);
-bool lp_load_printers(void);
 bool lp_readraw(void);
-bool lp_large_readwrite(void);
 bool lp_writeraw(void);
-bool lp_null_passwords(void);
-bool lp_obey_pam_restrictions(void);
-bool lp_encrypted_passwords(void);
-int lp_client_schannel(void);
-int lp_server_schannel(void);
-bool lp_syslog_only(void);
-bool lp_timestamp_logs(void);
-bool lp_debug_prefix_timestamp(void);
-bool lp_debug_hires_timestamp(void);
-bool lp_debug_pid(void);
-bool lp_debug_uid(void);
-bool lp_debug_class(void);
-bool lp_enable_core_files(void);
-bool lp_browse_list(void);
-bool lp_nis_home_map(void);
-bool lp_bind_interfaces_only(void);
-bool lp_pam_password_change(void);
-bool lp_unix_password_sync(void);
-bool lp_passwd_chat_debug(void);
-int lp_passwd_chat_timeout(void);
-bool lp_nt_pipe_support(void);
-bool lp_nt_status_support(void);
-bool lp_stat_cache(void);
-int lp_max_stat_cache_size(void);
-bool lp_allow_trusted_domains(void);
-bool lp_map_untrusted_to_domain(void);
-int lp_restrict_anonymous(void);
-bool lp_lanman_auth(void);
-bool lp_ntlm_auth(void);
-bool lp_client_plaintext_auth(void);
-bool lp_client_lanman_auth(void);
-bool lp_client_ntlmv2_auth(void);
-bool lp_host_msdfs(void);
-bool lp_enhanced_browsing(void);
-bool lp_use_mmap(void);
-bool lp_use_ntdb(void);
-bool lp_unix_extensions(void);
-bool lp_unicode(void);
-bool lp_use_spnego(void);
-bool lp_client_use_spnego(void);
-bool lp_client_use_spnego_principal(void);
-bool lp_hostname_lookups(void);
-bool lp_change_notify(const struct share_params *p );
-bool lp_kernel_change_notify(const struct share_params *p );
-const char * lp_dedicated_keytab_file(void);
-int lp_kerberos_method(void);
-bool lp_defer_sharing_violations(void);
-bool lp_enable_privileges(void);
-bool lp_enable_asu_support(void);
-int lp_os_level(void);
-int lp_max_ttl(void);
-int lp_max_wins_ttl(void);
-int lp_min_wins_ttl(void);
-int lp_max_log_size(void);
-int lp_max_open_files(void);
-int lp_open_files_db_hash_size(void);
-int lp_max_xmit(void);
-int lp_maxmux(void);
-int lp_passwordlevel(void);
-int lp_usernamelevel(void);
-int lp_deadtime(void);
-bool lp_getwd_cache(void);
-int lp_srv_maxprotocol(void);
-int lp_srv_minprotocol(void);
-int lp_cli_maxprotocol(void);
-int lp_cli_minprotocol(void);
 int lp_security(void);
-int lp__server_role(void);
-int lp__security(void);
-int lp__domain_master(void);
-bool lp__domain_logons(void);
-const char **lp_auth_methods(void);
-bool lp_paranoid_server_security(void);
-int lp_maxdisksize(void);
-int lp_lpqcachetime(void);
-int lp_max_smbd_processes(void);
-bool lp__disable_spoolss(void);
-int lp_syslog(void);
-int lp_lm_announce(void);
-int lp_lm_interval(void);
-int lp_machine_password_timeout(void);
-int lp_map_to_guest(void);
-int lp_oplock_break_wait_time(void);
-int lp_lock_spin_time(void);
-int lp_usershare_max_shares(void);
-const char *lp_socket_options(void);
-int lp_config_backend(void);
-int lp_smb2_max_read(void);
-int lp_smb2_max_write(void);
-int lp_smb2_max_trans(void);
 int lp_smb2_max_credits(void);
-char *lp_preexec(TALLOC_CTX *ctx, int );
-char *lp_postexec(TALLOC_CTX *ctx, int );
-char *lp_rootpreexec(TALLOC_CTX *ctx, int );
-char *lp_rootpostexec(TALLOC_CTX *ctx, int );
-char *lp_servicename(TALLOC_CTX *ctx, int );
-const char *lp_const_servicename(int );
-char *lp_pathname(TALLOC_CTX *ctx, int );
-char *lp_dontdescend(TALLOC_CTX *ctx, int );
-char *lp_username(TALLOC_CTX *ctx, int );
-const char **lp_invalid_users(int );
-const char **lp_valid_users(int );
-const char **lp_admin_users(int );
-const char **lp_svcctl_list(void);
-char *lp_cups_options(TALLOC_CTX *ctx, int );
-char *lp_cups_server(TALLOC_CTX *ctx);
 int lp_cups_encrypt(void);
-char *lp_iprint_server(TALLOC_CTX *ctx);
-int lp_cups_connection_timeout(void);
-const char *lp_ctdbd_socket(void);
-const char *_lp_ctdbd_socket(void);
-const char **lp_cluster_addresses(void);
-bool lp_clustering(void);
-int lp_ctdb_timeout(void);
-int lp_ctdb_locktime_warn_threshold(void);
-char *lp_printcommand(TALLOC_CTX *ctx, int );
-char *lp_lpqcommand(TALLOC_CTX *ctx, int );
-char *lp_lprmcommand(TALLOC_CTX *ctx, int );
-char *lp_lppausecommand(TALLOC_CTX *ctx, int );
-char *lp_lpresumecommand(TALLOC_CTX *ctx, int );
-char *lp_queuepausecommand(TALLOC_CTX *ctx, int );
-char *lp_queueresumecommand(TALLOC_CTX *ctx, int );
-const char *lp_printjob_username(int );
-const char **lp_hostsallow(int );
-const char **lp_hostsdeny(int );
-char *lp_magicscript(TALLOC_CTX *ctx, int );
-char *lp_magicoutput(TALLOC_CTX *ctx, int );
-char *lp_comment(TALLOC_CTX *ctx, int );
-char *lp_force_user(TALLOC_CTX *ctx, int );
-char *lp_force_group(TALLOC_CTX *ctx, int );
-const char **lp_readlist(int );
-const char **lp_writelist(int );
-char *lp_fstype(TALLOC_CTX *ctx, int );
-const char **lp_vfs_objects(int );
-char *lp_msdfs_proxy(TALLOC_CTX *ctx, int );
-char *lp_veto_files(TALLOC_CTX *ctx, int );
-char *lp_hide_files(TALLOC_CTX *ctx, int );
-char *lp_veto_oplocks(TALLOC_CTX *ctx, int );
-bool lp_msdfs_root(int );
-char *lp_aio_write_behind(TALLOC_CTX *ctx, int );
-char *lp_dfree_command(TALLOC_CTX *ctx, int );
-bool lp_autoloaded(int );
-bool lp_preexec_close(int );
-bool lp_rootpreexec_close(int );
-int lp_casesensitive(int );
-bool lp_preservecase(int );
-bool lp_shortpreservecase(int );
-bool lp_hide_dot_files(int );
-bool lp_hide_special_files(int );
-bool lp_hideunreadable(int );
-bool lp_hideunwriteable_files(int );
-bool lp_browseable(int );
-bool lp_access_based_share_enum(int );
-bool lp_readonly(int );
-bool lp_guest_ok(int );
-bool lp_guest_only(int );
-bool lp_administrative_share(int );
-bool lp_print_ok(int );
-bool lp_print_notify_backchannel(int );
-bool lp_map_hidden(int );
-bool lp_map_archive(int );
-bool lp_store_dos_attributes(int );
-bool lp_dmapi_support(int );
-bool lp_locking(const struct share_params *p );
-int lp_strict_locking(const struct share_params *p );
-bool lp_posix_locking(const struct share_params *p );
-bool lp_oplocks(int );
-bool lp_kernel_oplocks(int );
-bool lp_level2_oplocks(int );
-bool lp_kernel_share_modes(int);
-bool lp_onlyuser(int );
-bool lp_manglednames(const struct share_params *p );
-bool lp_allow_insecure_widelinks(void);
 bool lp_widelinks(int );
-bool lp_symlinks(int );
-bool lp_syncalways(int );
-bool lp_strict_allocate(int );
-bool lp_strict_sync(int );
-bool lp_map_system(int );
-bool lp_delete_readonly(int );
-bool lp_fake_oplocks(int );
-bool lp_recursive_veto_delete(int );
-bool lp_dos_filemode(int );
-bool lp_dos_filetimes(int );
-bool lp_dos_filetime_resolution(int );
-bool lp_fake_dir_create_times(int);
-bool lp_async_smb_echo_handler(void);
-bool lp_multicast_dns_register(void);
-bool lp_blocking_locks(int );
-bool lp_inherit_perms(int );
-bool lp_inherit_acls(int );
-bool lp_inherit_owner(int );
-bool lp_use_client_driver(int );
-bool lp_default_devmode(int );
-bool lp_force_printername(int );
-bool lp_nt_acl_support(int );
-bool lp_force_unknown_acl_user(int );
-bool lp_ea_support(int );
-bool lp__use_sendfile(int );
-bool lp_profile_acls(int );
-bool lp_map_acl_inherit(int );
-bool lp_afs_share(int );
-bool lp_acl_check_permissions(int );
-bool lp_acl_group_control(int );
-bool lp_acl_map_full_control(int );
-bool lp_acl_allow_execute_always(int);
-bool lp_durable_handles(int);
-int lp_create_mask(int );
-int lp_force_create_mode(int );
-int lp_dir_mask(int );
-int lp_force_dir_mode(int );
-int lp_max_connections(int );
-int lp_defaultcase(int );
-int lp_minprintspace(int );
-int lp_printing(int );
-int lp_max_reported_jobs(int );
-int lp_oplock_contention_limit(int );
-int lp_csc_policy(int );
-int lp_write_cache_size(int );
-int lp_block_size(int );
-int lp_dfree_cache_time(int );
-int lp_allocation_roundup_size(int );
-int lp_aio_read_size(int );
-int lp_aio_write_size(int );
-int lp_map_readonly(int );
-int lp_directory_name_cache_size(int );
-int lp_smb_encrypt(int );
-char lp_magicchar(const struct share_params *p );
-int lp_winbind_cache_time(void);
-int lp_winbind_reconnect_delay(void);
-int lp_winbind_request_timeout(void);
-int lp_winbind_max_clients(void);
-const char **lp_winbind_nss_info(void);
-int lp_algorithmic_rid_base(void);
-int lp_name_cache_timeout(void);
-int lp_client_signing(void);
-int lp_server_signing(void);
-int lp_client_ldap_sasl_wrapping(void);
+
 char *lp_parm_talloc_string(TALLOC_CTX *ctx, int snum, const char *type, const char *option, const char *def);
 const char *lp_parm_const_string(int snum, const char *type, const char *option, const char *def);
 struct loadparm_service;
-- 
1.9.3


From 5d2278756b5a7372106cbdf9b8d66fb8a0cf5033 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 16 Oct 2013 14:45:31 +1300
Subject: [PATCH 121/249] lib/param: Add documentation on how loadparm works

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
 lib/param/README | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/lib/param/README b/lib/param/README
index 403a217..b567d71 100644
--- a/lib/param/README
+++ b/lib/param/README
@@ -1,4 +1,73 @@
+libsamba-hostconfig
+-------------------
+
 This directory contains "libsamba-hostconfig". 
 
 The libsamba-hostconfig library provides access to all host-wide configuration
 such as the configured shares, default parameter values and host secret keys.
+
+
+Adding a parameter
+------------------
+
+To add or change an smb.conf option, you only have to modify
+lib/param/param_table.c and lib/param/param_functions.c.  The rest is
+generated for you.
+
+
+Using smb.conf parameters in the code
+-------------------------------------
+
+Call the lpcfg_*() function.  To get the lp_ctx, have the caller pass
+it to you.  To get a lp_ctx for the source3/param loadparm system, use:
+
+struct loadparm_context *lp_ctx = loadparm_init_s3(tmp_ctx, loadparm_s3_helpers());
+
+Remember to talloc_unlink(tmp_ctx, lp_ctx) the result when you are done!
+
+To get a lp_ctx for the lib/param loadparm system, typically the
+pointer is already set up by popt at startup, and is passed down from
+cmdline_lp_ctx.
+
+In pure source3/ code, you may use lp_*() functions, but are
+encouraged to use the lpcfg_*() functions so that code can be made
+common.
+
+
+How does loadparm_init_s3() work?
+---------------------------------
+
+loadparm_s3_helpers() returns a initialised table of function
+pointers, pointing at all global lp_*() functions, except for those
+that return substituted strings (% macros).  The lpcfg_*() function
+then calls this plugged in function, allowing the one function and
+pattern to use either loadparm system.
+
+
+There is a lot of generated code, here, what generates what?
+------------------------------------------------------------
+
+The regular format of the CPP macros in param_functions.c is used to
+generate up the prototypes (mkproto.pl, mks3param_proto.pl), the service
+and globals table (mkparamdefs.pl), the glue table (mmks3param.pl) and
+the initilisation of the glue table (mks3param_ctx_table.pl).
+
+I have tried combining some of these, but it just makes the scripts more
+complex.
+
+The CPP macros are defined in and expand in lib/param/loadparm.c and
+source3/param/loadparm.c to read the values from the generated
+stuctures.  They are CPP #included into these files so that the same
+macro has two definitions, depending on the system it is loading into.
+
+
+Why was this done, rather than a 'proper' fix, or just using one system or the other?
+-------------------------------------------------------------------------------------
+
+This was done to allow merging from both ends - merging more parts of
+the loadparm handling, and merging code that needs to read the
+smb.conf, without having to do it all at once.  Ideally
+param_functions.c would be generated from param_table.c or (even
+better) our XML manpage source, and the CPP macros would instead be
+generated expanded as generated C files, but this is a task nobody has
+taken on yet.
-- 
1.9.3


From 7734a867500f5b7415f818077229f74486101c51 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Aug 2013 08:19:08 +0200
Subject: [PATCH 122/249] librpc/rpc: add dcerpc_binding_handle_auth_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 librpc/rpc/binding_handle.c | 25 +++++++++++++++++++++++++
 librpc/rpc/rpc_common.h     |  8 ++++++++
 2 files changed, 33 insertions(+)

diff --git a/librpc/rpc/binding_handle.c b/librpc/rpc/binding_handle.c
index 9354bbd..714baa7 100644
--- a/librpc/rpc/binding_handle.c
+++ b/librpc/rpc/binding_handle.c
@@ -98,6 +98,31 @@ uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
 	return h->ops->set_timeout(h, timeout);
 }
 
+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
+				     enum dcerpc_AuthType *auth_type,
+				     enum dcerpc_AuthLevel *auth_level)
+{
+	enum dcerpc_AuthType _auth_type;
+	enum dcerpc_AuthLevel _auth_level;
+
+	if (auth_type == NULL) {
+		auth_type = &_auth_type;
+	}
+
+	if (auth_level == NULL) {
+		auth_level = &_auth_level;
+	}
+
+	*auth_type = DCERPC_AUTH_TYPE_NONE;
+	*auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+	if (h->ops->auth_info == NULL) {
+		return;
+	}
+
+	h->ops->auth_info(h, auth_type, auth_level);
+}
+
 struct dcerpc_binding_handle_raw_call_state {
 	const struct dcerpc_binding_handle_ops *ops;
 	uint8_t *out_data;
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index d2816f5..978229e 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -189,6 +189,10 @@ struct dcerpc_binding_handle_ops {
 	uint32_t (*set_timeout)(struct dcerpc_binding_handle *h,
 				uint32_t timeout);
 
+	void (*auth_info)(struct dcerpc_binding_handle *h,
+			  enum dcerpc_AuthType *auth_type,
+			  enum dcerpc_AuthLevel *auth_level);
+
 	struct tevent_req *(*raw_call_send)(TALLOC_CTX *mem_ctx,
 					    struct tevent_context *ev,
 					    struct dcerpc_binding_handle *h,
@@ -259,6 +263,10 @@ bool dcerpc_binding_handle_is_connected(struct dcerpc_binding_handle *h);
 uint32_t dcerpc_binding_handle_set_timeout(struct dcerpc_binding_handle *h,
 					   uint32_t timeout);
 
+void dcerpc_binding_handle_auth_info(struct dcerpc_binding_handle *h,
+				     enum dcerpc_AuthType *auth_type,
+				     enum dcerpc_AuthLevel *auth_level);
+
 struct tevent_req *dcerpc_binding_handle_raw_call_send(TALLOC_CTX *mem_ctx,
 						struct tevent_context *ev,
 						struct dcerpc_binding_handle *h,
-- 
1.9.3


From 04a9531474630c62c3f717e251d9f1469013f5ae Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Aug 2013 08:19:35 +0200
Subject: [PATCH 123/249] s3:rpc_client: implement
 dcerpc_binding_handle_auth_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/rpc_client/cli_pipe.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 64e7f1c..a343997 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1867,6 +1867,25 @@ static uint32_t rpccli_bh_set_timeout(struct dcerpc_binding_handle *h,
 	return rpccli_set_timeout(hs->rpc_cli, timeout);
 }
 
+static void rpccli_bh_auth_info(struct dcerpc_binding_handle *h,
+				enum dcerpc_AuthType *auth_type,
+				enum dcerpc_AuthLevel *auth_level)
+{
+	struct rpccli_bh_state *hs = dcerpc_binding_handle_data(h,
+				     struct rpccli_bh_state);
+
+	if (hs->rpc_cli == NULL) {
+		return;
+	}
+
+	if (hs->rpc_cli->auth == NULL) {
+		return;
+	}
+
+	*auth_type = hs->rpc_cli->auth->auth_type;
+	*auth_level = hs->rpc_cli->auth->auth_level;
+}
+
 struct rpccli_bh_raw_call_state {
 	DATA_BLOB in_data;
 	DATA_BLOB out_data;
@@ -2046,6 +2065,7 @@ static const struct dcerpc_binding_handle_ops rpccli_bh_ops = {
 	.name			= "rpccli",
 	.is_connected		= rpccli_bh_is_connected,
 	.set_timeout		= rpccli_bh_set_timeout,
+	.auth_info		= rpccli_bh_auth_info,
 	.raw_call_send		= rpccli_bh_raw_call_send,
 	.raw_call_recv		= rpccli_bh_raw_call_recv,
 	.disconnect_send	= rpccli_bh_disconnect_send,
-- 
1.9.3


From 1db891bac30bb6c3bb0a022c5d1529a9f001237d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Aug 2013 08:19:57 +0200
Subject: [PATCH 124/249] s4:librpc: implement
 dcerpc_binding_handle_auth_info()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/librpc/rpc/dcerpc.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 2826160..56b821e 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -200,6 +200,29 @@ static uint32_t dcerpc_bh_set_timeout(struct dcerpc_binding_handle *h,
 	return old;
 }
 
+static void dcerpc_bh_auth_info(struct dcerpc_binding_handle *h,
+				enum dcerpc_AuthType *auth_type,
+				enum dcerpc_AuthLevel *auth_level)
+{
+	struct dcerpc_bh_state *hs = dcerpc_binding_handle_data(h,
+				     struct dcerpc_bh_state);
+
+	if (hs->p == NULL) {
+		return;
+	}
+
+	if (hs->p->conn == NULL) {
+		return;
+	}
+
+	if (hs->p->conn->security_state.auth_info == NULL) {
+		return;
+	}
+
+	*auth_type = hs->p->conn->security_state.auth_info->auth_type;
+	*auth_level = hs->p->conn->security_state.auth_info->auth_level;
+}
+
 struct dcerpc_bh_raw_call_state {
 	struct tevent_context *ev;
 	struct dcerpc_binding_handle *h;
@@ -552,6 +575,7 @@ static const struct dcerpc_binding_handle_ops dcerpc_bh_ops = {
 	.name			= "dcerpc",
 	.is_connected		= dcerpc_bh_is_connected,
 	.set_timeout		= dcerpc_bh_set_timeout,
+	.auth_info		= dcerpc_bh_auth_info,
 	.raw_call_send		= dcerpc_bh_raw_call_send,
 	.raw_call_recv		= dcerpc_bh_raw_call_recv,
 	.disconnect_send	= dcerpc_bh_disconnect_send,
-- 
1.9.3


From 76304ed57d561eb89dceb3881236a78209dd592c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Sep 2013 04:25:39 +0200
Subject: [PATCH 125/249] s3:winbindd: don't hide the error in cm_connect_lsa()

We should not overwrite the error with NT_STATUS_PIPE_NOT_AVAILABLE.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/winbindd/winbindd_cm.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index d868826..c4f59d3 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2677,7 +2677,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 					  &ndr_table_lsarpc,
 					  &conn->lsa_pipe);
 	if (!NT_STATUS_IS_OK(result)) {
-		result = NT_STATUS_PIPE_NOT_AVAILABLE;
 		goto done;
 	}
 
-- 
1.9.3


From 9948366e88b1d11127317008c79a2f7182a34d65 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 2 Sep 2013 09:24:42 +0200
Subject: [PATCH 126/249] s3:include: add forward declaration for struct
 messaging_context; in g_lock.h

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/include/g_lock.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/include/g_lock.h b/source3/include/g_lock.h
index 004c452..f513349 100644
--- a/source3/include/g_lock.h
+++ b/source3/include/g_lock.h
@@ -23,6 +23,7 @@
 #include "dbwrap/dbwrap.h"
 
 struct g_lock_ctx;
+struct messaging_context;
 
 enum g_lock_type {
 	G_LOCK_READ = 0,
-- 
1.9.3


From 4c30267e3c26cb065b908ff396ca21937fc870c4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 2 Sep 2013 19:29:05 +0200
Subject: [PATCH 127/249] s3:include: fix messaging_send_buf() protype in
 messages.h

The function already used 'uint8_t' instead of 'uint8'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/include/messages.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/include/messages.h b/source3/include/messages.h
index 09c39cc..50b2a84 100644
--- a/source3/include/messages.h
+++ b/source3/include/messages.h
@@ -139,7 +139,7 @@ NTSTATUS messaging_send(struct messaging_context *msg_ctx,
 
 NTSTATUS messaging_send_buf(struct messaging_context *msg_ctx,
 			    struct server_id server, uint32_t msg_type,
-			    const uint8 *buf, size_t len);
+			    const uint8_t *buf, size_t len);
 void messaging_dispatch_rec(struct messaging_context *msg_ctx,
 			    struct messaging_rec *rec);
 
-- 
1.9.3


From ff45e4d1ca6cff9b2f329d18e98ebd4883639ed9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 12:09:51 +0200
Subject: [PATCH 128/249] s3:auth_domain: remove dead code in
 check_trustdomain_security()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/auth/auth_domain.c | 22 ----------------------
 1 file changed, 22 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 06078e2..9f88c4a 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -378,8 +378,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 					   struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
-	unsigned char trust_md4_password[16];
-	char *trust_password;
 	fstring dc_name;
 	struct sockaddr_storage dc_ss;
 
@@ -408,26 +406,6 @@ static NTSTATUS check_trustdomain_security(const struct auth_context *auth_conte
 	if ( !is_trusted_domain( user_info->mapped.domain_name ) )
 		return NT_STATUS_NOT_IMPLEMENTED;
 
-	/*
-	 * Get the trusted account password for the trusted domain
-	 * No need to become_root() as secrets_init() is done at startup.
-	 */
-
-	if (!pdb_get_trusteddom_pw(user_info->mapped.domain_name, &trust_password,
-				   NULL, NULL)) {
-		DEBUG(0, ("check_trustdomain_security: could not fetch trust "
-			  "account password for domain %s\n",
-			  user_info->mapped.domain_name));
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
-#ifdef DEBUG_PASSWORD
-	DEBUG(100, ("Trust password for domain %s is %s\n", user_info->mapped.domain_name,
-		    trust_password));
-#endif
-	E_md4hash(trust_password, trust_md4_password);
-	SAFE_FREE(trust_password);
-
 	/* use get_dc_name() for consistency even through we know that it will be 
 	   a netbios name */
 
-- 
1.9.3


From d9160b0834f74508b711eeec0354aa43d5a1b215 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 2 Sep 2013 20:18:39 +0200
Subject: [PATCH 129/249] s3:libsmb: remove unused
 change_trust_account_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/include/proto.h      |  1 -
 source3/libsmb/trusts_util.c | 72 --------------------------------------------
 2 files changed, 73 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5e068d2..a40d3c1 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -989,7 +989,6 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
 					   TALLOC_CTX *mem_ctx, 
 					   const char *domain) ;
-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine);
 
 /* The following definitions come from param/loadparm.c  */
 
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 6156ba0..8a0e53d 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -135,75 +135,3 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 					    sec_channel_type);
 }
 
-NTSTATUS change_trust_account_password( const char *domain, const char *remote_machine)
-{
-	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
-	struct sockaddr_storage pdc_ss;
-	fstring dc_name;
-	struct cli_state *cli = NULL;
-	struct rpc_pipe_client *netlogon_pipe = NULL;
-
-	DEBUG(5,("change_trust_account_password: Attempting to change trust account password in domain %s....\n",
-		domain));
-
-	if (remote_machine == NULL || !strcmp(remote_machine, "*")) {
-		/* Use the PDC *only* for this */
-
-		if ( !get_pdc_ip(domain, &pdc_ss) ) {
-			DEBUG(0,("Can't get IP for PDC for domain %s\n", domain));
-			goto failed;
-		}
-
-		if ( !name_status_find( domain, 0x1b, 0x20, &pdc_ss, dc_name) )
-			goto failed;
-	} else {
-		/* supoport old deprecated "smbpasswd -j DOMAIN -r MACHINE" behavior */
-		fstrcpy( dc_name, remote_machine );
-	}
-
-	/* if this next call fails, then give up.  We can't do
-	   password changes on BDC's  --jerry */
-
-	if (!NT_STATUS_IS_OK(cli_full_connection(&cli, lp_netbios_name(), dc_name,
-					   NULL, 0,
-					   "IPC$", "IPC",
-					   "", "",
-					   "", 0, SMB_SIGNING_DEFAULT))) {
-		DEBUG(0,("modify_trust_password: Connection to %s failed!\n", dc_name));
-		nt_status = NT_STATUS_UNSUCCESSFUL;
-		goto failed;
-	}
-
-	/*
-	 * Ok - we have an anonymous connection to the IPC$ share.
-	 * Now start the NT Domain stuff :-).
-	 */
-
-	/* Shouldn't we open this with schannel ? JRA. */
-
-	nt_status = cli_rpc_pipe_open_noauth(
-		cli, &ndr_table_netlogon, &netlogon_pipe);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(0,("modify_trust_password: unable to open the domain client session to machine %s. Error was : %s.\n",
-			dc_name, nt_errstr(nt_status)));
-		cli_shutdown(cli);
-		cli = NULL;
-		goto failed;
-	}
-
-	nt_status = trust_pw_find_change_and_store_it(
-		netlogon_pipe, netlogon_pipe, domain);
-
-	cli_shutdown(cli);
-	cli = NULL;
-
-failed:
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(0,("%s : change_trust_account_password: Failed to change password for domain %s.\n",
-			current_timestring(talloc_tos(), False), domain));
-	}
-	else
-		DEBUG(5,("change_trust_account_password: sucess!\n"));
-
-	return nt_status;
-}
-- 
1.9.3


From c6b50a3d8c382f19a8ae16428d557928438be464 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 2 Sep 2013 20:19:28 +0200
Subject: [PATCH 130/249] s3:libsmb: inline trust_pw_change_and_store_it() into
 trust_pw_find_change_and_store_it()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source3/include/proto.h      |  5 -----
 source3/libsmb/trusts_util.c | 50 +++++++++++++-------------------------------
 2 files changed, 15 insertions(+), 40 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index a40d3c1..216a377 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -981,11 +981,6 @@ void update_trustdom_cache( void );
 
 /* The following definitions come from libsmb/trusts_util.c  */
 
-NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
-				      const char *domain,
-				      const char *account_name,
-				      unsigned char orig_trust_passwd_hash[16],
-				      enum netr_SchannelType sec_channel_type);
 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
 					   TALLOC_CTX *mem_ctx, 
 					   const char *domain) ;
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 8a0e53d..428e0c1 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -29,20 +29,27 @@
 
 /*********************************************************
  Change the domain password on the PDC.
- Store the password ourselves, but use the supplied password
- Caller must have already setup the connection to the NETLOGON pipe
+ Do most of the legwork ourselfs.  Caller must have
+ already setup the connection to the NETLOGON pipe
 **********************************************************/
 
-NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, 
-				      const char *domain,
-				      const char *account_name,
-				      unsigned char orig_trust_passwd_hash[16],
-				      enum netr_SchannelType sec_channel_type)
+NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
+					   TALLOC_CTX *mem_ctx,
+					   const char *domain)
 {
+	unsigned char old_trust_passwd_hash[16];
 	unsigned char new_trust_passwd_hash[16];
+	enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
+	const char *account_name;
 	char *new_trust_passwd;
 	NTSTATUS nt_status;
 
+	if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
+			       &sec_channel_type)) {
+		DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
 	switch (sec_channel_type) {
 	case SEC_CHAN_WKSTA:
 	case SEC_CHAN_DOMAIN:
@@ -64,7 +71,7 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 
 	nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
 						       account_name,
-						       orig_trust_passwd_hash,
+						       old_trust_passwd_hash,
 						       new_trust_passwd,
 						       new_trust_passwd_hash,
 						       sec_channel_type);
@@ -108,30 +115,3 @@ NTSTATUS trust_pw_change_and_store_it(struct rpc_pipe_client *cli, TALLOC_CTX *m
 
 	return nt_status;
 }
-
-/*********************************************************
- Change the domain password on the PDC.
- Do most of the legwork ourselfs.  Caller must have
- already setup the connection to the NETLOGON pipe
-**********************************************************/
-
-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
-					   TALLOC_CTX *mem_ctx, 
-					   const char *domain) 
-{
-	unsigned char old_trust_passwd_hash[16];
-	enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
-	const char *account_name;
-
-	if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
-			       &sec_channel_type)) {
-		DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	return trust_pw_change_and_store_it(cli, mem_ctx, domain,
-					    account_name,
-					    old_trust_passwd_hash,
-					    sec_channel_type);
-}
-
-- 
1.9.3


From fdac5d6b0ed96f262830a3a923b9d2a42d7fd98d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 20 Sep 2013 04:14:00 +0200
Subject: [PATCH 131/249] s4:librpc: make dcerpc_schannel_key_send/recv static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/librpc/rpc/dcerpc_schannel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 130ebeb..cd62508 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -306,7 +306,7 @@ static void continue_srv_auth2(struct tevent_req *subreq)
   Initiate establishing a schannel key using netlogon challenge
   on a secondary pipe
 */
-struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
+static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 						   struct dcerpc_pipe *p,
 						   struct cli_credentials *credentials,
 						   struct loadparm_context *lp_ctx)
@@ -369,7 +369,7 @@ struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 /*
   Receive result of schannel key request
  */
-NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
 {
 	NTSTATUS status = composite_wait(c);
 	
-- 
1.9.3


From de42a3f8b1a69a5abd5fb1a95e1c5f80ee68430e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 20 Sep 2013 04:16:00 +0200
Subject: [PATCH 132/249] s4:librpc: let dcerpc_schannel_key_recv() return
 netlogon_creds_CredentialState

cli_credentials_set_netlogon_creds() should only be used directly before
a DCERPC bind in order to pass the session information to the
gensec layer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/librpc/rpc/dcerpc_schannel.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index cd62508..c4bedfa 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -296,9 +296,6 @@ static void continue_srv_auth2(struct tevent_req *subreq)
 		return;
 	}
 
-	/* setup current netlogon credentials */
-	cli_credentials_set_netlogon_creds(s->credentials, s->creds);
-
 	composite_done(c);
 }
 
@@ -369,10 +366,19 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
 /*
   Receive result of schannel key request
  */
-static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c)
+static NTSTATUS dcerpc_schannel_key_recv(struct composite_context *c,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_CredentialState **creds)
 {
 	NTSTATUS status = composite_wait(c);
-	
+
+	if (NT_STATUS_IS_OK(status)) {
+		struct schannel_key_state *s =
+			talloc_get_type_abort(c->private_data,
+			struct schannel_key_state);
+		*creds = talloc_move(mem_ctx, &s->creds);
+	}
+
 	talloc_free(c);
 	return status;
 }
@@ -410,13 +416,15 @@ static void continue_schannel_key(struct composite_context *ctx)
 	NTSTATUS status;
 
 	/* receive schannel key */
-	status = c->status = dcerpc_schannel_key_recv(ctx);
+	status = c->status = dcerpc_schannel_key_recv(ctx, s, &s->creds_state);
 	if (!composite_is_ok(c)) {
 		DEBUG(1, ("Failed to setup credentials: %s\n", nt_errstr(status)));
 		return;
 	}
 
 	/* send bind auth request with received creds */
+	cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
+
 	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials, 
 					 lpcfg_gensec_settings(c, s->lp_ctx),
 					 DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level,
@@ -447,9 +455,6 @@ static void continue_bind_auth(struct composite_context *ctx)
 				&ndr_table_netlogon.syntax_id)) {
 		ZERO_STRUCT(s->return_auth);
 
-		s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
-		if (composite_nomem(s->creds_state, c)) return;
-
 		s->save_creds_state = *s->creds_state;
 		netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
 
@@ -528,6 +533,7 @@ static void continue_get_capabilities(struct tevent_req *subreq)
 	}
 
 	*s->creds_state = s->save_creds_state;
+	cli_credentials_set_netlogon_creds(s->credentials, s->creds_state);
 
 	if (!NT_STATUS_IS_OK(s->c.out.result)) {
 		composite_error(c, s->c.out.result);
-- 
1.9.3


From f6a6e4e91b676461dc8b6dd5abca4120d9bf920a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 20 Sep 2013 04:33:07 +0200
Subject: [PATCH 133/249] auth:credentials: avoid talloc_reference in
 cli_credentials_set_netlogon_creds()

Typically cli_credentials_set_netlogon_creds() should be used directly
before the DCERPC bind. And cli_credentials_get_netlogon_creds()
should be only used by the gensec layer, which only needs a copy.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 auth/credentials/credentials.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 57a7c0b..9ce38d0 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -814,7 +814,11 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
 _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, 
 						 struct netlogon_creds_CredentialState *netlogon_creds)
 {
-	cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
+	TALLOC_FREE(cred->netlogon_creds);
+	if (netlogon_creds == NULL) {
+		return;
+	}
+	cred->netlogon_creds = netlogon_creds_copy(cred, netlogon_creds);
 }
 
 /**
-- 
1.9.3


From 14b9bb276a798ad71776ebcb698afeeb44aa173a Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Sat, 9 Nov 2013 19:14:15 +0100
Subject: [PATCH 134/249] libsmb: Fix CID 1127343 Dead default in switch

We have checked sec_channel_type a few lines above already

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
(cherry picked from commit 1cae867f72b79995a02eed96265fe9f69ce945da)
---
 source3/libsmb/trusts_util.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 428e0c1..52fb481 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -108,8 +108,6 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 			}
 			break;
 		}
-		default:
-			break;
 		}
 	}
 
-- 
1.9.3


From efb32bbe25d534f69aca03e0945220cb5049c366 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 29 Nov 2013 09:46:01 +0100
Subject: [PATCH 135/249] s3:rpc_server: use make_session_info_guest() directly

This removes the useless static auth_anonymous_session_info() wrapper.

auth_anonymous_session_info() is also a public function in source4.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ae6720117ae5fb3c922486ce46e2b0d51e020301)
---
 source3/rpc_server/rpc_server.c | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)

diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index de54ddc..c3a7f28 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -37,19 +37,6 @@
 #define SERVER_TCP_LOW_PORT  1024
 #define SERVER_TCP_HIGH_PORT 1300
 
-static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
-					    struct auth_session_info **session_info)
-{
-	NTSTATUS status;
-
-	status = make_session_info_guest(mem_ctx, session_info);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	return NT_STATUS_OK;
-}
-
 /* Creates a pipes_struct and initializes it with the information
  * sent from the client */
 static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
@@ -1067,11 +1054,14 @@ void dcerpc_ncacn_accept(struct tevent_context *ev_ctx,
 	}
 
 	if (ncacn_conn->session_info == NULL) {
-		status = auth_anonymous_session_info(ncacn_conn,
-						     &ncacn_conn->session_info);
+		/*
+		 * TODO: use auth_anonymous_session_info() here?
+		 */
+		status = make_session_info_guest(ncacn_conn,
+						 &ncacn_conn->session_info);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(2, ("Failed to create "
-				  "auth_anonymous_session_info - %s\n",
+				  "make_session_info_guest - %s\n",
 				  nt_errstr(status)));
 			talloc_free(ncacn_conn);
 			return;
-- 
1.9.3


From 215d591403e63b785308ff5d6b2e3c87ad9ee408 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Fri, 29 Nov 2013 16:51:08 +1300
Subject: [PATCH 136/249] selftest: add new rpc client test

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0e46205ff83d137ca486868e4376b258b6dfa1a2)
---
 source3/script/tests/test_rpcclient_samlogon.sh | 27 +++++++++++++++++++++++++
 source3/selftest/tests.py                       |  2 ++
 2 files changed, 29 insertions(+)
 create mode 100755 source3/script/tests/test_rpcclient_samlogon.sh

diff --git a/source3/script/tests/test_rpcclient_samlogon.sh b/source3/script/tests/test_rpcclient_samlogon.sh
new file mode 100755
index 0000000..01af7f8
--- /dev/null
+++ b/source3/script/tests/test_rpcclient_samlogon.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+if [ $# -lt 3 ]; then
+cat <<EOF
+Usage: test_rpcclient_samlogon.sh USERNAME PASSWORD binding <rpcclient commands>
+EOF
+exit 1;
+fi
+
+USERNAME="$1"
+PASSWORD="$2"
+shift 2
+ADDARGS="$*"
+
+rpcclient_samlogon()
+{
+	$VALGRIND $BINDIR/rpcclient -U% -c "samlogon $USERNAME $PASSWORD;samlogon $USERNAME $PASSWORD" $@
+}
+
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+testit "rpcclient dsenumdomtrusts" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "dsenumdomtrusts" || failed=`expr $failed + 1`
+testit "rpcclient getdcsitecoverage" $VALGRIND $BINDIR/rpcclient $ADDARGS -U% -c "getdcsitecoverage" || failed=`expr $failed + 1`
+testit "rpcclient samlogon" rpcclient_samlogon $ADDARGS || failed=`expr $failed +1`
+
+testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 85d67d6..f9cc3d1 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -394,6 +394,8 @@ for s in signseal_options:
         plantestsuite("samba3.blackbox.rpcclient krb5 ncacn_np with [%s%s%s] " % (a, s, e), "ktest:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient.sh"),
                                                                                                                               "$PREFIX/ktest/krb5_ccache-3", binding_string, "-k", configuration])
 
+plantestsuite("samba3.blackbox.rpcclient_samlogon", "s3member:local", [os.path.join(samba3srcdir, "script/tests/test_rpcclient_samlogon.sh"),
+								       "$DC_USERNAME", "$DC_PASSWORD", "ncacn_np:$DC_SERVER", configuration])
 
 options_list = ["", "-e"]
 for options in options_list:
-- 
1.9.3


From 05251d449931c29a0bb0c0b8ad194253dc5b66cb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 29 Nov 2013 08:45:38 +0100
Subject: [PATCH 137/249] s3:rpcclient: close the connection if setting up the
 netlogon secure channel fails

This is based on a patch from  Garming Sam <garming@catalyst.net.nz>.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2fae806550f3355298541a344b217bf810bf92e4)
---
 source3/rpcclient/rpcclient.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index cb7b70f..0cbec20 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -768,6 +768,10 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 					       trust_password, &machine_account,
 					       &sec_channel_type))
 			{
+				DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
+					  get_cmdline_auth_info_domain(auth_info),
+					  cmd_entry->table->name));
+				TALLOC_FREE(cmd_entry->rpc_pipe);
 				talloc_free(mem_ctx);
 				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 			}
@@ -784,6 +788,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 			if (!NT_STATUS_IS_OK(ntresult)) {
 				DEBUG(0, ("Could not initialise credentials for %s.\n",
 					  cmd_entry->table->name));
+				TALLOC_FREE(cmd_entry->rpc_pipe);
 				talloc_free(mem_ctx);
 				return ntresult;
 			}
-- 
1.9.3


From 8d3336b9a61a185a4194313fec338321fed6b151 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Mon, 2 Dec 2013 13:20:39 +1300
Subject: [PATCH 138/249] selftest: add new credential change test

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 48820b95285f7dffd827143ba56f432f3e283a6f)
---
 source3/script/tests/test_net_cred_change.sh | 16 ++++++++++++++++
 source3/selftest/tests.py                    |  3 +++
 2 files changed, 19 insertions(+)
 create mode 100755 source3/script/tests/test_net_cred_change.sh

diff --git a/source3/script/tests/test_net_cred_change.sh b/source3/script/tests/test_net_cred_change.sh
new file mode 100755
index 0000000..9013d07
--- /dev/null
+++ b/source3/script/tests/test_net_cred_change.sh
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: test_net_cred_change.sh CONFIGURATION
+EOF
+exit 1;
+fi
+
+incdir=`dirname $0`/../../../testprogs/blackbox
+. $incdir/subunit.sh
+testit "first change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
+testit "first join" $VALGRIND $BINDIR/net rpc testjoin $@ || failed =`expr $failed + 1`
+testit "second change" $VALGRIND $BINDIR/wbinfo -c || failed =`expr $failed + 1`
+
+testok $0 $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index f9cc3d1..aac1bbb 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -165,6 +165,9 @@ for env in ["s3dc", "member", "s3member"]:
 
     plantestsuite("samba3.ntlm_auth.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_ntlm_auth_s3.sh"), valgrindify(python), samba3srcdir, ntlm_auth3,  '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', configuration])
 
+for env in ["member", "s3member"]:
+    plantestsuite("samba3.blackbox.net_cred_change.(%s:local)" % env, "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_net_cred_change.sh"), configuration])
+
 env = "s3member"
 t = "--krb5auth=$DOMAIN\\\\$DC_USERNAME%$DC_PASSWORD"
 plantestsuite("samba3.wbinfo_s3.(%s:local).%s" % (env, t), "%s:local" % env, [os.path.join(samba3srcdir, "script/tests/test_wbinfo_s3.sh"), t])
-- 
1.9.3


From 4b97cece12602437f3a2c9a395f5ed62cc00c0c4 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Mon, 23 Dec 2013 17:12:39 +1300
Subject: [PATCH 139/249] selftest: add rodc and other env tests for wbinfo

Pair-programmed-with: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Dec 23 17:17:39 CET 2013 on sn-devel-104
(cherry picked from commit 819e1f561df5074ae21db77c6558b34f4b0e1351)
---
 source4/selftest/tests.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index e738d1d9..c3a33c7 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -309,8 +309,8 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
 plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
 plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
 plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
-plantestsuite("samba4.blackbox.wbinfo(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "dc"])
-plantestsuite("samba4.blackbox.wbinfo(s4member:local)", "s4member:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', "s4member"])
+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
+    plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
 plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
 plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
-- 
1.9.3


From 689deff949e8ce9b6aa900e7b0c714d5a025d516 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Dec 2013 19:35:37 +0100
Subject: [PATCH 140/249] libcli/auth: set the return_authenticator->timestamp
 = 0

This is what windows returns, the value is ignored by the client anyway.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 202bcf9096e53d94b294936d6144ae77f1536b72)
---
 libcli/auth/credentials.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 1f664d3..197db86 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -479,7 +479,7 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 	netlogon_creds_step(creds);
 	if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
 		return_authenticator->cred = creds->server;
-		return_authenticator->timestamp = creds->sequence;
+		return_authenticator->timestamp = 0;
 		return NT_STATUS_OK;
 	} else {
 		ZERO_STRUCTP(return_authenticator);
-- 
1.9.3


From fe8a979787c9528bb3b403272be3dc6a313bbebd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Dec 2013 19:40:15 +0100
Subject: [PATCH 141/249] libcli/auth: remove bogus comment regarding replay
 attacks

creds->sequence (timestamp) is the value that is used to increment the internal
state, it's not a real sequence number. The sequence comes
from adding all timestamps of the whole session.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 636daac3b7b08ccb8845dab060157918d296ef67)
---
 libcli/auth/credentials.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 197db86..afb4a04 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -473,8 +473,6 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	/* TODO: this may allow the a replay attack on a non-signed
-	   connection. Should we check that this is increasing? */
 	creds->sequence = received_authenticator->timestamp;
 	netlogon_creds_step(creds);
 	if (netlogon_creds_server_check_internal(creds, &received_authenticator->cred)) {
-- 
1.9.3


From 1f6a52bb1f756be05e28dc9e16725ac73b005d00 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Dec 2013 19:55:12 +0100
Subject: [PATCH 142/249] libcli/auth: try to use the current timestamp
 creds->sequence

If the last usage of netlogon_creds_client_authenticator()
is in the past try to use the current timestamp and increment
more than just 2.

If we use netlogon_creds_client_authenticator() a lot within a
second, we increment keep incrementing by 2.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 24 13:18:18 CET 2013 on sn-devel-104
(cherry picked from commit e6afeae69537f55ed187b28b60ad29b9e237ec6e)
---
 libcli/auth/credentials.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index afb4a04..f52538a 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -344,7 +344,29 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init_session_key(TA
 void netlogon_creds_client_authenticator(struct netlogon_creds_CredentialState *creds,
 				struct netr_Authenticator *next)
 {
+	uint32_t t32n = (uint32_t)time(NULL);
+
+	/*
+	 * we always increment and ignore an overflow here
+	 */
 	creds->sequence += 2;
+
+	if (t32n > creds->sequence) {
+		/*
+		 * we may increment more
+		 */
+		creds->sequence = t32n;
+	} else {
+		uint32_t d = creds->sequence - t32n;
+
+		if (d >= INT32_MAX) {
+			/*
+			 * got an overflow of time_t vs. uint32_t
+			 */
+			creds->sequence = t32n;
+		}
+	}
+
 	netlogon_creds_step(creds);
 
 	next->cred = creds->client;
-- 
1.9.3


From 1cc32f5bf176a6daba93603a5b9aa4fc4fe42479 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 12:56:38 +0100
Subject: [PATCH 143/249] s4:selftest: run wbinfo tests at the end...

This avoids flakey crashes in the promoted_dc environment.

See the examples below, we had up to 50% of the daily build failing...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

https://git.samba.org/autobuild.flakey/2013-12-23-1942/samba.stdout

  [1586/1594 in 1h39m20s] samba4.drs.fsmo.python(promoted_dc)
  Testing for schema role transfer from localdc.samba.example.com to PROMOTEDVDC.samba.example.com
  FSMO transfer of 'schema' role successful
  Testing for schema role transfer from PROMOTEDVDC.samba.example.com to localdc.samba.example.com
  ERROR: Failed to initiate transfer of 'schema' role: LDAP error 52 LDAP_UNAVAILABLE -  <Failed FSMO transfer: WERR_DS_DRA_INTERNAL_ERROR> <>
  UNEXPECTED(failure): samba4.drs.fsmo.python(promoted_dc).fsmo.DrsFsmoTestCase.test_SchemaMasterTransfer(promoted_dc)
  REASON: _StringException: _StringException: Content-Type: text/x-traceback;charset=utf8,language=python
  traceback
  380

https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stdout

  [1583/1594 in 1h36m4s] samba.tests.blackbox.samba_tool_drs
  ERROR: Testsuite[samba.tests.blackbox.samba_tool_drs]
  REASON: unable to set up environment promoted_dc - exiting

https://git.samba.org/autobuild.flakey/2013-12-24-1546/samba.stderr

  Unable to convert 1.2.840.86419.1.5.9939 to an attid, and can_change_pfm=false!
  Unable to convert governsID on CN=test-class30318,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com to DRS object - WERR_NOT_FOUND
  ../source4/rpc_server/drsuapi/getncchanges.c:1646: DsGetNCChanges 2nd replication on different DN CN=Configuration,DC=samba,DC=example,DC=com CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com (last_dn CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com)
  ===============================================================
  INTERNAL ERROR: Signal 11 in pid 884274 (4.2.0pre1-DEVELOPERBUILD)
  Please read the Trouble-Shooting section of the Samba HOWTO
  ===============================================================
  smb_panic(): calling panic action [/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274]
  [Thread debugging using libthread_db enabled]
  0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
      stat_loc=0x7fff67c7709c, options=<value optimized out>)
      at ../sysdeps/unix/sysv/linux/waitpid.c:32
  32	../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
  	in ../sysdeps/unix/sysv/linux/waitpid.c
  #0  0x00002af6b5c1977e in __libc_waitpid (pid=<value optimized out>,
      stat_loc=0x7fff67c7709c, options=<value optimized out>)
      at ../sysdeps/unix/sysv/linux/waitpid.c:32
          oldtype = <value optimized out>
          result = <value optimized out>
  #1  0x00002af6b5baeb39 in do_system (line=<value optimized out>)
      at ../sysdeps/posix/system.c:149
          __result = -512
          _buffer = {__routine = 0x2af6b5baee90 <cancel_handler>,
            __arg = 0x7fff67c77098, __canceltype = 0, __prev = 0x0}
          _avail = 1
          status = <value optimized out>
          save = <value optimized out>
          pid = 886733
          sa = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1},
            sa_mask = {__val = {65536, 0 <repeats 15 times>}}, sa_flags = 0,
            sa_restorer = 0x2af6b5b730f0}
          omask = {__val = {7808, 4294967295, 140734934511616, 1, 2195512, 0,
              0, 0, 47239032274944, 47239027992529, 140733193388033, 0, 0,
              47239099003120, 140734934511792, 47239558787328}}
  #2  0x00002af6b311821f in smb_panic_default (
      why=0x2af6b312a875 "internal error") at ../lib/util/fault.c:134
          result = 32767
          pidstr = "884274\000\000\001\375\376\320\366*\000\000\260\377\377\377"
          cmdstring = "/memdisk/autobuild/fl/b302436/samba/selftest/gdb_backtrace 884274\000\307g\377\177\000\000\001\000\000\000\000\000\000\000\320\301#", '\000' <repeats 30 times>"\240, \017\263\366*\000\000\321\247{\261\366*\000\000\001\000\000\000\005", '\000' <repeats 11 times>"\260, \016\v\321\366*\000\000X\351\017\263\366*\000\000\260q\307g\377\177\000\000\000\361\036\321\366*\000\000\020r\307g\377\177\000\000\240\301z\326\366*\000\000\000Z\304\320\366*\000"
          __FUNCTION__ = "smb_panic_default"
  #3  0x00002af6b31183b5 in smb_panic (why=0x2af6b312a875 "internal error")
      at ../lib/util/fault.c:162
  No locals.
  #4  0x00002af6b311809f in fault_report (sig=11) at ../lib/util/fault.c:77
          counter = 1
          __FUNCTION__ = "fault_report"
  #5  0x00002af6b31180b4 in sig_fault (sig=11) at ../lib/util/fault.c:88
  No locals.
  #6  <signal handler called>
  No symbol table info available.
  #7  0x00002af6cabef930 in replmd_check_urgent_objectclass (
      objectclass_el=0x0, situation=REPL_URGENT_ON_UPDATE)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:205
          i = 2
          j = 0
  #8  0x00002af6cabf29b6 in replmd_update_rpmd (module=0x2af6b17f2c20,
      schema=0x2af6d05e5570, req=0x2af6d05e8ad0, rename_attrs=0x0,
      msg=0x2af6d11ef100, seq_num=0x2af6d0c315b8, t=1387895162,
      is_urgent=0x7fff67c778bf, rodc=0x7fff67c778be)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1432
          omd_value = 0x7fff67c77810
          ndr_err = 3508465920
          omd = {version = 1741125552, reserved = 32767, ctr = {ctr1 = {
                count = 3008684740, reserved = 10998, array = 0x7fff67c777b0}}}
          i = 10998
          now = 130323687620000000
          our_invocation_id = 0x2af6d1796390
          ret = 0
          attrs = 0x7fff67c77750
          attrs1 = {0x2af6cabff775 "replPropertyMetaData", 0x2af6cabffc8b "*",
            0x0}
          attrs2 = {0x2af6cabff76a "uSNChanged", 0x2af6cabffa98 "objectClass",
            0x2af6cabffc8d "instanceType", 0x0}
          res = 0x2af6d10b0eb0
          ldb = 0x2af6b17f2470
          objectclass_el = 0x0
          situation = REPL_URGENT_ON_UPDATE
          rmd_is_provided = false
          __FUNCTION__ = "replmd_update_rpmd"
  #9  0x00002af6cabf5a06 in replmd_modify (module=0x2af6b17f2c20,
      req=0x2af6d05e8ad0)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:2455
          msds_intid_struct = 0x2af6d05e8ad0
          ldb = 0x2af6b17f2470
          ac = 0x2af6d0c31580
          down_req = 0x2af6d0e6a100
          msg = 0x2af6d11ef100
          t = 1387895162
          ret = 1741125936
          is_urgent = false
          rodc = false
          functional_level = 3
          guid_blob = 0x0
          sd_propagation_control = 0x0
  #10 0x00002af6bf69f94d in dsdb_module_modify (module=0x2af6b17f2c20,
      message=0x2af6d1183fe0, dsdb_flags=4194304, parent=0x2af6ce6ea980)
      at ../source4/dsdb/samdb/ldb_modules/util.c:460
          ops = 0x2af6cae06b40
          mod_req = 0x2af6d05e8ad0
          ret = 0
          ldb = 0x2af6b17f2470
          tmp_ctx = 0x2af6d0ed62f0
          res = 0x2af6d0e6a100
          __FUNCTION__ = "dsdb_module_modify"
  #11 0x00002af6cabf7ebc in replmd_delete_internals (module=0x2af6b17f2c20,
      req=0x2af6ce6ea980, re_delete=true)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3309
          ret = 0
          retb = true
          disallow_move_on_delete = false
          old_dn = 0x2af6d6a2a010
          new_dn = 0x2af6d0794a90
          rdn_name = 0x2af6d0885c10 "CN"
          rdn_value = 0x2af6d10d7368
          new_rdn_value = 0x2af6d0c45a00
          guid = {time_low = 48, time_mid = 0, time_hi_and_version = 0,
            clock_seq = "\200\251", node = "n\316\366*\000"}
          ldb = 0x2af6b17f2470
          schema = 0x2af6d05e5570
          msg = 0x2af6d1183fe0
          old_msg = 0x2af6d1902800
          el = 0x2af6d0874900
          tmp_ctx = 0x2af6d0b77560
          res = 0x2af6d0d57980
          parent_res = 0x30
          preserved_attrs = {0x2af6cac00fe1 "nTSecurityDescriptor",
            0x2af6cac055c3 "attributeID", 0x2af6cac055cf "attributeSyntax",
            0x2af6cac055df "dNReferenceUpdate", 0x2af6cac055f1 "dNSHostName",
            0x2af6cac055fd "flatName", 0x2af6cac05606 "governsID",
            0x2af6cac05610 "groupType", 0x2af6cabffc8d "instanceType",
            0x2af6cac0561a "lDAPDisplayName",
            0x2af6cac0562a "legacyExchangeDN", 0x2af6cabfe94d "isDeleted",
            0x2af6cabfe957 "isRecycled", 0x2af6cac020f8 "lastKnownParent",
            0x2af6cac021e8 "msDS-LastKnownRDN",
            0x2af6cac0563b "mS-DS-CreatorSID", 0x2af6cac0564c "mSMQOwnerID",
            0x2af6cac05658 "nCName", 0x2af6cabffa98 "objectClass",
            0x2af6cac0565f "distinguishedName", 0x2af6cabff5b5 "objectGUID",
            0x2af6cac05671 "objectSid", 0x2af6cac0567b "oMSyntax",
            0x2af6cac05684 "proxiedObjectName", 0x2af6cac014d8 "name",
            0x2af6cabff775 "replPropertyMetaData",
            0x2af6cac05696 "sAMAccountName",
            0x2af6cac056a5 "securityIdentifier", 0x2af6cac056b8 "sIDHistory",
            0x2af6cac056c3 "subClassOf", 0x2af6cac01ba8 "systemFlags",
            0x2af6cac056ce "trustPartner", 0x2af6cac056db "trustDirection",
            0x2af6cac056ea "trustType", 0x2af6cac056f4 "trustAttributes",
            0x2af6cabfe9b8 "userAccountControl", 0x2af6cabff76a "uSNChanged",
            0x2af6cabff75f "uSNCreated", 0x2af6cabff747 "whenCreated",
            0x2af6cabff753 "whenChanged", 0x0}
          i = 12
          el_count = 1
          deletion_state = OBJECT_TOMBSTONE
          next_deletion_state = OBJECT_TOMBSTONE
          __FUNCTION__ = "replmd_delete_internals"
  #12 0x00002af6cabfbbe3 in replmd_replicated_apply_isDeleted (
      ar=0x2af6d74c0b40)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4718
          del_req = 0x2af6ce6ea980
          res = 0x2af6d0cdebf0
          tmp_ctx = 0x2af6d0949230
          deleted_objects_dn = 0x2af6d1a49f00
          msg = 0x2af6d0a39620
          ret = 0
  #13 0x00002af6cabf0766 in replmd_op_callback (req=0x2af6d05a21e0,
      ares=0x2af6d0d715c0)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:526
          ret = 10998
          ac = 0x2af6d74c0b40
          replmd_private = 0x2af6b188c7c0
          modified_partition = 0x2af6d141b670
          partition_ctrl = 0x2af6d1905f40
          partition = 0x2af6ce6bdbe0
          controls = 0x0
          __FUNCTION__ = "replmd_op_callback"
  #14 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
      ctrls=0x2af6d1629aa0, response=0x0, error=0)
      at ../lib/ldb/common/ldb_modules.c:832
          ares = 0x2af6d0d715c0
  #15 0x00002af6cabf896b in replmd_op_possible_conflict_callback (
      req=0x2af6d05a21e0, ares=0x2af6b1883eb0,
      callback=0x2af6cabf0334 <replmd_op_callback>)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3606
          conflict_dn = 0x2af6cac03470
          ar = 0x2af6d74c0b40
          res = 0x2af6b354f89b
          attrs = {0x2af6cabff775 "replPropertyMetaData",
            0x2af6cabff5b5 "objectGUID", 0x0}
          ret = -682882240
          omd_value = 0x7fff67c77e20
          omd = {version = 1741127104, reserved = 32767, ctr = {ctr1 = {
                count = 0, reserved = 0, array = 0x28}}}
          rmd = 0x2af6d74c0ae0
          ndr_err = 10998
          rename_incoming_record = false
          rodc = false
          rmd_name = 0x7fff67c77e10
          omd_name = 0x2af6d74c0b40
          msg = 0x2af6b1883e50
          __FUNCTION__ = "replmd_op_possible_conflict_callback"
  #16 0x00002af6cabf93fb in replmd_op_add_callback (req=0x2af6d05a21e0,
      ares=0x2af6b1883eb0)
      at ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3802
          ar = 0x2af6d74c0b40
  #17 0x00002af6b1df7ca2 in ldb_module_done (req=0x2af6d05a21e0,
      ctrls=0x2af6d1629aa0, response=0x0, error=0)
      at ../lib/ldb/common/ldb_modules.c:832
          ares = 0x2af6b1883eb0
  #18 0x00002af6ca3c8b6a in partition_req_callback (req=0x2af6d087a1e0,
      ares=0x2af6d05a1fa0) at ../source4/dsdb/samdb/ldb_modules/partition.c:213
          ac = 0x2af6d0949370
          module = 0x2af6cd27bf12
          nreq = 0x2af6d05b67b0
          ret = 0
          partition_ctrl = 0x2af6d0d71740
  #19 0x00002af6cd2752ab in ltdb_request_done (ctx=0x2af6d1cd7ed0, error=0)
      at ../lib/ldb/ldb_tdb/ldb_tdb.c:1280
          ldb = 0x2af6b17f2470
          req = 0x2af6d087a1e0
          ares = 0x2af6d05a1fa0
  #20 0x00002af6cd275597 in ltdb_callback (ev=0x2af6b17ef8c0,
      te=0x2af6d17f75d0, t=..., private_data=0x2af6d1cd7ed0)
      at ../lib/ldb/ldb_tdb/ldb_tdb.c:1390
          ctx = 0x2af6d1cd7ed0
          ret = 0
  #21 0x00002af6b3343259 in tevent_common_loop_timer_delay (ev=0x2af6b17ef8c0)
      at ../lib/tevent/tevent_timed.c:341
          current_time = {tv_sec = 0, tv_usec = 0}
          te = 0x2af6d17f75d0
  #22 0x00002af6b334558a in epoll_event_loop_once (ev=0x2af6b17ef8c0,
      location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
      at ../lib/tevent/tevent_epoll.c:912
          epoll_ev = 0x2af6b17efb00
          tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
          panic_triggered = false
  #23 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
      location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
      at ../lib/tevent/tevent_standard.c:112
          glue_ptr = 0x2af6b17ef9b0
          glue = 0x2af6b17ef9b0
          ret = 10998
  #24 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
      location=0x2af6b1e1eef8 "../lib/ldb/common/ldb.c:621")
      at ../lib/tevent/tevent.c:530
          ret = 0
          nesting_stack_ptr = 0x0
  #25 0x00002af6b1e154c4 in ldb_wait (handle=0x2af6d67624c0, type=LDB_WAIT_ALL)
      at ../lib/ldb/common/ldb.c:621
          ev = 0x2af6b17ef8c0
          ret = 0
  #26 0x00002af6b1e1786b in ldb_extended (ldb=0x2af6b17f2470,
      oid=0x2af6b4c4f9ce "1.3.6.1.4.1.7165.4.4.1", data=0x2af6d0e2bc60,
      _res=0x7fff67c78240) at ../lib/ldb/common/ldb.c:1506
          req = 0x2af6d0c45a00
          ret = 0
          res = 0x2af6d69238f0
  #27 0x00002af6b4c4a0d6 in dsdb_replicated_objects_commit (ldb=0x2af6b17f2470,
      working_schema=0x0, objects=0x2af6d0e2bc60, notify_uSN=0x2af6d14a65f0)
      at ../source4/dsdb/repl/replicated_objects.c:773
          werr = {w = 0}
          ext_res = 0x0
          cur_schema = 0x0
          new_schema = 0x0
          ret = 0
          seq_num1 = 5554
          seq_num2 = 47239626746464
          used_global_schema = false
          tmp_ctx = 0x2af6d03c5860
          __FUNCTION__ = "dsdb_replicated_objects_commit"
  #28 0x00002af6c1c6babb in dreplsrv_op_pull_source_apply_changes_trigger (
      req=0x2af6d17daed0, r=0x2af6d17db0d0, ctr_level=6, ctr1=0x0,
      ctr6=0x2af6d1b02bb0) at ../source4/dsdb/repl/drepl_out_helpers.c:717
          state = 0x2af6d17db050
          rf1 = {blobsize = 274, consecutive_sync_failures = 0,
            last_success = 130323684670000000,
            last_attempt = 130323687610000000, result_last_attempt = {w = 0},
            other_info = 0x2af6d0949910, other_info_length = 66,
            replica_flags = 112, schedule = '\021' <repeats 84 times>,
            reserved = 0, highwatermark = {tmp_highest_usn = 12398,
              reserved_usn = 0, highest_usn = 12398}, source_dsa_obj_guid = {
              time_low = 984092159, time_mid = 850,
              time_hi_and_version = 18870, clock_seq = "\251X",
              node = "UF\324\223\205\241"}, source_dsa_invocation_id = {
              time_low = 1460694408, time_mid = 52035,
              time_hi_and_version = 18738, clock_seq = "\204}",
              node = "\264\365\276\372\256\303"}, transport_guid = {
              time_low = 0, time_mid = 0, time_hi_and_version = 0,
              clock_seq = "\000", node = "\000\000\000\000\000"}}
          service = 0x2af6d0ff6b00
          partition = 0x2af6d0b6f220
          drsuapi = 0x2af6d1c8d480
          schema = 0x2af6d05e5570
          working_schema = 0x0
          mapping_ctr = 0x2af6d1b02c10
          object_count = 50
          first_object = 0x2af6d0571800
          linked_attributes_count = 0
          linked_attributes = 0x2af6d5212140
          uptodateness_vector = 0x2af6d1a741c0
          objects = 0x2af6d0e2bc60
          more_data = false
          status = {w = 0}
          nt_status = {v = 3006553120}
          dsdb_repl_flags = 0
          __FUNCTION__ = "dreplsrv_op_pull_source_apply_changes_trigger"
  #29 0x00002af6c1c6b3e7 in dreplsrv_op_pull_source_get_changes_done (
      subreq=0x0) at ../source4/dsdb/repl/drepl_out_helpers.c:599
          req = 0x2af6d17daed0
          state = 0x2af6d17db050
          status = {v = 0}
          r = 0x2af6d17db0d0
          ctr_level = 6
          ctr1 = 0x0
          ctr6 = 0x2af6d1b02bb0
          extended_ret = DRSUAPI_EXOP_ERR_NONE
  #30 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d1a73f70,
      location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
      at ../lib/tevent/tevent_req.c:102
  No locals.
  #31 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d1a73f70,
      state=TEVENT_REQ_DONE,
      location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
      at ../lib/tevent/tevent_req.c:117
  No locals.
  #32 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d1a73f70,
      location=0x2af6c1c7d5f8 "default/librpc/gen_ndr/ndr_drsuapi_c.c:712")
      at ../lib/tevent/tevent_req.c:123
  No locals.
  #33 0x00002af6c1c708df in dcerpc_drsuapi_DsGetNCChanges_r_done (
      subreq=0x2af6d122f4c0) at default/librpc/gen_ndr/ndr_drsuapi_c.c:712
          req = 0x2af6d1a73f70
          status = {v = 0}
  #34 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d122f4c0,
      location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
      at ../lib/tevent/tevent_req.c:102
  No locals.
  #35 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d122f4c0,
      state=TEVENT_REQ_DONE,
      location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
      at ../lib/tevent/tevent_req.c:117
  No locals.
  #36 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d122f4c0,
      location=0x2af6b575b688 "../librpc/rpc/binding_handle.c:517")
      at ../lib/tevent/tevent_req.c:123
  No locals.
  #37 0x00002af6b5757ede in dcerpc_binding_handle_call_done (subreq=0x0)
      at ../librpc/rpc/binding_handle.c:517
          req = 0x2af6d122f4c0
          state = 0x2af6d122f640
          h = 0x2af6d0959d10
          error = {v = 0}
          out_flags = 0
          ndr_err = NDR_ERR_SUCCESS
  #38 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d522f7a0,
      location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
      at ../lib/tevent/tevent_req.c:102
  No locals.
  #39 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d522f7a0,
      state=TEVENT_REQ_DONE,
      location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
      at ../lib/tevent/tevent_req.c:117
  No locals.
  #40 0x00002af6b333e374 in _tevent_req_done (req=0x2af6d522f7a0,
      location=0x2af6b575b1d0 "../librpc/rpc/binding_handle.c:188")
      at ../lib/tevent/tevent_req.c:123
  No locals.
  #41 0x00002af6b5757398 in dcerpc_binding_handle_raw_call_done (subreq=0x0)
      at ../librpc/rpc/binding_handle.c:188
          req = 0x2af6d522f7a0
          state = 0x2af6d522f920
          error = {v = 0}
  #42 0x00002af6b333e2f8 in _tevent_req_notify_callback (req=0x2af6d0712430,
      location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
      at ../lib/tevent/tevent_req.c:102
  No locals.
  #43 0x00002af6b333e34d in tevent_req_finish (req=0x2af6d0712430,
      state=TEVENT_REQ_DONE,
      location=0x2af6b44b8810 "../source4/librpc/rpc/dcerpc.c:322")
      at ../lib/tevent/tevent_req.c:117
  No locals.
  #44 0x00002af6b333e472 in tevent_req_trigger (ev=0x2af6b17ef8c0,
      im=0x2af6d0712500, private_data=0x2af6d0712430)
      at ../lib/tevent/tevent_req.c:174
          req = 0x2af6d0712430
  #45 0x00002af6b333d6d4 in tevent_common_loop_immediate (ev=0x2af6b17ef8c0)
      at ../lib/tevent/tevent_immediate.c:135
          im = 0x2af6d0712500
          handler = 0x2af6b333e423 <tevent_req_trigger>
          private_data = 0x2af6d0712430
  #46 0x00002af6b3345570 in epoll_event_loop_once (ev=0x2af6b17ef8c0,
      location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
      at ../lib/tevent/tevent_epoll.c:907
          epoll_ev = 0x2af6b17efb00
          tval = {tv_sec = 47239056876603, tv_usec = 47239028210096}
          panic_triggered = false
  #47 0x00002af6b3342363 in std_event_loop_once (ev=0x2af6b17ef8c0,
      location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
      at ../lib/tevent/tevent_standard.c:112
          glue_ptr = 0x2af6b17ef9b0
          glue = 0x2af6b17ef9b0
          ret = 10998
  #48 0x00002af6b333c799 in _tevent_loop_once (ev=0x2af6b17ef8c0,
      location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
      at ../lib/tevent/tevent.c:530
          ret = 0
          nesting_stack_ptr = 0x0
  #49 0x00002af6b333ca11 in tevent_common_loop_wait (ev=0x2af6b17ef8c0,
      location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
      at ../lib/tevent/tevent.c:634
          ret = 0
  #50 0x00002af6b3342405 in std_event_loop_wait (ev=0x2af6b17ef8c0,
      location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
      at ../lib/tevent/tevent_standard.c:138
          glue_ptr = 0x2af6b17ef9b0
          glue = 0x2af6b17ef9b0
          ret = 10998
  #51 0x00002af6b333cadc in _tevent_loop_wait (ev=0x2af6b17ef8c0,
      location=0x2af6b15a7b9f "../source4/smbd/server.c:503")
      at ../lib/tevent/tevent.c:653
  No locals.
  #52 0x00002af6b15a37bc in binary_smbd_main (
      binary_name=0x2af6b15a737b "samba", argc=6, argv=0x7fff67c78de8)
      at ../source4/smbd/server.c:503
          opt_daemon = false
          opt_interactive = true
          opt = -1
          pc = 0x2af6b17d5040
          static_init = {0x2af6b2ac7d8c <server_service_auth_init>,
            0x2af6b2aca9e7 <server_service_echo_init>, 0}
          shared_init = 0x2af6b18143b0
          event_ctx = 0x2af6b17ef8c0
          stdin_event_flags = 1
          status = {v = 0}
          model = 0x2af6b17d5b90 "single"
          max_runtime = 7500

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Jan  6 01:16:13 CET 2014 on sn-devel-104
(cherry picked from commit 056008df62cb66090b3e30cb09c0edacfbdb5720)
---
 source4/selftest/tests.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index c3a33c7..9567a8e 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -309,8 +309,6 @@ plantestsuite("samba4.blackbox.locktest(dc)", "dc", [os.path.join(samba4srcdir,
 plantestsuite("samba4.blackbox.masktest", "dc", [os.path.join(samba4srcdir, "torture/tests/test_masktest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', '$PREFIX'])
 plantestsuite("samba4.blackbox.gentest(dc)", "dc", [os.path.join(samba4srcdir, "torture/tests/test_gentest.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$DOMAIN', "$PREFIX"])
 plantestsuite("samba4.blackbox.rfc2307_mapping(dc:local)", "dc:local", [os.path.join(samba4srcdir, "../nsswitch/tests/test_rfc2307_mapping.sh"), '$DOMAIN', '$USERNAME', '$PASSWORD', "$SERVER", "$UID_RFC2307TEST", "$GID_RFC2307TEST", configuration])
-for env in ["dc", "s4member", "rodc", "promoted_dc"]:
-    plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
 plantestsuite("samba4.blackbox.chgdcpass", "chgdcpass", [os.path.join(bbdir, "test_chgdcpass.sh"), '$SERVER', "CHGDCPASS\$", '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", '$SELFTEST_PREFIX/chgdcpass', smbclient4])
 plantestsuite("samba4.blackbox.samba_upgradedns(chgdcpass:local)", "chgdcpass:local", [os.path.join(bbdir, "test_samba_upgradedns.sh"), '$SERVER', '$REALM', '$PREFIX', '$SELFTEST_PREFIX/chgdcpass'])
 plantestsuite_loadlist("samba4.rpc.echo against NetBIOS alias", "dc", [valgrindify(smbtorture4), "$LISTOPT", 'ncacn_np:$NETBIOSALIAS', '-U$DOMAIN/$USERNAME%$PASSWORD', 'rpc.echo'])
@@ -502,6 +500,10 @@ for env in ['vampire_dc', 'promoted_dc']:
                            extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
 
     plantestsuite("samba4.blackbox.samba_tool_demote(%s)" % env, env, [os.path.join(samba4srcdir, "utils/tests/test_demote.sh"), '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$DOMAIN', '$DC_SERVER', '$PREFIX/%s' % env, smbclient4])
+
+for env in ["dc", "s4member", "rodc", "promoted_dc"]:
+    plantestsuite("samba4.blackbox.wbinfo(%s:local)" % env, "%s:local" % env, [os.path.join(samba4srcdir, "../nsswitch/tests/test_wbinfo.sh"), '$DOMAIN', '$DC_USERNAME', '$DC_PASSWORD', env])
+
 # TODO: Verifying the databases really should be a part of the
 # environment teardown.
 # check the databases are all OK. PLEASE LEAVE THIS AS THE LAST TEST
-- 
1.9.3


From 3e44e7485dbfea37cb84034c4d13c96059bd9687 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 08:35:27 +0100
Subject: [PATCH 144/249] s4:librpc: always try to negotiate
 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN

If the gensec backend supports it there's no reason not sign the header.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7db1dc13b0149441a2beebca65b75f6e11af13a3)
---
 librpc/rpc/binding.c             |  1 -
 librpc/rpc/rpc_common.h          |  5 ++++-
 source4/librpc/rpc/dcerpc.c      | 12 ++----------
 source4/librpc/rpc/dcerpc_auth.c | 14 ++++++++++----
 4 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/librpc/rpc/binding.c b/librpc/rpc/binding.c
index 49651e8..52122cf 100644
--- a/librpc/rpc/binding.c
+++ b/librpc/rpc/binding.c
@@ -88,7 +88,6 @@ static const struct {
 	{"padcheck", DCERPC_DEBUG_PAD_CHECK},
 	{"bigendian", DCERPC_PUSH_BIGENDIAN},
 	{"smb2", DCERPC_SMB2},
-	{"hdrsign", DCERPC_HEADER_SIGNING},
 	{"ndr64", DCERPC_NDR64},
 	{"localaddress", DCERPC_LOCALADDRESS}
 };
diff --git a/librpc/rpc/rpc_common.h b/librpc/rpc/rpc_common.h
index 978229e..93d3bb4 100644
--- a/librpc/rpc/rpc_common.h
+++ b/librpc/rpc/rpc_common.h
@@ -98,7 +98,7 @@ struct dcerpc_binding {
 /* this triggers the DCERPC_PFC_FLAG_CONC_MPX flag in the bind request */
 #define DCERPC_CONCURRENT_MULTIPLEX     (1<<19)
 
-/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+/* this indicates DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag was negotiated */
 #define DCERPC_HEADER_SIGNING          (1<<20)
 
 /* use NDR64 transport */
@@ -113,6 +113,9 @@ struct dcerpc_binding {
 /* use aes schannel with hmac-sh256 session key */
 #define DCERPC_SCHANNEL_AES            (1<<24)
 
+/* this triggers the DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN flag in the bind request */
+#define DCERPC_PROPOSE_HEADER_SIGNING          (1<<25)
+
 /* The following definitions come from ../librpc/rpc/dcerpc_error.c  */
 
 const char *dcerpc_errstr(TALLOC_CTX *mem_ctx, uint32_t fault_code);
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index 56b821e..2f6c8dd 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -1162,7 +1162,7 @@ struct tevent_req *dcerpc_bind_send(TALLOC_CTX *mem_ctx,
 		pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 	}
 
-	if (p->binding->flags & DCERPC_HEADER_SIGNING) {
+	if (p->conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) {
 		pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
 	}
 
@@ -1304,7 +1304,7 @@ static void dcerpc_bind_recv_handler(struct rpc_request *subreq,
 		conn->flags |= DCERPC_CONCURRENT_MULTIPLEX;
 	}
 
-	if ((state->p->binding->flags & DCERPC_HEADER_SIGNING) &&
+	if ((conn->flags & DCERPC_PROPOSE_HEADER_SIGNING) &&
 	    (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN)) {
 		conn->flags |= DCERPC_HEADER_SIGNING;
 	}
@@ -1352,10 +1352,6 @@ NTSTATUS dcerpc_auth3(struct dcerpc_pipe *p,
 		pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 	}
 
-	if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-		pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-	}
-
 	/* construct the NDR form of the packet */
 	status = ncacn_push_auth(&blob, mem_ctx,
 				 &pkt,
@@ -2046,10 +2042,6 @@ struct tevent_req *dcerpc_alter_context_send(TALLOC_CTX *mem_ctx,
 		pkt.pfc_flags |= DCERPC_PFC_FLAG_CONC_MPX;
 	}
 
-	if (p->binding->flags & DCERPC_HEADER_SIGNING) {
-		pkt.pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-	}
-
 	pkt.u.alter.max_xmit_frag = 5840;
 	pkt.u.alter.max_recv_frag = 5840;
 	pkt.u.alter.assoc_group_id = p->binding->assoc_group_id;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index d5e5620..9a5d04d 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -173,10 +173,6 @@ static void bind_auth_next_step(struct composite_context *c)
 
 	if (!composite_is_ok(c)) return;
 
-	if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
-		gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
-	}
-
 	if (state->credentials.length == 0) {
 		composite_done(c);
 		return;
@@ -234,6 +230,12 @@ static void bind_auth_recv_bindreply(struct tevent_req *subreq)
 	TALLOC_FREE(subreq);
 	if (!composite_is_ok(c)) return;
 
+	if (state->pipe->conn->flags & DCERPC_HEADER_SIGNING) {
+		struct dcecli_security *sec = &state->pipe->conn->security_state;
+
+		gensec_want_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER);
+	}
+
 	if (!state->more_processing) {
 		/* The first gensec_update has not requested a second run, so
 		 * we're done here. */
@@ -395,6 +397,10 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 
 	sec->auth_info->credentials = state->credentials;
 
+	if (gensec_have_feature(sec->generic_state, GENSEC_FEATURE_SIGN_PKT_HEADER)) {
+		state->pipe->conn->flags |= DCERPC_PROPOSE_HEADER_SIGNING;
+	}
+
 	/* The first request always is a dcerpc_bind. The subsequent ones
 	 * depend on gensec results */
 	subreq = dcerpc_bind_send(state, p->conn->event_ctx, p,
-- 
1.9.3


From 6bdc135a63647fbbc31c7b2e673396231541641d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 08:39:12 +0100
Subject: [PATCH 145/249] s4:rpc_server: support
 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN by default

If the gensec backend supports it there's no reason to disable it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 661fe3cf890b91f8750872b0f5a09da536f76ae2)
---
 source4/rpc_server/dcerpc_server.c |  6 ------
 source4/rpc_server/dcesrv_auth.c   | 37 ++++++++++++++++++++++++++++++++-----
 2 files changed, 32 insertions(+), 11 deletions(-)

diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index ad53685..3b35703 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -610,12 +610,6 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
 		call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
 	}
 
-	if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
-	    lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
-		call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
-		extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
-	}
-
 	/* handle any authentication that is being requested */
 	if (!dcesrv_auth_bind(call)) {
 		talloc_free(call->context);
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index c891cc6..152715b 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -92,10 +92,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
 		return false;
 	}
 
-	if (call->conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
-		gensec_want_feature(auth->gensec_security, GENSEC_FEATURE_SIGN_PKT_HEADER);
-	}
-
 	return true;
 }
 
@@ -107,11 +103,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 {
 	struct dcesrv_connection *dce_conn = call->conn;
 	NTSTATUS status;
+	bool want_header_signing = false;
 
 	if (!call->conn->auth_state.gensec_security) {
 		return NT_STATUS_OK;
 	}
 
+	if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
+		want_header_signing = true;
+	}
+
+	if (!lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", true)) {
+		want_header_signing = false;
+	}
+
 	status = gensec_update(dce_conn->auth_state.gensec_security,
 			       call, call->event_ctx,
 			       dce_conn->auth_state.auth_info->credentials, 
@@ -126,9 +131,17 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 			return status;
 		}
 
-		if (dce_conn->state_flags & DCESRV_CALL_STATE_FLAG_HEADER_SIGNING) {
+		if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
+					 GENSEC_FEATURE_SIGN_PKT_HEADER))
+		{
+			want_header_signing = false;
+		}
+
+		if (want_header_signing) {
 			gensec_want_feature(dce_conn->auth_state.gensec_security,
 					    GENSEC_FEATURE_SIGN_PKT_HEADER);
+			call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+			pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
 		}
 
 		/* Now that we are authenticated, go back to the generic session key... */
@@ -137,6 +150,20 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 	} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
 		dce_conn->auth_state.auth_info->auth_pad_length = 0;
 		dce_conn->auth_state.auth_info->auth_reserved = 0;
+
+		if (!gensec_have_feature(dce_conn->auth_state.gensec_security,
+					 GENSEC_FEATURE_SIGN_PKT_HEADER))
+		{
+			want_header_signing = false;
+		}
+
+		if (want_header_signing) {
+			gensec_want_feature(dce_conn->auth_state.gensec_security,
+					    GENSEC_FEATURE_SIGN_PKT_HEADER);
+			call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
+			pkt->pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+		}
+
 		return NT_STATUS_OK;
 	} else {
 		DEBUG(4, ("GENSEC mech rejected the incoming authentication at bind_ack: %s\n",
-- 
1.9.3


From 868676160bb3bcfb4145a5c4b47fbb513c0bfac4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 31 Dec 2013 09:53:55 +0100
Subject: [PATCH 146/249] auth/ntlmssp: GENSEC_FEATURE_SIGN_PKT_HEADER is
 always supported

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 64fc015a85f9b5ed74f3dabe05dbdff185093278)
---
 auth/ntlmssp/gensec_ntlmssp.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/auth/ntlmssp/gensec_ntlmssp.c b/auth/ntlmssp/gensec_ntlmssp.c
index 654c0e3..5672589 100644
--- a/auth/ntlmssp/gensec_ntlmssp.c
+++ b/auth/ntlmssp/gensec_ntlmssp.c
@@ -102,6 +102,10 @@ bool gensec_ntlmssp_have_feature(struct gensec_security *gensec_security,
 			return true;
 		}
 	}
+	if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		return true;
+	}
+
 	return false;
 }
 
-- 
1.9.3


From e486316c74d3781413e66e451b51737fc194bdc2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 31 Dec 2013 09:54:54 +0100
Subject: [PATCH 147/249] s4:auth/gensec_gssapi: handle
 GENSEC_FEATURE_SIGN_PKT_HEADER in have_feature()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 14f6c41754960d73f46aca1bade2266b7e934d03)
---
 source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 63a53bf..ffdefcf 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1275,6 +1275,18 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
 	if (feature & GENSEC_FEATURE_ASYNC_REPLIES) {
 		return true;
 	}
+	if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
+			/* TODO: implement this using gss_wrap_iov() */
+			return false;
+		}
+
+		if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
+			return true;
+		}
+
+		return false;
+	}
 	return false;
 }
 
-- 
1.9.3


From fa8d0a7726240f8fc6648424d9724bcd65949bfd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 15:30:46 +0100
Subject: [PATCH 148/249] s4:gensec_gssapi: make sure
 gensec_gssapi_[un]seal_packet() rejects header signing

If header signing is requested we should error out instead of
silently ignoring it, our peer would hopefully reject it,
but we should also do that.

TODO: we should implement header signing using gss_wrap_iov().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 54b5b3067f5b7a0eb6dd9f1326c903f9fe4a5592)
---
 source4/auth/gensec/gensec_gssapi.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index ffdefcf..b8f007d 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1028,6 +1028,12 @@ static NTSTATUS gensec_gssapi_seal_packet(struct gensec_security *gensec_securit
 	int conf_state;
 	ssize_t sig_length;
 
+	if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		DEBUG(1, ("gensec_gssapi_seal_packet: "
+			  "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	input_token.length = length;
 	input_token.value = data;
 	
@@ -1082,6 +1088,12 @@ static NTSTATUS gensec_gssapi_unseal_packet(struct gensec_security *gensec_secur
 
 	dump_data_pw("gensec_gssapi_unseal_packet: sig\n", sig->data, sig->length);
 
+	if (gensec_security->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		DEBUG(1, ("gensec_gssapi_unseal_packet: "
+			  "GENSEC_FEATURE_SIGN_PKT_HEADER not supported\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
 	in = data_blob_talloc(gensec_security, NULL, sig->length + length);
 
 	memcpy(in.data, sig->data, sig->length);
-- 
1.9.3


From 2b1f62e3d99047e2981dcdd32c6820346917dc04 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 31 Dec 2013 09:42:36 +0100
Subject: [PATCH 149/249] auth/gensec: move libcli/auth/schannel_sign.c into
 schannel.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 616cd009955b1722e6749019e2c1cac8bbb94e52)
---
 auth/gensec/schannel.c       | 380 ++++++++++++++++++++++++++++++++++++++++
 libcli/auth/schannel_proto.h |  14 --
 libcli/auth/schannel_sign.c  | 404 -------------------------------------------
 libcli/auth/wscript_build    |   2 +-
 4 files changed, 381 insertions(+), 419 deletions(-)
 delete mode 100644 libcli/auth/schannel_sign.c

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index eb2e100..c60ab4f 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -31,6 +31,386 @@
 #include "librpc/gen_ndr/dcerpc.h"
 #include "param/param.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
+#include "lib/crypto/crypto.h"
+
+struct schannel_state {
+	uint64_t seq_num;
+	bool initiator;
+	struct netlogon_creds_CredentialState *creds;
+};
+
+#define SETUP_SEQNUM(state, buf, initiator) do { \
+	uint8_t *_buf = buf; \
+	uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
+	uint32_t _seq_num_high = (state)->seq_num >> 32; \
+	if (initiator) { \
+		_seq_num_high |= 0x80000000; \
+	} \
+	RSIVAL(_buf, 0, _seq_num_low); \
+	RSIVAL(_buf, 4, _seq_num_high); \
+} while(0)
+
+static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_CredentialState *creds,
+				bool initiator)
+{
+	struct schannel_state *state;
+
+	state = talloc(mem_ctx, struct schannel_state);
+	if (state == NULL) {
+		return NULL;
+	}
+
+	state->initiator = initiator;
+	state->seq_num = 0;
+	state->creds = netlogon_creds_copy(state, creds);
+	if (state->creds == NULL) {
+		talloc_free(state);
+		return NULL;
+	}
+
+	return state;
+}
+
+static void netsec_offset_and_sizes(struct schannel_state *state,
+				    bool do_seal,
+				    uint32_t *_min_sig_size,
+				    uint32_t *_used_sig_size,
+				    uint32_t *_checksum_length,
+				    uint32_t *_confounder_ofs)
+{
+	uint32_t min_sig_size;
+	uint32_t used_sig_size;
+	uint32_t checksum_length;
+	uint32_t confounder_ofs;
+
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		min_sig_size = 48;
+		used_sig_size = 56;
+		/*
+		 * Note: windows has a bug here and uses the old values...
+		 *
+		 * checksum_length = 32;
+		 * confounder_ofs = 48;
+		 */
+		checksum_length = 8;
+		confounder_ofs = 24;
+	} else {
+		min_sig_size = 24;
+		used_sig_size = 32;
+		checksum_length = 8;
+		confounder_ofs = 24;
+	}
+
+	if (do_seal) {
+		min_sig_size += 8;
+	}
+
+	if (_min_sig_size) {
+		*_min_sig_size = min_sig_size;
+	}
+
+	if (_used_sig_size) {
+		*_used_sig_size = used_sig_size;
+	}
+
+	if (_checksum_length) {
+		*_checksum_length = checksum_length;
+	}
+
+	if (_confounder_ofs) {
+		*_confounder_ofs = confounder_ofs;
+	}
+}
+
+/*******************************************************************
+ Encode or Decode the sequence number (which is symmetric)
+ ********************************************************************/
+static void netsec_do_seq_num(struct schannel_state *state,
+			      const uint8_t *checksum,
+			      uint32_t checksum_length,
+			      uint8_t seq_num[8])
+{
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		AES_KEY key;
+		uint8_t iv[AES_BLOCK_SIZE];
+
+		AES_set_encrypt_key(state->creds->session_key, 128, &key);
+		ZERO_STRUCT(iv);
+		memcpy(iv+0, checksum, 8);
+		memcpy(iv+8, checksum, 8);
+
+		aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
+	} else {
+		static const uint8_t zeros[4];
+		uint8_t sequence_key[16];
+		uint8_t digest1[16];
+
+		hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
+		hmac_md5(digest1, checksum, checksum_length, sequence_key);
+		arcfour_crypt(seq_num, sequence_key, 8);
+	}
+
+	state->seq_num++;
+}
+
+static void netsec_do_seal(struct schannel_state *state,
+			   const uint8_t seq_num[8],
+			   uint8_t confounder[8],
+			   uint8_t *data, uint32_t length,
+			   bool forward)
+{
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		AES_KEY key;
+		uint8_t iv[AES_BLOCK_SIZE];
+		uint8_t sess_kf0[16];
+		int i;
+
+		for (i = 0; i < 16; i++) {
+			sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
+		}
+
+		AES_set_encrypt_key(sess_kf0, 128, &key);
+		ZERO_STRUCT(iv);
+		memcpy(iv+0, seq_num, 8);
+		memcpy(iv+8, seq_num, 8);
+
+		if (forward) {
+			aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
+			aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
+		} else {
+			aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
+			aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
+		}
+	} else {
+		uint8_t sealing_key[16];
+		static const uint8_t zeros[4];
+		uint8_t digest2[16];
+		uint8_t sess_kf0[16];
+		int i;
+
+		for (i = 0; i < 16; i++) {
+			sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
+		}
+
+		hmac_md5(sess_kf0, zeros, 4, digest2);
+		hmac_md5(digest2, seq_num, 8, sealing_key);
+
+		arcfour_crypt(confounder, sealing_key, 8);
+		arcfour_crypt(data, sealing_key, length);
+	}
+}
+
+/*******************************************************************
+ Create a digest over the entire packet (including the data), and
+ MD5 it with the session key.
+ ********************************************************************/
+static void netsec_do_sign(struct schannel_state *state,
+			   const uint8_t *confounder,
+			   const uint8_t *data, size_t length,
+			   uint8_t header[8],
+			   uint8_t *checksum)
+{
+	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		struct HMACSHA256Context ctx;
+
+		hmac_sha256_init(state->creds->session_key,
+				 sizeof(state->creds->session_key),
+				 &ctx);
+
+		if (confounder) {
+			SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
+			SSVAL(header, 2, NL_SEAL_AES128);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
+
+			hmac_sha256_update(header, 8, &ctx);
+			hmac_sha256_update(confounder, 8, &ctx);
+		} else {
+			SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
+			SSVAL(header, 2, NL_SEAL_NONE);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
+
+			hmac_sha256_update(header, 8, &ctx);
+		}
+
+		hmac_sha256_update(data, length, &ctx);
+
+		hmac_sha256_final(checksum, &ctx);
+	} else {
+		uint8_t packet_digest[16];
+		static const uint8_t zeros[4];
+		MD5_CTX ctx;
+
+		MD5Init(&ctx);
+		MD5Update(&ctx, zeros, 4);
+		if (confounder) {
+			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
+			SSVAL(header, 2, NL_SEAL_RC4);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
+
+			MD5Update(&ctx, header, 8);
+			MD5Update(&ctx, confounder, 8);
+		} else {
+			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
+			SSVAL(header, 2, NL_SEAL_NONE);
+			SSVAL(header, 4, 0xFFFF);
+			SSVAL(header, 6, 0x0000);
+
+			MD5Update(&ctx, header, 8);
+		}
+		MD5Update(&ctx, data, length);
+		MD5Final(packet_digest, &ctx);
+
+		hmac_md5(state->creds->session_key,
+			 packet_digest, sizeof(packet_digest),
+			 checksum);
+	}
+}
+
+static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
+				bool do_unseal,
+				uint8_t *data, size_t length,
+				const DATA_BLOB *sig)
+{
+	uint32_t min_sig_size = 0;
+	uint8_t header[8];
+	uint8_t checksum[32];
+	uint32_t checksum_length = sizeof(checksum_length);
+	uint8_t _confounder[8];
+	uint8_t *confounder = NULL;
+	uint32_t confounder_ofs = 0;
+	uint8_t seq_num[8];
+	int ret;
+
+	netsec_offset_and_sizes(state,
+				do_unseal,
+				&min_sig_size,
+				NULL,
+				&checksum_length,
+				&confounder_ofs);
+
+	if (sig->length < min_sig_size) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	if (do_unseal) {
+		confounder = _confounder;
+		memcpy(confounder, sig->data+confounder_ofs, 8);
+	} else {
+		confounder = NULL;
+	}
+
+	SETUP_SEQNUM(state, seq_num, !state->initiator);
+
+	if (do_unseal) {
+		netsec_do_seal(state, seq_num,
+			       confounder,
+			       data, length,
+			       false);
+	}
+
+	netsec_do_sign(state, confounder,
+		       data, length,
+		       header, checksum);
+
+	ret = memcmp(checksum, sig->data+16, checksum_length);
+	if (ret != 0) {
+		dump_data_pw("calc digest:", checksum, checksum_length);
+		dump_data_pw("wire digest:", sig->data+16, checksum_length);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	netsec_do_seq_num(state, checksum, checksum_length, seq_num);
+
+	ret = memcmp(seq_num, sig->data+8, 8);
+	if (ret != 0) {
+		dump_data_pw("calc seq num:", seq_num, 8);
+		dump_data_pw("wire seq num:", sig->data+8, 8);
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	return NT_STATUS_OK;
+}
+
+static uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
+{
+	uint32_t sig_size = 0;
+
+	netsec_offset_and_sizes(state,
+				true,
+				NULL,
+				&sig_size,
+				NULL,
+				NULL);
+
+	return sig_size;
+}
+
+static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
+				TALLOC_CTX *mem_ctx,
+				bool do_seal,
+				uint8_t *data, size_t length,
+				DATA_BLOB *sig)
+{
+	uint32_t min_sig_size = 0;
+	uint32_t used_sig_size = 0;
+	uint8_t header[8];
+	uint8_t checksum[32];
+	uint32_t checksum_length = sizeof(checksum_length);
+	uint8_t _confounder[8];
+	uint8_t *confounder = NULL;
+	uint32_t confounder_ofs = 0;
+	uint8_t seq_num[8];
+
+	netsec_offset_and_sizes(state,
+				do_seal,
+				&min_sig_size,
+				&used_sig_size,
+				&checksum_length,
+				&confounder_ofs);
+
+	SETUP_SEQNUM(state, seq_num, state->initiator);
+
+	if (do_seal) {
+		confounder = _confounder;
+		generate_random_buffer(confounder, 8);
+	} else {
+		confounder = NULL;
+	}
+
+	netsec_do_sign(state, confounder,
+		       data, length,
+		       header, checksum);
+
+	if (do_seal) {
+		netsec_do_seal(state, seq_num,
+			       confounder,
+			       data, length,
+			       true);
+	}
+
+	netsec_do_seq_num(state, checksum, checksum_length, seq_num);
+
+	(*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
+
+	memcpy(sig->data, header, 8);
+	memcpy(sig->data+8, seq_num, 8);
+	memcpy(sig->data+16, checksum, checksum_length);
+
+	if (confounder) {
+		memcpy(sig->data+confounder_ofs, confounder, 8);
+	}
+
+	dump_data_pw("signature:", sig->data+ 0, 8);
+	dump_data_pw("seq_num  :", sig->data+ 8, 8);
+	dump_data_pw("digest   :", sig->data+16, checksum_length);
+	dump_data_pw("confound :", sig->data+confounder_ofs, 8);
+
+	return NT_STATUS_OK;
+}
 
 _PUBLIC_ NTSTATUS gensec_schannel_init(void);
 
diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
index da76559..bce37c8 100644
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@@ -28,18 +28,4 @@ struct schannel_state;
 struct db_context *open_schannel_session_store(TALLOC_CTX *mem_ctx,
 					       struct loadparm_context *lp_ctx);
 
-struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-				struct netlogon_creds_CredentialState *creds,
-				bool initiator);
-NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-				bool do_unseal,
-				uint8_t *data, size_t length,
-				const DATA_BLOB *sig);
-uint32_t netsec_outgoing_sig_size(struct schannel_state *state);
-NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
-				TALLOC_CTX *mem_ctx,
-				bool do_seal,
-				uint8_t *data, size_t length,
-				DATA_BLOB *sig);
-
 #endif
diff --git a/libcli/auth/schannel_sign.c b/libcli/auth/schannel_sign.c
deleted file mode 100644
index 9502cba..0000000
--- a/libcli/auth/schannel_sign.c
+++ /dev/null
@@ -1,404 +0,0 @@
-/*
-   Unix SMB/CIFS implementation.
-
-   schannel library code
-
-   Copyright (C) Andrew Tridgell 2004
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "../libcli/auth/schannel.h"
-#include "../lib/crypto/crypto.h"
-
-struct schannel_state {
-	uint64_t seq_num;
-	bool initiator;
-	struct netlogon_creds_CredentialState *creds;
-};
-
-#define SETUP_SEQNUM(state, buf, initiator) do { \
-	uint8_t *_buf = buf; \
-	uint32_t _seq_num_low = (state)->seq_num & UINT32_MAX; \
-	uint32_t _seq_num_high = (state)->seq_num >> 32; \
-	if (initiator) { \
-		_seq_num_high |= 0x80000000; \
-	} \
-	RSIVAL(_buf, 0, _seq_num_low); \
-	RSIVAL(_buf, 4, _seq_num_high); \
-} while(0)
-
-struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
-				struct netlogon_creds_CredentialState *creds,
-				bool initiator)
-{
-	struct schannel_state *state;
-
-	state = talloc(mem_ctx, struct schannel_state);
-	if (state == NULL) {
-		return NULL;
-	}
-
-	state->initiator = initiator;
-	state->seq_num = 0;
-	state->creds = netlogon_creds_copy(state, creds);
-	if (state->creds == NULL) {
-		talloc_free(state);
-		return NULL;
-	}
-
-	return state;
-}
-
-static void netsec_offset_and_sizes(struct schannel_state *state,
-				    bool do_seal,
-				    uint32_t *_min_sig_size,
-				    uint32_t *_used_sig_size,
-				    uint32_t *_checksum_length,
-				    uint32_t *_confounder_ofs)
-{
-	uint32_t min_sig_size;
-	uint32_t used_sig_size;
-	uint32_t checksum_length;
-	uint32_t confounder_ofs;
-
-	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		min_sig_size = 48;
-		used_sig_size = 56;
-		/*
-		 * Note: windows has a bug here and uses the old values...
-		 *
-		 * checksum_length = 32;
-		 * confounder_ofs = 48;
-		 */
-		checksum_length = 8;
-		confounder_ofs = 24;
-	} else {
-		min_sig_size = 24;
-		used_sig_size = 32;
-		checksum_length = 8;
-		confounder_ofs = 24;
-	}
-
-	if (do_seal) {
-		min_sig_size += 8;
-	}
-
-	if (_min_sig_size) {
-		*_min_sig_size = min_sig_size;
-	}
-
-	if (_used_sig_size) {
-		*_used_sig_size = used_sig_size;
-	}
-
-	if (_checksum_length) {
-		*_checksum_length = checksum_length;
-	}
-
-	if (_confounder_ofs) {
-		*_confounder_ofs = confounder_ofs;
-	}
-}
-
-/*******************************************************************
- Encode or Decode the sequence number (which is symmetric)
- ********************************************************************/
-static void netsec_do_seq_num(struct schannel_state *state,
-			      const uint8_t *checksum,
-			      uint32_t checksum_length,
-			      uint8_t seq_num[8])
-{
-	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		AES_KEY key;
-		uint8_t iv[AES_BLOCK_SIZE];
-
-		AES_set_encrypt_key(state->creds->session_key, 128, &key);
-		ZERO_STRUCT(iv);
-		memcpy(iv+0, checksum, 8);
-		memcpy(iv+8, checksum, 8);
-
-		aes_cfb8_encrypt(seq_num, seq_num, 8, &key, iv, AES_ENCRYPT);
-	} else {
-		static const uint8_t zeros[4];
-		uint8_t sequence_key[16];
-		uint8_t digest1[16];
-
-		hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
-		hmac_md5(digest1, checksum, checksum_length, sequence_key);
-		arcfour_crypt(seq_num, sequence_key, 8);
-	}
-
-	state->seq_num++;
-}
-
-static void netsec_do_seal(struct schannel_state *state,
-			   const uint8_t seq_num[8],
-			   uint8_t confounder[8],
-			   uint8_t *data, uint32_t length,
-			   bool forward)
-{
-	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		AES_KEY key;
-		uint8_t iv[AES_BLOCK_SIZE];
-		uint8_t sess_kf0[16];
-		int i;
-
-		for (i = 0; i < 16; i++) {
-			sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-		}
-
-		AES_set_encrypt_key(sess_kf0, 128, &key);
-		ZERO_STRUCT(iv);
-		memcpy(iv+0, seq_num, 8);
-		memcpy(iv+8, seq_num, 8);
-
-		if (forward) {
-			aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_ENCRYPT);
-			aes_cfb8_encrypt(data, data, length, &key, iv, AES_ENCRYPT);
-		} else {
-			aes_cfb8_encrypt(confounder, confounder, 8, &key, iv, AES_DECRYPT);
-			aes_cfb8_encrypt(data, data, length, &key, iv, AES_DECRYPT);
-		}
-	} else {
-		uint8_t sealing_key[16];
-		static const uint8_t zeros[4];
-		uint8_t digest2[16];
-		uint8_t sess_kf0[16];
-		int i;
-
-		for (i = 0; i < 16; i++) {
-			sess_kf0[i] = state->creds->session_key[i] ^ 0xf0;
-		}
-
-		hmac_md5(sess_kf0, zeros, 4, digest2);
-		hmac_md5(digest2, seq_num, 8, sealing_key);
-
-		arcfour_crypt(confounder, sealing_key, 8);
-		arcfour_crypt(data, sealing_key, length);
-	}
-}
-
-/*******************************************************************
- Create a digest over the entire packet (including the data), and
- MD5 it with the session key.
- ********************************************************************/
-static void netsec_do_sign(struct schannel_state *state,
-			   const uint8_t *confounder,
-			   const uint8_t *data, size_t length,
-			   uint8_t header[8],
-			   uint8_t *checksum)
-{
-	if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		struct HMACSHA256Context ctx;
-
-		hmac_sha256_init(state->creds->session_key,
-				 sizeof(state->creds->session_key),
-				 &ctx);
-
-		if (confounder) {
-			SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
-			SSVAL(header, 2, NL_SEAL_AES128);
-			SSVAL(header, 4, 0xFFFF);
-			SSVAL(header, 6, 0x0000);
-
-			hmac_sha256_update(header, 8, &ctx);
-			hmac_sha256_update(confounder, 8, &ctx);
-		} else {
-			SSVAL(header, 0, NL_SIGN_HMAC_SHA256);
-			SSVAL(header, 2, NL_SEAL_NONE);
-			SSVAL(header, 4, 0xFFFF);
-			SSVAL(header, 6, 0x0000);
-
-			hmac_sha256_update(header, 8, &ctx);
-		}
-
-		hmac_sha256_update(data, length, &ctx);
-
-		hmac_sha256_final(checksum, &ctx);
-	} else {
-		uint8_t packet_digest[16];
-		static const uint8_t zeros[4];
-		MD5_CTX ctx;
-
-		MD5Init(&ctx);
-		MD5Update(&ctx, zeros, 4);
-		if (confounder) {
-			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-			SSVAL(header, 2, NL_SEAL_RC4);
-			SSVAL(header, 4, 0xFFFF);
-			SSVAL(header, 6, 0x0000);
-
-			MD5Update(&ctx, header, 8);
-			MD5Update(&ctx, confounder, 8);
-		} else {
-			SSVAL(header, 0, NL_SIGN_HMAC_MD5);
-			SSVAL(header, 2, NL_SEAL_NONE);
-			SSVAL(header, 4, 0xFFFF);
-			SSVAL(header, 6, 0x0000);
-
-			MD5Update(&ctx, header, 8);
-		}
-		MD5Update(&ctx, data, length);
-		MD5Final(packet_digest, &ctx);
-
-		hmac_md5(state->creds->session_key,
-			 packet_digest, sizeof(packet_digest),
-			 checksum);
-	}
-}
-
-NTSTATUS netsec_incoming_packet(struct schannel_state *state,
-				bool do_unseal,
-				uint8_t *data, size_t length,
-				const DATA_BLOB *sig)
-{
-	uint32_t min_sig_size = 0;
-	uint8_t header[8];
-	uint8_t checksum[32];
-	uint32_t checksum_length = sizeof(checksum_length);
-	uint8_t _confounder[8];
-	uint8_t *confounder = NULL;
-	uint32_t confounder_ofs = 0;
-	uint8_t seq_num[8];
-	int ret;
-
-	netsec_offset_and_sizes(state,
-				do_unseal,
-				&min_sig_size,
-				NULL,
-				&checksum_length,
-				&confounder_ofs);
-
-	if (sig->length < min_sig_size) {
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	if (do_unseal) {
-		confounder = _confounder;
-		memcpy(confounder, sig->data+confounder_ofs, 8);
-	} else {
-		confounder = NULL;
-	}
-
-	SETUP_SEQNUM(state, seq_num, !state->initiator);
-
-	if (do_unseal) {
-		netsec_do_seal(state, seq_num,
-			       confounder,
-			       data, length,
-			       false);
-	}
-
-	netsec_do_sign(state, confounder,
-		       data, length,
-		       header, checksum);
-
-	ret = memcmp(checksum, sig->data+16, checksum_length);
-	if (ret != 0) {
-		dump_data_pw("calc digest:", checksum, checksum_length);
-		dump_data_pw("wire digest:", sig->data+16, checksum_length);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	netsec_do_seq_num(state, checksum, checksum_length, seq_num);
-
-	ret = memcmp(seq_num, sig->data+8, 8);
-	if (ret != 0) {
-		dump_data_pw("calc seq num:", seq_num, 8);
-		dump_data_pw("wire seq num:", sig->data+8, 8);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	return NT_STATUS_OK;
-}
-
-uint32_t netsec_outgoing_sig_size(struct schannel_state *state)
-{
-	uint32_t sig_size = 0;
-
-	netsec_offset_and_sizes(state,
-				true,
-				NULL,
-				&sig_size,
-				NULL,
-				NULL);
-
-	return sig_size;
-}
-
-NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
-				TALLOC_CTX *mem_ctx,
-				bool do_seal,
-				uint8_t *data, size_t length,
-				DATA_BLOB *sig)
-{
-	uint32_t min_sig_size = 0;
-	uint32_t used_sig_size = 0;
-	uint8_t header[8];
-	uint8_t checksum[32];
-	uint32_t checksum_length = sizeof(checksum_length);
-	uint8_t _confounder[8];
-	uint8_t *confounder = NULL;
-	uint32_t confounder_ofs = 0;
-	uint8_t seq_num[8];
-
-	netsec_offset_and_sizes(state,
-				do_seal,
-				&min_sig_size,
-				&used_sig_size,
-				&checksum_length,
-				&confounder_ofs);
-
-	SETUP_SEQNUM(state, seq_num, state->initiator);
-
-	if (do_seal) {
-		confounder = _confounder;
-		generate_random_buffer(confounder, 8);
-	} else {
-		confounder = NULL;
-	}
-
-	netsec_do_sign(state, confounder,
-		       data, length,
-		       header, checksum);
-
-	if (do_seal) {
-		netsec_do_seal(state, seq_num,
-			       confounder,
-			       data, length,
-			       true);
-	}
-
-	netsec_do_seq_num(state, checksum, checksum_length, seq_num);
-
-	(*sig) = data_blob_talloc_zero(mem_ctx, used_sig_size);
-
-	memcpy(sig->data, header, 8);
-	memcpy(sig->data+8, seq_num, 8);
-	memcpy(sig->data+16, checksum, checksum_length);
-
-	if (confounder) {
-		memcpy(sig->data+confounder_ofs, confounder, 8);
-	}
-
-	dump_data_pw("signature:", sig->data+ 0, 8);
-	dump_data_pw("seq_num  :", sig->data+ 8, 8);
-	dump_data_pw("digest   :", sig->data+16, checksum_length);
-	dump_data_pw("confound :", sig->data+confounder_ofs, 8);
-
-	return NT_STATUS_OK;
-}
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index df23058..ca2be2d 100755
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -24,7 +24,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
 
 
 bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
-	source='schannel_state_tdb.c schannel_sign.c',
+	source='schannel_state_tdb.c',
 	deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
 	)
 
-- 
1.9.3


From 307627065568a259eb9e94953b872bf723477be6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 31 Dec 2013 10:11:18 +0100
Subject: [PATCH 150/249] auth/gensec: implement GENSEC_FEATURE_SIGN_PKT_HEADER
 in schannel.c

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 03006d0e4471465f071517097145806fbe46fdba)
---
 auth/gensec/schannel.c | 56 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 46 insertions(+), 10 deletions(-)

diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index c60ab4f..3d30e83 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -34,6 +34,7 @@
 #include "lib/crypto/crypto.h"
 
 struct schannel_state {
+	struct gensec_security *gensec;
 	uint64_t seq_num;
 	bool initiator;
 	struct netlogon_creds_CredentialState *creds;
@@ -50,17 +51,19 @@ struct schannel_state {
 	RSIVAL(_buf, 4, _seq_num_high); \
 } while(0)
 
-static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
+static struct schannel_state *netsec_create_state(
+				struct gensec_security *gensec,
 				struct netlogon_creds_CredentialState *creds,
 				bool initiator)
 {
 	struct schannel_state *state;
 
-	state = talloc(mem_ctx, struct schannel_state);
+	state = talloc(gensec, struct schannel_state);
 	if (state == NULL) {
 		return NULL;
 	}
 
+	state->gensec = gensec;
 	state->initiator = initiator;
 	state->seq_num = 0;
 	state->creds = netlogon_creds_copy(state, creds);
@@ -69,6 +72,8 @@ static struct schannel_state *netsec_create_state(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+	gensec->private_data = state;
+
 	return state;
 }
 
@@ -273,6 +278,7 @@ static void netsec_do_sign(struct schannel_state *state,
 static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 				bool do_unseal,
 				uint8_t *data, size_t length,
+				const uint8_t *whole_pdu, size_t pdu_length,
 				const DATA_BLOB *sig)
 {
 	uint32_t min_sig_size = 0;
@@ -284,6 +290,8 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 	uint32_t confounder_ofs = 0;
 	uint8_t seq_num[8];
 	int ret;
+	const uint8_t *sign_data = NULL;
+	size_t sign_length = 0;
 
 	netsec_offset_and_sizes(state,
 				do_unseal,
@@ -312,8 +320,16 @@ static NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 			       false);
 	}
 
+	if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		sign_data = whole_pdu;
+		sign_length = pdu_length;
+	} else {
+		sign_data = data;
+		sign_length = length;
+	}
+
 	netsec_do_sign(state, confounder,
-		       data, length,
+		       sign_data, sign_length,
 		       header, checksum);
 
 	ret = memcmp(checksum, sig->data+16, checksum_length);
@@ -353,6 +369,7 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
 				TALLOC_CTX *mem_ctx,
 				bool do_seal,
 				uint8_t *data, size_t length,
+				const uint8_t *whole_pdu, size_t pdu_length,
 				DATA_BLOB *sig)
 {
 	uint32_t min_sig_size = 0;
@@ -364,6 +381,8 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
 	uint8_t *confounder = NULL;
 	uint32_t confounder_ofs = 0;
 	uint8_t seq_num[8];
+	const uint8_t *sign_data = NULL;
+	size_t sign_length = 0;
 
 	netsec_offset_and_sizes(state,
 				do_seal,
@@ -381,8 +400,16 @@ static NTSTATUS netsec_outgoing_packet(struct schannel_state *state,
 		confounder = NULL;
 	}
 
+	if (state->gensec->want_features & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		sign_data = whole_pdu;
+		sign_length = pdu_length;
+	} else {
+		sign_data = data;
+		sign_length = length;
+	}
+
 	netsec_do_sign(state, confounder,
-		       data, length,
+		       sign_data, sign_length,
 		       header, checksum);
 
 	if (do_seal) {
@@ -457,7 +484,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		if (state == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
-		gensec_security->private_data = state;
 
 		bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
 #if 0
@@ -553,7 +579,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		if (state == NULL) {
 			return NT_STATUS_NO_MEMORY;
 		}
-		gensec_security->private_data = state;
 
 		bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
 		bind_schannel_ack.Flags = 0;
@@ -608,6 +633,9 @@ static bool schannel_have_feature(struct gensec_security *gensec_security,
 	if (feature & GENSEC_FEATURE_DCE_STYLE) {
 		return true;
 	}
+	if (feature & GENSEC_FEATURE_SIGN_PKT_HEADER) {
+		return true;
+	}
 	return false;
 }
 
@@ -625,7 +653,9 @@ static NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
 
 	return netsec_incoming_packet(state, true,
 				      discard_const_p(uint8_t, data),
-				      length, sig);
+				      length,
+				      whole_pdu, pdu_length,
+				      sig);
 }
 
 /*
@@ -642,7 +672,9 @@ static NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
 
 	return netsec_incoming_packet(state, false,
 				      discard_const_p(uint8_t, data),
-				      length, sig);
+				      length,
+				      whole_pdu, pdu_length,
+				      sig);
 }
 /*
   seal a packet
@@ -658,7 +690,9 @@ static NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
 		struct schannel_state);
 
 	return netsec_outgoing_packet(state, mem_ctx, true,
-				      data, length, sig);
+				      data, length,
+				      whole_pdu, pdu_length,
+				      sig);
 }
 
 /*
@@ -676,7 +710,9 @@ static NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
 
 	return netsec_outgoing_packet(state, mem_ctx, false,
 				      discard_const_p(uint8_t, data),
-				      length, sig);
+				      length,
+				      whole_pdu, pdu_length,
+				      sig);
 }
 
 static const struct gensec_security_ops gensec_schannel_security_ops = {
-- 
1.9.3


From 5b457559dfaeaf8f3d9227a93e5b75e0e7464c23 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 5 Jan 2014 06:16:03 +0100
Subject: [PATCH 151/249] s3:rpc_client: talloc_zero pipe_auth_data

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5b39a351a8ceb3bec04236ceb4b2fe10651958a9)
---
 source3/rpc_client/cli_pipe.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index a343997..7d1e347 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -2101,7 +2101,7 @@ NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx,
 {
 	struct pipe_auth_data *result;
 
-	result = talloc(mem_ctx, struct pipe_auth_data);
+	result = talloc_zero(mem_ctx, struct pipe_auth_data);
 	if (result == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -2125,7 +2125,7 @@ NTSTATUS rpccli_anon_bind_data(TALLOC_CTX *mem_ctx,
 {
 	struct pipe_auth_data *result;
 
-	result = talloc(mem_ctx, struct pipe_auth_data);
+	result = talloc_zero(mem_ctx, struct pipe_auth_data);
 	if (result == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -2160,7 +2160,7 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx,
 	struct pipe_auth_data *result;
 	NTSTATUS status;
 
-	result = talloc(mem_ctx, struct pipe_auth_data);
+	result = talloc_zero(mem_ctx, struct pipe_auth_data);
 	if (result == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
-- 
1.9.3


From dd35874efea280b91ccaadf14a9a18e8a9017ea4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 5 Jan 2014 06:31:44 +0100
Subject: [PATCH 152/249] s3:rpc_client: make rpc_api_pipe_req_send/recv static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 946e29dbc148d40fadbee81d4d530a36c0f2f1e6)
---
 source3/rpc_client/cli_pipe.c |  4 ++--
 source3/rpc_client/cli_pipe.h | 10 ----------
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 7d1e347..3d12454 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1153,7 +1153,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq);
 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 				  bool *is_last_frag);
 
-struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
+static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
 					 struct tevent_context *ev,
 					 struct rpc_pipe_client *cli,
 					 uint8_t op_num,
@@ -1366,7 +1366,7 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
 	tevent_req_done(req);
 }
 
-NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
+static NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 			       DATA_BLOB *reply_pdu)
 {
 	struct rpc_api_pipe_req_state *state = tevent_req_data(
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index ab99373..826f9bf 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -27,16 +27,6 @@
 
 /* The following definitions come from rpc_client/cli_pipe.c  */
 
-struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
-					 struct tevent_context *ev,
-					 struct rpc_pipe_client *cli,
-					 uint8_t op_num,
-					 DATA_BLOB *req_data);
-
-NTSTATUS rpc_api_pipe_req_recv(struct tevent_req *req,
-			       TALLOC_CTX *mem_ctx,
-			       DATA_BLOB *reply_pdu);
-
 struct tevent_req *rpc_pipe_bind_send(TALLOC_CTX *mem_ctx,
 				      struct tevent_context *ev,
 				      struct rpc_pipe_client *cli,
-- 
1.9.3


From 9ea586bbac52bf17e6a1147420bfc9648e697706 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 5 Jan 2014 07:56:20 +0100
Subject: [PATCH 153/249] s3:rpc_client: add some const to
 rpc_api_pipe_req_send()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4d3376e919b5c33f272b3a584d8172729a7468e0)
---
 source3/rpc_client/cli_pipe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 3d12454..6b7fee2 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1142,7 +1142,7 @@ struct rpc_api_pipe_req_state {
 	struct rpc_pipe_client *cli;
 	uint8_t op_num;
 	uint32_t call_id;
-	DATA_BLOB *req_data;
+	const DATA_BLOB *req_data;
 	uint32_t req_data_sent;
 	DATA_BLOB rpc_out;
 	DATA_BLOB reply_pdu;
@@ -1157,7 +1157,7 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
 					 struct tevent_context *ev,
 					 struct rpc_pipe_client *cli,
 					 uint8_t op_num,
-					 DATA_BLOB *req_data)
+					 const DATA_BLOB *req_data)
 {
 	struct tevent_req *req, *subreq;
 	struct rpc_api_pipe_req_state *state;
-- 
1.9.3


From cc6303171f06ae26bce9d54013a63a6296563dd7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 5 Jan 2014 08:26:15 +0100
Subject: [PATCH 154/249] s3:rpc_client: handle DCERPC_AUTH_TYPE_SCHANNEL as
 any other gensec backend

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f7bf7e705e704d2f1702e42a8e400baff9521066)
---
 source3/rpc_client/cli_pipe.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 6b7fee2..b142774 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1627,11 +1627,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 
 	case DCERPC_AUTH_TYPE_NONE:
 	case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
-	case DCERPC_AUTH_TYPE_SCHANNEL:
 		/* Bind complete. */
 		tevent_req_done(req);
 		return;
 
+	case DCERPC_AUTH_TYPE_SCHANNEL:
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_SPNEGO:
 	case DCERPC_AUTH_TYPE_KRB5:
@@ -1666,11 +1666,11 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 
 	case DCERPC_AUTH_TYPE_NONE:
 	case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
-	case DCERPC_AUTH_TYPE_SCHANNEL:
 		/* Bind complete. */
 		tevent_req_done(req);
 		return;
 
+	case DCERPC_AUTH_TYPE_SCHANNEL:
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_KRB5:
 	case DCERPC_AUTH_TYPE_SPNEGO:
-- 
1.9.3


From 044ca24f9d8a3bf57d6981c89e6dcc5e4477059d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 22:41:33 +0100
Subject: [PATCH 155/249] s3:rpc_client: implement
 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 61bdbc23cd09a594a63f49ff8626934c85a8e51a)
---
 source3/librpc/rpc/dcerpc.h   |  4 +++-
 source3/rpc_client/cli_pipe.c | 44 +++++++++++++++++++++++++++++++++++++------
 2 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index b18b7ba..aaf8d68 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -39,7 +39,9 @@ struct NL_AUTH_MESSAGE;
 struct pipe_auth_data {
 	enum dcerpc_AuthType auth_type;
 	enum dcerpc_AuthLevel auth_level;
-	
+	bool client_hdr_signing;
+	bool hdr_signing;
+
 	void *auth_ctx;
 
 	/* Only the client code uses these 3 for now */
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index b142774..1cab580 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1002,16 +1002,31 @@ static NTSTATUS rpc_api_pipe_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
 
 static NTSTATUS create_generic_auth_rpc_bind_req(struct rpc_pipe_client *cli,
 						 TALLOC_CTX *mem_ctx,
-						 DATA_BLOB *auth_token)
+						 DATA_BLOB *auth_token,
+						 bool *client_hdr_signing)
 {
 	struct gensec_security *gensec_security;
 	DATA_BLOB null_blob = data_blob_null;
+	NTSTATUS status;
 
 	gensec_security = talloc_get_type_abort(cli->auth->auth_ctx,
 					struct gensec_security);
 
 	DEBUG(5, ("create_generic_auth_rpc_bind_req: generate first token\n"));
-	return gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
+	status = gensec_update(gensec_security, mem_ctx, NULL, null_blob, auth_token);
+
+	if (!NT_STATUS_IS_OK(status) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED))
+	{
+		return status;
+	}
+
+	if (client_hdr_signing != NULL) {
+		*client_hdr_signing = gensec_have_feature(gensec_security,
+						GENSEC_FEATURE_SIGN_PKT_HEADER);
+	}
+
+	return status;
 }
 
 /*******************************************************************
@@ -1024,17 +1039,23 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
 						const struct ndr_syntax_id *abstract,
 						const struct ndr_syntax_id *transfer,
 						const DATA_BLOB *auth_info,
+						bool client_hdr_signing,
 						DATA_BLOB *blob)
 {
 	uint16 auth_len = auth_info->length;
 	NTSTATUS status;
 	union dcerpc_payload u;
 	struct dcerpc_ctx_list ctx_list;
+	uint8_t pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
 
 	if (auth_len) {
 		auth_len -= DCERPC_AUTH_TRAILER_LENGTH;
 	}
 
+	if (client_hdr_signing) {
+		pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+	}
+
 	ctx_list.context_id = 0;
 	ctx_list.num_transfer_syntaxes = 1;
 	ctx_list.abstract_syntax = *abstract;
@@ -1048,9 +1069,7 @@ static NTSTATUS create_bind_or_alt_ctx_internal(TALLOC_CTX *mem_ctx,
 	u.bind.auth_info	= *auth_info;
 
 	status = dcerpc_push_ncacn_packet(mem_ctx,
-					  ptype,
-					  DCERPC_PFC_FLAG_FIRST |
-					  DCERPC_PFC_FLAG_LAST,
+					  ptype, pfc_flags,
 					  auth_len,
 					  rpc_call_id,
 					  &u,
@@ -1084,7 +1103,9 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
 	case DCERPC_AUTH_TYPE_NTLMSSP:
 	case DCERPC_AUTH_TYPE_KRB5:
 	case DCERPC_AUTH_TYPE_SPNEGO:
-		ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
+		ret = create_generic_auth_rpc_bind_req(cli, mem_ctx,
+						       &auth_token,
+						       &auth->client_hdr_signing);
 
 		if (!NT_STATUS_IS_OK(ret) &&
 		    !NT_STATUS_EQUAL(ret, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -1126,6 +1147,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
 					      abstract,
 					      transfer,
 					      &auth_info,
+					      auth->client_hdr_signing,
 					      rpc_out);
 	return ret;
 }
@@ -1507,6 +1529,7 @@ static NTSTATUS create_rpc_alter_context(TALLOC_CTX *mem_ctx,
 						 abstract,
 						 transfer,
 						 &auth_info,
+					         false, /* client_hdr_signing */
 						 rpc_out);
 	data_blob_free(&auth_info);
 	return status;
@@ -1676,6 +1699,15 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
 	case DCERPC_AUTH_TYPE_SPNEGO:
 		gensec_security = talloc_get_type_abort(pauth->auth_ctx,
 						struct gensec_security);
+
+		if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
+			if (pauth->client_hdr_signing) {
+				pauth->hdr_signing = true;
+				gensec_want_feature(gensec_security,
+						    GENSEC_FEATURE_SIGN_PKT_HEADER);
+			}
+		}
+
 		status = gensec_update(gensec_security, state, NULL,
 				       auth.credentials, &auth_token);
 		if (NT_STATUS_EQUAL(status,
-- 
1.9.3


From 472b11d1b0fdbb1ca61e64979e4b5fd7dc1756a5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 22:56:03 +0100
Subject: [PATCH 156/249] s3:rpc_server: add support for
 DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN

If the backend supports it there's no reason to avoid it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 523d616268af5f94e11c863f9acdebabace80608)
---
 source3/rpc_server/srv_pipe.c | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 5f834fb..f572819 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -42,6 +42,7 @@
 #include "rpc_server/rpc_contexts.h"
 #include "lib/param/param.h"
 #include "librpc/ndr/ndr_table.h"
+#include "auth/gensec/gensec.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -418,10 +419,11 @@ bool is_known_pipename(const char *pipename, struct ndr_syntax_id *syntax)
 *******************************************************************/
 
 static bool pipe_auth_generic_bind(struct pipes_struct *p,
-				   TALLOC_CTX *mem_ctx,
+				   struct ncacn_packet *pkt,
 				   struct dcerpc_auth *auth_info,
 				   DATA_BLOB *response)
 {
+	TALLOC_CTX *mem_ctx = pkt;
 	struct gensec_security *gensec_security = NULL;
         NTSTATUS status;
 
@@ -444,6 +446,17 @@ static bool pipe_auth_generic_bind(struct pipes_struct *p,
 	p->auth.auth_ctx = gensec_security;
 	p->auth.auth_type = auth_info->auth_type;
 
+	if (pkt->pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) {
+		p->auth.client_hdr_signing = true;
+		p->auth.hdr_signing = gensec_have_feature(gensec_security,
+						GENSEC_FEATURE_SIGN_PKT_HEADER);
+	}
+
+	if (p->auth.hdr_signing) {
+		gensec_want_feature(gensec_security,
+				    GENSEC_FEATURE_SIGN_PKT_HEADER);
+	}
+
 	return true;
 }
 
@@ -548,6 +561,7 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
 	NTSTATUS status;
 	struct ndr_syntax_id id;
+	uint8_t pfc_flags = 0;
 	union dcerpc_payload u;
 	struct dcerpc_ack_ctx bind_ack_ctx;
 	DATA_BLOB auth_resp = data_blob_null;
@@ -792,10 +806,15 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
 	 * header and are never sending more than one PDU here.
 	 */
 
+	pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
+
+	if (p->auth.hdr_signing) {
+		pfc_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+	}
+
 	status = dcerpc_push_ncacn_packet(p->mem_ctx,
 					  DCERPC_PKT_BIND_ACK,
-					  DCERPC_PFC_FLAG_FIRST |
-						DCERPC_PFC_FLAG_LAST,
+					  pfc_flags,
 					  auth_resp.length,
 					  pkt->call_id,
 					  &u,
-- 
1.9.3


From 4e6bea89ffcca074e0320b98e65485f348a469a5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 09:25:23 +0100
Subject: [PATCH 157/249] librpc/ndr: add
 LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES

This lets ndr_pull_subcontext_end() make sure that all
subcontext bytes are consumed otherwise it returns NDR_ERR_UNREAD_BYTES.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b62308ed994e9734dfd934d230531010d9e7cefa)
---
 librpc/idl/idl_types.h |  2 ++
 librpc/ndr/libndr.h    |  6 ++++++
 librpc/ndr/ndr.c       | 20 ++++++++++++++++++++
 3 files changed, 28 insertions(+)

diff --git a/librpc/idl/idl_types.h b/librpc/idl/idl_types.h
index c50efac..838c219 100644
--- a/librpc/idl/idl_types.h
+++ b/librpc/idl/idl_types.h
@@ -53,3 +53,5 @@
 
 #define NDR_RELATIVE_REVERSE LIBNDR_FLAG_RELATIVE_REVERSE
 #define NDR_NO_RELATIVE_REVERSE LIBNDR_FLAG_NO_RELATIVE_REVERSE
+
+#define NDR_SUBCONTEXT_NO_UNREAD_BYTES LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES
diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h
index a950519..8070c3c 100644
--- a/librpc/ndr/libndr.h
+++ b/librpc/ndr/libndr.h
@@ -123,6 +123,12 @@ struct ndr_print {
 #define LIBNDR_FLAG_STR_RAW8		(1<<13)
 #define LIBNDR_STRING_FLAGS		(0x7FFC)
 
+/*
+ * This lets ndr_pull_subcontext_end() return
+ * NDR_ERR_UNREAD_BYTES.
+ */
+#define LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES (1<<17)
+
 /* set if relative pointers should *not* be marshalled in reverse order */
 #define LIBNDR_FLAG_NO_RELATIVE_REVERSE	(1<<18)
 
diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c
index e86cf2f..15a7f12 100644
--- a/librpc/ndr/ndr.c
+++ b/librpc/ndr/ndr.c
@@ -638,6 +638,8 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
 				 ssize_t size_is)
 {
 	uint32_t advance;
+	uint32_t highest_ofs;
+
 	if (size_is >= 0) {
 		advance = size_is;
 	} else if (header_size > 0) {
@@ -645,6 +647,24 @@ _PUBLIC_ enum ndr_err_code ndr_pull_subcontext_end(struct ndr_pull *ndr,
 	} else {
 		advance = subndr->offset;
 	}
+
+	if (subndr->offset > ndr->relative_highest_offset) {
+		highest_ofs = subndr->offset;
+	} else {
+		highest_ofs = subndr->relative_highest_offset;
+	}
+	if (!(subndr->flags & LIBNDR_FLAG_SUBCONTEXT_NO_UNREAD_BYTES)) {
+		/*
+		 * avoid an error unless SUBCONTEXT_NO_UNREAD_BYTES is specified
+		 */
+		highest_ofs = advance;
+	}
+	if (highest_ofs < advance) {
+		return ndr_pull_error(subndr, NDR_ERR_UNREAD_BYTES,
+				      "not all bytes consumed ofs[%u] advance[%u]",
+				      highest_ofs, advance);
+	}
+
 	NDR_CHECK(ndr_pull_advance(ndr, advance));
 	return NDR_ERR_SUCCESS;
 }
-- 
1.9.3


From 5960d93d9cddca327ad8d24a41c64421ac6bb561 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 3 Jan 2014 15:06:23 +0100
Subject: [PATCH 158/249] dcerpc.idl: add documentation references

To [C706 - DCE 1.1: Remote Procedure Call] and [MS-RPCE].

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 66c39420e29e7c257d9cdc5d04c061472bbefd19)
---
 librpc/idl/dcerpc.idl | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 86f22a4..23cac89 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -5,8 +5,17 @@
   but given that pidl can handle it nicely it simplifies things a lot
   to do it this way
 
-  see http://www.opengroup.org/onlinepubs/9629399/chap12.htm for packet
-  layouts
+  See [C706 - DCE 1.1: Remote Procedure Call] for the OpenGroup
+  DCERPC specification:
+  http://pubs.opengroup.org/onlinepubs/9629399/toc.htm
+
+  See C706 - Chapter 12: RPC PDU Encodings for packet layouts:
+  http://www.opengroup.org/onlinepubs/9629399/chap12.htm
+
+  See also [MS-RPCE] for the Microsoft
+  "Remote Procedure Call Protocol Extensions".
+  http://msdn.microsoft.com/en-us/library/cc243560.aspx
+
 */
 import "misc.idl";
 
-- 
1.9.3


From 812cb7e6010b39fb752cf85026fd8d8a5dccbb39 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 2 Jan 2014 11:18:38 +0100
Subject: [PATCH 159/249] dcerpc.idl: add dcerpc_sec_verification_trailer

See [MS-RPCE] 2.2.2.13 Verification Trailer for details.

Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>

Signed-off-by: Gregor Beck <gbeck@sernet.de>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c0dc2fb7e1dadcef35a132040448cb27ff1d5bfa)
---
 librpc/idl/dcerpc.idl   | 67 +++++++++++++++++++++++++++++++++++++++++++++++++
 librpc/ndr/ndr_dcerpc.c | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
 librpc/wscript_build    |  2 +-
 3 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 librpc/ndr/ndr_dcerpc.c

diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 23cac89..8e9be0e 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -19,6 +19,8 @@
 */
 import "misc.idl";
 
+cpp_quote("extern const uint8_t DCERPC_SEC_VT_MAGIC[8];")
+
 interface dcerpc
 {
 	typedef struct {
@@ -514,4 +516,69 @@ interface dcerpc
 		uint8 serial_low;
 		[switch_is(ptype)] dcerpc_payload u;
 	} ncadg_packet;
+
+	typedef [bitmap16bit] bitmap {
+		DCERPC_SEC_VT_COMMAND_ENUM  = 0x3FFF,
+		DCERPC_SEC_VT_COMMAND_END   = 0x4000,
+		DCERPC_SEC_VT_MUST_PROCESS  = 0x8000
+	} dcerpc_sec_vt_command;
+
+	typedef [enum16bit] enum {
+		DCERPC_SEC_VT_COMMAND_BITMASK1  = 0x0001,
+		DCERPC_SEC_VT_COMMAND_PCONTEXT  = 0x0002,
+		DCERPC_SEC_VT_COMMAND_HEADER2   = 0x0003
+	} dcerpc_sec_vt_command_enum;
+
+	typedef [bitmap32bit] bitmap {
+		DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING = 0x00000001
+	} dcerpc_sec_vt_bitmask1;
+
+	typedef struct {
+		ndr_syntax_id abstract_syntax;
+		ndr_syntax_id transfer_syntax;
+	} dcerpc_sec_vt_pcontext;
+
+	typedef struct {
+		dcerpc_pkt_type ptype;  /* Packet type */
+		[value(0)] uint8 reserved1;
+		[value(0)] uint16 reserved2;
+		uint8 drep[4];          /* NDR data representation */
+		uint32 call_id;         /* Call identifier */
+		uint16 context_id;
+		uint16 opnum;
+	} dcerpc_sec_vt_header2;
+
+	typedef [switch_type(dcerpc_sec_vt_command_enum),nodiscriminant] union {
+	[case(DCERPC_SEC_VT_COMMAND_BITMASK1)] dcerpc_sec_vt_bitmask1 bitmask1;
+	[case(DCERPC_SEC_VT_COMMAND_PCONTEXT)] dcerpc_sec_vt_pcontext pcontext;
+	[case(DCERPC_SEC_VT_COMMAND_HEADER2)] dcerpc_sec_vt_header2 header2;
+	[default,flag(NDR_REMAINING)] DATA_BLOB _unknown;
+	} dcerpc_sec_vt_union;
+
+	typedef struct {
+		dcerpc_sec_vt_command command;
+		[switch_is(command & DCERPC_SEC_VT_COMMAND_ENUM)]
+			[subcontext(2),flag(NDR_SUBCONTEXT_NO_UNREAD_BYTES)]
+			dcerpc_sec_vt_union u;
+	} dcerpc_sec_vt;
+
+	typedef [public,nopush,nopull] struct {
+		uint16 count;
+	} dcerpc_sec_vt_count;
+
+	/*
+	 * We assume that the whole verification trailer fits into
+	 * the last 1024 bytes after the stub data.
+	 *
+	 * There're currently only 3 commands defined and each should
+	 * only be used once.
+	 */
+	const uint16 DCERPC_SEC_VT_MAX_SIZE = 1024;
+
+	typedef [public,flag(NDR_PAHEX)] struct {
+		[flag(NDR_ALIGN4)] DATA_BLOB _pad;
+		[value(DCERPC_SEC_VT_MAGIC)] uint8 magic[8];
+		dcerpc_sec_vt_count count;
+		dcerpc_sec_vt commands[count.count];
+	} dcerpc_sec_verification_trailer;
 }
diff --git a/librpc/ndr/ndr_dcerpc.c b/librpc/ndr/ndr_dcerpc.c
new file mode 100644
index 0000000..88a7f38
--- /dev/null
+++ b/librpc/ndr/ndr_dcerpc.c
@@ -0,0 +1,66 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Manually parsed structures found in the DCERPC protocol
+
+   Copyright (C) Stefan Metzmacher 2014
+   Copyright (C) Gregor Beck 2014
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "bin/default/librpc/gen_ndr/ndr_dcerpc.h"
+
+#include "librpc/gen_ndr/ndr_misc.h"
+
+const uint8_t DCERPC_SEC_VT_MAGIC[] = {0x8a,0xe3,0x13,0x71,0x02,0xf4,0x36,0x71};
+
+_PUBLIC_ enum ndr_err_code ndr_push_dcerpc_sec_vt_count(struct ndr_push *ndr, int ndr_flags, const struct dcerpc_sec_vt_count *r)
+{
+	NDR_PUSH_CHECK_FLAGS(ndr, ndr_flags);
+	/* nothing */
+	return NDR_ERR_SUCCESS;
+}
+
+_PUBLIC_ enum ndr_err_code ndr_pull_dcerpc_sec_vt_count(struct ndr_pull *ndr, int ndr_flags, struct dcerpc_sec_vt_count *r)
+{
+	uint32_t _saved_ofs = ndr->offset;
+
+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+
+	if (!(ndr_flags & NDR_SCALARS)) {
+		return NDR_ERR_SUCCESS;
+	}
+
+	r->count = 0;
+
+	while (true) {
+		uint16_t command;
+		uint16_t length;
+
+		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &command));
+		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &length));
+		NDR_CHECK(ndr_pull_advance(ndr, length));
+
+		r->count += 1;
+
+		if (command & DCERPC_SEC_VT_COMMAND_END) {
+			break;
+		}
+	}
+
+	ndr->offset = _saved_ofs;
+	return NDR_ERR_SUCCESS;
+}
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 2017a29..a5cf687 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -301,7 +301,7 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP',
 	)
 
 bld.SAMBA_SUBSYSTEM('NDR_DCERPC',
-    source='gen_ndr/ndr_dcerpc.c',
+    source='gen_ndr/ndr_dcerpc.c ndr/ndr_dcerpc.c',
     public_deps='ndr',
     public_headers='gen_ndr/ndr_dcerpc.h gen_ndr/dcerpc.h',
     header_path= [ ('*gen_ndr*', 'gen_ndr') ],
-- 
1.9.3


From 3480b809bd9426ce6b976b9965a54de32d246a66 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 5 Jan 2014 07:57:51 +0100
Subject: [PATCH 160/249] s3:rpc_client: fill alloc_hint with the remaining
 data not the total data.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f0532fe0cd69aeb161088ca990d376f119102e61)
---
 source3/rpc_client/cli_pipe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 1cab580..5edd897 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1277,7 +1277,7 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 
 	ZERO_STRUCT(u.request);
 
-	u.request.alloc_hint	= state->req_data->length;
+	u.request.alloc_hint	= data_left;
 	u.request.context_id	= 0;
 	u.request.opnum		= state->op_num;
 
-- 
1.9.3


From bd675cd6e4848bee8798dacf1768556de48f3112 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 5 Jan 2014 08:12:45 +0100
Subject: [PATCH 161/249] s3:rpc_client: send a dcerpc_sec_verification_trailer
 if needed

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  7 02:24:42 CET 2014 on sn-devel-104
(cherry picked from commit 6ab9164c74e0ad57bdde8abb568953026b644e27)
---
 source3/librpc/rpc/dcerpc.h     |   1 +
 source3/rpc_client/cli_pipe.c   | 202 ++++++++++++++++++++++++++++++++++++++--
 source3/rpc_client/rpc_client.h |   1 +
 3 files changed, 194 insertions(+), 10 deletions(-)

diff --git a/source3/librpc/rpc/dcerpc.h b/source3/librpc/rpc/dcerpc.h
index aaf8d68..9d0f861 100644
--- a/source3/librpc/rpc/dcerpc.h
+++ b/source3/librpc/rpc/dcerpc.h
@@ -41,6 +41,7 @@ struct pipe_auth_data {
 	enum dcerpc_AuthLevel auth_level;
 	bool client_hdr_signing;
 	bool hdr_signing;
+	bool verified_bitmask1;
 
 	void *auth_ctx;
 
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 5edd897..a45023f 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1166,12 +1166,17 @@ struct rpc_api_pipe_req_state {
 	uint32_t call_id;
 	const DATA_BLOB *req_data;
 	uint32_t req_data_sent;
+	DATA_BLOB req_trailer;
+	uint32_t req_trailer_sent;
+	bool verify_bitmask1;
+	bool verify_pcontext;
 	DATA_BLOB rpc_out;
 	DATA_BLOB reply_pdu;
 };
 
 static void rpc_api_pipe_req_write_done(struct tevent_req *subreq);
 static void rpc_api_pipe_req_done(struct tevent_req *subreq);
+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state);
 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 				  bool *is_last_frag);
 
@@ -1207,6 +1212,11 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
 		goto post_status;
 	}
 
+	status = prepare_verification_trailer(state);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto post_status;
+	}
+
 	status = prepare_next_frag(state, &is_last_frag);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto post_status;
@@ -1241,25 +1251,164 @@ static struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
 	return NULL;
 }
 
+static NTSTATUS prepare_verification_trailer(struct rpc_api_pipe_req_state *state)
+{
+	struct pipe_auth_data *a = state->cli->auth;
+	struct dcerpc_sec_verification_trailer *t;
+	struct dcerpc_sec_vt *c = NULL;
+	struct ndr_push *ndr = NULL;
+	enum ndr_err_code ndr_err;
+	size_t align = 0;
+	size_t pad = 0;
+
+	if (a == NULL) {
+		return NT_STATUS_OK;
+	}
+
+	if (a->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+		return NT_STATUS_OK;
+	}
+
+	t = talloc_zero(state, struct dcerpc_sec_verification_trailer);
+	if (t == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (!a->verified_bitmask1) {
+		t->commands = talloc_realloc(t, t->commands,
+					     struct dcerpc_sec_vt,
+					     t->count.count + 1);
+		if (t->commands == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		c = &t->commands[t->count.count++];
+		ZERO_STRUCTP(c);
+
+		c->command = DCERPC_SEC_VT_COMMAND_BITMASK1;
+		if (a->client_hdr_signing) {
+			c->u.bitmask1 = DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING;
+		}
+		state->verify_bitmask1 = true;
+	}
+
+	if (!state->cli->verified_pcontext) {
+		t->commands = talloc_realloc(t, t->commands,
+					     struct dcerpc_sec_vt,
+					     t->count.count + 1);
+		if (t->commands == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		c = &t->commands[t->count.count++];
+		ZERO_STRUCTP(c);
+
+		c->command = DCERPC_SEC_VT_COMMAND_PCONTEXT;
+		c->u.pcontext.abstract_syntax = state->cli->abstract_syntax;
+		c->u.pcontext.transfer_syntax = state->cli->transfer_syntax;
+
+		state->verify_pcontext = true;
+	}
+
+	if (!a->hdr_signing) {
+		t->commands = talloc_realloc(t, t->commands,
+					     struct dcerpc_sec_vt,
+					     t->count.count + 1);
+		if (t->commands == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		c = &t->commands[t->count.count++];
+		ZERO_STRUCTP(c);
+
+		c->command = DCERPC_SEC_VT_COMMAND_HEADER2;
+		c->u.header2.ptype = DCERPC_PKT_REQUEST;
+		c->u.header2.drep[0] = DCERPC_DREP_LE;
+		c->u.header2.drep[1] = 0;
+		c->u.header2.drep[2] = 0;
+		c->u.header2.drep[3] = 0;
+		c->u.header2.call_id = state->call_id;
+		c->u.header2.context_id = 0;
+		c->u.header2.opnum = state->op_num;
+	}
+
+	if (t->count.count == 0) {
+		TALLOC_FREE(t);
+		return NT_STATUS_OK;
+	}
+
+	c = &t->commands[t->count.count - 1];
+	c->command |= DCERPC_SEC_VT_COMMAND_END;
+
+	if (DEBUGLEVEL >= 10) {
+		NDR_PRINT_DEBUG(dcerpc_sec_verification_trailer, t);
+	}
+
+	ndr = ndr_push_init_ctx(state);
+	if (ndr == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	ndr_err = ndr_push_dcerpc_sec_verification_trailer(ndr,
+						NDR_SCALARS | NDR_BUFFERS,
+						t);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		return ndr_map_error2ntstatus(ndr_err);
+	}
+	state->req_trailer = ndr_push_blob(ndr);
+
+	align = state->req_data->length & 0x3;
+	if (align > 0) {
+		pad = 4 - align;
+	}
+	if (pad > 0) {
+		bool ok;
+		uint8_t *p;
+		const uint8_t zeros[4] = { 0, };
+
+		ok = data_blob_append(ndr, &state->req_trailer, zeros, pad);
+		if (!ok) {
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		/* move the padding to the start */
+		p = state->req_trailer.data;
+		memmove(p + pad, p, state->req_trailer.length - pad);
+		memset(p, 0, pad);
+	}
+
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 				  bool *is_last_frag)
 {
-	size_t data_sent_thistime;
 	size_t auth_len;
 	size_t frag_len;
 	uint8_t flags = 0;
 	size_t pad_len;
 	size_t data_left;
+	size_t data_thistime;
+	size_t trailer_left;
+	size_t trailer_thistime = 0;
+	size_t total_left;
+	size_t total_thistime;
 	NTSTATUS status;
+	bool ok;
 	union dcerpc_payload u;
 
 	data_left = state->req_data->length - state->req_data_sent;
+	trailer_left = state->req_trailer.length - state->req_trailer_sent;
+	total_left = data_left + trailer_left;
+	if ((total_left < data_left) || (total_left < trailer_left)) {
+		/*
+		 * overflow
+		 */
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
 
 	status = dcerpc_guess_sizes(state->cli->auth,
-				    DCERPC_REQUEST_LENGTH, data_left,
+				    DCERPC_REQUEST_LENGTH, total_left,
 				    state->cli->max_xmit_frag,
 				    CLIENT_NDR_PADDING_SIZE,
-				    &data_sent_thistime,
+				    &total_thistime,
 				    &frag_len, &auth_len, &pad_len);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -1269,15 +1418,20 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 		flags = DCERPC_PFC_FLAG_FIRST;
 	}
 
-	if (data_sent_thistime == data_left) {
+	if (total_thistime == total_left) {
 		flags |= DCERPC_PFC_FLAG_LAST;
 	}
 
+	data_thistime = MIN(total_thistime, data_left);
+	if (data_thistime < total_thistime) {
+		trailer_thistime = total_thistime - data_thistime;
+	}
+
 	data_blob_free(&state->rpc_out);
 
 	ZERO_STRUCT(u.request);
 
-	u.request.alloc_hint	= data_left;
+	u.request.alloc_hint	= total_left;
 	u.request.context_id	= 0;
 	u.request.opnum		= state->op_num;
 
@@ -1297,11 +1451,26 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 	 * at this stage */
 	dcerpc_set_frag_length(&state->rpc_out, frag_len);
 
-	/* Copy in the data. */
-	if (!data_blob_append(NULL, &state->rpc_out,
+	if (data_thistime > 0) {
+		/* Copy in the data. */
+		ok = data_blob_append(NULL, &state->rpc_out,
 				state->req_data->data + state->req_data_sent,
-				data_sent_thistime)) {
-		return NT_STATUS_NO_MEMORY;
+				data_thistime);
+		if (!ok) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		state->req_data_sent += data_thistime;
+	}
+
+	if (trailer_thistime > 0) {
+		/* Copy in the verification trailer. */
+		ok = data_blob_append(NULL, &state->rpc_out,
+				state->req_trailer.data + state->req_trailer_sent,
+				trailer_thistime);
+		if (!ok) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		state->req_trailer_sent += trailer_thistime;
 	}
 
 	switch (state->cli->auth->auth_level) {
@@ -1321,7 +1490,6 @@ static NTSTATUS prepare_next_frag(struct rpc_api_pipe_req_state *state,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	state->req_data_sent += data_sent_thistime;
 	*is_last_frag = ((flags & DCERPC_PFC_FLAG_LAST) != 0);
 
 	return status;
@@ -1385,6 +1553,20 @@ static void rpc_api_pipe_req_done(struct tevent_req *subreq)
 		tevent_req_nterror(req, status);
 		return;
 	}
+
+	if (state->cli->auth == NULL) {
+		tevent_req_done(req);
+		return;
+	}
+
+	if (state->verify_bitmask1) {
+		state->cli->auth->verified_bitmask1 = true;
+	}
+
+	if (state->verify_pcontext) {
+		state->cli->verified_pcontext = true;
+	}
+
 	tevent_req_done(req);
 }
 
diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
index 6561b28..8024f01 100644
--- a/source3/rpc_client/rpc_client.h
+++ b/source3/rpc_client/rpc_client.h
@@ -39,6 +39,7 @@ struct rpc_pipe_client {
 
 	struct ndr_syntax_id abstract_syntax;
 	struct ndr_syntax_id transfer_syntax;
+	bool verified_pcontext;
 
 	char *desthost;
 	char *srv_name_slash;
-- 
1.9.3


From 3df8f8c1dda254a85e4fa02b74d23a4802bc595c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 18 Apr 2013 19:16:42 +0200
Subject: [PATCH 162/249] libcli/auth: add netlogon_creds_cli* infrastructure

This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.

Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.

We now use a node specific computer name in order to establish
individual netlogon sessions per node.

If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.

The locking is needed as there might be more than one process
(multiple winbindd child, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.

LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.

This is prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6e6d9f9f12284ed06a21cc02080e436b7326065f)
---
 libcli/auth/netlogon_creds_cli.c | 2596 ++++++++++++++++++++++++++++++++++++++
 libcli/auth/netlogon_creds_cli.h |  138 ++
 libcli/auth/wscript_build        |    4 +
 3 files changed, 2738 insertions(+)
 create mode 100644 libcli/auth/netlogon_creds_cli.c
 create mode 100644 libcli/auth/netlogon_creds_cli.h

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
new file mode 100644
index 0000000..75d6b2c
--- /dev/null
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -0,0 +1,2596 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   module to store/fetch session keys for the schannel client
+
+   Copyright (C) Stefan Metzmacher 2013
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "system/filesys.h"
+#include <tevent.h>
+#include "lib/util/tevent_ntstatus.h"
+#include "lib/dbwrap/dbwrap.h"
+#include "lib/dbwrap/dbwrap_rbt.h"
+#include "lib/util/util_tdb.h"
+#include "libcli/security/security.h"
+#include "../lib/param/param.h"
+#include "../libcli/auth/schannel.h"
+#include "../librpc/gen_ndr/ndr_schannel.h"
+#include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../librpc/gen_ndr/server_id.h"
+#include "netlogon_creds_cli.h"
+#include "source3/include/messages.h"
+#include "source3/include/g_lock.h"
+
+struct netlogon_creds_cli_locked_state;
+
+struct netlogon_creds_cli_context {
+	struct {
+		const char *computer;
+		const char *account;
+		uint32_t proposed_flags;
+		uint32_t required_flags;
+		enum netr_SchannelType type;
+		enum dcerpc_AuthLevel auth_level;
+	} client;
+
+	struct {
+		const char *computer;
+		const char *netbios_domain;
+		uint32_t cached_flags;
+		bool try_validation6;
+		bool try_logon_ex;
+		bool try_logon_with;
+	} server;
+
+	struct {
+		const char *key_name;
+		TDB_DATA key_data;
+		struct db_context *ctx;
+		struct g_lock_ctx *g_ctx;
+		struct netlogon_creds_cli_locked_state *locked_state;
+	} db;
+};
+
+struct netlogon_creds_cli_locked_state {
+	struct netlogon_creds_cli_context *context;
+	bool is_glocked;
+	struct netlogon_creds_CredentialState *creds;
+};
+
+static int netlogon_creds_cli_locked_state_destructor(
+		struct netlogon_creds_cli_locked_state *state)
+{
+	struct netlogon_creds_cli_context *context = state->context;
+
+	if (context == NULL) {
+		return 0;
+	}
+
+	if (context->db.locked_state == state) {
+		context->db.locked_state = NULL;
+	}
+
+	if (state->is_glocked) {
+		g_lock_unlock(context->db.g_ctx,
+			      context->db.key_name);
+	}
+
+	return 0;
+}
+
+static NTSTATUS netlogon_creds_cli_context_common(
+				const char *client_computer,
+				const char *client_account,
+				enum netr_SchannelType type,
+				enum dcerpc_AuthLevel auth_level,
+				uint32_t proposed_flags,
+				uint32_t required_flags,
+				const char *server_computer,
+				const char *server_netbios_domain,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_context)
+{
+	struct netlogon_creds_cli_context *context = NULL;
+
+	*_context = NULL;
+
+	context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
+	if (context == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->client.computer = talloc_strdup(context, client_computer);
+	if (context->client.computer == NULL) {
+		talloc_free(context);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->client.account = talloc_strdup(context, client_account);
+	if (context->client.account == NULL) {
+		talloc_free(context);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->client.proposed_flags = proposed_flags;
+	context->client.required_flags = required_flags;
+	context->client.type = type;
+	context->client.auth_level = auth_level;
+
+	context->server.computer = talloc_strdup(context, server_computer);
+	if (context->server.computer == NULL) {
+		talloc_free(context);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
+	if (context->server.netbios_domain == NULL) {
+		talloc_free(context);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
+					     client_computer,
+					     client_account,
+					     server_computer,
+					     server_netbios_domain);
+	if (context->db.key_name == NULL) {
+		talloc_free(context);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->db.key_data = string_term_tdb_data(context->db.key_name);
+
+	*_context = context;
+	return NT_STATUS_OK;
+}
+
+static struct db_context *netlogon_creds_cli_global_db;
+
+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
+{
+	char *fname;
+	struct db_context *global_db;
+
+	if (netlogon_creds_cli_global_db != NULL) {
+		return NT_STATUS_OK;
+	}
+
+	fname = lpcfg_private_db_path(talloc_autofree_context(), lp_ctx, "netlogon_creds_cli");
+	if (fname == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	global_db = dbwrap_local_open(talloc_autofree_context(), lp_ctx,
+				      fname, 0,
+				      TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+				      O_RDWR|O_CREAT,
+				      0600, DBWRAP_LOCK_ORDER_2);
+	if (global_db == NULL) {
+		DEBUG(0,("netlogon_creds_cli_open_global_db: Failed to open %s - %s\n",
+			 fname, strerror(errno)));
+		talloc_free(fname);
+		return NT_STATUS_NO_MEMORY;
+	}
+	TALLOC_FREE(fname);
+
+	netlogon_creds_cli_global_db = global_db;
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+				struct messaging_context *msg_ctx,
+				const char *client_account,
+				enum netr_SchannelType type,
+				const char *server_computer,
+				const char *server_netbios_domain,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_context)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	NTSTATUS status;
+	struct netlogon_creds_cli_context *context = NULL;
+	const char *client_computer;
+	uint32_t proposed_flags;
+	uint32_t required_flags = 0;
+	bool reject_md5_servers = false;
+	bool require_strong_key = false;
+	int require_sign_or_seal = true;
+	bool seal_secure_channel = true;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+	bool neutralize_nt4_emulation = false;
+	struct server_id self = {
+		.vnn = NONCLUSTER_VNN,
+		.unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
+	};
+
+	if (msg_ctx != NULL) {
+		self = messaging_server_id(msg_ctx);
+	}
+
+	*_context = NULL;
+
+	if (self.vnn != NONCLUSTER_VNN) {
+		client_computer = talloc_asprintf(frame,
+						  "%s_cluster_vnn_%u",
+						  lpcfg_netbios_name(lp_ctx),
+						  (unsigned)self.vnn);
+		if (client_computer == NULL) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_NO_MEMORY;
+		}
+	} else {
+		client_computer = lpcfg_netbios_name(lp_ctx);
+	}
+
+	/*
+	 * allow overwrite per domain
+	 * reject md5 servers:<netbios_domain>
+	 */
+	//TODO: add lpcfp_reject_md5_servers()
+	reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
+					     "__default__",
+					     "reject md5 servers",
+					     reject_md5_servers);
+	reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
+					     "reject md5 servers",
+					     server_netbios_domain,
+					     reject_md5_servers);
+
+	/*
+	 * allow overwrite per domain
+	 * require strong key:<netbios_domain>
+	 */
+	//TODO: add lpcfp_require_strong_key()
+	require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
+					     "__default__",
+					     "require strong key",
+					     require_strong_key);
+	require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
+					     "require strong key",
+					     server_netbios_domain,
+					     require_strong_key);
+
+	/*
+	 * allow overwrite per domain
+	 * client schannel:<netbios_domain>
+	 */
+	require_sign_or_seal = lpcfg_client_schannel(lp_ctx);
+	require_sign_or_seal = lpcfg_parm_int(lp_ctx, NULL,
+					      "client schannel",
+					      server_netbios_domain,
+					      require_sign_or_seal);
+
+	/*
+	 * allow overwrite per domain
+	 * winbind sealed pipes:<netbios_domain>
+	 */
+	seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+	seal_secure_channel = lpcfg_parm_bool(lp_ctx, NULL,
+					      "winbind sealed pipes",
+					      server_netbios_domain,
+					      seal_secure_channel);
+
+	/*
+	 * allow overwrite per domain
+	 * neutralize nt4 emulation:<netbios_domain>
+	 */
+	//TODO: add lpcfp_neutralize_nt4_emulation()
+	neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
+						   "__default__",
+						   "neutralize nt4 emulation",
+						   neutralize_nt4_emulation);
+	neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
+						   "neutralize nt4 emulation",
+						   server_netbios_domain,
+						   neutralize_nt4_emulation);
+
+	proposed_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+	proposed_flags |= NETLOGON_NEG_SUPPORTS_AES;
+
+	switch (type) {
+	case SEC_CHAN_WKSTA:
+		if (lpcfg_security(lp_ctx) == SEC_ADS) {
+			/*
+			 * AD domains should be secure
+			 */
+			required_flags |= NETLOGON_NEG_PASSWORD_SET2;
+			require_sign_or_seal = true;
+			require_strong_key = true;
+		}
+		break;
+
+	case SEC_CHAN_DOMAIN:
+		break;
+
+	case SEC_CHAN_DNS_DOMAIN:
+		/*
+		 * AD domains should be secure
+		 */
+		required_flags |= NETLOGON_NEG_PASSWORD_SET2;
+		require_sign_or_seal = true;
+		require_strong_key = true;
+		neutralize_nt4_emulation = true;
+		break;
+
+	case SEC_CHAN_BDC:
+		required_flags |= NETLOGON_NEG_PASSWORD_SET2;
+		require_sign_or_seal = true;
+		require_strong_key = true;
+		break;
+
+	case SEC_CHAN_RODC:
+		required_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
+		required_flags |= NETLOGON_NEG_PASSWORD_SET2;
+		require_sign_or_seal = true;
+		require_strong_key = true;
+		neutralize_nt4_emulation = true;
+		break;
+
+	default:
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	if (neutralize_nt4_emulation) {
+		proposed_flags |= NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION;
+	}
+
+	if (require_sign_or_seal == false) {
+		proposed_flags &= ~NETLOGON_NEG_AUTHENTICATED_RPC;
+	} else {
+		required_flags |= NETLOGON_NEG_ARCFOUR;
+		required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
+	}
+
+	if (reject_md5_servers) {
+		required_flags |= NETLOGON_NEG_ARCFOUR;
+		required_flags |= NETLOGON_NEG_PASSWORD_SET2;
+		required_flags |= NETLOGON_NEG_SUPPORTS_AES;
+		required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
+	}
+
+	if (require_strong_key) {
+		required_flags |= NETLOGON_NEG_ARCFOUR;
+		required_flags |= NETLOGON_NEG_STRONG_KEYS;
+		required_flags |= NETLOGON_NEG_AUTHENTICATED_RPC;
+	}
+
+	proposed_flags |= required_flags;
+
+	if (seal_secure_channel) {
+		auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+	} else {
+		auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+	}
+
+	status = netlogon_creds_cli_context_common(client_computer,
+						   client_account,
+						   type,
+						   auth_level,
+						   proposed_flags,
+						   required_flags,
+						   server_computer,
+						   server_netbios_domain,
+						   mem_ctx,
+						   &context);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	if (msg_ctx != NULL) {
+		context->db.g_ctx = g_lock_ctx_init(context, msg_ctx);
+		if (context->db.g_ctx == NULL) {
+			TALLOC_FREE(context);
+			TALLOC_FREE(frame);
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (netlogon_creds_cli_global_db != NULL) {
+		context->db.ctx = netlogon_creds_cli_global_db;
+		*_context = context;
+		TALLOC_FREE(frame);
+		return NT_STATUS_OK;
+	}
+
+	status = netlogon_creds_cli_open_global_db(lp_ctx);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->db.ctx = netlogon_creds_cli_global_db;
+	*_context = context;
+	TALLOC_FREE(frame);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
+				const char *client_account,
+				enum netr_SchannelType type,
+				uint32_t proposed_flags,
+				uint32_t required_flags,
+				enum dcerpc_AuthLevel auth_level,
+				const char *server_computer,
+				const char *server_netbios_domain,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_context)
+{
+	NTSTATUS status;
+	struct netlogon_creds_cli_context *context = NULL;
+
+	*_context = NULL;
+
+	status = netlogon_creds_cli_context_common(client_computer,
+						   client_account,
+						   type,
+						   auth_level,
+						   proposed_flags,
+						   required_flags,
+						   server_computer,
+						   server_netbios_domain,
+						   mem_ctx,
+						   &context);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	context->db.ctx = db_open_rbt(context);
+	if (context->db.ctx == NULL) {
+		talloc_free(context);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*_context = context;
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_context_copy(
+				const struct netlogon_creds_cli_context *src,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_dst)
+{
+	struct netlogon_creds_cli_context *dst;
+
+	dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
+	if (dst == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	*dst = *src;
+
+	dst->client.computer = talloc_strdup(dst, src->client.computer);
+	if (dst->client.computer == NULL) {
+		TALLOC_FREE(dst);
+		return NT_STATUS_NO_MEMORY;
+	}
+	dst->client.account = talloc_strdup(dst, src->client.account);
+	if (dst->client.account == NULL) {
+		TALLOC_FREE(dst);
+		return NT_STATUS_NO_MEMORY;
+	}
+	dst->server.computer = talloc_strdup(dst, src->server.computer);
+	if (dst->server.computer == NULL) {
+		TALLOC_FREE(dst);
+		return NT_STATUS_NO_MEMORY;
+	}
+	dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
+	if (dst->server.netbios_domain == NULL) {
+		TALLOC_FREE(dst);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	dst->db.key_name = talloc_strdup(dst, src->db.key_name);
+	if (dst->db.key_name == NULL) {
+		TALLOC_FREE(dst);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	dst->db.key_data = string_term_tdb_data(dst->db.key_name);
+
+	*_dst = dst;
+	return NT_STATUS_OK;
+}
+
+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
+		struct netlogon_creds_cli_context *context)
+{
+	return context->client.auth_level;
+}
+
+struct netlogon_creds_cli_fetch_state {
+	TALLOC_CTX *mem_ctx;
+	struct netlogon_creds_CredentialState *creds;
+	uint32_t required_flags;
+	NTSTATUS status;
+};
+
+static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
+					    void *private_data)
+{
+	struct netlogon_creds_cli_fetch_state *state =
+		(struct netlogon_creds_cli_fetch_state *)private_data;
+	enum ndr_err_code ndr_err;
+	DATA_BLOB blob;
+	uint32_t tmp_flags;
+
+	state->creds = talloc_zero(state->mem_ctx,
+				   struct netlogon_creds_CredentialState);
+	if (state->creds == NULL) {
+		state->status = NT_STATUS_NO_MEMORY;
+		return;
+	}
+
+	blob.data = data.dptr;
+	blob.length = data.dsize;
+
+	ndr_err = ndr_pull_struct_blob(&blob, state->creds, state->creds,
+		(ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		TALLOC_FREE(state->creds);
+		state->status = ndr_map_error2ntstatus(ndr_err);
+		return;
+	}
+
+	tmp_flags = state->creds->negotiate_flags;
+	tmp_flags &= state->required_flags;
+	if (tmp_flags != state->required_flags) {
+		TALLOC_FREE(state->creds);
+		state->status = NT_STATUS_DOWNGRADE_DETECTED;
+		return;
+	}
+
+	state->status = NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_CredentialState **_creds)
+{
+	NTSTATUS status;
+	struct netlogon_creds_cli_fetch_state fstate = {
+		.mem_ctx = mem_ctx,
+		.status = NT_STATUS_INTERNAL_ERROR,
+		.required_flags = context->client.required_flags,
+	};
+	static const struct netr_Credential zero_creds;
+
+	*_creds = NULL;
+
+	status = dbwrap_parse_record(context->db.ctx,
+				     context->db.key_data,
+				     netlogon_creds_cli_fetch_parser,
+				     &fstate);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+	status = fstate.status;
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	/*
+	 * mark it as invalid for step operations.
+	 */
+	fstate.creds->sequence = 0;
+	fstate.creds->seed = zero_creds;
+	fstate.creds->client = zero_creds;
+	fstate.creds->server = zero_creds;
+
+	if (context->server.cached_flags == fstate.creds->negotiate_flags) {
+		*_creds = fstate.creds;
+		return NT_STATUS_OK;
+	}
+
+	/*
+	 * It is really important to try SamLogonEx here,
+	 * because multiple processes can talk to the same
+	 * domain controller, without using the credential
+	 * chain.
+	 *
+	 * With a normal SamLogon call, we must keep the
+	 * credentials chain updated and intact between all
+	 * users of the machine account (which would imply
+	 * cross-node communication for every NTLM logon).
+	 *
+	 * The credentials chain is not per NETLOGON pipe
+	 * connection, but globally on the server/client pair
+	 * by computer name, while the client is free to use
+	 * any computer name. We include the cluster node number
+	 * in our computer name in order to avoid cross node
+	 * coordination of the credential chain.
+	 *
+	 * It's also important to use NetlogonValidationSamInfo4 (6),
+	 * because it relies on the rpc transport encryption
+	 * and avoids using the global netlogon schannel
+	 * session key to en/decrypt secret information
+	 * like the user_session_key for network logons.
+	 *
+	 * [MS-APDS] 3.1.5.2 NTLM Network Logon
+	 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
+	 * NETLOGON_NEG_AUTHENTICATED_RPC set together
+	 * are the indication that the server supports
+	 * NetlogonValidationSamInfo4 (6). And it must only
+	 * be used if "SealSecureChannel" is used.
+	 *
+	 * The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
+	 * check is done in netlogon_creds_cli_LogonSamLogon*().
+	 */
+	context->server.cached_flags = fstate.creds->negotiate_flags;
+	context->server.try_validation6 = true;
+	context->server.try_logon_ex = true;
+	context->server.try_logon_with = true;
+
+	if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+		context->server.try_validation6 = false;
+		context->server.try_logon_ex = false;
+	}
+	if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
+		context->server.try_validation6 = false;
+	}
+
+	*_creds = fstate.creds;
+	return NT_STATUS_OK;
+}
+
+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
+			const struct netlogon_creds_CredentialState *creds1)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct netlogon_creds_CredentialState *creds2;
+	DATA_BLOB blob1;
+	DATA_BLOB blob2;
+	NTSTATUS status;
+	enum ndr_err_code ndr_err;
+	int cmp;
+
+	status = netlogon_creds_cli_get(context, frame, &creds2);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return false;
+	}
+
+	ndr_err = ndr_push_struct_blob(&blob1, frame, creds1,
+		(ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		TALLOC_FREE(frame);
+		return false;
+	}
+
+	ndr_err = ndr_push_struct_blob(&blob2, frame, creds2,
+		(ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		TALLOC_FREE(frame);
+		return false;
+	}
+
+	if (blob1.length != blob2.length) {
+		TALLOC_FREE(frame);
+		return false;
+	}
+
+	cmp = memcmp(blob1.data, blob2.data, blob1.length);
+	if (cmp != 0) {
+		TALLOC_FREE(frame);
+		return false;
+	}
+
+	TALLOC_FREE(frame);
+	return true;
+}
+
+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
+				  struct netlogon_creds_CredentialState **_creds)
+{
+	struct netlogon_creds_CredentialState *creds = *_creds;
+	NTSTATUS status;
+	enum ndr_err_code ndr_err;
+	DATA_BLOB blob;
+	TDB_DATA data;
+
+	*_creds = NULL;
+
+	if (context->db.locked_state == NULL) {
+		/*
+		 * this was not the result of netlogon_creds_cli_lock*()
+		 */
+		TALLOC_FREE(creds);
+		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	}
+
+	if (context->db.locked_state->creds != creds) {
+		/*
+		 * this was not the result of netlogon_creds_cli_lock*()
+		 */
+		TALLOC_FREE(creds);
+		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	}
+
+	ndr_err = ndr_push_struct_blob(&blob, creds, creds,
+		(ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		TALLOC_FREE(creds);
+		status = ndr_map_error2ntstatus(ndr_err);
+		return status;
+	}
+
+	data.dptr = blob.data;
+	data.dsize = blob.length;
+
+	status = dbwrap_store(context->db.ctx,
+			      context->db.key_data,
+			      data, TDB_REPLACE);
+	TALLOC_FREE(creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
+				   struct netlogon_creds_CredentialState **_creds)
+{
+	struct netlogon_creds_CredentialState *creds = *_creds;
+	NTSTATUS status;
+
+	*_creds = NULL;
+
+	if (context->db.locked_state == NULL) {
+		/*
+		 * this was not the result of netlogon_creds_cli_lock*()
+		 */
+		TALLOC_FREE(creds);
+		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	}
+
+	if (context->db.locked_state->creds != creds) {
+		/*
+		 * this was not the result of netlogon_creds_cli_lock*()
+		 */
+		TALLOC_FREE(creds);
+		return NT_STATUS_INVALID_PAGE_PROTECTION;
+	}
+
+	status = dbwrap_delete(context->db.ctx,
+			       context->db.key_data);
+	TALLOC_FREE(creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
+struct netlogon_creds_cli_lock_state {
+	struct netlogon_creds_cli_locked_state *locked_state;
+	struct netlogon_creds_CredentialState *creds;
+};
+
+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req);
+
+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_lock_state *state;
+	struct netlogon_creds_cli_locked_state *locked_state;
+	struct tevent_req *subreq;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_lock_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	if (context->db.locked_state != NULL) {
+		tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
+		return tevent_req_post(req, ev);
+	}
+
+	locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
+	if (tevent_req_nomem(locked_state, req)) {
+		return tevent_req_post(req, ev);
+	}
+	talloc_set_destructor(locked_state,
+			      netlogon_creds_cli_locked_state_destructor);
+	locked_state->context = context;
+
+	context->db.locked_state = locked_state;
+	state->locked_state = locked_state;
+
+	if (context->db.g_ctx == NULL) {
+		netlogon_creds_cli_lock_fetch(req);
+		if (!tevent_req_is_in_progress(req)) {
+			return tevent_req_post(req, ev);
+		}
+
+		return req;
+	}
+
+	subreq = g_lock_lock_send(state, ev,
+				  context->db.g_ctx,
+				  context->db.key_name,
+				  G_LOCK_WRITE);
+	if (tevent_req_nomem(subreq, req)) {
+		return tevent_req_post(req, ev);
+	}
+	tevent_req_set_callback(subreq, netlogon_creds_cli_lock_done, req);
+
+	return req;
+}
+
+static void netlogon_creds_cli_lock_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_lock_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_lock_state);
+	NTSTATUS status;
+
+	status = g_lock_lock_recv(subreq);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+	state->locked_state->is_glocked = true;
+
+	netlogon_creds_cli_lock_fetch(req);
+}
+
+static void netlogon_creds_cli_lock_fetch(struct tevent_req *req)
+{
+	struct netlogon_creds_cli_lock_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_lock_state);
+	struct netlogon_creds_cli_context *context = state->locked_state->context;
+	struct netlogon_creds_cli_fetch_state fstate = {
+		.status = NT_STATUS_INTERNAL_ERROR,
+		.required_flags = context->client.required_flags,
+	};
+	NTSTATUS status;
+
+	fstate.mem_ctx = state;
+	status = dbwrap_parse_record(context->db.ctx,
+				     context->db.key_data,
+				     netlogon_creds_cli_fetch_parser,
+				     &fstate);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+	status = fstate.status;
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	if (context->server.cached_flags == fstate.creds->negotiate_flags) {
+		state->creds = fstate.creds;
+		tevent_req_done(req);
+		return;
+	}
+
+	context->server.cached_flags = fstate.creds->negotiate_flags;
+	context->server.try_validation6 = true;
+	context->server.try_logon_ex = true;
+	context->server.try_logon_with = true;
+
+	if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+		context->server.try_validation6 = false;
+		context->server.try_logon_ex = false;
+	}
+	if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
+		context->server.try_validation6 = false;
+	}
+
+	state->creds = fstate.creds;
+	tevent_req_done(req);
+	return;
+}
+
+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
+			TALLOC_CTX *mem_ctx,
+			struct netlogon_creds_CredentialState **creds)
+{
+	struct netlogon_creds_cli_lock_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_lock_state);
+	NTSTATUS status;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		tevent_req_received(req);
+		return status;
+	}
+
+	talloc_steal(state->creds, state->locked_state);
+	state->locked_state->creds = state->creds;
+	*creds = talloc_move(mem_ctx, &state->creds);
+	tevent_req_received(req);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
+			TALLOC_CTX *mem_ctx,
+			struct netlogon_creds_CredentialState **creds)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_lock_send(frame, ev, context);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+	status = netlogon_creds_cli_lock_recv(req, mem_ctx, creds);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
+
+struct netlogon_creds_cli_auth_state {
+	struct tevent_context *ev;
+	struct netlogon_creds_cli_context *context;
+	struct dcerpc_binding_handle *binding_handle;
+	struct samr_Password current_nt_hash;
+	struct samr_Password previous_nt_hash;
+	struct samr_Password used_nt_hash;
+	char *srv_name_slash;
+	uint32_t current_flags;
+	struct netr_Credential client_challenge;
+	struct netr_Credential server_challenge;
+	struct netlogon_creds_CredentialState *creds;
+	struct netr_Credential client_credential;
+	struct netr_Credential server_credential;
+	uint32_t rid;
+	bool try_auth3;
+	bool try_auth2;
+	bool require_auth2;
+	bool try_previous_nt_hash;
+	struct netlogon_creds_cli_locked_state *locked_state;
+};
+
+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq);
+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req);
+
+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				struct samr_Password current_nt_hash,
+				const struct samr_Password *previous_nt_hash)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_auth_state *state;
+	struct netlogon_creds_cli_locked_state *locked_state;
+	NTSTATUS status;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_auth_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->ev = ev;
+	state->context = context;
+	state->binding_handle = b;
+	state->current_nt_hash = current_nt_hash;
+	if (previous_nt_hash != NULL) {
+		state->previous_nt_hash = *previous_nt_hash;
+		state->try_previous_nt_hash = true;
+	}
+
+	if (context->db.locked_state != NULL) {
+		tevent_req_nterror(req, NT_STATUS_LOCK_NOT_GRANTED);
+		return tevent_req_post(req, ev);
+	}
+
+	locked_state = talloc_zero(state, struct netlogon_creds_cli_locked_state);
+	if (tevent_req_nomem(locked_state, req)) {
+		return tevent_req_post(req, ev);
+	}
+	talloc_set_destructor(locked_state,
+			      netlogon_creds_cli_locked_state_destructor);
+	locked_state->context = context;
+
+	context->db.locked_state = locked_state;
+	state->locked_state = locked_state;
+
+	state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
+						context->server.computer);
+	if (tevent_req_nomem(state->srv_name_slash, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	state->try_auth3 = true;
+	state->try_auth2 = true;
+
+	if (context->client.required_flags != 0) {
+		state->require_auth2 = true;
+	}
+
+	state->used_nt_hash = state->current_nt_hash;
+	state->current_flags = context->client.proposed_flags;
+
+	if (context->db.g_ctx != NULL) {
+		struct tevent_req *subreq;
+
+		subreq = g_lock_lock_send(state, ev,
+					  context->db.g_ctx,
+					  context->db.key_name,
+					  G_LOCK_WRITE);
+		if (tevent_req_nomem(subreq, req)) {
+			return tevent_req_post(req, ev);
+		}
+		tevent_req_set_callback(subreq,
+					netlogon_creds_cli_auth_locked,
+					req);
+
+		return req;
+	}
+
+	status = dbwrap_delete(state->context->db.ctx,
+			       state->context->db.key_data);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+		status = NT_STATUS_OK;
+	}
+	if (tevent_req_nterror(req, status)) {
+		return tevent_req_post(req, ev);
+	}
+
+	netlogon_creds_cli_auth_challenge_start(req);
+	if (!tevent_req_is_in_progress(req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	return req;
+}
+
+static void netlogon_creds_cli_auth_locked(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_auth_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_auth_state);
+	NTSTATUS status;
+
+	status = g_lock_lock_recv(subreq);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+	state->locked_state->is_glocked = true;
+
+	status = dbwrap_delete(state->context->db.ctx,
+			       state->context->db.key_data);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
+		status = NT_STATUS_OK;
+	}
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	netlogon_creds_cli_auth_challenge_start(req);
+}
+
+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
+{
+	struct netlogon_creds_cli_auth_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_auth_state);
+	struct tevent_req *subreq;
+
+	TALLOC_FREE(state->creds);
+
+	generate_random_buffer(state->client_challenge.data,
+			       sizeof(state->client_challenge.data));
+
+	subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.computer,
+						&state->client_challenge,
+						&state->server_challenge);
+	if (tevent_req_nomem(subreq, req)) {
+		return;
+	}
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_auth_challenge_done,
+				req);
+}
+
+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_auth_challenge_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_auth_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_auth_state);
+	NTSTATUS status;
+	NTSTATUS result;
+
+	status = dcerpc_netr_ServerReqChallenge_recv(subreq, state, &result);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+	if (tevent_req_nterror(req, result)) {
+		return;
+	}
+
+	if (!state->try_auth3 && !state->try_auth2) {
+		state->current_flags = 0;
+	}
+
+	/* Calculate the session key and client credentials */
+
+	state->creds = netlogon_creds_client_init(state,
+						  state->context->client.account,
+						  state->context->client.computer,
+						  state->context->client.type,
+						  &state->client_challenge,
+						  &state->server_challenge,
+						  &state->used_nt_hash,
+						  &state->client_credential,
+						  state->current_flags);
+	if (tevent_req_nomem(state->creds, req)) {
+		return;
+	}
+
+	if (state->try_auth3) {
+		subreq = dcerpc_netr_ServerAuthenticate3_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.account,
+						state->context->client.type,
+						state->context->client.computer,
+						&state->client_credential,
+						&state->server_credential,
+						&state->creds->negotiate_flags,
+						&state->rid);
+		if (tevent_req_nomem(subreq, req)) {
+			return;
+		}
+	} else if (state->try_auth2) {
+		state->rid = 0;
+
+		subreq = dcerpc_netr_ServerAuthenticate2_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.account,
+						state->context->client.type,
+						state->context->client.computer,
+						&state->client_credential,
+						&state->server_credential,
+						&state->creds->negotiate_flags);
+		if (tevent_req_nomem(subreq, req)) {
+			return;
+		}
+	} else {
+		state->rid = 0;
+
+		subreq = dcerpc_netr_ServerAuthenticate_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.account,
+						state->context->client.type,
+						state->context->client.computer,
+						&state->client_credential,
+						&state->server_credential);
+		if (tevent_req_nomem(subreq, req)) {
+			return;
+		}
+	}
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_auth_srvauth_done,
+				req);
+}
+
+static void netlogon_creds_cli_auth_srvauth_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_auth_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_auth_state);
+	NTSTATUS status;
+	NTSTATUS result;
+	bool ok;
+	enum ndr_err_code ndr_err;
+	DATA_BLOB blob;
+	TDB_DATA data;
+	uint32_t tmp_flags;
+
+	if (state->try_auth3) {
+		status = dcerpc_netr_ServerAuthenticate3_recv(subreq, state,
+							      &result);
+		TALLOC_FREE(subreq);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+			state->try_auth3 = false;
+			netlogon_creds_cli_auth_challenge_start(req);
+			return;
+		}
+		if (tevent_req_nterror(req, status)) {
+			return;
+		}
+	} else if (state->try_auth2) {
+		status = dcerpc_netr_ServerAuthenticate2_recv(subreq, state,
+							      &result);
+		TALLOC_FREE(subreq);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+			state->try_auth2 = false;
+			if (state->require_auth2) {
+				status = NT_STATUS_DOWNGRADE_DETECTED;
+				tevent_req_nterror(req, status);
+				return;
+			}
+			netlogon_creds_cli_auth_challenge_start(req);
+			return;
+		}
+		if (tevent_req_nterror(req, status)) {
+			return;
+		}
+	} else {
+		status = dcerpc_netr_ServerAuthenticate_recv(subreq, state,
+							     &result);
+		TALLOC_FREE(subreq);
+		if (tevent_req_nterror(req, status)) {
+			return;
+		}
+	}
+
+	if (!NT_STATUS_IS_OK(result) &&
+	    !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED))
+	{
+		tevent_req_nterror(req, result);
+		return;
+	}
+
+	tmp_flags = state->creds->negotiate_flags;
+	tmp_flags &= state->context->client.required_flags;
+	if (tmp_flags != state->context->client.required_flags) {
+		if (NT_STATUS_IS_OK(result)) {
+			tevent_req_nterror(req, NT_STATUS_DOWNGRADE_DETECTED);
+			return;
+		}
+		tevent_req_nterror(req, result);
+		return;
+	}
+
+	if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
+
+		tmp_flags = state->context->client.proposed_flags;
+		if ((state->current_flags == tmp_flags) &&
+		    (state->creds->negotiate_flags != tmp_flags))
+		{
+			/*
+			 * lets retry with the negotiated flags
+			 */
+			state->current_flags = state->creds->negotiate_flags;
+			netlogon_creds_cli_auth_challenge_start(req);
+			return;
+		}
+
+		if (!state->try_previous_nt_hash) {
+			/*
+			 * we already retried, giving up...
+			 */
+			tevent_req_nterror(req, result);
+			return;
+		}
+
+		/*
+		 * lets retry with the old nt hash.
+		 */
+		state->try_previous_nt_hash = false;
+		state->used_nt_hash = state->previous_nt_hash;
+		state->current_flags = state->context->client.proposed_flags;
+		netlogon_creds_cli_auth_challenge_start(req);
+		return;
+	}
+
+	ok = netlogon_creds_client_check(state->creds,
+					 &state->server_credential);
+	if (!ok) {
+		tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
+		return;
+	}
+
+	ndr_err = ndr_push_struct_blob(&blob, state, state->creds,
+		(ndr_push_flags_fn_t)ndr_push_netlogon_creds_CredentialState);
+	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+		status = ndr_map_error2ntstatus(ndr_err);
+		tevent_req_nterror(req, status);
+		return;
+	}
+
+	data.dptr = blob.data;
+	data.dsize = blob.length;
+
+	status = dbwrap_store(state->context->db.ctx,
+			      state->context->db.key_data,
+			      data, TDB_REPLACE);
+	TALLOC_FREE(state->locked_state);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req)
+{
+	NTSTATUS status;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		tevent_req_received(req);
+		return status;
+	}
+
+	tevent_req_received(req);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
+				 struct dcerpc_binding_handle *b,
+				 struct samr_Password current_nt_hash,
+				 const struct samr_Password *previous_nt_hash)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_auth_send(frame, ev, context, b,
+					   current_nt_hash,
+					   previous_nt_hash);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+	status = netlogon_creds_cli_auth_recv(req);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
+
+struct netlogon_creds_cli_check_state {
+	struct tevent_context *ev;
+	struct netlogon_creds_cli_context *context;
+	struct dcerpc_binding_handle *binding_handle;
+
+	char *srv_name_slash;
+
+	union netr_Capabilities caps;
+
+	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct netr_Authenticator req_auth;
+	struct netr_Authenticator rep_auth;
+};
+
+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
+						     NTSTATUS status);
+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
+
+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_check_state *state;
+	struct tevent_req *subreq;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_check_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->ev = ev;
+	state->context = context;
+	state->binding_handle = b;
+
+	state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
+						context->server.computer);
+	if (tevent_req_nomem(state->srv_name_slash, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	dcerpc_binding_handle_auth_info(state->binding_handle,
+					&auth_type, &auth_level);
+
+	if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
+	}
+
+	switch (auth_level) {
+	case DCERPC_AUTH_LEVEL_INTEGRITY:
+	case DCERPC_AUTH_LEVEL_PRIVACY:
+		break;
+	default:
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
+	}
+
+	subreq = netlogon_creds_cli_lock_send(state, state->ev,
+					      state->context);
+	if (tevent_req_nomem(subreq, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_check_locked,
+				req);
+
+	return req;
+}
+
+static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
+					     NTSTATUS status)
+{
+	struct netlogon_creds_cli_check_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_check_state);
+
+	if (state->creds == NULL) {
+		return;
+	}
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
+		TALLOC_FREE(state->creds);
+		return;
+	}
+
+	netlogon_creds_cli_delete(state->context, &state->creds);
+}
+
+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_check_locked(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_check_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_check_state);
+	NTSTATUS status;
+
+	status = netlogon_creds_cli_lock_recv(subreq, state,
+					      &state->creds);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	/*
+	 * we defer all callbacks in order to cleanup
+	 * the database record.
+	 */
+	tevent_req_defer_callback(req, state->ev);
+
+	state->tmp_creds = *state->creds;
+	netlogon_creds_client_authenticator(&state->tmp_creds,
+					    &state->req_auth);
+	ZERO_STRUCT(state->rep_auth);
+
+	subreq = dcerpc_netr_LogonGetCapabilities_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.computer,
+						&state->req_auth,
+						&state->rep_auth,
+						1,
+						&state->caps);
+	if (tevent_req_nomem(subreq, req)) {
+		status = NT_STATUS_NO_MEMORY;
+		netlogon_creds_cli_check_cleanup(req, status);
+		return;
+	}
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_check_caps,
+				req);
+}
+
+static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_check_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_check_state);
+	NTSTATUS status;
+	NTSTATUS result;
+	bool ok;
+
+	status = dcerpc_netr_LogonGetCapabilities_recv(subreq, state,
+						       &result);
+	TALLOC_FREE(subreq);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+		/*
+		 * Note that the negotiated flags are already checked
+		 * for our required flags after the ServerAuthenticate3/2 call.
+		 */
+		uint32_t negotiated = state->tmp_creds.negotiate_flags;
+
+		if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
+			/*
+			 * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
+			 * already, we expect this to work!
+			 */
+			status = NT_STATUS_DOWNGRADE_DETECTED;
+			tevent_req_nterror(req, status);
+			netlogon_creds_cli_check_cleanup(req, status);
+			return;
+		}
+
+		if (negotiated & NETLOGON_NEG_STRONG_KEYS) {
+			/*
+			 * If we have negotiated NETLOGON_NEG_STRONG_KEYS
+			 * we expect this to work at least as far as the
+			 * NOT_SUPPORTED error handled below!
+			 *
+			 * NT 4.0 and Old Samba servers are not
+			 * allowed without "require strong key = no"
+			 */
+			status = NT_STATUS_DOWNGRADE_DETECTED;
+			tevent_req_nterror(req, status);
+			netlogon_creds_cli_check_cleanup(req, status);
+			return;
+		}
+
+		/*
+		 * If we not require NETLOGON_NEG_SUPPORTS_AES or
+		 * NETLOGON_NEG_STRONG_KEYS, it's ok to ignore
+		 * NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+		 *
+		 * This is needed against NT 4.0 and old Samba servers.
+		 *
+		 * As we're using DCERPC_AUTH_TYPE_SCHANNEL with
+		 * DCERPC_AUTH_LEVEL_INTEGRITY or DCERPC_AUTH_LEVEL_PRIVACY
+		 * we should detect a faked NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE
+		 * with the next request as the sequence number processing
+		 * gets out of sync.
+		 */
+		netlogon_creds_cli_check_cleanup(req, result);
+		tevent_req_done(req);
+		return;
+	}
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_check_cleanup(req, status);
+		return;
+	}
+
+	if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
+		/*
+		 * Note that the negotiated flags are already checked
+		 * for our required flags after the ServerAuthenticate3/2 call.
+		 */
+		uint32_t negotiated = state->tmp_creds.negotiate_flags;
+
+		if (negotiated & NETLOGON_NEG_SUPPORTS_AES) {
+			/*
+			 * If we have negotiated NETLOGON_NEG_SUPPORTS_AES
+			 * already, we expect this to work!
+			 */
+			status = NT_STATUS_DOWNGRADE_DETECTED;
+			tevent_req_nterror(req, status);
+			netlogon_creds_cli_check_cleanup(req, status);
+			return;
+		}
+
+		/*
+		 * This is ok, the server does not support
+		 * NETLOGON_NEG_SUPPORTS_AES.
+		 *
+		 * netr_LogonGetCapabilities() was
+		 * netr_LogonDummyRoutine1() before
+		 * NETLOGON_NEG_SUPPORTS_AES was invented.
+		 */
+		netlogon_creds_cli_check_cleanup(req, result);
+		tevent_req_done(req);
+		return;
+	}
+
+	ok = netlogon_creds_client_check(&state->tmp_creds,
+					 &state->rep_auth.cred);
+	if (!ok) {
+		status = NT_STATUS_ACCESS_DENIED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_check_cleanup(req, status);
+		return;
+	}
+
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_check_cleanup(req, result);
+		return;
+	}
+
+	if (state->caps.server_capabilities != state->tmp_creds.negotiate_flags) {
+		status = NT_STATUS_DOWNGRADE_DETECTED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_check_cleanup(req, status);
+		return;
+	}
+
+	/*
+	 * This is the key check that makes this check secure.  If we
+	 * get OK here (rather than NOT_SUPPORTED), then the server
+	 * did support AES. If the server only proposed STRONG_KEYS
+	 * and not AES, then it should have failed with
+	 * NOT_IMPLEMENTED. We always send AES as a client, so the
+	 * server should always have returned it.
+	 */
+	if (!(state->caps.server_capabilities & NETLOGON_NEG_SUPPORTS_AES)) {
+		status = NT_STATUS_DOWNGRADE_DETECTED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_check_cleanup(req, status);
+		return;
+	}
+
+	*state->creds = state->tmp_creds;
+	status = netlogon_creds_cli_store(state->context,
+					  &state->creds);
+	netlogon_creds_cli_check_cleanup(req, status);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req)
+{
+	NTSTATUS status;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		netlogon_creds_cli_check_cleanup(req, status);
+		tevent_req_received(req);
+		return status;
+	}
+
+	tevent_req_received(req);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
+				  struct dcerpc_binding_handle *b)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_check_send(frame, ev, context, b);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+	status = netlogon_creds_cli_check_recv(req);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
+
+struct netlogon_creds_cli_ServerPasswordSet_state {
+	struct tevent_context *ev;
+	struct netlogon_creds_cli_context *context;
+	struct dcerpc_binding_handle *binding_handle;
+	uint32_t old_timeout;
+
+	char *srv_name_slash;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	struct samr_CryptPassword samr_crypt_password;
+	struct netr_CryptPassword netr_crypt_password;
+	struct samr_Password samr_password;
+
+	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct netr_Authenticator req_auth;
+	struct netr_Authenticator rep_auth;
+};
+
+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
+						     NTSTATUS status);
+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq);
+
+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				const char *new_password,
+				const uint32_t *new_version)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_ServerPasswordSet_state *state;
+	struct tevent_req *subreq;
+	bool ok;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_ServerPasswordSet_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->ev = ev;
+	state->context = context;
+	state->binding_handle = b;
+
+	/*
+	 * netr_ServerPasswordSet
+	 */
+	E_md4hash(new_password, state->samr_password.hash);
+
+	/*
+	 * netr_ServerPasswordSet2
+	 */
+	ok = encode_pw_buffer(state->samr_crypt_password.data,
+			      new_password, STR_UNICODE);
+	if (!ok) {
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+		return tevent_req_post(req, ev);
+	}
+
+	if (new_version != NULL) {
+		struct NL_PASSWORD_VERSION version;
+		uint32_t len = IVAL(state->samr_crypt_password.data, 512);
+		uint32_t ofs = 512 - len;
+		uint8_t *p;
+
+		if (ofs < 12) {
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return tevent_req_post(req, ev);
+		}
+		ofs -= 12;
+
+		version.ReservedField = 0;
+		version.PasswordVersionNumber = *new_version;
+		version.PasswordVersionPresent =
+			NETLOGON_PASSWORD_VERSION_NUMBER_PRESENT;
+
+		p = state->samr_crypt_password.data + ofs;
+		SIVAL(p, 0, version.ReservedField);
+		SIVAL(p, 4, version.PasswordVersionNumber);
+		SIVAL(p, 8, version.PasswordVersionPresent);
+	}
+
+	state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
+						context->server.computer);
+	if (tevent_req_nomem(state->srv_name_slash, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	dcerpc_binding_handle_auth_info(state->binding_handle,
+					&state->auth_type,
+					&state->auth_level);
+
+	subreq = netlogon_creds_cli_lock_send(state, state->ev,
+					      state->context);
+	if (tevent_req_nomem(subreq, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_ServerPasswordSet_locked,
+				req);
+
+	return req;
+}
+
+static void netlogon_creds_cli_ServerPasswordSet_cleanup(struct tevent_req *req,
+							 NTSTATUS status)
+{
+	struct netlogon_creds_cli_ServerPasswordSet_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_ServerPasswordSet_state);
+
+	if (state->creds == NULL) {
+		return;
+	}
+
+	dcerpc_binding_handle_set_timeout(state->binding_handle,
+					  state->old_timeout);
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
+		TALLOC_FREE(state->creds);
+		return;
+	}
+
+	netlogon_creds_cli_delete(state->context, &state->creds);
+}
+
+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_ServerPasswordSet_locked(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_ServerPasswordSet_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_ServerPasswordSet_state);
+	NTSTATUS status;
+
+	status = netlogon_creds_cli_lock_recv(subreq, state,
+					      &state->creds);
+	TALLOC_FREE(subreq);
+	if (tevent_req_nterror(req, status)) {
+		return;
+	}
+
+	if (state->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		switch (state->auth_level) {
+		case DCERPC_AUTH_LEVEL_INTEGRITY:
+		case DCERPC_AUTH_LEVEL_PRIVACY:
+			break;
+		default:
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return;
+		}
+	} else {
+		uint32_t tmp = state->creds->negotiate_flags;
+
+		if (tmp & NETLOGON_NEG_AUTHENTICATED_RPC) {
+			/*
+			 * if DCERPC_AUTH_TYPE_SCHANNEL is supported
+			 * it should be used, which means
+			 * we had a chance to verify no downgrade
+			 * happened.
+			 *
+			 * This relies on netlogon_creds_cli_check*
+			 * being called before, as first request after
+			 * the DCERPC bind.
+			 */
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+			return;
+		}
+	}
+
+	state->old_timeout = dcerpc_binding_handle_set_timeout(
+				state->binding_handle, 600000);
+
+	/*
+	 * we defer all callbacks in order to cleanup
+	 * the database record.
+	 */
+	tevent_req_defer_callback(req, state->ev);
+
+	state->tmp_creds = *state->creds;
+	netlogon_creds_client_authenticator(&state->tmp_creds,
+					    &state->req_auth);
+	ZERO_STRUCT(state->rep_auth);
+
+	if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
+
+		if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+			netlogon_creds_aes_encrypt(&state->tmp_creds,
+					state->samr_crypt_password.data,
+					516);
+		} else {
+			netlogon_creds_arcfour_crypt(&state->tmp_creds,
+					state->samr_crypt_password.data,
+					516);
+		}
+
+		memcpy(state->netr_crypt_password.data,
+		       state->samr_crypt_password.data, 512);
+		state->netr_crypt_password.length =
+			IVAL(state->samr_crypt_password.data, 512);
+
+		subreq = dcerpc_netr_ServerPasswordSet2_send(state, state->ev,
+					state->binding_handle,
+					state->srv_name_slash,
+					state->tmp_creds.account_name,
+					state->tmp_creds.secure_channel_type,
+					state->tmp_creds.computer_name,
+					&state->req_auth,
+					&state->rep_auth,
+					&state->netr_crypt_password);
+		if (tevent_req_nomem(subreq, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+			return;
+		}
+	} else {
+		netlogon_creds_des_encrypt(&state->tmp_creds,
+					   &state->samr_password);
+
+		subreq = dcerpc_netr_ServerPasswordSet_send(state, state->ev,
+					state->binding_handle,
+					state->srv_name_slash,
+					state->tmp_creds.account_name,
+					state->tmp_creds.secure_channel_type,
+					state->tmp_creds.computer_name,
+					&state->req_auth,
+					&state->rep_auth,
+					&state->samr_password);
+		if (tevent_req_nomem(subreq, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+			return;
+		}
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_ServerPasswordSet_done,
+				req);
+}
+
+static void netlogon_creds_cli_ServerPasswordSet_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_ServerPasswordSet_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_ServerPasswordSet_state);
+	NTSTATUS status;
+	NTSTATUS result;
+	bool ok;
+
+	if (state->tmp_creds.negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
+		status = dcerpc_netr_ServerPasswordSet2_recv(subreq, state,
+							     &result);
+		TALLOC_FREE(subreq);
+		if (tevent_req_nterror(req, status)) {
+			netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+			return;
+		}
+	} else {
+		status = dcerpc_netr_ServerPasswordSet_recv(subreq, state,
+							    &result);
+		TALLOC_FREE(subreq);
+		if (tevent_req_nterror(req, status)) {
+			netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+			return;
+		}
+	}
+
+	ok = netlogon_creds_client_check(&state->tmp_creds,
+					 &state->rep_auth.cred);
+	if (!ok) {
+		status = NT_STATUS_ACCESS_DENIED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+		return;
+	}
+
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_ServerPasswordSet_cleanup(req, result);
+		return;
+	}
+
+	dcerpc_binding_handle_set_timeout(state->binding_handle,
+					  state->old_timeout);
+
+	*state->creds = state->tmp_creds;
+	status = netlogon_creds_cli_store(state->context,
+					  &state->creds);
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+		return;
+	}
+
+	tevent_req_done(req);
+}
+
+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req)
+{
+	NTSTATUS status;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		netlogon_creds_cli_ServerPasswordSet_cleanup(req, status);
+		tevent_req_received(req);
+		return status;
+	}
+
+	tevent_req_received(req);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				const char *new_password,
+				const uint32_t *new_version)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_ServerPasswordSet_send(frame, ev, context, b,
+							new_password,
+							new_version);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+	status = netlogon_creds_cli_ServerPasswordSet_recv(req);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
+
+struct netlogon_creds_cli_LogonSamLogon_state {
+	struct tevent_context *ev;
+	struct netlogon_creds_cli_context *context;
+	struct dcerpc_binding_handle *binding_handle;
+
+	char *srv_name_slash;
+
+	enum netr_LogonInfoClass logon_level;
+	const union netr_LogonLevel *const_logon;
+	union netr_LogonLevel *logon;
+	uint32_t flags;
+
+	uint16_t validation_level;
+	union netr_Validation *validation;
+	uint8_t authoritative;
+
+	/*
+	 * do we need encryption at the application layer?
+	 */
+	bool user_encrypt;
+	bool try_logon_ex;
+	bool try_validation6;
+
+	/*
+	 * the read only credentials before we started the operation
+	 */
+	struct netlogon_creds_CredentialState *ro_creds;
+
+	struct netlogon_creds_CredentialState *lk_creds;
+
+	struct netlogon_creds_CredentialState tmp_creds;
+	struct netr_Authenticator req_auth;
+	struct netr_Authenticator rep_auth;
+};
+
+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req);
+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
+						     NTSTATUS status);
+
+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				enum netr_LogonInfoClass logon_level,
+				const union netr_LogonLevel *logon,
+				uint32_t flags)
+{
+	struct tevent_req *req;
+	struct netlogon_creds_cli_LogonSamLogon_state *state;
+
+	req = tevent_req_create(mem_ctx, &state,
+				struct netlogon_creds_cli_LogonSamLogon_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	state->ev = ev;
+	state->context = context;
+	state->binding_handle = b;
+
+	state->logon_level = logon_level;
+	state->const_logon = logon;
+	state->flags = flags;
+
+	state->srv_name_slash = talloc_asprintf(state, "\\\\%s",
+						context->server.computer);
+	if (tevent_req_nomem(state->srv_name_slash, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	switch (logon_level) {
+	case NetlogonInteractiveInformation:
+	case NetlogonInteractiveTransitiveInformation:
+	case NetlogonServiceInformation:
+	case NetlogonServiceTransitiveInformation:
+	case NetlogonGenericInformation:
+		state->user_encrypt = true;
+		break;
+
+	case NetlogonNetworkInformation:
+	case NetlogonNetworkTransitiveInformation:
+		break;
+	}
+
+	state->validation = talloc_zero(state, union netr_Validation);
+	if (tevent_req_nomem(state->validation, req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	netlogon_creds_cli_LogonSamLogon_start(req);
+	if (!tevent_req_is_in_progress(req)) {
+		return tevent_req_post(req, ev);
+	}
+
+	/*
+	 * we defer all callbacks in order to cleanup
+	 * the database record.
+	 */
+	tevent_req_defer_callback(req, state->ev);
+	return req;
+}
+
+static void netlogon_creds_cli_LogonSamLogon_cleanup(struct tevent_req *req,
+						     NTSTATUS status)
+{
+	struct netlogon_creds_cli_LogonSamLogon_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_LogonSamLogon_state);
+
+	if (state->lk_creds == NULL) {
+		return;
+	}
+
+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+		/*
+		 * This is a hack to recover from a bug in old
+		 * Samba servers, when LogonSamLogonEx() fails:
+		 *
+		 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
+		 *
+		 * All following request will get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+		 *
+		 * A second bug generates NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE,
+		 * instead of NT_STATUS_ACCESS_DENIED or NT_STATUS_RPC_SEC_PKG_ERROR
+		 * If the sign/seal check fails.
+		 *
+		 * In that case we need to cleanup the netlogon session.
+		 *
+		 * It's the job of the caller to disconnect the current
+		 * connection, if netlogon_creds_cli_LogonSamLogon()
+		 * returns NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+		 */
+		if (!state->context->server.try_logon_with) {
+			status = NT_STATUS_NETWORK_ACCESS_DENIED;
+		}
+	}
+
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_DOWNGRADE_DETECTED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) &&
+	    !NT_STATUS_EQUAL(status, NT_STATUS_RPC_SEC_PKG_ERROR)) {
+		TALLOC_FREE(state->lk_creds);
+		return;
+	}
+
+	netlogon_creds_cli_delete(state->context, &state->lk_creds);
+}
+
+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq);
+
+static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req)
+{
+	struct netlogon_creds_cli_LogonSamLogon_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_LogonSamLogon_state);
+	struct tevent_req *subreq;
+	NTSTATUS status;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	TALLOC_FREE(state->ro_creds);
+	TALLOC_FREE(state->logon);
+	ZERO_STRUCTP(state->validation);
+
+	dcerpc_binding_handle_auth_info(state->binding_handle,
+					&auth_type, &auth_level);
+
+	state->try_logon_ex = state->context->server.try_logon_ex;
+	state->try_validation6 = state->context->server.try_validation6;
+
+	if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+		state->try_logon_ex = false;
+	}
+
+	if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+		state->try_validation6 = false;
+	}
+
+	if (state->try_logon_ex) {
+		if (state->try_validation6) {
+			state->validation_level = 6;
+		} else {
+			state->validation_level = 3;
+			state->user_encrypt = true;
+		}
+
+		state->logon = netlogon_creds_shallow_copy_logon(state,
+							state->logon_level,
+							state->const_logon);
+		if (tevent_req_nomem(state->logon, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+
+		if (state->user_encrypt) {
+			status = netlogon_creds_cli_get(state->context,
+							state,
+							&state->ro_creds);
+			if (!NT_STATUS_IS_OK(status)) {
+				status = NT_STATUS_ACCESS_DENIED;
+				tevent_req_nterror(req, status);
+				netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+				return;
+			}
+
+			netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
+							      state->logon_level,
+							      state->logon);
+		}
+
+		subreq = dcerpc_netr_LogonSamLogonEx_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.computer,
+						state->logon_level,
+						state->logon,
+						state->validation_level,
+						state->validation,
+						&state->authoritative,
+						&state->flags);
+		if (tevent_req_nomem(subreq, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+		tevent_req_set_callback(subreq,
+					netlogon_creds_cli_LogonSamLogon_done,
+					req);
+		return;
+	}
+
+	if (state->lk_creds == NULL) {
+		subreq = netlogon_creds_cli_lock_send(state, state->ev,
+						      state->context);
+		if (tevent_req_nomem(subreq, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+		tevent_req_set_callback(subreq,
+					netlogon_creds_cli_LogonSamLogon_done,
+					req);
+		return;
+	}
+
+	state->tmp_creds = *state->lk_creds;
+	netlogon_creds_client_authenticator(&state->tmp_creds,
+					    &state->req_auth);
+	ZERO_STRUCT(state->rep_auth);
+
+	state->logon = netlogon_creds_shallow_copy_logon(state,
+						state->logon_level,
+						state->const_logon);
+	if (tevent_req_nomem(state->logon, req)) {
+		status = NT_STATUS_NO_MEMORY;
+		netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+		return;
+	}
+
+	netlogon_creds_encrypt_samlogon_logon(state->ro_creds,
+					      state->logon_level,
+					      state->logon);
+
+	state->validation_level = 3;
+
+	if (state->context->server.try_logon_with) {
+		subreq = dcerpc_netr_LogonSamLogonWithFlags_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.computer,
+						&state->req_auth,
+						&state->rep_auth,
+						state->logon_level,
+						state->logon,
+						state->validation_level,
+						state->validation,
+						&state->authoritative,
+						&state->flags);
+		if (tevent_req_nomem(subreq, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+	} else {
+		state->flags = 0;
+
+		subreq = dcerpc_netr_LogonSamLogon_send(state, state->ev,
+						state->binding_handle,
+						state->srv_name_slash,
+						state->context->client.computer,
+						&state->req_auth,
+						&state->rep_auth,
+						state->logon_level,
+						state->logon,
+						state->validation_level,
+						state->validation,
+						&state->authoritative);
+		if (tevent_req_nomem(subreq, req)) {
+			status = NT_STATUS_NO_MEMORY;
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+	}
+
+	tevent_req_set_callback(subreq,
+				netlogon_creds_cli_LogonSamLogon_done,
+				req);
+}
+
+static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
+{
+	struct tevent_req *req =
+		tevent_req_callback_data(subreq,
+		struct tevent_req);
+	struct netlogon_creds_cli_LogonSamLogon_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_LogonSamLogon_state);
+	NTSTATUS status;
+	NTSTATUS result;
+	bool ok;
+
+	if (state->try_logon_ex) {
+		status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
+							  state->validation,
+							  &result);
+		TALLOC_FREE(subreq);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+			state->context->server.try_validation6 = false;
+			state->context->server.try_logon_ex = false;
+			netlogon_creds_cli_LogonSamLogon_start(req);
+			return;
+		}
+		if (tevent_req_nterror(req, status)) {
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+
+		if ((state->validation_level == 6) &&
+		    (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
+		     NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
+		     NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL)))
+		{
+			state->context->server.try_validation6 = false;
+			netlogon_creds_cli_LogonSamLogon_start(req);
+			return;
+		}
+
+		if (tevent_req_nterror(req, result)) {
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
+			return;
+		}
+
+		if (state->ro_creds == NULL) {
+			tevent_req_done(req);
+			return;
+		}
+
+		ok = netlogon_creds_cli_validate(state->context, state->ro_creds);
+		if (!ok) {
+			/*
+			 * We got a race, lets retry with on authenticator
+			 * protection.
+			 */
+			TALLOC_FREE(state->ro_creds);
+			state->try_logon_ex = false;
+			netlogon_creds_cli_LogonSamLogon_start(req);
+			return;
+		}
+
+		netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
+							state->validation_level,
+							state->validation);
+
+		tevent_req_done(req);
+		return;
+	}
+
+	if (state->lk_creds == NULL) {
+		status = netlogon_creds_cli_lock_recv(subreq, state,
+						      &state->lk_creds);
+		TALLOC_FREE(subreq);
+		if (tevent_req_nterror(req, status)) {
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+
+		netlogon_creds_cli_LogonSamLogon_start(req);
+		return;
+	}
+
+	if (state->context->server.try_logon_with) {
+		status = dcerpc_netr_LogonSamLogonWithFlags_recv(subreq,
+								 state->validation,
+								 &result);
+		TALLOC_FREE(subreq);
+		if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+			state->context->server.try_logon_with = false;
+			netlogon_creds_cli_LogonSamLogon_start(req);
+			return;
+		}
+		if (tevent_req_nterror(req, status)) {
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+	} else {
+		status = dcerpc_netr_LogonSamLogon_recv(subreq,
+							state->validation,
+							&result);
+		TALLOC_FREE(subreq);
+		if (tevent_req_nterror(req, status)) {
+			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+			return;
+		}
+	}
+
+	ok = netlogon_creds_client_check(&state->tmp_creds,
+					 &state->rep_auth.cred);
+	if (!ok) {
+		status = NT_STATUS_ACCESS_DENIED;
+		tevent_req_nterror(req, status);
+		netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+		return;
+	}
+
+	*state->lk_creds = state->tmp_creds;
+	status = netlogon_creds_cli_store(state->context,
+					  &state->lk_creds);
+	if (tevent_req_nterror(req, status)) {
+		netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+		return;
+	}
+
+	if (tevent_req_nterror(req, result)) {
+		netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
+		return;
+	}
+
+	netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
+						state->validation_level,
+						state->validation);
+
+	tevent_req_done(req);
+}
+
+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
+					TALLOC_CTX *mem_ctx,
+					uint16_t *validation_level,
+					union netr_Validation **validation,
+					uint8_t *authoritative,
+					uint32_t *flags)
+{
+	struct netlogon_creds_cli_LogonSamLogon_state *state =
+		tevent_req_data(req,
+		struct netlogon_creds_cli_LogonSamLogon_state);
+	NTSTATUS status;
+
+	/* authoritative is also returned on error */
+	*authoritative = state->authoritative;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
+		tevent_req_received(req);
+		return status;
+	}
+
+	*validation_level = state->validation_level;
+	*validation = talloc_move(mem_ctx, &state->validation);
+	*flags = state->flags;
+
+	tevent_req_received(req);
+	return NT_STATUS_OK;
+}
+
+NTSTATUS netlogon_creds_cli_LogonSamLogon(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				enum netr_LogonInfoClass logon_level,
+				const union netr_LogonLevel *logon,
+				TALLOC_CTX *mem_ctx,
+				uint16_t *validation_level,
+				union netr_Validation **validation,
+				uint8_t *authoritative,
+				uint32_t *flags)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct tevent_context *ev;
+	struct tevent_req *req;
+	NTSTATUS status = NT_STATUS_NO_MEMORY;
+
+	ev = samba_tevent_context_init(frame);
+	if (ev == NULL) {
+		goto fail;
+	}
+	req = netlogon_creds_cli_LogonSamLogon_send(frame, ev, context, b,
+						    logon_level, logon,
+						    *flags);
+	if (req == NULL) {
+		goto fail;
+	}
+	if (!tevent_req_poll_ntstatus(req, ev, &status)) {
+		goto fail;
+	}
+	status = netlogon_creds_cli_LogonSamLogon_recv(req, mem_ctx,
+						       validation_level,
+						       validation,
+						       authoritative,
+						       flags);
+ fail:
+	TALLOC_FREE(frame);
+	return status;
+}
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
new file mode 100644
index 0000000..f8f2bef
--- /dev/null
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -0,0 +1,138 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   module to store/fetch session keys for the schannel client
+
+   Copyright (C) Stefan Metzmacher 2013
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef NETLOGON_CREDS_CLI_H
+#define NETLOGON_CREDS_CLI_H
+
+#include "librpc/gen_ndr/dcerpc.h"
+#include "librpc/gen_ndr/schannel.h"
+
+struct netlogon_creds_cli_context;
+struct messaging_context;
+struct dcerpc_binding_handle;
+
+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
+
+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+				struct messaging_context *msg_ctx,
+				const char *client_account,
+				enum netr_SchannelType type,
+				const char *server_computer,
+				const char *server_netbios_domain,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_context);
+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
+				const char *client_account,
+				enum netr_SchannelType type,
+				enum dcerpc_AuthLevel auth_level,
+				uint32_t proposed_flags,
+				uint32_t required_flags,
+				const char *server_computer,
+				const char *server_netbios_domain,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_context);
+NTSTATUS netlogon_creds_cli_context_copy(
+				const struct netlogon_creds_cli_context *src,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_cli_context **_dst);
+
+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
+		struct netlogon_creds_cli_context *context);
+
+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
+				TALLOC_CTX *mem_ctx,
+				struct netlogon_creds_CredentialState **_creds);
+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
+			const struct netlogon_creds_CredentialState *creds1);
+
+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
+				  struct netlogon_creds_CredentialState **_creds);
+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
+				   struct netlogon_creds_CredentialState **_creds);
+
+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context);
+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
+			TALLOC_CTX *mem_ctx,
+			struct netlogon_creds_CredentialState **creds);
+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
+			TALLOC_CTX *mem_ctx,
+			struct netlogon_creds_CredentialState **creds);
+
+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				struct samr_Password current_nt_hash,
+				const struct samr_Password *previous_nt_hash);
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
+				 struct dcerpc_binding_handle *b,
+				 struct samr_Password current_nt_hash,
+				 const struct samr_Password *previous_nt_hash);
+
+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b);
+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
+				  struct dcerpc_binding_handle *b);
+
+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				const char *new_password,
+				const uint32_t *new_version);
+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				const char *new_password,
+				const uint32_t *new_version);
+
+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
+				struct tevent_context *ev,
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				enum netr_LogonInfoClass logon_level,
+				const union netr_LogonLevel *logon,
+				uint32_t flags);
+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
+					TALLOC_CTX *mem_ctx,
+					uint16_t *validation_level,
+					union netr_Validation **validation,
+					uint8_t *authoritative,
+					uint32_t *flags);
+NTSTATUS netlogon_creds_cli_LogonSamLogon(
+				struct netlogon_creds_cli_context *context,
+				struct dcerpc_binding_handle *b,
+				enum netr_LogonInfoClass logon_level,
+				const union netr_LogonLevel *logon,
+				TALLOC_CTX *mem_ctx,
+				uint16_t *validation_level,
+				union netr_Validation **validation,
+				uint8_t *authoritative,
+				uint32_t *flags);
+
+#endif /* NETLOGON_CREDS_CLI_H */
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index ca2be2d..51eb293 100755
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
 	deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
 	)
 
+bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
+        source='netlogon_creds_cli.c',
+        deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
+        )
 
 bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
 	source='pam_errors.c',
-- 
1.9.3


From e4a4e18ea7f9a9742de16e477917da6ae11ac42e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 13 Dec 2013 17:31:45 +0100
Subject: [PATCH 163/249] libcli/auth: use unique key_name values in
 netlogon_creds_cli_context_common()

Until all callers are fixed to pass the same 'server_computer'
value, we try to calculate a server_netbios_name and use this
as unique identifier for a specific domain controller.

Otherwise winbind would use 'hostname.example.com'
while 'net rpc testjoin' would use 'HOSTNAME',
which leads to 2 records in netlogon_creds_cli.tdb
for the same domain controller.

Once all callers are fixed we can think about reverting this
commit.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit dc96b1ddccfe8eb1a631355f9471ee0b620d682c)
---
 libcli/auth/netlogon_creds_cli.c | 58 +++++++++++++++++++++++++++++++++-------
 1 file changed, 48 insertions(+), 10 deletions(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 75d6b2c..a872b31 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -106,23 +106,30 @@ static NTSTATUS netlogon_creds_cli_context_common(
 				struct netlogon_creds_cli_context **_context)
 {
 	struct netlogon_creds_cli_context *context = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+	char *_key_name = NULL;
+	char *server_netbios_name = NULL;
+	char *p = NULL;
 
 	*_context = NULL;
 
 	context = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
 	if (context == NULL) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	context->client.computer = talloc_strdup(context, client_computer);
 	if (context->client.computer == NULL) {
-		talloc_free(context);
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	context->client.account = talloc_strdup(context, client_account);
 	if (context->client.account == NULL) {
-		talloc_free(context);
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -133,29 +140,60 @@ static NTSTATUS netlogon_creds_cli_context_common(
 
 	context->server.computer = talloc_strdup(context, server_computer);
 	if (context->server.computer == NULL) {
-		talloc_free(context);
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	context->server.netbios_domain = talloc_strdup(context, server_netbios_domain);
 	if (context->server.netbios_domain == NULL) {
-		talloc_free(context);
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	context->db.key_name = talloc_asprintf(context, "CLI[%s/%s]/SRV[%s/%s]",
-					     client_computer,
-					     client_account,
-					     server_computer,
-					     server_netbios_domain);
+	/*
+	 * TODO:
+	 * Force the callers to provide a unique
+	 * value for server_computer and use this directly.
+	 *
+	 * For now we have to deal with
+	 * "HOSTNAME" vs. "hostname.example.com".
+	 */
+	server_netbios_name = talloc_strdup(frame, server_computer);
+	if (server_netbios_name == NULL) {
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	p = strchr(server_netbios_name, '.');
+	if (p != NULL) {
+		p[0] = '\0';
+	}
+
+	_key_name = talloc_asprintf(frame, "CLI[%s/%s]/SRV[%s/%s]",
+				    client_computer,
+				    client_account,
+				    server_netbios_name,
+				    server_netbios_domain);
+	if (_key_name == NULL) {
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	context->db.key_name = talloc_strdup_upper(context, _key_name);
 	if (context->db.key_name == NULL) {
-		talloc_free(context);
+		TALLOC_FREE(context);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	context->db.key_data = string_term_tdb_data(context->db.key_name);
 
 	*_context = context;
+	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
 
-- 
1.9.3


From 29bc7cb7a1c0ef62c923ce859cdd07de2846c5f5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 19:01:28 +0200
Subject: [PATCH 164/249] s3:param: set Globals.bWinbindSealedPipes = true

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 99d8653d83aa2e2e3a0ea097ab7cb65d62d76daf)
---
 source3/param/loadparm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 40f3242..7d95256 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -834,6 +834,7 @@ static void init_globals(bool reinit_globals)
 	Globals.security = SEC_USER;
 	Globals.bEncryptPasswords = true;
 	Globals.clientSchannel = Auto;
+	Globals.bWinbindSealedPipes = true;
 	Globals.serverSchannel = Auto;
 	Globals.bReadRaw = true;
 	Globals.bWriteRaw = true;
-- 
1.9.3


From 21b9d9847ba236d78156de07dd24032e64f2124d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 18:39:56 +0200
Subject: [PATCH 165/249] lib/param: add "neutralize nt4 emulation" option,
 defaulting to false

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b39ca3a2aefdd43a55b9cdd8fa5136254b283927)
---
 .../smbdotconf/winbind/netutralizent4emulation.xml    | 19 +++++++++++++++++++
 lib/param/param_functions.c                           |  1 +
 lib/param/param_table.c                               |  9 +++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/netutralizent4emulation.xml

diff --git a/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
new file mode 100644
index 0000000..8294a90
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/netutralizent4emulation.xml
@@ -0,0 +1,19 @@
+<samba:parameter name="neutralize nt4 emulation"
+                 context="G"
+                 type="boolean"
+                 advanced="1" developer="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd sends
+	the NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION flag in order to bypass
+	the NT4 emulation of a domain controller.</para>
+
+	<para>Typically you should not need set this.
+	It can be useful for upgrades from NT4 to AD domains.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'neutralize nt4 emulation:NETBIOSDOMAIN = yes' as option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 60f9c07..aef091b 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -192,6 +192,7 @@ FN_GLOBAL_BOOL(log_writeable_files_on_exit, bLogWriteableFilesOnExit)
 FN_GLOBAL_BOOL(map_untrusted_to_domain, bMapUntrustedToDomain)
 FN_GLOBAL_BOOL(ms_add_printer_wizard, bMsAddPrinterWizard)
 FN_GLOBAL_BOOL(multicast_dns_register, bMulticastDnsRegister)
+FN_GLOBAL_BOOL(neutralize_nt4_emulation, bNeutralizeNT4Emulation)
 FN_GLOBAL_BOOL(nis_home_map, bNISHomeMap)
 FN_GLOBAL_BOOL(nmbd_bind_explicit_broadcast, bNmbdBindExplicitBroadcast)
 FN_GLOBAL_BOOL(ntlm_auth, bNTLMAuth)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 8e3f952..edf6829 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4188,6 +4188,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "neutralize nt4 emulation",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(bNeutralizeNT4Emulation),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{N_("DNS options"), P_SEP, P_SEPARATOR},
 	{
-- 
1.9.3


From d1cfe2d0f3f72e8b7700eee01e47b0bb9d3b9ca3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 18:39:56 +0200
Subject: [PATCH 166/249] lib/param: add "reject md5 servers" option,
 defaulting to false

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit de4f8f0825790452455a9d51e9d84d4d4a5c0d3b)
---
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 23 +++++++++++++++++++++++
 lib/param/param_functions.c                      |  1 +
 lib/param/param_table.c                          |  9 +++++++++
 3 files changed, 33 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/rejectmd5servers.xml

diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
new file mode 100644
index 0000000..18f8bcb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -0,0 +1,23 @@
+<samba:parameter name="reject md5 servers"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd requires support
+	for aes support for the netlogon secure channel.</para>
+
+	<para>The following flags will be required NETLOGON_NEG_ARCFOUR,
+	NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+	<para>You can set this to yes if all domain controllers support aes.
+	This will prevent downgrade attacks.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+
+	<para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index aef091b..ecd7f8e 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -204,6 +204,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
 FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
+FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
 FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
 FN_GLOBAL_BOOL(stat_cache, bStatCache)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index edf6829..b53f850 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4197,6 +4197,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "reject md5 servers",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(bRejectMD5Servers),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{N_("DNS options"), P_SEP, P_SEPARATOR},
 	{
-- 
1.9.3


From 2545090f09da279655510f87d02c631c74409eb1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 18:39:56 +0200
Subject: [PATCH 167/249] lib/param: add "require strong key" option,
 defaulting to true

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6630c68cce8fbbd700e7d4cd92ec3ebb2a268f06)
---
 docs-xml/smbdotconf/winbind/requirestrongkey.xml | 27 ++++++++++++++++++++++++
 lib/param/loadparm.c                             |  1 +
 lib/param/param_functions.c                      |  1 +
 lib/param/param_table.c                          |  9 ++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/requirestrongkey.xml

diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
new file mode 100644
index 0000000..de749bb
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -0,0 +1,27 @@
+<samba:parameter name="require strong key"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd requires support
+	for md5 strong key support for the netlogon secure channel.</para>
+
+	<para>The following flags will be required NETLOGON_NEG_STRONG_KEYS,
+	NETLOGON_NEG_ARCFOUR and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+	<para>You can set this to no if some domain controllers only support des.
+	This might allows weak crypto to be negotiated, may via downgrade attacks.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'require strong key:NETBIOSDOMAIN = no' as option.</para>
+
+	<para>Note for active directory domain this option is hardcoded to 'yes'</para>
+
+	<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
+
+	<para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 23b45e2..a84a166 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2183,6 +2183,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 
 	lpcfg_do_global_parameter(lp_ctx, "winbind separator", "\\");
 	lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
+	lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
 	lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
 	lpcfg_do_global_parameter(lp_ctx, "winbindd privileged socket directory", dyn_WINBINDD_PRIVILEGED_SOCKET_DIR);
 	lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index ecd7f8e..41b137f 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
 FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
+FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
 FN_GLOBAL_BOOL(rpc_big_endian, bRpcBigEndian)
 FN_GLOBAL_BOOL(stat_cache, bStatCache)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index b53f850..36e8554 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4206,6 +4206,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "require strong key",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(bRequireStrongKey),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{N_("DNS options"), P_SEP, P_SEPARATOR},
 	{
-- 
1.9.3


From 4e604cc566b2854045c5b794a846c1ab1ef4a35f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 19:01:47 +0200
Subject: [PATCH 168/249] s3:param: set Globals.bRequireStrongKey = true

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e7954bcc04ec6761b2ed6dad08b90c65efafa948)
---
 source3/param/loadparm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7d95256..ed46e53 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -835,6 +835,7 @@ static void init_globals(bool reinit_globals)
 	Globals.bEncryptPasswords = true;
 	Globals.clientSchannel = Auto;
 	Globals.bWinbindSealedPipes = true;
+	Globals.bRequireStrongKey = true;
 	Globals.serverSchannel = Auto;
 	Globals.bReadRaw = true;
 	Globals.bWriteRaw = true;
-- 
1.9.3


From 382f69a0f3762947a3e8cc02e8e9817533073195 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 18:48:15 +0200
Subject: [PATCH 169/249] libcli/auth: make use of real options in
 netlogon_creds_cli_context_global()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa3af7c2e8f1bf292e190ba3d933b6e1d552595d)
---
 libcli/auth/netlogon_creds_cli.c | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index a872b31..6590b21 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -279,11 +279,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 	 * allow overwrite per domain
 	 * reject md5 servers:<netbios_domain>
 	 */
-	//TODO: add lpcfp_reject_md5_servers()
-	reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
-					     "__default__",
-					     "reject md5 servers",
-					     reject_md5_servers);
+	reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
 	reject_md5_servers = lpcfg_parm_bool(lp_ctx, NULL,
 					     "reject md5 servers",
 					     server_netbios_domain,
@@ -293,11 +289,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 	 * allow overwrite per domain
 	 * require strong key:<netbios_domain>
 	 */
-	//TODO: add lpcfp_require_strong_key()
-	require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
-					     "__default__",
-					     "require strong key",
-					     require_strong_key);
+	require_strong_key = lpcfg_require_strong_key(lp_ctx);
 	require_strong_key = lpcfg_parm_bool(lp_ctx, NULL,
 					     "require strong key",
 					     server_netbios_domain,
@@ -327,11 +319,7 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 	 * allow overwrite per domain
 	 * neutralize nt4 emulation:<netbios_domain>
 	 */
-	//TODO: add lpcfp_neutralize_nt4_emulation()
-	neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
-						   "__default__",
-						   "neutralize nt4 emulation",
-						   neutralize_nt4_emulation);
+	neutralize_nt4_emulation = lpcfg_neutralize_nt4_emulation(lp_ctx);
 	neutralize_nt4_emulation = lpcfg_parm_bool(lp_ctx, NULL,
 						   "neutralize nt4 emulation",
 						   server_netbios_domain,
-- 
1.9.3


From 79e8c0c97591ed8bc129561e44b0d94757fcc4e1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 23 Dec 2013 10:45:27 +0100
Subject: [PATCH 170/249] docs-xml: explain the interaction between security =
 ads and other options.

It implies 'require strong key = yes' and 'client schannel = yes'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f703a37a56e215827dbb2a7ec8da6738bf17f600)
---
 docs-xml/smbdotconf/security/security.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/security/security.xml b/docs-xml/smbdotconf/security/security.xml
index 406089f..2f5c3f7 100644
--- a/docs-xml/smbdotconf/security/security.xml
+++ b/docs-xml/smbdotconf/security/security.xml
@@ -99,7 +99,10 @@
 	
 	<para>Note that this mode does NOT make Samba operate as a Active Directory Domain 
 		Controller. </para>
-	
+
+	<para>Note that this forces <smbconfoption name="require strong key">yes</smbconfoption>
+	and <smbconfoption name="client schannel">yes</smbconfoption> for the primary domain.</para>
+
 	<para>Read the chapter about Domain Membership in the HOWTO for details.</para>
 </description>
 
-- 
1.9.3


From 27ea332df51e3cd8ed9601633282b688e6f288a7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 23 Dec 2013 10:46:57 +0100
Subject: [PATCH 171/249] docs-xml: explain the interaction of 'client
 schannel' with 'require strong key = yes'

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1d69fdddd5287757c2e67b0982d00241a6d75d26)
---
 docs-xml/smbdotconf/security/clientschannel.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index e229182..ac4cc59 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -12,6 +12,11 @@
     enforce it, and <smbconfoption name="client schannel">yes</smbconfoption> denies access 
     if the server is not able to speak netlogon schannel. 
     </para>
+
+    <para>Note that for active directory domains this is hardcoded to
+    <smbconfoption name="client schannel">yes</smbconfoption>.</para>
+
+    <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
 </description>
 <value type="default">auto</value>
 <value type="example">yes</value>
-- 
1.9.3


From 4853daeffb1916db3b92dc6ba9e5776652ec5f4e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 19:31:58 +0200
Subject: [PATCH 172/249] s3:winbindd: make use of the "winbind sealed pipes"
 option for all connections

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 225982e1cb6276ed5c6a47c0e4827d75e8ab2fb1)
---
 source3/winbindd/winbindd.h    |  3 +++
 source3/winbindd/winbindd_cm.c | 20 +++++++++++++++++---
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index 72eb3ec..afde685 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -25,6 +25,7 @@
 
 #include "nsswitch/winbind_struct_protocol.h"
 #include "nsswitch/libwbclient/wbclient.h"
+#include "librpc/gen_ndr/dcerpc.h"
 #include "librpc/gen_ndr/wbint.h"
 
 #include "talloc_dict.h"
@@ -105,6 +106,8 @@ struct getpwent_user {
 struct winbindd_cm_conn {
 	struct cli_state *cli;
 
+	enum dcerpc_AuthLevel auth_level;
+
 	struct rpc_pipe_client *samr_pipe;
 	struct policy_handle sam_connect_handle, sam_domain_handle;
 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index c4f59d3..6c1244e 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -1722,6 +1722,7 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 	}
 
 	if (NT_STATUS_IS_OK(result)) {
+		bool seal_pipes = true;
 
 		winbindd_set_locator_kdc_envs(domain);
 
@@ -1741,6 +1742,17 @@ static NTSTATUS cm_open_connection(struct winbindd_domain *domain,
 		 */
 		store_current_dc_in_gencache(domain->name, domain->dcname,
 					     new_conn->cli);
+
+		seal_pipes = lp_winbind_sealed_pipes();
+		seal_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+					  domain->name,
+					  seal_pipes);
+
+		if (seal_pipes) {
+			new_conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+		} else {
+			new_conn->auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+		}
 	} else {
 		/* Ensure we setup the retry handler. */
 		set_domain_offline(domain);
@@ -1813,6 +1825,8 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 		}
 	}
 
+	conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+
 	if (conn->cli) {
 		cli_shutdown(conn->cli);
 	}
@@ -2363,7 +2377,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 					  &ndr_table_samr,
 					  NCACN_NP,
 					  GENSEC_OID_NTLMSSP,
-					  DCERPC_AUTH_LEVEL_PRIVACY,
+					  conn->auth_level,
 					  smbXcli_conn_remote_name(conn->cli->conn),
 					  domain_name,
 					  machine_account,
@@ -2534,7 +2548,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 
 	if (conn->lsa_pipe_tcp &&
 	    conn->lsa_pipe_tcp->transport->transport == NCACN_IP_TCP &&
-	    conn->lsa_pipe_tcp->auth->auth_level == DCERPC_AUTH_LEVEL_PRIVACY &&
+	    conn->lsa_pipe_tcp->auth->auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY &&
 	    rpccli_is_connected(conn->lsa_pipe_tcp)) {
 		goto done;
 	}
@@ -2602,7 +2616,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	result = cli_rpc_pipe_open_spnego
 		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
 		 GENSEC_OID_NTLMSSP,
-		 DCERPC_AUTH_LEVEL_PRIVACY,
+		 conn->auth_level,
 		 smbXcli_conn_remote_name(conn->cli->conn),
 		 conn->cli->domain, conn->cli->user_name, conn->cli->password,
 		 &conn->lsa_pipe);
-- 
1.9.3


From c2116e6a1ee32ff36942091287e90b08d1ecf6d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 14 Nov 2013 18:53:06 +0100
Subject: [PATCH 173/249] docs-xml: update 'winbind sealed pipes' description

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 11aed7cd3dbd967593b34a206f0802fd0002bf27)
---
 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
index 26f446e..63f5588 100644
--- a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
@@ -4,12 +4,12 @@
                  advanced="1" developer="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
-	<para>This option controls whether any requests made over the Samba 4 winbind
+	<para>This option controls whether any requests from winbindd to domain controllers
 		pipe will be sealed. Disabling sealing can be useful for debugging
 		purposes.</para>
 
-	<para>Note that this option only applies to the Samba 4 winbind and not
-		to the standard winbind.</para>
+	<para>The behavior can be controlled per netbios domain
+	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
 </description>
 
 <value type="default">yes</value>
-- 
1.9.3


From ea14b4a713a85a2d87cba6ad88127020e1d5e813 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 27 Jul 2013 11:30:13 +0200
Subject: [PATCH 174/249] s3:rpc_client: make use of the new
 netlogon_creds_cli_context

This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds
and lets the secure channel session state be stored in node local database.

This is the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 38d4dba37406515181e4d6f1a1faffc18e652e27)
---
 source3/libnet/libnet_join.c           |   3 +-
 source3/libnet/libnet_samsync.c        |  19 +-
 source3/rpc_client/cli_netlogon.c      | 436 ++++++++-------------------------
 source3/rpc_client/cli_pipe.c          | 139 +++--------
 source3/rpc_client/cli_pipe.h          |   2 +-
 source3/rpc_client/cli_pipe_schannel.c |   3 +-
 source3/rpc_client/rpc_client.h        |   2 +-
 source3/rpcclient/cmd_netlogon.c       |  57 ++++-
 source3/winbindd/winbindd.h            |   9 -
 source3/winbindd/winbindd_cm.c         |  36 +--
 source3/winbindd/winbindd_pam.c        | 136 ++--------
 source3/wscript_build                  |   6 +-
 12 files changed, 250 insertions(+), 598 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index c1eccda..5dc620f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1279,7 +1279,8 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 	status = cli_rpc_pipe_open_schannel_with_key(
 		cli, &ndr_table_netlogon, NCACN_NP,
 		DCERPC_AUTH_LEVEL_PRIVACY,
-		netbios_domain_name, &netlogon_pipe->dc, &pipe_hnd);
+		netbios_domain_name,
+		netlogon_pipe->netlogon_creds, &pipe_hnd);
 
 	cli_shutdown(cli);
 
diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
index a103785..02d3fc6 100644
--- a/source3/libnet/libnet_samsync.c
+++ b/source3/libnet/libnet_samsync.c
@@ -30,6 +30,7 @@
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
 #include "../libcli/security/security.h"
 #include "messages.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
 
 /**
  * Fix up the delta, dealing with encryption issues so that the final
@@ -213,8 +214,15 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
 
 	do {
 		struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+		struct netlogon_creds_CredentialState *creds = NULL;
 
-		netlogon_creds_client_authenticator(ctx->cli->dc, &credential);
+		status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
+						 mem_ctx, &creds);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		netlogon_creds_client_authenticator(creds, &credential);
 
 		if (ctx->single_object_replication &&
 		    !ctx->force_full_replication) {
@@ -254,28 +262,33 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
 		}
 
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(creds);
 			return status;
 		}
 
 		/* Check returned credentials. */
-		if (!netlogon_creds_client_check(ctx->cli->dc,
+		if (!netlogon_creds_client_check(creds,
 						 &return_authenticator.cred)) {
+			TALLOC_FREE(creds);
 			DEBUG(0,("credentials chain check failed\n"));
 			return NT_STATUS_ACCESS_DENIED;
 		}
 
 		if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_SUPPORTED)) {
+			TALLOC_FREE(creds);
 			return result;
 		}
 
 		if (NT_STATUS_IS_ERR(result)) {
+			TALLOC_FREE(creds);
 			break;
 		}
 
 		samsync_fix_delta_array(mem_ctx,
-					ctx->cli->dc,
+					creds,
 					database_id,
 					delta_enum_array);
+		TALLOC_FREE(creds);
 
 		/* Process results */
 		callback_status = ctx->ops->process_objects(mem_ctx, database_id,
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 5e8a2fc..fcd24d6 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -23,11 +23,13 @@
 #include "includes.h"
 #include "rpc_client/rpc_client.h"
 #include "../libcli/auth/libcli_auth.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
 #include "rpc_client/cli_netlogon.h"
 #include "rpc_client/init_netlogon.h"
 #include "rpc_client/util_netlogon.h"
 #include "../libcli/security/security.h"
+#include "lib/param/param.h"
 
 /****************************************************************************
  Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
@@ -44,113 +46,81 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 				     enum netr_SchannelType sec_chan_type,
 				     uint32_t *neg_flags_inout)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct loadparm_context *lp_ctx;
 	NTSTATUS status;
-	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	struct netr_Credential clnt_chal_send;
-	struct netr_Credential srv_chal_recv;
 	struct samr_Password password;
-	bool retried = false;
 	fstring mach_acct;
-	uint32_t neg_flags = *neg_flags_inout;
 	struct dcerpc_binding_handle *b = cli->binding_handle;
+	struct netlogon_creds_CredentialState *creds = NULL;
 
 	if (!ndr_syntax_id_equal(&cli->abstract_syntax,
 				 &ndr_table_netlogon.syntax_id)) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	TALLOC_FREE(cli->dc);
-
-	/* Store the machine account password we're going to use. */
-	memcpy(password.hash, machine_pwd, 16);
-
-	fstr_sprintf( mach_acct, "%s$", machine_account);
-
- again:
-	/* Create the client challenge. */
-	generate_random_buffer(clnt_chal_send.data, 8);
-
-	/* Get the server challenge. */
-	status = dcerpc_netr_ServerReqChallenge(b, talloc_tos(),
-						cli->srv_name_slash,
-						clnt_name,
-						&clnt_chal_send,
-						&srv_chal_recv,
-						&result);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
+	if (!strequal(lp_netbios_name(), clnt_name)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	/* Calculate the session key and client credentials */
+	TALLOC_FREE(cli->netlogon_creds);
 
-	cli->dc = netlogon_creds_client_init(cli,
-				    mach_acct,
-				    clnt_name,
-				    sec_chan_type,
-				    &clnt_chal_send,
-				    &srv_chal_recv,
-				    &password,
-				    &clnt_chal_send,
-				    neg_flags);
+	fstr_sprintf( mach_acct, "%s$", machine_account);
 
-	if (!cli->dc) {
+	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
-
-	/*
-	 * Send client auth-2 challenge and receive server repy.
-	 */
-
-	status = dcerpc_netr_ServerAuthenticate2(b, talloc_tos(),
-						 cli->srv_name_slash,
-						 cli->dc->account_name,
-						 sec_chan_type,
-						 cli->dc->computer_name,
-						 &clnt_chal_send, /* input. */
-						 &srv_chal_recv, /* output. */
-						 &neg_flags,
-						 &result);
+	status = netlogon_creds_cli_context_global(lp_ctx,
+						   NULL, /* msg_ctx */
+						   mach_acct,
+						   sec_chan_type,
+						   server_name,
+						   domain,
+						   cli, &cli->netlogon_creds);
+	talloc_unlink(frame, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
 		return status;
 	}
-	/* we might be talking to NT4, so let's downgrade in that case and retry
-	 * with the returned neg_flags - gd */
 
-	if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) && !retried) {
-		retried = true;
-		TALLOC_FREE(cli->dc);
-		goto again;
+	status = netlogon_creds_cli_get(cli->netlogon_creds,
+					frame, &creds);
+	if (NT_STATUS_IS_OK(status)) {
+		DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
+			 "cached credential\n",
+			 cli->desthost));
+		*neg_flags_inout = creds->negotiate_flags;
+		TALLOC_FREE(frame);
+		return NT_STATUS_OK;
 	}
 
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
-	}
-
-	/*
-	 * Check the returned value using the initial
-	 * server received challenge.
-	 */
-
-	if (!netlogon_creds_client_check(cli->dc, &srv_chal_recv)) {
-		/*
-		 * Server replied with bad credential. Fail.
-		 */
-		DEBUG(0,("rpccli_netlogon_setup_creds: server %s "
-			"replied with bad credential\n",
-			cli->desthost ));
-		return NT_STATUS_ACCESS_DENIED;
-	}
+	/* Store the machine account password we're going to use. */
+	memcpy(password.hash, machine_pwd, 16);
 
 	DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
 		"chain established.\n",
 		cli->desthost ));
 
-	cli->dc->negotiate_flags = neg_flags;
-	*neg_flags_inout = neg_flags;
+	status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
+					 password, NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = netlogon_creds_cli_get(cli->netlogon_creds,
+					frame, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
 
+	*neg_flags_inout = creds->negotiate_flags;
+	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
 
@@ -163,20 +133,16 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 				   const char *username,
 				   const char *password,
 				   const char *workstation,
-				   uint16_t validation_level,
+				   uint16_t _ignored_validation_level,
 				   int logon_type)
 {
-	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	NTSTATUS status;
-	struct netr_Authenticator clnt_creds;
-	struct netr_Authenticator ret_creds;
 	union netr_LogonLevel *logon;
-	union netr_Validation validation;
-	uint8_t authoritative;
+	uint16_t validation_level = 0;
+	union netr_Validation *validation = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 	fstring clnt_name_slash;
-	struct dcerpc_binding_handle *b = cli->binding_handle;
-
-	ZERO_STRUCT(ret_creds);
 
 	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
 	if (!logon) {
@@ -191,8 +157,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 	/* Initialise input parameters */
 
-	netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
-
 	switch (logon_type) {
 	case NetlogonInteractiveInformation: {
 
@@ -208,17 +172,6 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 		nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
 
-		if (cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			netlogon_creds_aes_encrypt(cli->dc, lmpassword.hash, 16);
-			netlogon_creds_aes_encrypt(cli->dc, ntpassword.hash, 16);
-		} else if (cli->dc->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			netlogon_creds_arcfour_crypt(cli->dc, lmpassword.hash, 16);
-			netlogon_creds_arcfour_crypt(cli->dc, ntpassword.hash, 16);
-		} else {
-			netlogon_creds_des_encrypt(cli->dc, &lmpassword);
-			netlogon_creds_des_encrypt(cli->dc, &ntpassword);
-		}
-
 		password_info->identity_info.domain_name.string		= domain;
 		password_info->identity_info.parameter_control		= logon_parameters;
 		password_info->identity_info.logon_id_low		= 0xdead;
@@ -281,28 +234,20 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 		return NT_STATUS_INVALID_INFO_CLASS;
 	}
 
-	status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
-					   cli->srv_name_slash,
-					   lp_netbios_name(),
-					   &clnt_creds,
-					   &ret_creds,
-					   logon_type,
-					   logon,
-					   validation_level,
-					   &validation,
-					   &authoritative,
-					   &result);
+	status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
+						  cli->binding_handle,
+						  logon_type,
+						  logon,
+						  mem_ctx,
+						  &validation_level,
+						  &validation,
+						  &authoritative,
+						  &flags);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
-	/* Always check returned credentials */
-	if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
-		DEBUG(0,("rpccli_netlogon_sam_logon: credentials chain check failed\n"));
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	return result;
+	return NT_STATUS_OK;
 }
 
 static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
@@ -366,29 +311,24 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 					   const char *domain,
 					   const char *workstation,
 					   const uint8 chal[8],
-					   uint16_t validation_level,
+					   uint16_t _ignored_validation_level,
 					   DATA_BLOB lm_response,
 					   DATA_BLOB nt_response,
 					   struct netr_SamInfo3 **info3)
 {
-	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	NTSTATUS status;
 	const char *workstation_name_slash;
-	const char *server_name_slash;
-	struct netr_Authenticator clnt_creds;
-	struct netr_Authenticator ret_creds;
 	union netr_LogonLevel *logon = NULL;
 	struct netr_NetworkInfo *network_info;
-	uint8_t authoritative;
-	union netr_Validation validation;
+	uint16_t validation_level = 0;
+	union netr_Validation *validation = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 	struct netr_ChallengeResponse lm;
 	struct netr_ChallengeResponse nt;
-	struct dcerpc_binding_handle *b = cli->binding_handle;
 
 	*info3 = NULL;
 
-	ZERO_STRUCT(ret_creds);
-
 	ZERO_STRUCT(lm);
 	ZERO_STRUCT(nt);
 
@@ -402,21 +342,13 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
-
-	if (server[0] != '\\' && server[1] != '\\') {
-		server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
-	} else {
-		server_name_slash = server;
-	}
-
 	if (workstation[0] != '\\' && workstation[1] != '\\') {
 		workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
 	} else {
 		workstation_name_slash = workstation;
 	}
 
-	if (!workstation_name_slash || !server_name_slash) {
+	if (!workstation_name_slash) {
 		DEBUG(0, ("talloc_asprintf failed!\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
@@ -443,40 +375,27 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 
 	/* Marshall data and send request */
 
-	status = dcerpc_netr_LogonSamLogon(b, mem_ctx,
-					   server_name_slash,
-					   lp_netbios_name(),
-					   &clnt_creds,
-					   &ret_creds,
-					   NetlogonNetworkInformation,
-					   logon,
-					   validation_level,
-					   &validation,
-					   &authoritative,
-					   &result);
+	status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
+						  cli->binding_handle,
+						  NetlogonNetworkInformation,
+						  logon,
+						  mem_ctx,
+						  &validation_level,
+						  &validation,
+						  &authoritative,
+						  &flags);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
-	/* Always check returned credentials. */
-	if (!netlogon_creds_client_check(cli->dc, &ret_creds.cred)) {
-		DEBUG(0,("rpccli_netlogon_sam_network_logon: credentials chain check failed\n"));
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
-	}
-
-	netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
-						   &validation);
-
-	result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
+	status = map_validation_to_info3(mem_ctx,
+					 validation_level, validation,
+					 info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
-	return result;
+	return NT_STATUS_OK;
 }
 
 NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
@@ -492,100 +411,18 @@ NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
 					      DATA_BLOB nt_response,
 					      struct netr_SamInfo3 **info3)
 {
-	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	NTSTATUS status;
-	const char *workstation_name_slash;
-	const char *server_name_slash;
-	union netr_LogonLevel *logon = NULL;
-	struct netr_NetworkInfo *network_info;
-	uint8_t authoritative;
-	union netr_Validation validation;
-	struct netr_ChallengeResponse lm;
-	struct netr_ChallengeResponse nt;
-	uint32_t flags = 0;
-	struct dcerpc_binding_handle *b = cli->binding_handle;
-
-	*info3 = NULL;
-
-	ZERO_STRUCT(lm);
-	ZERO_STRUCT(nt);
-
-	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-	if (!logon) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-	if (!network_info) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (server[0] != '\\' && server[1] != '\\') {
-		server_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", server);
-	} else {
-		server_name_slash = server;
-	}
-
-	if (workstation[0] != '\\' && workstation[1] != '\\') {
-		workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
-	} else {
-		workstation_name_slash = workstation;
-	}
-
-	if (!workstation_name_slash || !server_name_slash) {
-		DEBUG(0, ("talloc_asprintf failed!\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	/* Initialise input parameters */
-
-	lm.data = lm_response.data;
-	lm.length = lm_response.length;
-	nt.data = nt_response.data;
-	nt.length = nt_response.length;
-
-	network_info->identity_info.domain_name.string		= domain;
-	network_info->identity_info.parameter_control		= logon_parameters;
-	network_info->identity_info.logon_id_low		= 0xdead;
-	network_info->identity_info.logon_id_high		= 0xbeef;
-	network_info->identity_info.account_name.string		= username;
-	network_info->identity_info.workstation.string		= workstation_name_slash;
-
-	memcpy(network_info->challenge, chal, 8);
-	network_info->nt = nt;
-	network_info->lm = lm;
-
-	logon->network = network_info;
-
-        /* Marshall data and send request */
-
-	status = dcerpc_netr_LogonSamLogonEx(b, mem_ctx,
-					     server_name_slash,
-					     lp_netbios_name(),
-					     NetlogonNetworkInformation,
-					     logon,
-					     validation_level,
-					     &validation,
-					     &authoritative,
-					     &flags,
-					     &result);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
-	}
-
-	netlogon_creds_decrypt_samlogon_validation(cli->dc, validation_level,
-						   &validation);
-
-	result = map_validation_to_info3(mem_ctx, validation_level, &validation, info3);
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
-	}
-
-	return result;
+	return rpccli_netlogon_sam_network_logon(cli,
+						 mem_ctx,
+						 logon_parameters,
+						 server,
+						 username,
+						 domain,
+						 workstation,
+						 chal,
+						 validation_level,
+						 lm_response,
+						 nt_response,
+						 info3);
 }
 
 /*********************************************************
@@ -605,11 +442,9 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
 					    const unsigned char new_trust_passwd_hash[16],
 					    enum netr_SchannelType sec_channel_type)
 {
-	NTSTATUS result, status;
-	struct netr_Authenticator clnt_creds, srv_cred;
-	struct dcerpc_binding_handle *b = cli->binding_handle;
+	NTSTATUS result;
 
-	if (!cli->dc) {
+	if (cli->netlogon_creds == NULL) {
 		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
 					NETLOGON_NEG_SUPPORTS_AES;
 		result = rpccli_netlogon_setup_creds(cli,
@@ -627,77 +462,16 @@ NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
 		}
 	}
 
-	netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
-
-	if (cli->dc->negotiate_flags & NETLOGON_NEG_PASSWORD_SET2) {
-
-		struct netr_CryptPassword new_password;
-		uint32_t old_timeout;
-
-		init_netr_CryptPassword(new_trust_pwd_cleartext,
-					cli->dc,
-					&new_password);
-
-		old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
-
-		status = dcerpc_netr_ServerPasswordSet2(b, mem_ctx,
-							cli->srv_name_slash,
-							cli->dc->account_name,
-							sec_channel_type,
-							cli->dc->computer_name,
-							&clnt_creds,
-							&srv_cred,
-							&new_password,
-							&result);
-
-		dcerpc_binding_handle_set_timeout(b, old_timeout);
-
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(0,("dcerpc_netr_ServerPasswordSet2 failed: %s\n",
-				nt_errstr(status)));
-			return status;
-		}
-	} else {
-
-		struct samr_Password new_password;
-		uint32_t old_timeout;
-
-		memcpy(new_password.hash, new_trust_passwd_hash, sizeof(new_password.hash));
-		netlogon_creds_des_encrypt(cli->dc, &new_password);
-
-		old_timeout = dcerpc_binding_handle_set_timeout(b, 600000);
-
-		status = dcerpc_netr_ServerPasswordSet(b, mem_ctx,
-						       cli->srv_name_slash,
-						       cli->dc->account_name,
-						       sec_channel_type,
-						       cli->dc->computer_name,
-						       &clnt_creds,
-						       &srv_cred,
-						       &new_password,
-						       &result);
-
-		dcerpc_binding_handle_set_timeout(b, old_timeout);
-
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(0,("dcerpc_netr_ServerPasswordSet failed: %s\n",
-				nt_errstr(status)));
-			return status;
-		}
-	}
-
-	/* Always check returned credentials. */
-	if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
-		DEBUG(0,("credentials chain check failed\n"));
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
+	result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
+						      cli->binding_handle,
+						      new_trust_pwd_cleartext,
+						      NULL); /* new_version */
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0,("dcerpc_netr_ServerPasswordSet{2} failed: %s\n",
+		DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
 			nt_errstr(result)));
 		return result;
 	}
 
-	return result;
+	return NT_STATUS_OK;
 }
 
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index a45023f..fe1613d 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -24,6 +24,7 @@
 #include "librpc/gen_ndr/ndr_epmapper_c.h"
 #include "../librpc/gen_ndr/ndr_dssetup.h"
 #include "../libcli/auth/schannel.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
 #include "auth_generic.h"
 #include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "librpc/gen_ndr/ndr_netlogon_c.h"
@@ -3024,34 +3025,39 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     enum dcerpc_transport_t transport,
 					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
-					     struct netlogon_creds_CredentialState **pdc,
+					     struct netlogon_creds_cli_context *netlogon_creds,
 					     struct rpc_pipe_client **_rpccli)
 {
 	struct rpc_pipe_client *rpccli;
 	struct pipe_auth_data *rpcauth;
+	struct netlogon_creds_CredentialState *creds = NULL;
 	NTSTATUS status;
-	NTSTATUS result;
-	struct netlogon_creds_CredentialState save_creds;
-	struct netr_Authenticator auth;
-	struct netr_Authenticator return_auth;
-	union netr_Capabilities capabilities;
 	const char *target_service = table->authservices->names[0];
+	int rpc_pipe_bind_dbglvl = 0;
 
 	status = cli_rpc_pipe_open(cli, transport, table, &rpccli);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+	status = netlogon_creds_cli_lock(netlogon_creds, rpccli, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("netlogon_creds_cli_get returned %s\n",
+			  nt_errstr(status)));
+		TALLOC_FREE(rpccli);
+		return status;
+	}
+
 	status = rpccli_generic_bind_data(rpccli,
 					  DCERPC_AUTH_TYPE_SCHANNEL,
 					  auth_level,
 					  NULL,
 					  target_service,
 					  domain,
-					  (*pdc)->computer_name,
+					  creds->computer_name,
 					  NULL,
 					  CRED_AUTO_USE_KERBEROS,
-					  *pdc,
+					  creds,
 					  &rpcauth);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("rpccli_generic_bind_data returned %s\n",
@@ -3060,120 +3066,43 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 		return status;
 	}
 
-	/*
-	 * The credentials on a new netlogon pipe are the ones we are passed
-	 * in - copy them over
-	 *
-	 * This may get overwritten... in rpc_pipe_bind()...
-	 */
-	rpccli->dc = netlogon_creds_copy(rpccli, *pdc);
-	if (rpccli->dc == NULL) {
-		TALLOC_FREE(rpccli);
-		return NT_STATUS_NO_MEMORY;
-	}
-
 	status = rpc_pipe_bind(rpccli, rpcauth);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
+		rpc_pipe_bind_dbglvl = 1;
+		netlogon_creds_cli_delete(netlogon_creds, &creds);
+	}
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: "
-			  "cli_rpc_pipe_bind failed with error %s\n",
-			  nt_errstr(status) ));
+		DEBUG(rpc_pipe_bind_dbglvl,
+		      ("cli_rpc_pipe_open_schannel_with_key: "
+		       "rpc_pipe_bind failed with error %s\n",
+		       nt_errstr(status)));
 		TALLOC_FREE(rpccli);
 		return status;
 	}
 
-	if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
-		goto done;
-	}
-
-	save_creds = *rpccli->dc;
-	ZERO_STRUCT(return_auth);
-	ZERO_STRUCT(capabilities);
+	TALLOC_FREE(creds);
 
-	netlogon_creds_client_authenticator(&save_creds, &auth);
-
-	status = dcerpc_netr_LogonGetCapabilities(rpccli->binding_handle,
-						  talloc_tos(),
-						  rpccli->srv_name_slash,
-						  save_creds.computer_name,
-						  &auth, &return_auth,
-						  1, &capabilities,
-						  &result);
-	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-		if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			DEBUG(5, ("AES was negotiated and the error was %s - "
-				  "downgrade detected\n",
-				  nt_errstr(status)));
-			TALLOC_FREE(rpccli);
-			return NT_STATUS_INVALID_NETWORK_RESPONSE;
-		}
-
-		/* This is probably an old Samba Version */
-		DEBUG(5, ("We are checking against an NT or old Samba - %s\n",
-			  nt_errstr(status)));
+	if (!ndr_syntax_id_equal(&table->syntax_id, &ndr_table_netlogon.syntax_id)) {
 		goto done;
 	}
 
+	status = netlogon_creds_cli_check(netlogon_creds,
+					  rpccli->binding_handle);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
+		DEBUG(0, ("netlogon_creds_cli_check failed with %s\n",
 			  nt_errstr(status)));
 		TALLOC_FREE(rpccli);
 		return status;
 	}
 
-	if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
-		if (save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-			/* This means AES isn't supported. */
-			DEBUG(5, ("AES was negotiated and the result was %s - "
-				  "downgrade detected\n",
-				  nt_errstr(result)));
-			TALLOC_FREE(rpccli);
-			return NT_STATUS_INVALID_NETWORK_RESPONSE;
-		}
-
-		/* This is probably an old Windows version */
-		DEBUG(5, ("We are checking against an win2k3 or Samba - %s\n",
-			  nt_errstr(result)));
-		goto done;
-	}
-
-	/*
-	 * We need to check the credential state here, cause win2k3 and earlier
-	 * returns NT_STATUS_NOT_IMPLEMENTED
-	 */
-	if (!netlogon_creds_client_check(&save_creds, &return_auth.cred)) {
-		/*
-		 * Server replied with bad credential. Fail.
-		 */
-		DEBUG(0,("cli_rpc_pipe_open_schannel_with_key: server %s "
-			 "replied with bad credential\n",
-			 rpccli->desthost));
-		TALLOC_FREE(rpccli);
-		return NT_STATUS_INVALID_NETWORK_RESPONSE;
-	}
-	*rpccli->dc = save_creds;
-
-	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0, ("dcerpc_netr_LogonGetCapabilities failed with %s\n",
-			  nt_errstr(result)));
-		TALLOC_FREE(rpccli);
-		return result;
-	}
-
-	if (!(save_creds.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {
-		/* This means AES isn't supported. */
-		DEBUG(5, ("AES is not negotiated, but netr_LogonGetCapabilities "
-			  "was OK - downgrade detected\n"));
-		TALLOC_FREE(rpccli);
-		return NT_STATUS_INVALID_NETWORK_RESPONSE;
-	}
-
-	if (save_creds.negotiate_flags != capabilities.server_capabilities) {
-		DEBUG(0, ("The client capabilities don't match the server "
-			  "capabilities: local[0x%08X] remote[0x%08X]\n",
-			  save_creds.negotiate_flags,
-			  capabilities.server_capabilities));
+	status = netlogon_creds_cli_context_copy(netlogon_creds,
+						 rpccli,
+						 &rpccli->netlogon_creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
+			  nt_errstr(status)));
 		TALLOC_FREE(rpccli);
-		return NT_STATUS_INVALID_NETWORK_RESPONSE;
+		return status;
 	}
 
 done:
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 826f9bf..cf0c5c6 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -96,7 +96,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     enum dcerpc_transport_t transport,
 					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
-					     struct netlogon_creds_CredentialState **pdc,
+					     struct netlogon_creds_cli_context *netlogon_creds,
 					     struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index aaae44b..e3d65c8 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -112,7 +112,8 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, table, transport, auth_level, domain, &netlogon_pipe->dc,
+		cli, table, transport, auth_level, domain,
+		netlogon_pipe->netlogon_creds,
 		&result);
 
 	/* Now we've bound using the session key we can close the netlog pipe. */
diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
index 8024f01..7c4cceb 100644
--- a/source3/rpc_client/rpc_client.h
+++ b/source3/rpc_client/rpc_client.h
@@ -50,7 +50,7 @@ struct rpc_pipe_client {
 	struct pipe_auth_data *auth;
 
 	/* The following is only non-null on a netlogon client pipe. */
-	struct netlogon_creds_CredentialState *dc;
+	struct netlogon_creds_cli_context *netlogon_creds;
 };
 
 #endif /* _RPC_CLIENT_H */
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index d92434b..2e0b5e5 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -26,6 +26,7 @@
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
 #include "rpc_client/cli_netlogon.h"
 #include "secrets.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
 
 static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli,
 				       TALLOC_CTX *mem_ctx, int argc,
@@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
 
 	do {
 		struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+		struct netlogon_creds_CredentialState *creds = NULL;
 
-		netlogon_creds_client_authenticator(cli->dc, &credential);
+		status = netlogon_creds_cli_lock(cli->netlogon_creds,
+						 mem_ctx, &creds);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+
+		netlogon_creds_client_authenticator(creds, &credential);
 
 		status = dcerpc_netr_DatabaseSync2(b, mem_ctx,
 						   logon_server,
@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
 						   0xffff,
 						   &result);
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(creds);
 			return status;
 		}
 
 		/* Check returned credentials. */
-		if (!netlogon_creds_client_check(cli->dc,
+		if (!netlogon_creds_client_check(creds,
 						 &return_authenticator.cred)) {
 			DEBUG(0,("credentials chain check failed\n"));
+			TALLOC_FREE(creds);
 			return NT_STATUS_ACCESS_DENIED;
 		}
+		TALLOC_FREE(creds);
 
 		if (NT_STATUS_IS_ERR(result)) {
 			break;
@@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
 
 	do {
 		struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
+		struct netlogon_creds_CredentialState *creds = NULL;
+
+		status = netlogon_creds_cli_lock(cli->netlogon_creds,
+						 mem_ctx, &creds);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
 
-		netlogon_creds_client_authenticator(cli->dc, &credential);
+		netlogon_creds_client_authenticator(creds, &credential);
 
 		status = dcerpc_netr_DatabaseDeltas(b, mem_ctx,
 						    logon_server,
@@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
 						    0xffff,
 						    &result);
 		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(creds);
 			return status;
 		}
 
 		/* Check returned credentials. */
-		if (!netlogon_creds_client_check(cli->dc,
+		if (!netlogon_creds_client_check(creds,
 						 &return_authenticator.cred)) {
 			DEBUG(0,("credentials chain check failed\n"));
+			TALLOC_FREE(creds);
 			return NT_STATUS_ACCESS_DENIED;
 		}
+		TALLOC_FREE(creds);
 
 		if (NT_STATUS_IS_ERR(result)) {
 			break;
@@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 	struct netr_ChangeLogEntry e;
 	uint32_t rid = 500;
 	struct dcerpc_binding_handle *b = cli->binding_handle;
+	struct netlogon_creds_CredentialState *creds = NULL;
 
 	if (argc > 2) {
 		fprintf(stderr, "Usage: %s <user rid>\n", argv[0]);
@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 		return status;
 	}
 
-	netlogon_creds_client_authenticator(cli->dc, &clnt_creds);
+	status = netlogon_creds_cli_lock(cli->netlogon_creds,
+					 mem_ctx, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	netlogon_creds_client_authenticator(creds, &clnt_creds);
 
 	ZERO_STRUCT(e);
 
@@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 					  &delta_enum_array,
 					  &result);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(creds);
 		return status;
 	}
 
-	if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) {
+	if (!netlogon_creds_client_check(creds, &srv_cred.cred)) {
 		DEBUG(0,("credentials chain check failed\n"));
+		TALLOC_FREE(creds);
 		return NT_STATUS_ACCESS_DENIED;
 	}
+	TALLOC_FREE(creds);
 
 	return result;
 }
@@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
 	union netr_Capabilities capabilities;
 	uint32_t level = 1;
 	struct dcerpc_binding_handle *b = cli->binding_handle;
+	struct netlogon_creds_CredentialState *creds = NULL;
 
 	if (argc > 2) {
 		fprintf(stderr, "Usage: %s <level>\n", argv[0]);
@@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
 
 	ZERO_STRUCT(return_authenticator);
 
-	netlogon_creds_client_authenticator(cli->dc, &credential);
+	status = netlogon_creds_cli_lock(cli->netlogon_creds,
+					 mem_ctx, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	netlogon_creds_client_authenticator(creds, &credential);
 
 	status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx,
 						  cli->desthost,
@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
 						  &capabilities,
 						  &result);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(creds);
 		return status;
 	}
 
-	if (!netlogon_creds_client_check(cli->dc,
+	if (!netlogon_creds_client_check(creds,
 					 &return_authenticator.cred)) {
 		DEBUG(0,("credentials chain check failed\n"));
+		TALLOC_FREE(creds);
 		return NT_STATUS_ACCESS_DENIED;
 	}
+	TALLOC_FREE(creds);
 
 	printf("capabilities: 0x%08x\n", capabilities.server_capabilities);
 
diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index afde685..b5fc010 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -165,16 +165,7 @@ struct winbindd_domain {
 	time_t startup_time;		       /* When we set "startup" true. monotonic clock */
 	bool startup;                          /* are we in the first 30 seconds after startup_time ? */
 
-	bool can_do_samlogon_ex; /* Due to the lack of finer control what type
-				  * of DC we have, let us try to do a
-				  * credential-chain less samlogon_ex call
-				  * with AD and schannel. If this fails with
-				  * DCERPC_FAULT_OP_RNG_ERROR, then set this
-				  * to False. This variable is around so that
-				  * we don't have to try _ex every time. */
-
 	bool can_do_ncacn_ip_tcp;
-	bool can_do_validation6;
 
 	/* Lookup methods for this domain (LDAP or RPC) */
 	struct winbindd_methods *methods;
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 6c1244e..e0d1d0c 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2047,7 +2047,6 @@ static bool set_dc_type_and_flags_trustinfo( struct winbindd_domain *domain )
 				 domain->active_directory ? "" : "NOT "));
 
 			domain->can_do_ncacn_ip_tcp = domain->active_directory;
-			domain->can_do_validation6 = domain->active_directory;
 
 			domain->initialized = True;
 
@@ -2248,7 +2247,6 @@ done:
 		  domain->name, domain->active_directory ? "" : "NOT "));
 
 	domain->can_do_ncacn_ip_tcp = domain->active_directory;
-	domain->can_do_validation6 = domain->active_directory;
 
 	TALLOC_FREE(cli);
 
@@ -2289,7 +2287,7 @@ static void set_dc_type_and_flags( struct winbindd_domain *domain )
 ***********************************************************************/
 
 static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
-				   struct netlogon_creds_CredentialState **ppdc)
+				   struct netlogon_creds_cli_context **ppdc)
 {
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	struct rpc_pipe_client *netlogon_pipe;
@@ -2306,11 +2304,11 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
 	/* Return a pointer to the struct netlogon_creds_CredentialState from the
 	   netlogon pipe. */
 
-	if (!domain->conn.netlogon_pipe->dc) {
+	if (!domain->conn.netlogon_pipe->netlogon_creds) {
 		return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
 	}
 
-	*ppdc = domain->conn.netlogon_pipe->dc;
+	*ppdc = domain->conn.netlogon_pipe->netlogon_creds;
 	return NT_STATUS_OK;
 }
 
@@ -2319,7 +2317,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 {
 	struct winbindd_cm_conn *conn;
 	NTSTATUS status, result;
-	struct netlogon_creds_CredentialState *p_creds;
+	struct netlogon_creds_cli_context *p_creds;
 	char *machine_password = NULL;
 	char *machine_account = NULL;
 	const char *domain_name = NULL;
@@ -2431,7 +2429,7 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	status = cli_rpc_pipe_open_schannel_with_key
 		(conn->cli, &ndr_table_samr, NCACN_NP,
 		 DCERPC_AUTH_LEVEL_PRIVACY,
-		 domain->name, &p_creds, &conn->samr_pipe);
+		 domain->name, p_creds, &conn->samr_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("cm_connect_sam: failed to connect to SAMR pipe for "
@@ -2534,7 +2532,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 			    struct rpc_pipe_client **cli)
 {
 	struct winbindd_cm_conn *conn;
-	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_cli_context *creds;
 	NTSTATUS status;
 
 	DEBUG(10,("cm_connect_lsa_tcp\n"));
@@ -2565,7 +2563,7 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 						     NCACN_IP_TCP,
 						     DCERPC_AUTH_LEVEL_PRIVACY,
 						     domain->name,
-						     &creds,
+						     creds,
 						     &conn->lsa_pipe_tcp);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10,("cli_rpc_pipe_open_schannel_with_key failed: %s\n",
@@ -2589,7 +2587,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 {
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
-	struct netlogon_creds_CredentialState *p_creds;
+	struct netlogon_creds_cli_context *p_creds;
 
 	result = init_dc_connection_rpc(domain);
 	if (!NT_STATUS_IS_OK(result))
@@ -2662,7 +2660,7 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	result = cli_rpc_pipe_open_schannel_with_key
 		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
 		 DCERPC_AUTH_LEVEL_PRIVACY,
-		 domain->name, &p_creds, &conn->lsa_pipe);
+		 domain->name, p_creds, &conn->lsa_pipe);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(10,("cm_connect_lsa: failed to connect to LSA pipe for "
@@ -2826,10 +2824,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
  no_schannel:
 	if ((lp_client_schannel() == False) ||
 			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-		/*
-		 * NetSamLogonEx only works for schannel
-		 */
-		domain->can_do_samlogon_ex = False;
 
 		/* We're done - just keep the existing connection to NETLOGON
 		 * open */
@@ -2845,7 +2839,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
 	result = cli_rpc_pipe_open_schannel_with_key(
 		conn->cli, &ndr_table_netlogon, NCACN_NP,
-		DCERPC_AUTH_LEVEL_PRIVACY, domain->name, &netlogon_pipe->dc,
+		DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
+		netlogon_pipe->netlogon_creds,
 		&conn->netlogon_pipe);
 
 	/* We can now close the initial netlogon pipe. */
@@ -2859,15 +2854,6 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 		return result;
 	}
 
-	/*
-	 * Always try netr_LogonSamLogonEx. We will fall back for NT4
-	 * which gives DCERPC_FAULT_OP_RNG_ERROR (function not
-	 * supported). We used to only try SamLogonEx for AD, but
-	 * Samba DCs can also do it. And because we don't distinguish
-	 * between Samba and NT4, always try it once.
-	 */
-	domain->can_do_samlogon_ex = true;
-
 	*cli = conn->netlogon_pipe;
 	return NT_STATUS_OK;
 }
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index c356686..39483a5 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1228,8 +1228,6 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
 	do {
 		struct rpc_pipe_client *netlogon_pipe;
-		const struct pipe_auth_data *auth;
-		uint32_t neg_flags = 0;
 
 		ZERO_STRUCTP(info3);
 		retry = false;
@@ -1278,75 +1276,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 		}
 		netr_attempts = 0;
 
-		auth = netlogon_pipe->auth;
-		if (netlogon_pipe->dc) {
-			neg_flags = netlogon_pipe->dc->negotiate_flags;
-		}
-
-		/* It is really important to try SamLogonEx here,
-		 * because in a clustered environment, we want to use
-		 * one machine account from multiple physical
-		 * computers.
-		 *
-		 * With a normal SamLogon call, we must keep the
-		 * credentials chain updated and intact between all
-		 * users of the machine account (which would imply
-		 * cross-node communication for every NTLM logon).
-		 *
-		 * (The credentials chain is not per NETLOGON pipe
-		 * connection, but globally on the server/client pair
-		 * by machine name).
-		 *
-		 * When using SamLogonEx, the credentials are not
-		 * supplied, but the session key is implied by the
-		 * wrapping SamLogon context.
-		 *
-		 *  -- abartlet 21 April 2008
-		 *
-		 * It's also important to use NetlogonValidationSamInfo4 (6),
-		 * because it relies on the rpc transport encryption
-		 * and avoids using the global netlogon schannel
-		 * session key to en/decrypt secret information
-		 * like the user_session_key for network logons.
-		 *
-		 * [MS-APDS] 3.1.5.2 NTLM Network Logon
-		 * says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
-		 * NETLOGON_NEG_AUTHENTICATED_RPC set together
-		 * are the indication that the server supports
-		 * NetlogonValidationSamInfo4 (6). And it must only
-		 * be used if "SealSecureChannel" is used.
-		 *
-		 * -- metze 4 February 2011
-		 */
-
-		if (auth == NULL) {
-			domain->can_do_validation6 = false;
-		} else if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-			domain->can_do_validation6 = false;
-		} else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
-			domain->can_do_validation6 = false;
-		} else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
-			domain->can_do_validation6 = false;
-		} else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
-			domain->can_do_validation6 = false;
-		}
-
-		if (domain->can_do_samlogon_ex && domain->can_do_validation6) {
-			result = rpccli_netlogon_sam_network_logon_ex(
-					netlogon_pipe,
-					mem_ctx,
-					logon_parameters,
-					server,		/* server name */
-					username,	/* user name */
-					domainname,	/* target domain */
-					workstation,	/* workstation */
-					chal,
-					6,
-					lm_response,
-					nt_response,
-					info3);
-		} else {
-			result = rpccli_netlogon_sam_network_logon(
+		result = rpccli_netlogon_sam_network_logon(
 					netlogon_pipe,
 					mem_ctx,
 					logon_parameters,
@@ -1355,48 +1285,10 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					domainname,	/* target domain */
 					workstation,	/* workstation */
 					chal,
-					domain->can_do_validation6 ? 6 : 3,
+					-1, /* ignored */
 					lm_response,
 					nt_response,
 					info3);
-		}
-
-		if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
-
-			/*
-			 * It's likely that the server also does not support
-			 * validation level 6
-			 */
-			domain->can_do_validation6 = false;
-
-			if (domain->can_do_samlogon_ex) {
-				DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
-					  "retrying with NetSamLogon\n"));
-				domain->can_do_samlogon_ex = false;
-				retry = true;
-				continue;
-			}
-
-
-			/* Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
-			 * (no Ex). This happens against old Samba
-			 * DCs. Drop the connection.
-			 */
-			invalidate_cm_connection(&domain->conn);
-			result = NT_STATUS_LOGON_FAILURE;
-			break;
-		}
-
-		if (domain->can_do_validation6 &&
-		    (NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
-		     NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
-		     NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
-			DEBUG(3,("Got a DC that can not do validation level 6, "
-				  "retrying with level 3\n"));
-			domain->can_do_validation6 = false;
-			retry = true;
-			continue;
-		}
 
 		/*
 		 * we increment this after the "feature negotiation"
@@ -1428,6 +1320,30 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 			retry = true;
 		}
 
+		if (NT_STATUS_EQUAL(result, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+			/*
+			 * Got DCERPC_FAULT_OP_RNG_ERROR for SamLogon
+			 * (no Ex). This happens against old Samba
+			 * DCs, if LogonSamLogonEx() fails with an error
+			 * e.g. NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD.
+			 *
+			 * The server will log something like this:
+			 * api_net_sam_logon_ex: Failed to marshall NET_R_SAM_LOGON_EX.
+			 *
+			 * This sets the whole connection into a fault_state mode
+			 * and all following request get NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE.
+			 *
+			 * This also happens to our retry with LogonSamLogonWithFlags()
+			 * and LogonSamLogon().
+			 *
+			 * In order to recover from this situation, we need to
+			 * drop the connection.
+			 */
+			invalidate_cm_connection(&domain->conn);
+			result = NT_STATUS_LOGON_FAILURE;
+			break;
+		}
+
 	} while ( (attempts < 2) && retry );
 
 	if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT)) {
diff --git a/source3/wscript_build b/source3/wscript_build
index 13d15c3..0d3ba8e 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -671,8 +671,8 @@ bld.SAMBA3_LIBRARY('msrpc3',
                    deps='''ndr ndr-standard
                     RPC_NDR_EPMAPPER NTLMSSP_COMMON COMMON_SCHANNEL LIBCLI_AUTH
                     LIBTSOCKET gse dcerpc-binding
-                    libsmb
-                    ndr-table''',
+                    libsmb ndr-table NETLOGON_CREDS_CLI
+                   ''',
                    vars=locals(),
                    private_library=True)
 
@@ -1114,7 +1114,7 @@ bld.SAMBA3_LIBRARY('libcli_lsa3',
 
 bld.SAMBA3_LIBRARY('libcli_netlogon3',
                    source=LIBCLI_NETLOGON_SRC,
-                   deps='RPC_NDR_NETLOGON INIT_NETLOGON cliauth param',
+                   deps='msrpc3 RPC_NDR_NETLOGON INIT_NETLOGON cliauth param NETLOGON_CREDS_CLI',
                    private_library=True)
 
 bld.SAMBA3_LIBRARY('cli_spoolss',
-- 
1.9.3


From 0b489bffb452e05d595abc2894532100162a4e8c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 17:03:00 +0200
Subject: [PATCH 175/249] s3:rpc_client: use netlogon_creds_cli_auth_level() in
 cli_rpc_pipe_open_schannel_with_key()

This means the auth level is now based on the "winbindd sealed pipes" option,
defaulting to "yes" and DCERPC_AUTH_LEVEL_PRIVACY.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5adfc5f9f737c003b84b0187fa17b9fc3784442e)
---
 source3/libnet/libnet_join.c           | 1 -
 source3/rpc_client/cli_pipe.c          | 4 +++-
 source3/rpc_client/cli_pipe.h          | 1 -
 source3/rpc_client/cli_pipe_schannel.c | 2 +-
 source3/winbindd/winbindd_cm.c         | 5 +----
 5 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 5dc620f..b2805ee 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1278,7 +1278,6 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 
 	status = cli_rpc_pipe_open_schannel_with_key(
 		cli, &ndr_table_netlogon, NCACN_NP,
-		DCERPC_AUTH_LEVEL_PRIVACY,
 		netbios_domain_name,
 		netlogon_pipe->netlogon_creds, &pipe_hnd);
 
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index fe1613d..31cd7f5 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3023,7 +3023,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     const struct ndr_interface_table *table,
 					     enum dcerpc_transport_t transport,
-					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
 					     struct netlogon_creds_cli_context *netlogon_creds,
 					     struct rpc_pipe_client **_rpccli)
@@ -3031,6 +3030,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 	struct rpc_pipe_client *rpccli;
 	struct pipe_auth_data *rpcauth;
 	struct netlogon_creds_CredentialState *creds = NULL;
+	enum dcerpc_AuthLevel auth_level;
 	NTSTATUS status;
 	const char *target_service = table->authservices->names[0];
 	int rpc_pipe_bind_dbglvl = 0;
@@ -3048,6 +3048,8 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 		return status;
 	}
 
+	auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
+
 	status = rpccli_generic_bind_data(rpccli,
 					  DCERPC_AUTH_TYPE_SCHANNEL,
 					  auth_level,
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index cf0c5c6..c21c55d 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -94,7 +94,6 @@ NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli,
 NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     const struct ndr_interface_table *table,
 					     enum dcerpc_transport_t transport,
-					     enum dcerpc_AuthLevel auth_level,
 					     const char *domain,
 					     struct netlogon_creds_cli_context *netlogon_creds,
 					     struct rpc_pipe_client **presult);
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index e3d65c8..8f9161f 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -112,7 +112,7 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
-		cli, table, transport, auth_level, domain,
+		cli, table, transport, domain,
 		netlogon_pipe->netlogon_creds,
 		&result);
 
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index e0d1d0c..1546002 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2428,7 +2428,6 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	}
 	status = cli_rpc_pipe_open_schannel_with_key
 		(conn->cli, &ndr_table_samr, NCACN_NP,
-		 DCERPC_AUTH_LEVEL_PRIVACY,
 		 domain->name, p_creds, &conn->samr_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
@@ -2561,7 +2560,6 @@ NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
 	status = cli_rpc_pipe_open_schannel_with_key(conn->cli,
 						     &ndr_table_lsarpc,
 						     NCACN_IP_TCP,
-						     DCERPC_AUTH_LEVEL_PRIVACY,
 						     domain->name,
 						     creds,
 						     &conn->lsa_pipe_tcp);
@@ -2659,7 +2657,6 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
 	}
 	result = cli_rpc_pipe_open_schannel_with_key
 		(conn->cli, &ndr_table_lsarpc, NCACN_NP,
-		 DCERPC_AUTH_LEVEL_PRIVACY,
 		 domain->name, p_creds, &conn->lsa_pipe);
 
 	if (!NT_STATUS_IS_OK(result)) {
@@ -2839,7 +2836,7 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 
 	result = cli_rpc_pipe_open_schannel_with_key(
 		conn->cli, &ndr_table_netlogon, NCACN_NP,
-		DCERPC_AUTH_LEVEL_PRIVACY, domain->name,
+		domain->name,
 		netlogon_pipe->netlogon_creds,
 		&conn->netlogon_pipe);
 
-- 
1.9.3


From 0f19f3b64e4f0b969eec4f2048df7c40be661e82 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 7 Aug 2013 11:27:25 +0200
Subject: [PATCH 176/249] s3:rpc_client: add
 rpccli_{create,setup}_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 14ceb7b501fce6623be284cbcceb573fd2e10d3a)
---
 source3/rpc_client/cli_netlogon.c | 105 ++++++++++++++++++++++++++++++++++++++
 source3/rpc_client/cli_netlogon.h |  16 ++++++
 2 files changed, 121 insertions(+)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index fcd24d6..89aec37 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -21,15 +21,19 @@
 */
 
 #include "includes.h"
+#include "libsmb/libsmb.h"
 #include "rpc_client/rpc_client.h"
+#include "rpc_client/cli_pipe.h"
 #include "../libcli/auth/libcli_auth.h"
 #include "../libcli/auth/netlogon_creds_cli.h"
 #include "../librpc/gen_ndr/ndr_netlogon_c.h"
+#include "../librpc/gen_ndr/schannel.h"
 #include "rpc_client/cli_netlogon.h"
 #include "rpc_client/init_netlogon.h"
 #include "rpc_client/util_netlogon.h"
 #include "../libcli/security/security.h"
 #include "lib/param/param.h"
+#include "libcli/smb/smbXcli_base.h"
 
 /****************************************************************************
  Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
@@ -124,6 +128,107 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
+				      const char *server_netbios_domain,
+				      const char *client_account,
+				      enum netr_SchannelType sec_chan_type,
+				      struct messaging_context *msg_ctx,
+				      TALLOC_CTX *mem_ctx,
+				      struct netlogon_creds_cli_context **netlogon_creds)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct loadparm_context *lp_ctx;
+	NTSTATUS status;
+
+	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+	status = netlogon_creds_cli_context_global(lp_ctx,
+						   msg_ctx,
+						   client_account,
+						   sec_chan_type,
+						   server_computer,
+						   server_netbios_domain,
+						   mem_ctx, netlogon_creds);
+	TALLOC_FREE(frame);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+				     struct netlogon_creds_cli_context *netlogon_creds,
+				     bool force_reauth,
+				     struct samr_Password current_nt_hash,
+				     const struct samr_Password *previous_nt_hash)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct rpc_pipe_client *netlogon_pipe = NULL;
+	struct netlogon_creds_CredentialState *creds = NULL;
+	NTSTATUS status;
+
+	status = netlogon_creds_cli_get(netlogon_creds,
+					frame, &creds);
+	if (NT_STATUS_IS_OK(status)) {
+		const char *action = "using";
+
+		if (force_reauth) {
+			action = "overwrite";
+		}
+
+		DEBUG(5,("%s: %s cached netlogon_creds cli[%s/%s] to %s\n",
+			 __FUNCTION__, action,
+			 creds->account_name, creds->computer_name,
+			 smbXcli_conn_remote_name(cli->conn)));
+		if (!force_reauth) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_OK;
+		}
+		TALLOC_FREE(creds);
+	}
+
+	status = cli_rpc_pipe_open_noauth(cli,
+					  &ndr_table_netlogon,
+					  &netlogon_pipe);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(5,("%s: failed to open noauth netlogon connection to %s - %s\n",
+			 __FUNCTION__,
+			 smbXcli_conn_remote_name(cli->conn),
+			 nt_errstr(status)));
+		TALLOC_FREE(frame);
+		return status;
+	}
+	talloc_steal(frame, netlogon_pipe);
+
+	status = netlogon_creds_cli_auth(netlogon_creds,
+					 netlogon_pipe->binding_handle,
+					 current_nt_hash,
+					 previous_nt_hash);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = netlogon_creds_cli_get(netlogon_creds,
+					frame, &creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	DEBUG(5,("%s: using new netlogon_creds cli[%s/%s] to %s\n",
+		 __FUNCTION__,
+		 creds->account_name, creds->computer_name,
+		 smbXcli_conn_remote_name(cli->conn)));
+
+	TALLOC_FREE(frame);
+	return NT_STATUS_OK;
+}
+
 /* Logon domain user */
 
 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index ad59d5b..82e0923 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -23,6 +23,10 @@
 #ifndef _RPC_CLIENT_CLI_NETLOGON_H_
 #define _RPC_CLIENT_CLI_NETLOGON_H_
 
+struct cli_state;
+struct messaging_context;
+struct netlogon_creds_cli_context;
+
 /* The following definitions come from rpc_client/cli_netlogon.c  */
 
 NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
@@ -33,6 +37,18 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 				     const unsigned char machine_pwd[16],
 				     enum netr_SchannelType sec_chan_type,
 				     uint32_t *neg_flags_inout);
+NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
+				      const char *server_netbios_domain,
+				      const char *client_account,
+				      enum netr_SchannelType sec_chan_type,
+				      struct messaging_context *msg_ctx,
+				      TALLOC_CTX *mem_ctx,
+				      struct netlogon_creds_cli_context **netlogon_creds);
+NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
+				     struct netlogon_creds_cli_context *netlogon_creds,
+				     bool force_reauth,
+				     struct samr_Password current_nt_hash,
+				     const struct samr_Password *previous_nt_hash);
 NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 				   TALLOC_CTX *mem_ctx,
 				   uint32 logon_parameters,
-- 
1.9.3


From de0ed0882a458e52ef232e7d44234bf393311fc0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Dec 2013 20:05:56 +0100
Subject: [PATCH 177/249] s3:rpc_client: add rpccli_pre_open_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3c025af657899c9a2ff14f868c03ff72ab74cf8e)
---
 source3/rpc_client/cli_netlogon.c | 21 +++++++++++++++++++++
 source3/rpc_client/cli_netlogon.h |  1 +
 2 files changed, 22 insertions(+)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 89aec37..9342fc3 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -128,6 +128,27 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS rpccli_pre_open_netlogon_creds(void)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct loadparm_context *lp_ctx;
+	NTSTATUS status;
+
+	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = netlogon_creds_cli_open_global_db(lp_ctx);
+	TALLOC_FREE(frame);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
 NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 				      const char *server_netbios_domain,
 				      const char *client_account,
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 82e0923..3096c48 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -37,6 +37,7 @@ NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
 				     const unsigned char machine_pwd[16],
 				     enum netr_SchannelType sec_chan_type,
 				     uint32_t *neg_flags_inout);
+NTSTATUS rpccli_pre_open_netlogon_creds(void);
 NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 				      const char *server_netbios_domain,
 				      const char *client_account,
-- 
1.9.3


From f4f7df785d1641f1e21ad8374140715fd41be07a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 14:07:43 +0200
Subject: [PATCH 178/249] s3:rpc_client: remove unused
 rpccli_netlogon_sam_network_logon_ex()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a07cc9a1c6ab8fee516e069a6f90bb48a7abf875)
---
 source3/rpc_client/cli_netlogon.c | 27 ---------------------------
 source3/rpc_client/cli_netlogon.h | 12 ------------
 2 files changed, 39 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 9342fc3..253d060 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -524,33 +524,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
-					      TALLOC_CTX *mem_ctx,
-					      uint32 logon_parameters,
-					      const char *server,
-					      const char *username,
-					      const char *domain,
-					      const char *workstation,
-					      const uint8 chal[8],
-					      uint16_t validation_level,
-					      DATA_BLOB lm_response,
-					      DATA_BLOB nt_response,
-					      struct netr_SamInfo3 **info3)
-{
-	return rpccli_netlogon_sam_network_logon(cli,
-						 mem_ctx,
-						 logon_parameters,
-						 server,
-						 username,
-						 domain,
-						 workstation,
-						 chal,
-						 validation_level,
-						 lm_response,
-						 nt_response,
-						 info3);
-}
-
 /*********************************************************
  Change the domain password on the PDC.
 
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 3096c48..f10e5c7 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -71,18 +71,6 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 					   DATA_BLOB lm_response,
 					   DATA_BLOB nt_response,
 					   struct netr_SamInfo3 **info3);
-NTSTATUS rpccli_netlogon_sam_network_logon_ex(struct rpc_pipe_client *cli,
-					      TALLOC_CTX *mem_ctx,
-					      uint32 logon_parameters,
-					      const char *server,
-					      const char *username,
-					      const char *domain,
-					      const char *workstation,
-					      const uint8 chal[8],
-					      uint16_t validation_level,
-					      DATA_BLOB lm_response,
-					      DATA_BLOB nt_response,
-					      struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
 					    TALLOC_CTX *mem_ctx,
 					    const char *account_name,
-- 
1.9.3


From b250859baf6c720e636c2435b0593af83acf6acc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 14:36:24 +0200
Subject: [PATCH 179/249] s3:rpc_client: add rpccli_netlogon_network_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5196493c9e599b741417b119b48188ba0d646a37)
---
 source3/rpc_client/cli_netlogon.c | 103 ++++++++++++++++++++++++++++++++++++++
 source3/rpc_client/cli_netlogon.h |  14 ++++++
 2 files changed, 117 insertions(+)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 253d060..e335423 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -524,6 +524,109 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+				       struct dcerpc_binding_handle *binding_handle,
+				       TALLOC_CTX *mem_ctx,
+				       uint32_t logon_parameters,
+				       const char *username,
+				       const char *domain,
+				       const char *workstation,
+				       const uint8 chal[8],
+				       DATA_BLOB lm_response,
+				       DATA_BLOB nt_response,
+				       uint8_t *authoritative,
+				       uint32_t *flags,
+				       struct netr_SamInfo3 **info3)
+{
+	NTSTATUS status;
+	const char *workstation_name_slash;
+	union netr_LogonLevel *logon = NULL;
+	struct netr_NetworkInfo *network_info;
+	uint16_t validation_level = 0;
+	union netr_Validation *validation = NULL;
+	uint8_t _authoritative = 0;
+	uint32_t _flags = 0;
+	struct netr_ChallengeResponse lm;
+	struct netr_ChallengeResponse nt;
+
+	*info3 = NULL;
+
+	if (authoritative == NULL) {
+		authoritative = &_authoritative;
+	}
+	if (flags == NULL) {
+		flags = &_flags;
+	}
+
+	ZERO_STRUCT(lm);
+	ZERO_STRUCT(nt);
+
+	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
+	if (!logon) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
+	if (!network_info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (workstation[0] != '\\' && workstation[1] != '\\') {
+		workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
+	} else {
+		workstation_name_slash = workstation;
+	}
+
+	if (!workstation_name_slash) {
+		DEBUG(0, ("talloc_asprintf failed!\n"));
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* Initialise input parameters */
+
+	lm.data = lm_response.data;
+	lm.length = lm_response.length;
+	nt.data = nt_response.data;
+	nt.length = nt_response.length;
+
+	network_info->identity_info.domain_name.string		= domain;
+	network_info->identity_info.parameter_control		= logon_parameters;
+	network_info->identity_info.logon_id_low		= 0xdead;
+	network_info->identity_info.logon_id_high		= 0xbeef;
+	network_info->identity_info.account_name.string		= username;
+	network_info->identity_info.workstation.string		= workstation_name_slash;
+
+	memcpy(network_info->challenge, chal, 8);
+	network_info->nt = nt;
+	network_info->lm = lm;
+
+	logon->network = network_info;
+
+	/* Marshall data and send request */
+
+	status = netlogon_creds_cli_LogonSamLogon(creds,
+						  binding_handle,
+						  NetlogonNetworkInformation,
+						  logon,
+						  mem_ctx,
+						  &validation_level,
+						  &validation,
+						  authoritative,
+						  flags);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	status = map_validation_to_info3(mem_ctx,
+					 validation_level, validation,
+					 info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
 /*********************************************************
  Change the domain password on the PDC.
 
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index f10e5c7..54ed7ae 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -26,6 +26,7 @@
 struct cli_state;
 struct messaging_context;
 struct netlogon_creds_cli_context;
+struct dcerpc_binding_handle;
 
 /* The following definitions come from rpc_client/cli_netlogon.c  */
 
@@ -71,6 +72,19 @@ NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 					   DATA_BLOB lm_response,
 					   DATA_BLOB nt_response,
 					   struct netr_SamInfo3 **info3);
+NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
+				       struct dcerpc_binding_handle *binding_handle,
+				       TALLOC_CTX *mem_ctx,
+				       uint32_t logon_parameters,
+				       const char *username,
+				       const char *domain,
+				       const char *workstation,
+				       const uint8 chal[8],
+				       DATA_BLOB lm_response,
+				       DATA_BLOB nt_response,
+				       uint8_t *authoritative,
+				       uint32_t *flags,
+				       struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
 					    TALLOC_CTX *mem_ctx,
 					    const char *account_name,
-- 
1.9.3


From 2488e78fdf3058bf3a48c2086afd0f3248a43417 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 14:56:06 +0200
Subject: [PATCH 180/249] s3:rpc_client: add rpccli_netlogon_password_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b7dc3fb20468aa67ea7ddc1cea21fbe458e74565)
---
 source3/rpc_client/cli_netlogon.c | 133 ++++++++++++++++++++++++++++++++++++++
 source3/rpc_client/cli_netlogon.h |   8 +++
 2 files changed, 141 insertions(+)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index e335423..a9f8604 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -376,6 +376,139 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 	return NT_STATUS_OK;
 }
 
+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
+					struct dcerpc_binding_handle *binding_handle,
+					uint32_t logon_parameters,
+					const char *domain,
+					const char *username,
+					const char *password,
+					const char *workstation,
+					enum netr_LogonInfoClass logon_type)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	NTSTATUS status;
+	union netr_LogonLevel *logon;
+	uint16_t validation_level = 0;
+	union netr_Validation *validation = NULL;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
+	char *workstation_slash = NULL;
+
+	logon = talloc_zero(frame, union netr_LogonLevel);
+	if (logon == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (workstation == NULL) {
+		workstation = lp_netbios_name();
+	}
+
+	workstation_slash = talloc_asprintf(frame, "\\\\%s", workstation);
+	if (workstation_slash == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* Initialise input parameters */
+
+	switch (logon_type) {
+	case NetlogonInteractiveInformation: {
+
+		struct netr_PasswordInfo *password_info;
+
+		struct samr_Password lmpassword;
+		struct samr_Password ntpassword;
+
+		password_info = talloc_zero(frame, struct netr_PasswordInfo);
+		if (password_info == NULL) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
+
+		password_info->identity_info.domain_name.string		= domain;
+		password_info->identity_info.parameter_control		= logon_parameters;
+		password_info->identity_info.logon_id_low		= 0xdead;
+		password_info->identity_info.logon_id_high		= 0xbeef;
+		password_info->identity_info.account_name.string	= username;
+		password_info->identity_info.workstation.string		= workstation_slash;
+
+		password_info->lmpassword = lmpassword;
+		password_info->ntpassword = ntpassword;
+
+		logon->password = password_info;
+
+		break;
+	}
+	case NetlogonNetworkInformation: {
+		struct netr_NetworkInfo *network_info;
+		uint8 chal[8];
+		unsigned char local_lm_response[24];
+		unsigned char local_nt_response[24];
+		struct netr_ChallengeResponse lm;
+		struct netr_ChallengeResponse nt;
+
+		ZERO_STRUCT(lm);
+		ZERO_STRUCT(nt);
+
+		network_info = talloc_zero(frame, struct netr_NetworkInfo);
+		if (network_info == NULL) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_NO_MEMORY;
+		}
+
+		generate_random_buffer(chal, 8);
+
+		SMBencrypt(password, chal, local_lm_response);
+		SMBNTencrypt(password, chal, local_nt_response);
+
+		lm.length = 24;
+		lm.data = local_lm_response;
+
+		nt.length = 24;
+		nt.data = local_nt_response;
+
+		network_info->identity_info.domain_name.string		= domain;
+		network_info->identity_info.parameter_control		= logon_parameters;
+		network_info->identity_info.logon_id_low		= 0xdead;
+		network_info->identity_info.logon_id_high		= 0xbeef;
+		network_info->identity_info.account_name.string		= username;
+		network_info->identity_info.workstation.string		= workstation_slash;
+
+		memcpy(network_info->challenge, chal, 8);
+		network_info->nt = nt;
+		network_info->lm = lm;
+
+		logon->network = network_info;
+
+		break;
+	}
+	default:
+		DEBUG(0, ("switch value %d not supported\n",
+			logon_type));
+		TALLOC_FREE(frame);
+		return NT_STATUS_INVALID_INFO_CLASS;
+	}
+
+	status = netlogon_creds_cli_LogonSamLogon(creds,
+						  binding_handle,
+						  logon_type,
+						  logon,
+						  frame,
+						  &validation_level,
+						  &validation,
+						  &authoritative,
+						  &flags);
+	TALLOC_FREE(frame);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	return NT_STATUS_OK;
+}
+
 static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
 					uint16_t validation_level,
 					union netr_Validation *validation,
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 54ed7ae..d4c6670 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -60,6 +60,14 @@ NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
 				   const char *workstation,
 				   uint16_t validation_level,
 				   int logon_type);
+NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
+					struct dcerpc_binding_handle *binding_handle,
+					uint32_t logon_parameters,
+					const char *domain,
+					const char *username,
+					const char *password,
+					const char *workstation,
+					enum netr_LogonInfoClass logon_type);
 NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
 					   TALLOC_CTX *mem_ctx,
 					   uint32 logon_parameters,
-- 
1.9.3


From 10c272f991643913358efd5fefb28fc1ce307c70 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Dec 2013 20:06:14 +0100
Subject: [PATCH 181/249] s3:winbindd: call rpccli_pre_open_netlogon_creds() in
 the parent

This opens the CLEAR_IF_FIRST tdb in the long living parent.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 07126b6fb22cebce660d1d1a4f0f9fb905064aa0)
---
 source3/winbindd/winbindd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index 69a17bf..a90c8fe 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -31,6 +31,7 @@
 #include "../librpc/gen_ndr/srv_lsa.h"
 #include "../librpc/gen_ndr/srv_samr.h"
 #include "secrets.h"
+#include "rpc_client/cli_netlogon.h"
 #include "idmap.h"
 #include "lib/addrchange.h"
 #include "serverid.h"
@@ -1538,6 +1539,13 @@ int main(int argc, char **argv, char **envp)
 		return False;
 	}
 
+	status = rpccli_pre_open_netlogon_creds();
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("rpccli_pre_open_netlogon_creds() - %s\n",
+			  nt_errstr(status)));
+		exit(1);
+	}
+
 	/* Unblock all signals we are interested in as they may have been
 	   blocked by the parent process. */
 
-- 
1.9.3


From 4cb4ec2065f1f8b3598eb37ca24ce0f8fdf567aa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 7 Aug 2013 11:32:44 +0200
Subject: [PATCH 182/249] s3:winbindd: make use of
 rpccli_{create,setup}_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 22e4e2c1d1252e434cb928d4530c378a62a64138)
---
 source3/winbindd/winbindd.h          |   3 +
 source3/winbindd/winbindd_cm.c       | 125 ++++++++++++++++++++---------------
 source3/winbindd/winbindd_dual_srv.c |   1 +
 3 files changed, 77 insertions(+), 52 deletions(-)

diff --git a/source3/winbindd/winbindd.h b/source3/winbindd/winbindd.h
index b5fc010..8f89e27 100644
--- a/source3/winbindd/winbindd.h
+++ b/source3/winbindd/winbindd.h
@@ -116,6 +116,9 @@ struct winbindd_cm_conn {
 	struct policy_handle lsa_policy;
 
 	struct rpc_pipe_client *netlogon_pipe;
+	struct netlogon_creds_cli_context *netlogon_creds;
+	uint32_t netlogon_flags;
+	bool netlogon_force_reauth;
 };
 
 /* Async child */
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 1546002..7b6cc96 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -79,6 +79,7 @@
 #include "auth/gensec/gensec.h"
 #include "../libcli/smb/smbXcli_base.h"
 #include "lib/param/loadparm.h"
+#include "libcli/auth/netlogon_creds_cli.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
@@ -1826,6 +1827,9 @@ void invalidate_cm_connection(struct winbindd_cm_conn *conn)
 	}
 
 	conn->auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+	conn->netlogon_force_reauth = false;
+	conn->netlogon_flags = 0;
+	TALLOC_FREE(conn->netlogon_creds);
 
 	if (conn->cli) {
 		cli_shutdown(conn->cli);
@@ -2292,8 +2296,18 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	struct rpc_pipe_client *netlogon_pipe;
 
-	if (lp_client_schannel() == False) {
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	*ppdc = NULL;
+
+	if ((!IS_DC) && (!domain->primary)) {
+		return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+	}
+
+	if (domain->conn.netlogon_creds != NULL) {
+		if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+			return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+		}
+		*ppdc = domain->conn.netlogon_creds;
+		return NT_STATUS_OK;
 	}
 
 	result = cm_connect_netlogon(domain, &netlogon_pipe);
@@ -2301,14 +2315,15 @@ static NTSTATUS cm_get_schannel_creds(struct winbindd_domain *domain,
 		return result;
 	}
 
-	/* Return a pointer to the struct netlogon_creds_CredentialState from the
-	   netlogon pipe. */
+	if (domain->conn.netlogon_creds == NULL) {
+		return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
+	}
 
-	if (!domain->conn.netlogon_pipe->netlogon_creds) {
-		return NT_STATUS_INTERNAL_ERROR; /* This shouldn't happen. */
+	if (!(domain->conn.netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+		return NT_STATUS_TRUSTED_DOMAIN_FAILURE;
 	}
 
-	*ppdc = domain->conn.netlogon_pipe->netlogon_creds;
+	*ppdc = domain->conn.netlogon_creds;
 	return NT_STATUS_OK;
 }
 
@@ -2747,14 +2762,16 @@ NTSTATUS cm_connect_lsat(struct winbindd_domain *domain,
 NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 			     struct rpc_pipe_client **cli)
 {
+	struct messaging_context *msg_ctx = winbind_messaging_context();
 	struct winbindd_cm_conn *conn;
 	NTSTATUS result;
-
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
-	uint8_t  mach_pwd[16];
 	enum netr_SchannelType sec_chan_type;
+	const char *_account_name;
 	const char *account_name;
-	struct rpc_pipe_client *netlogon_pipe = NULL;
+	struct samr_Password current_nt_hash;
+	struct samr_Password *previous_nt_hash = NULL;
+	struct netlogon_creds_CredentialState *creds = NULL;
+	bool ok;
 
 	*cli = NULL;
 
@@ -2771,60 +2788,68 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 	}
 
 	TALLOC_FREE(conn->netlogon_pipe);
-
-	result = cli_rpc_pipe_open_noauth(conn->cli,
-					  &ndr_table_netlogon,
-					  &netlogon_pipe);
-	if (!NT_STATUS_IS_OK(result)) {
-		return result;
-	}
+	conn->netlogon_flags = 0;
+	TALLOC_FREE(conn->netlogon_creds);
 
 	if ((!IS_DC) && (!domain->primary)) {
-		/* Clear the schannel request bit and drop down */
-		neg_flags &= ~NETLOGON_NEG_SCHANNEL;		
 		goto no_schannel;
 	}
 
-	if (lp_client_schannel() != False) {
-		neg_flags |= NETLOGON_NEG_SCHANNEL;
+	ok = get_trust_pw_hash(domain->name,
+			       current_nt_hash.hash,
+			       &_account_name,
+			       &sec_chan_type);
+	if (!ok) {
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
-	if (!get_trust_pw_hash(domain->name, mach_pwd, &account_name,
-			       &sec_chan_type))
-	{
-		TALLOC_FREE(netlogon_pipe);
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
+	if (account_name == NULL) {
+		return NT_STATUS_NO_MEMORY;
 	}
 
-	result = rpccli_netlogon_setup_creds(
-		 netlogon_pipe,
-		 domain->dcname, /* server name. */
-		 domain->name,   /* domain name */
-		 lp_netbios_name(), /* client name */
-		 account_name,   /* machine account */
-		 mach_pwd,       /* machine password */
-		 sec_chan_type,  /* from get_trust_pw */
-		 &neg_flags);
+	result = rpccli_create_netlogon_creds(domain->dcname,
+					      domain->name,
+					      account_name,
+					      sec_chan_type,
+					      msg_ctx,
+					      domain,
+					      &conn->netlogon_creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		SAFE_FREE(previous_nt_hash);
+		return result;
+	}
 
+	result = rpccli_setup_netlogon_creds(conn->cli,
+					     conn->netlogon_creds,
+					     conn->netlogon_force_reauth,
+					     current_nt_hash,
+					     previous_nt_hash);
+	conn->netlogon_force_reauth = false;
+	SAFE_FREE(previous_nt_hash);
 	if (!NT_STATUS_IS_OK(result)) {
-		TALLOC_FREE(netlogon_pipe);
 		return result;
 	}
 
-	if ((lp_client_schannel() == True) &&
-			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
-		DEBUG(3, ("Server did not offer schannel\n"));
-		TALLOC_FREE(netlogon_pipe);
-		return NT_STATUS_ACCESS_DENIED;
+	result = netlogon_creds_cli_get(conn->netlogon_creds,
+					talloc_tos(),
+					&creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		return result;
 	}
+	conn->netlogon_flags = creds->negotiate_flags;
+	TALLOC_FREE(creds);
 
  no_schannel:
-	if ((lp_client_schannel() == False) ||
-			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
+	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+		result = cli_rpc_pipe_open_noauth(conn->cli,
+					&ndr_table_netlogon,
+					&conn->netlogon_pipe);
+		if (!NT_STATUS_IS_OK(result)) {
+			invalidate_cm_connection(conn);
+			return result;
+		}
 
-		/* We're done - just keep the existing connection to NETLOGON
-		 * open */
-		conn->netlogon_pipe = netlogon_pipe;
 		*cli = conn->netlogon_pipe;
 		return NT_STATUS_OK;
 	}
@@ -2837,12 +2862,8 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
 	result = cli_rpc_pipe_open_schannel_with_key(
 		conn->cli, &ndr_table_netlogon, NCACN_NP,
 		domain->name,
-		netlogon_pipe->netlogon_creds,
+		conn->netlogon_creds,
 		&conn->netlogon_pipe);
-
-	/* We can now close the initial netlogon pipe. */
-	TALLOC_FREE(netlogon_pipe);
-
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(3, ("Could not open schannel'ed NETLOGON pipe. Error "
 			  "was %s\n", nt_errstr(result)));
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index b873655..001591a 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -580,6 +580,7 @@ NTSTATUS _wbint_CheckMachineAccount(struct pipes_struct *p,
 
 again:
 	invalidate_cm_connection(&domain->conn);
+	domain->conn.netlogon_force_reauth = true;
 
 	{
 		struct rpc_pipe_client *netlogon_pipe;
-- 
1.9.3


From dc77edf0b74a88950f4de2472c05a73fcc629dc1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 13:07:45 +0200
Subject: [PATCH 183/249] s3:auth_domain: simplify
 connect_to_domain_password_server()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d9d55f5406949187901476d673c7d6ff0fc165c2)
---
 source3/auth/auth_domain.c | 31 ++++++++++++-------------------
 1 file changed, 12 insertions(+), 19 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 9f88c4a..ae27bf0 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -47,16 +47,17 @@ static struct named_mutex *mutex;
  *
  **/
 
-static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
+static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 						const char *domain,
 						const char *dc_name,
 						const struct sockaddr_storage *dc_ss,
 						struct rpc_pipe_client **pipe_ret)
 {
-        NTSTATUS result;
+	NTSTATUS result;
+	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
 
-	*cli = NULL;
+	*cli_ret = NULL;
 
 	*pipe_ret = NULL;
 
@@ -80,7 +81,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 	}
 
 	/* Attempt connection */
-	result = cli_full_connection(cli, lp_netbios_name(), dc_name, dc_ss, 0,
+	result = cli_full_connection(&cli, lp_netbios_name(), dc_name, dc_ss, 0,
 		"IPC$", "IPC", "", "", "", 0, SMB_SIGNING_DEFAULT);
 
 	if (!NT_STATUS_IS_OK(result)) {
@@ -89,11 +90,6 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 			result = NT_STATUS_NO_LOGON_SERVERS;
 		}
 
-		if (*cli) {
-			cli_shutdown(*cli);
-			*cli = NULL;
-		}
-
 		TALLOC_FREE(mutex);
 		return result;
 	}
@@ -115,18 +111,17 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 	if (lp_client_schannel()) {
 		/* We also setup the creds chain in the open_schannel call. */
 		result = cli_rpc_pipe_open_schannel(
-			*cli, &ndr_table_netlogon, NCACN_NP,
+			cli, &ndr_table_netlogon, NCACN_NP,
 			DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
 	} else {
 		result = cli_rpc_pipe_open_noauth(
-			*cli, &ndr_table_netlogon, &netlogon_pipe);
+			cli, &ndr_table_netlogon, &netlogon_pipe);
 	}
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
 machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
-		cli_shutdown(*cli);
-		*cli = NULL;
+		cli_shutdown(cli);
 		TALLOC_FREE(mutex);
 		return result;
 	}
@@ -145,8 +140,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 			DEBUG(0, ("connect_to_domain_password_server: could not fetch "
 			"trust account password for domain '%s'\n",
 				domain));
-			cli_shutdown(*cli);
-			*cli = NULL;
+			cli_shutdown(cli);
 			TALLOC_FREE(mutex);
 			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		}
@@ -161,8 +155,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 					&neg_flags);
 
 		if (!NT_STATUS_IS_OK(result)) {
-			cli_shutdown(*cli);
-			*cli = NULL;
+			cli_shutdown(cli);
 			TALLOC_FREE(mutex);
 			return result;
 		}
@@ -172,14 +165,14 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 		DEBUG(0, ("connect_to_domain_password_server: unable to open "
 			  "the domain client session to machine %s. Error "
 			  "was : %s.\n", dc_name, nt_errstr(result)));
-		cli_shutdown(*cli);
-		*cli = NULL;
+		cli_shutdown(cli);
 		TALLOC_FREE(mutex);
 		return NT_STATUS_NO_LOGON_SERVERS;
 	}
 
 	/* We exit here with the mutex *locked*. JRA */
 
+	*cli_ret = cli;
 	*pipe_ret = netlogon_pipe;
 
 	return NT_STATUS_OK;
-- 
1.9.3


From 8fc2ffafd545dbc4af4c1ebab5fb631da18cade4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 15:01:10 +0200
Subject: [PATCH 184/249] s3:auth_domain: make use of
 rpccli_{create,setup}_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 34e66780e573bebf4b971fb96e1ed8680c1488a9)
---
 source3/auth/auth_domain.c | 136 ++++++++++++++++++++++++++++-----------------
 1 file changed, 85 insertions(+), 51 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index ae27bf0..bf2671c 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -27,6 +27,7 @@
 #include "secrets.h"
 #include "passdb.h"
 #include "libsmb/libsmb.h"
+#include "libcli/auth/netlogon_creds_cli.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
@@ -53,9 +54,20 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 						const struct sockaddr_storage *dc_ss,
 						struct rpc_pipe_client **pipe_ret)
 {
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct messaging_context *msg_ctx = server_messaging_context();
 	NTSTATUS result;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
+	struct netlogon_creds_cli_context *netlogon_creds = NULL;
+	struct netlogon_creds_CredentialState *creds = NULL;
+	uint32_t netlogon_flags = 0;
+	enum netr_SchannelType sec_chan_type = 0;
+	const char *_account_name = NULL;
+	const char *account_name = NULL;
+	struct samr_Password current_nt_hash;
+	struct samr_Password *previous_nt_hash = NULL;
+	bool ok;
 
 	*cli_ret = NULL;
 
@@ -77,6 +89,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 
 	mutex = grab_named_mutex(NULL, dc_name, 10);
 	if (mutex == NULL) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_LOGON_SERVERS;
 	}
 
@@ -91,6 +104,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 		}
 
 		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
 		return result;
 	}
 
@@ -98,67 +112,85 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 	 * We now have an anonymous connection to IPC$ on the domain password server.
 	 */
 
-	/*
-	 * Even if the connect succeeds we need to setup the netlogon
-	 * pipe here. We do this as we may just have changed the domain
-	 * account password on the PDC and yet we may be talking to
-	 * a BDC that doesn't have this replicated yet. In this case
-	 * a successful connect to a DC needs to take the netlogon connect
-	 * into account also. This patch from "Bjart Kvarme" <bjart.kvarme@usit.uio.no>.
-	 */
+	ok = get_trust_pw_hash(domain,
+			       current_nt_hash.hash,
+			       &_account_name,
+			       &sec_chan_type);
+	if (!ok) {
+		cli_shutdown(cli);
+		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
 
-	/* open the netlogon pipe. */
-	if (lp_client_schannel()) {
-		/* We also setup the creds chain in the open_schannel call. */
-		result = cli_rpc_pipe_open_schannel(
-			cli, &ndr_table_netlogon, NCACN_NP,
-			DCERPC_AUTH_LEVEL_PRIVACY, domain, &netlogon_pipe);
-	} else {
-		result = cli_rpc_pipe_open_noauth(
-			cli, &ndr_table_netlogon, &netlogon_pipe);
+	account_name = talloc_asprintf(talloc_tos(), "%s$", _account_name);
+	if (account_name == NULL) {
+		cli_shutdown(cli);
+		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
 	}
 
+	result = rpccli_create_netlogon_creds(dc_name,
+					      domain,
+					      account_name,
+					      sec_chan_type,
+					      msg_ctx,
+					      talloc_tos(),
+					      &netlogon_creds);
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0,("connect_to_domain_password_server: unable to open the domain client session to \
-machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 		cli_shutdown(cli);
 		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
+		SAFE_FREE(previous_nt_hash);
 		return result;
 	}
 
-	if (!lp_client_schannel()) {
-		/* We need to set up a creds chain on an unauthenticated netlogon pipe. */
-		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-					NETLOGON_NEG_SUPPORTS_AES;
-		enum netr_SchannelType sec_chan_type = 0;
-		unsigned char machine_pwd[16];
-		const char *account_name;
-
-		if (!get_trust_pw_hash(domain, machine_pwd, &account_name,
-				       &sec_chan_type))
-		{
-			DEBUG(0, ("connect_to_domain_password_server: could not fetch "
-			"trust account password for domain '%s'\n",
-				domain));
-			cli_shutdown(cli);
-			TALLOC_FREE(mutex);
-			return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-		}
+	result = rpccli_setup_netlogon_creds(cli,
+					     netlogon_creds,
+					     false, /* force_reauth */
+					     current_nt_hash,
+					     previous_nt_hash);
+	SAFE_FREE(previous_nt_hash);
+	if (!NT_STATUS_IS_OK(result)) {
+		cli_shutdown(cli);
+		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
+		return result;
+	}
 
-		result = rpccli_netlogon_setup_creds(netlogon_pipe,
-					dc_name, /* server name */
-					domain, /* domain */
-					lp_netbios_name(), /* client name */
-					account_name, /* machine account name */
-					machine_pwd,
-					sec_chan_type,
-					&neg_flags);
-
-		if (!NT_STATUS_IS_OK(result)) {
-			cli_shutdown(cli);
-			TALLOC_FREE(mutex);
-			return result;
-		}
+	result = netlogon_creds_cli_get(netlogon_creds,
+					talloc_tos(),
+					&creds);
+	if (!NT_STATUS_IS_OK(result)) {
+		cli_shutdown(cli);
+		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
+		return result;
+	}
+	netlogon_flags = creds->negotiate_flags;
+	TALLOC_FREE(creds);
+
+	if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
+		result = cli_rpc_pipe_open_schannel_with_key(
+			cli, &ndr_table_netlogon, NCACN_NP,
+			domain, netlogon_creds, &netlogon_pipe);
+	} else {
+		result = cli_rpc_pipe_open_noauth(cli,
+					&ndr_table_netlogon,
+					&netlogon_pipe);
+	}
+
+	if (!NT_STATUS_IS_OK(result)) {
+		DEBUG(0,("connect_to_domain_password_server: "
+			 "unable to open the domain client session to "
+			 "machine %s. Flags[0x%08X] Error was : %s.\n",
+			 dc_name, (unsigned)netlogon_flags,
+			 nt_errstr(result)));
+		cli_shutdown(cli);
+		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
+		return result;
 	}
 
 	if(!netlogon_pipe) {
@@ -167,6 +199,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 			  "was : %s.\n", dc_name, nt_errstr(result)));
 		cli_shutdown(cli);
 		TALLOC_FREE(mutex);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_LOGON_SERVERS;
 	}
 
@@ -175,6 +208,7 @@ machine %s. Error was : %s.\n", dc_name, nt_errstr(result)));
 	*cli_ret = cli;
 	*pipe_ret = netlogon_pipe;
 
+	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
 
-- 
1.9.3


From 5cc57e577bc7d144176ffe6f21ed24a95661a861 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 27 Aug 2013 15:02:26 +0200
Subject: [PATCH 185/249] s3:auth_domain: make use of
 rpccli_netlogon_network_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 531bbf3aff3fb08aaf112b21038f20544db60b69)
---
 source3/auth/auth_domain.c | 36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index bf2671c..937841c 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -52,7 +52,8 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 						const char *domain,
 						const char *dc_name,
 						const struct sockaddr_storage *dc_ss,
-						struct rpc_pipe_client **pipe_ret)
+						struct rpc_pipe_client **pipe_ret,
+						struct netlogon_creds_cli_context **creds_ret)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	struct messaging_context *msg_ctx = server_messaging_context();
@@ -72,6 +73,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 	*cli_ret = NULL;
 
 	*pipe_ret = NULL;
+	*creds_ret = NULL;
 
 	/* TODO: Send a SAMLOGON request to determine whether this is a valid
 	   logonserver.  We can avoid a 30-second timeout if the DC is down
@@ -207,6 +209,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli_ret,
 
 	*cli_ret = cli;
 	*pipe_ret = netlogon_pipe;
+	*creds_ret = netlogon_creds;
 
 	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
@@ -230,8 +233,11 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 	struct netr_SamInfo3 *info3 = NULL;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
+	struct netlogon_creds_cli_context *netlogon_creds = NULL;
 	NTSTATUS nt_status = NT_STATUS_NO_LOGON_SERVERS;
 	int i;
+	uint8_t authoritative = 0;
+	uint32_t flags = 0;
 
 	/*
 	 * At this point, smb_apasswd points to the lanman response to
@@ -248,7 +254,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 							domain,
 							dc_name,
 							dc_ss,
-							&netlogon_pipe);
+							&netlogon_pipe,
+							&netlogon_creds);
 	}
 
 	if ( !NT_STATUS_IS_OK(nt_status) ) {
@@ -268,18 +275,19 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
          * in the info3 structure.  
          */
 
-	nt_status = rpccli_netlogon_sam_network_logon(netlogon_pipe,
-						      mem_ctx,
-						      user_info->logon_parameters,         /* flags such as 'allow workstation logon' */
-						      dc_name,                             /* server name */
-						      user_info->client.account_name,      /* user name logging on. */
-						      user_info->client.domain_name,       /* domain name */
-						      user_info->workstation_name,         /* workstation name */
-						      chal,                                /* 8 byte challenge. */
-						      3,				   /* validation level */
-						      user_info->password.response.lanman, /* lanman 24 byte response */
-						      user_info->password.response.nt,     /* nt 24 byte response */
-						      &info3);                             /* info3 out */
+	nt_status = rpccli_netlogon_network_logon(netlogon_creds,
+						  netlogon_pipe->binding_handle,
+						  mem_ctx,
+						  user_info->logon_parameters,         /* flags such as 'allow workstation logon' */
+						  user_info->client.account_name,      /* user name logging on. */
+						  user_info->client.domain_name,       /* domain name */
+						  user_info->workstation_name,         /* workstation name */
+						  chal,                                /* 8 byte challenge. */
+						  user_info->password.response.lanman, /* lanman 24 byte response */
+						  user_info->password.response.nt,     /* nt 24 byte response */
+						  &authoritative,
+						  &flags,
+						  &info3);                             /* info3 out */
 
 	/* Let go as soon as possible so we avoid any potential deadlocks
 	   with winbind lookup up users or groups. */
-- 
1.9.3


From 5da4eca4d30b3894426a4f7cb0512ae61c097cbc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 2 Sep 2013 19:32:23 +0200
Subject: [PATCH 186/249] s3:libnet_join: make use of
 rpccli_{create,setup}_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 963800539cea7487fc6258f8ac8f7cacc3426b83)
---
 source3/libnet/libnet_join.c | 110 +++++++++++++++++++++++++++++++------------
 source3/libnet/libnet_join.h |   5 +-
 source3/utils/net_rpc.c      |   4 +-
 3 files changed, 86 insertions(+), 33 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index b2805ee..6e653c3 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -40,6 +40,8 @@
 #include "libsmb/libsmb.h"
 #include "../libcli/smb/smbXcli_base.h"
 #include "lib/param/loadparm.h"
+#include "libcli/auth/netlogon_creds_cli.h"
+#include "auth/credentials/credentials.h"
 
 /****************************************************************
 ****************************************************************/
@@ -1189,38 +1191,52 @@ static NTSTATUS libnet_join_joindomain_rpc(TALLOC_CTX *mem_ctx,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS libnet_join_ok(const char *netbios_domain_name,
-			const char *machine_name,
+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
+			const char *netbios_domain_name,
 			const char *dc_name,
 			const bool use_kerberos)
 {
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-				NETLOGON_NEG_SUPPORTS_AES;
+	TALLOC_CTX *frame = talloc_stackframe();
 	struct cli_state *cli = NULL;
-	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
+	struct netlogon_creds_cli_context *netlogon_creds = NULL;
+	struct netlogon_creds_CredentialState *creds = NULL;
+	uint32_t netlogon_flags = 0;
+	enum netr_SchannelType sec_chan_type = 0;
 	NTSTATUS status;
 	char *machine_password = NULL;
-	char *machine_account = NULL;
+	const char *machine_name = NULL;
+	const char *machine_account = NULL;
 	int flags = 0;
+	struct samr_Password current_nt_hash;
+	struct samr_Password *previous_nt_hash = NULL;
+	bool ok;
 
 	if (!dc_name) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
 	if (!secrets_init()) {
+		TALLOC_FREE(frame);
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
-	machine_password = secrets_fetch_machine_password(netbios_domain_name,
-							  NULL, NULL);
-	if (!machine_password) {
-		return NT_STATUS_NO_TRUST_LSA_SECRET;
+	ok = get_trust_pw_clear(netbios_domain_name,
+				&machine_password,
+				&machine_name,
+				&sec_chan_type);
+	if (!ok) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
-	if (asprintf(&machine_account, "%s$", machine_name) == -1) {
+	machine_account = talloc_asprintf(frame, "%s$", machine_name);
+	if (machine_account == NULL) {
 		SAFE_FREE(machine_password);
-		return NT_STATUS_NO_MEMORY;
+		SAFE_FREE(previous_nt_hash);
+		TALLOC_FREE(frame);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
 	if (use_kerberos) {
@@ -1232,12 +1248,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 				     NULL, 0,
 				     "IPC$", "IPC",
 				     machine_account,
-				     NULL,
+				     netbios_domain_name,
 				     machine_password,
 				     flags,
 				     SMB_SIGNING_DEFAULT);
-	free(machine_account);
-	free(machine_password);
+
+	E_md4hash(machine_password, current_nt_hash.hash);
+	SAFE_FREE(machine_password);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		status = cli_full_connection(&cli, NULL,
@@ -1252,36 +1269,65 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 	}
 
 	if (!NT_STATUS_IS_OK(status)) {
+		SAFE_FREE(previous_nt_hash);
+		TALLOC_FREE(frame);
 		return status;
 	}
 
-	status = get_schannel_session_key(cli, netbios_domain_name,
-					  &neg_flags, &netlogon_pipe);
+	status = rpccli_create_netlogon_creds(dc_name,
+					      netbios_domain_name,
+					      machine_account,
+					      sec_chan_type,
+					      msg_ctx,
+					      frame,
+					      &netlogon_creds);
 	if (!NT_STATUS_IS_OK(status)) {
-		if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
-			cli_shutdown(cli);
-			return NT_STATUS_OK;
-		}
+		SAFE_FREE(previous_nt_hash);
+		cli_shutdown(cli);
+		TALLOC_FREE(frame);
+		return status;
+	}
 
-		DEBUG(0,("libnet_join_ok: failed to get schannel session "
-			"key from server %s for domain %s. Error was %s\n",
-			smbXcli_conn_remote_name(cli->conn),
-			netbios_domain_name, nt_errstr(status)));
+	status = rpccli_setup_netlogon_creds(cli,
+					     netlogon_creds,
+					     true, /* force_reauth */
+					     current_nt_hash,
+					     previous_nt_hash);
+	SAFE_FREE(previous_nt_hash);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0,("connect_to_domain_password_server: "
+			 "unable to open the domain client session to "
+			 "machine %s. Flags[0x%08X] Error was : %s.\n",
+			 dc_name, (unsigned)netlogon_flags,
+			 nt_errstr(status)));
+		cli_shutdown(cli);
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = netlogon_creds_cli_get(netlogon_creds,
+					talloc_tos(),
+					&creds);
+	if (!NT_STATUS_IS_OK(status)) {
 		cli_shutdown(cli);
+		TALLOC_FREE(frame);
 		return status;
 	}
+	netlogon_flags = creds->negotiate_flags;
+	TALLOC_FREE(creds);
 
-	if (!lp_client_schannel()) {
+	if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 		cli_shutdown(cli);
+		TALLOC_FREE(frame);
 		return NT_STATUS_OK;
 	}
 
 	status = cli_rpc_pipe_open_schannel_with_key(
 		cli, &ndr_table_netlogon, NCACN_NP,
 		netbios_domain_name,
-		netlogon_pipe->netlogon_creds, &pipe_hnd);
+		netlogon_creds, &netlogon_pipe);
 
-	cli_shutdown(cli);
+	TALLOC_FREE(netlogon_pipe);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("libnet_join_ok: failed to open schannel session "
@@ -1289,9 +1335,13 @@ NTSTATUS libnet_join_ok(const char *netbios_domain_name,
 			"Error was %s\n",
 			smbXcli_conn_remote_name(cli->conn),
 			netbios_domain_name, nt_errstr(status)));
+		cli_shutdown(cli);
+		TALLOC_FREE(frame);
 		return status;
 	}
 
+	cli_shutdown(cli);
+	TALLOC_FREE(frame);
 	return NT_STATUS_OK;
 }
 
@@ -1303,8 +1353,8 @@ static WERROR libnet_join_post_verify(TALLOC_CTX *mem_ctx,
 {
 	NTSTATUS status;
 
-	status = libnet_join_ok(r->out.netbios_domain_name,
-				r->in.machine_name,
+	status = libnet_join_ok(r->in.msg_ctx,
+				r->out.netbios_domain_name,
 				r->in.dc_name,
 				r->in.use_kerberos);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/libnet/libnet_join.h b/source3/libnet/libnet_join.h
index 58c33b2..b7e2f0b 100644
--- a/source3/libnet/libnet_join.h
+++ b/source3/libnet/libnet_join.h
@@ -23,8 +23,9 @@
 
 /* The following definitions come from libnet/libnet_join.c  */
 
-NTSTATUS libnet_join_ok(const char *netbios_domain_name,
-			const char *machine_name,
+struct messaging_context;
+NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
+			const char *netbios_domain_name,
 			const char *dc_name,
 			const bool use_kerberos);
 WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index dff8801..9de74c0 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -493,7 +493,9 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
 	}
 
 	/* Display success or failure */
-	status = libnet_join_ok(c->opt_workgroup, lp_netbios_name(), dc,
+	status = libnet_join_ok(c->msg_ctx,
+				c->opt_workgroup,
+				dc,
 				c->opt_kerberos);
 	if (!NT_STATUS_IS_OK(status)) {
 		fprintf(stderr,"Join to domain '%s' is not valid: %s\n",
-- 
1.9.3


From 0da8c0a71d08de50b614e5df69a61e00d0a9cd99 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 5 Sep 2013 20:57:02 +0200
Subject: [PATCH 187/249] s3:libnet: use rpccli_{create,setup}_netlogon_creds()
 in libnet_join_joindomain_rpc_unsecure

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3a89eee03a95d4b142bf0830f40debc75bfa2e26)
---
 source3/libnet/libnet_join.c | 66 ++++++++++++++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 15 deletions(-)

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 6e653c3..a87eb38 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -817,14 +817,17 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
 						    struct libnet_JoinCtx *r,
 						    struct cli_state *cli)
 {
-	struct rpc_pipe_client *pipe_hnd = NULL;
-	unsigned char orig_trust_passwd_hash[16];
-	unsigned char new_trust_passwd_hash[16];
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct rpc_pipe_client *netlogon_pipe = NULL;
+	struct netlogon_creds_cli_context *netlogon_creds = NULL;
+	struct samr_Password current_nt_hash;
+	const char *account_name = NULL;
 	NTSTATUS status;
 
 	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-					  &pipe_hnd);
+					  &netlogon_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
 		return status;
 	}
 
@@ -832,22 +835,55 @@ static NTSTATUS libnet_join_joindomain_rpc_unsecure(TALLOC_CTX *mem_ctx,
 		r->in.machine_password = generate_random_password(mem_ctx,
 				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
 				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-		NT_STATUS_HAVE_NO_MEMORY(r->in.machine_password);
+		if (r->in.machine_password == NULL) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_NO_MEMORY;
+		}
 	}
 
-	E_md4hash(r->in.machine_password, new_trust_passwd_hash);
-
 	/* according to WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED */
-	E_md4hash(r->in.admin_password, orig_trust_passwd_hash);
+	E_md4hash(r->in.admin_password, current_nt_hash.hash);
 
-	status = rpccli_netlogon_set_trust_password(pipe_hnd, mem_ctx,
-						    r->in.machine_name,
-						    orig_trust_passwd_hash,
-						    r->in.machine_password,
-						    new_trust_passwd_hash,
-						    r->in.secure_channel_type);
+	account_name = talloc_asprintf(frame, "%s$",
+				       r->in.machine_name);
+	if (account_name == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
 
-	return status;
+	status = rpccli_create_netlogon_creds(netlogon_pipe->desthost,
+					      r->in.domain_name,
+					      account_name,
+					      r->in.secure_channel_type,
+					      r->in.msg_ctx,
+					      frame,
+					      &netlogon_creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = rpccli_setup_netlogon_creds(cli,
+					     netlogon_creds,
+					     true, /* force_reauth */
+					     current_nt_hash,
+					     NULL); /* previous_nt_hash */
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = netlogon_creds_cli_ServerPasswordSet(netlogon_creds,
+						      netlogon_pipe->binding_handle,
+						      r->in.machine_password,
+						      NULL); /* new_version */
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	TALLOC_FREE(frame);
+	return NT_STATUS_OK;
 }
 
 /****************************************************************
-- 
1.9.3


From 9d192bc1d2dd06efada55792203aaed58b349ab9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 11 Sep 2013 10:06:41 +0200
Subject: [PATCH 188/249] s3:rpc_client: use
 rpccli_{create,setup}_netlogon_creds() in cli_rpc_pipe_open_schannel()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 94caf7e190563423914b653d0c2fc4a4abf1f899)
---
 source3/rpc_client/cli_pipe.h          |   7 --
 source3/rpc_client/cli_pipe_schannel.c | 162 ++++++++++++++-------------------
 2 files changed, 66 insertions(+), 103 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index c21c55d..2a76130 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -109,13 +109,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 			     struct rpc_pipe_client *cli,
 			     DATA_BLOB *session_key);
 
-/* The following definitions come from rpc_client/cli_pipe_schannel.c  */
-
-NTSTATUS get_schannel_session_key(struct cli_state *cli,
-				  const char *domain,
-				  uint32 *pneg_flags,
-				  struct rpc_pipe_client **presult);
-
 #endif /* _CLI_PIPE_H */
 
 /* vim: set ts=8 sw=8 noet cindent ft=c.doxygen: */
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index 8f9161f..1fcf62e 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -23,67 +23,15 @@
 #include "../libcli/auth/schannel.h"
 #include "rpc_client/cli_netlogon.h"
 #include "rpc_client/cli_pipe.h"
-#include "librpc/gen_ndr/ndr_dcerpc.h"
 #include "librpc/rpc/dcerpc.h"
 #include "passdb.h"
 #include "libsmb/libsmb.h"
-#include "auth/gensec/gensec.h"
 #include "../libcli/smb/smbXcli_base.h"
+#include "libcli/auth/netlogon_creds_cli.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_CLI
 
-
-/****************************************************************************
-  Get a the schannel session key out of an already opened netlogon pipe.
- ****************************************************************************/
-static NTSTATUS get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
-						struct cli_state *cli,
-						const char *domain,
-						uint32 *pneg_flags)
-{
-	enum netr_SchannelType sec_chan_type = 0;
-	unsigned char machine_pwd[16];
-	const char *machine_account;
-	NTSTATUS status;
-
-	/* Get the machine account credentials from secrets.tdb. */
-	if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
-			       &sec_chan_type))
-	{
-		DEBUG(0, ("get_schannel_session_key: could not fetch "
-			"trust account password for domain '%s'\n",
-			domain));
-		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-	}
-
-	status = rpccli_netlogon_setup_creds(netlogon_pipe,
-					smbXcli_conn_remote_name(cli->conn), /* server name */
-					domain,	       /* domain */
-					lp_netbios_name(), /* client name */
-					machine_account, /* machine account name */
-					machine_pwd,
-					sec_chan_type,
-					pneg_flags);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(3, ("get_schannel_session_key_common: "
-			  "rpccli_netlogon_setup_creds failed with result %s "
-			  "to server %s, domain %s, machine account %s.\n",
-			  nt_errstr(status), smbXcli_conn_remote_name(cli->conn), domain,
-			  machine_account ));
-		return status;
-	}
-
-	if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
-		DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
-			smbXcli_conn_remote_name(cli->conn)));
-		return NT_STATUS_INVALID_NETWORK_RESPONSE;
-	}
-
-	return NT_STATUS_OK;
-}
-
 /****************************************************************************
  Open a named pipe to an SMB server and bind using schannel (bind type 68).
  Fetch the session key ourselves using a temporary netlogon pipe.
@@ -96,63 +44,85 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 				    const char *domain,
 				    struct rpc_pipe_client **presult)
 {
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-				NETLOGON_NEG_SUPPORTS_AES;
-	struct rpc_pipe_client *netlogon_pipe = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct messaging_context *msg_ctx = NULL;
+	const char *dc_name = smbXcli_conn_remote_name(cli->conn);
 	struct rpc_pipe_client *result = NULL;
 	NTSTATUS status;
+	struct netlogon_creds_cli_context *netlogon_creds = NULL;
+	struct netlogon_creds_CredentialState *creds = NULL;
+	uint32_t netlogon_flags = 0;
+	enum netr_SchannelType sec_chan_type = 0;
+	const char *_account_name = NULL;
+	const char *account_name = NULL;
+	struct samr_Password current_nt_hash;
+	struct samr_Password *previous_nt_hash = NULL;
+	bool ok;
+
+	ok = get_trust_pw_hash(domain,
+			       current_nt_hash.hash,
+			       &_account_name,
+			       &sec_chan_type);
+	if (!ok) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+	}
+
+	account_name = talloc_asprintf(frame, "%s$", _account_name);
+	if (account_name == NULL) {
+		SAFE_FREE(previous_nt_hash);
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = rpccli_create_netlogon_creds(dc_name,
+					      domain,
+					      account_name,
+					      sec_chan_type,
+					      msg_ctx,
+					      frame,
+					      &netlogon_creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		SAFE_FREE(previous_nt_hash);
+		TALLOC_FREE(frame);
+		return status;
+	}
 
-	status = get_schannel_session_key(cli, domain, &neg_flags,
-					  &netlogon_pipe);
+	status = rpccli_setup_netlogon_creds(cli,
+					     netlogon_creds,
+					     false, /* force_reauth */
+					     current_nt_hash,
+					     previous_nt_hash);
+	SAFE_FREE(previous_nt_hash);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
-			"key from server %s for domain %s.\n",
-			smbXcli_conn_remote_name(cli->conn), domain ));
+		TALLOC_FREE(frame);
 		return status;
 	}
 
+	status = netlogon_creds_cli_get(netlogon_creds,
+					frame,
+					&creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+	netlogon_flags = creds->negotiate_flags;
+	TALLOC_FREE(creds);
+
+	if (!(netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_DOWNGRADE_DETECTED;
+	}
+
 	status = cli_rpc_pipe_open_schannel_with_key(
 		cli, table, transport, domain,
-		netlogon_pipe->netlogon_creds,
+		netlogon_creds,
 		&result);
 
-	/* Now we've bound using the session key we can close the netlog pipe. */
-	TALLOC_FREE(netlogon_pipe);
-
 	if (NT_STATUS_IS_OK(status)) {
 		*presult = result;
 	}
 
+	TALLOC_FREE(frame);
 	return status;
 }
-
-/****************************************************************************
- Open a netlogon pipe and get the schannel session key.
- Now exposed to external callers.
- ****************************************************************************/
-
-
-NTSTATUS get_schannel_session_key(struct cli_state *cli,
-				  const char *domain,
-				  uint32 *pneg_flags,
-				  struct rpc_pipe_client **presult)
-{
-	struct rpc_pipe_client *netlogon_pipe = NULL;
-	NTSTATUS status;
-
-	status = cli_rpc_pipe_open_noauth(cli, &ndr_table_netlogon,
-					  &netlogon_pipe);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	status = get_schannel_session_key_common(netlogon_pipe, cli, domain,
-						 pneg_flags);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(netlogon_pipe);
-		return status;
-	}
-
-	*presult = netlogon_pipe;
-	return NT_STATUS_OK;
-}
-- 
1.9.3


From 5fba6641f79a14c208c5947886c005a87b9f3256 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:24:44 +0200
Subject: [PATCH 189/249] s3:rpcclient: add rpcclient_msg_ctx

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a1c468e1d75d490f0e531feb08188ddc3f0d77b5)
---
 source3/rpcclient/rpcclient.c | 5 +++++
 source3/rpcclient/rpcclient.h | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 0cbec20..39bf613 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -33,6 +33,7 @@
 #include "libsmb/libsmb.h"
 #include "auth/gensec/gensec.h"
 #include "../libcli/smb/smbXcli_base.h"
+#include "messages.h"
 
 enum pipe_auth_type_spnego {
 	PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
@@ -48,6 +49,7 @@ static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
 static unsigned int timeout = 0;
 static enum dcerpc_transport_t default_transport = NCACN_NP;
 
+struct messaging_context *rpcclient_msg_ctx;
 struct user_auth_info *rpcclient_auth_info;
 
 /* List to hold groups of commands.
@@ -985,6 +987,9 @@ out_free:
 	/* We must load interfaces after we load the smb.conf */
 	load_interfaces();
 
+	rpcclient_msg_ctx = messaging_init(talloc_autofree_context(),
+			samba_tevent_context_init(talloc_autofree_context()));
+
 	/*
 	 * Get password
 	 * from stdin if necessary
diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
index 762c54a..219da2a 100644
--- a/source3/rpcclient/rpcclient.h
+++ b/source3/rpcclient/rpcclient.h
@@ -41,4 +41,6 @@ struct cmd_set {
 	const char *usage;
 };
 
+extern struct messaging_context *rpcclient_msg_ctx;
+
 #endif /* RPCCLIENT_H */
-- 
1.9.3


From c6e02d60ef12431cd1a5615fcf514548e86d6dc8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:29:30 +0200
Subject: [PATCH 190/249] s3:rpcclient: add rpcclient_netlogon_creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1696b127c61fea76fce3d992632a822ed78de07c)
---
 source3/rpcclient/rpcclient.c | 3 +++
 source3/rpcclient/rpcclient.h | 1 +
 2 files changed, 4 insertions(+)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 39bf613..a875ff5 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -51,6 +51,7 @@ static enum dcerpc_transport_t default_transport = NCACN_NP;
 
 struct messaging_context *rpcclient_msg_ctx;
 struct user_auth_info *rpcclient_auth_info;
+struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
 
 /* List to hold groups of commands.
  *
@@ -797,6 +798,8 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 		}
 	}
 
+	rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
+
 	/* Run command */
 
 	if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
index 219da2a..9288249 100644
--- a/source3/rpcclient/rpcclient.h
+++ b/source3/rpcclient/rpcclient.h
@@ -42,5 +42,6 @@ struct cmd_set {
 };
 
 extern struct messaging_context *rpcclient_msg_ctx;
+extern struct netlogon_creds_cli_context *rpcclient_netlogon_creds;
 
 #endif /* RPCCLIENT_H */
-- 
1.9.3


From 849cb578d3aa38e7d6508353914d39501cd6b2c8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:57:09 +0200
Subject: [PATCH 191/249] s3:rpcclient: remove unused
 rpccli_netlogon_setup_creds() from cmd_netlogon_database_redo()

rpccli_netlogon_setup_creds() is already called in the main do_cmd()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fb13b002d599049f229d2014e1b94f82952b7150)
---
 source3/rpcclient/cmd_netlogon.c | 21 +--------------------
 1 file changed, 1 insertion(+), 20 deletions(-)

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 2e0b5e5..8a865a9 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -1141,12 +1141,8 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
 	NTSTATUS result;
 	const char *server_name = cli->desthost;
-	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-				NETLOGON_NEG_SUPPORTS_AES;
 	struct netr_Authenticator clnt_creds, srv_cred;
 	struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
-	unsigned char trust_passwd_hash[16];
-	enum netr_SchannelType sec_channel_type = 0;
 	struct netr_ChangeLogEntry e;
 	uint32_t rid = 500;
 	struct dcerpc_binding_handle *b = cli->binding_handle;
@@ -1161,25 +1157,10 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 		sscanf(argv[1], "%d", &rid);
 	}
 
-	if (!secrets_fetch_trust_account_password(lp_workgroup(),
-						  trust_passwd_hash,
-						  NULL, &sec_channel_type)) {
+	if (cli->netlogon_creds == NULL) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	status = rpccli_netlogon_setup_creds(cli,
-					     server_name, /* server name */
-					     lp_workgroup(), /* domain */
-					     lp_netbios_name(), /* client name */
-					     lp_netbios_name(), /* machine account name */
-					     trust_passwd_hash,
-					     sec_channel_type,
-					     &neg_flags);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
 	status = netlogon_creds_cli_lock(cli->netlogon_creds,
 					 mem_ctx, &creds);
 	if (!NT_STATUS_IS_OK(status)) {
-- 
1.9.3


From df5ce2ceb4c41e2a952cd9f011626028f8d230ff Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 19:00:22 +0200
Subject: [PATCH 192/249] s3:rpcclient: make use of rpcclient_netlogon_creds
 instead of cli->netlogon_creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3bf77812e80b50f254af64e4935301719f78987e)
---
 source3/rpcclient/cmd_netlogon.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 8a865a9..59e1e4e 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -633,7 +633,11 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli,
 		struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
 		struct netlogon_creds_CredentialState *creds = NULL;
 
-		status = netlogon_creds_cli_lock(cli->netlogon_creds,
+		if (rpcclient_netlogon_creds == NULL) {
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+
+		status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
 						 mem_ctx, &creds);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
@@ -712,7 +716,11 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli,
 		struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
 		struct netlogon_creds_CredentialState *creds = NULL;
 
-		status = netlogon_creds_cli_lock(cli->netlogon_creds,
+		if (rpcclient_netlogon_creds == NULL) {
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+
+		status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
 						 mem_ctx, &creds);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
@@ -1157,11 +1165,11 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli,
 		sscanf(argv[1], "%d", &rid);
 	}
 
-	if (cli->netlogon_creds == NULL) {
+	if (rpcclient_netlogon_creds == NULL) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	status = netlogon_creds_cli_lock(cli->netlogon_creds,
+	status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
 					 mem_ctx, &creds);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -1223,7 +1231,11 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli,
 
 	ZERO_STRUCT(return_authenticator);
 
-	status = netlogon_creds_cli_lock(cli->netlogon_creds,
+	if (rpcclient_netlogon_creds == NULL) {
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	status = netlogon_creds_cli_lock(rpcclient_netlogon_creds,
 					 mem_ctx, &creds);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
-- 
1.9.3


From 4e9d9abc0bae5ca08c3a91cc5d1b2bacffc6cbfc Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 19:59:11 +0200
Subject: [PATCH 193/249] s3:net_rpc: add net_context->netlogon_creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d1340c20b0900f54e2c73c4a363f45988b1ba097)
---
 source3/utils/net.h     | 1 +
 source3/utils/net_rpc.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/source3/utils/net.h b/source3/utils/net.h
index e97734a..ce19c57 100644
--- a/source3/utils/net.h
+++ b/source3/utils/net.h
@@ -90,6 +90,7 @@ struct net_context {
 	bool smb_encrypt;
 	struct libnetapi_ctx *netapi_ctx;
 	struct messaging_context *msg_ctx;
+	struct netlogon_creds_cli_context *netlogon_creds;
 
 	bool display_usage;
 	void *private_data;
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 9de74c0..3bf3f30 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -201,6 +201,7 @@ int run_rpc_command(struct net_context *c,
 					nt_errstr(nt_status) ));
 				goto fail;
 			}
+			c->netlogon_creds = pipe_hnd->netlogon_creds;
 		} else {
 			if (conn_flags & NET_FLAGS_SEAL) {
 				nt_status = cli_rpc_pipe_open_generic_auth(
-- 
1.9.3


From 7a4535c1e61de498230abd1f99bfe875ae59c2e0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 15 Sep 2013 13:19:52 +0200
Subject: [PATCH 194/249] s3:libsmb: add trust_pw_change()

This protects the password change using a domain specific g_lock,
so multiple parts 'net rpc', 'rpcclient', 'winbindd', 'wbinfo --change-secret'
even on multiple cluster nodes doesn't race anymore.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 16c6e4992fa882207eeaff0a1c4d9fe217be48b7)
---
 source3/include/proto.h      |   8 ++
 source3/libsmb/trusts_util.c | 179 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 187 insertions(+)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 216a377..edda119 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -984,6 +984,14 @@ void update_trustdom_cache( void );
 NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
 					   TALLOC_CTX *mem_ctx, 
 					   const char *domain) ;
+struct netlogon_creds_cli_context;
+struct messaging_context;
+struct dcerpc_binding_handle;
+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
+			 struct messaging_context *msg_ctx,
+			 struct dcerpc_binding_handle *b,
+			 const char *domain,
+			 bool force);
 
 /* The following definitions come from param/loadparm.c  */
 
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index 52fb481..b1bc006 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -20,12 +20,15 @@
 
 #include "includes.h"
 #include "../libcli/auth/libcli_auth.h"
+#include "../libcli/auth/netlogon_creds_cli.h"
 #include "rpc_client/cli_netlogon.h"
 #include "rpc_client/cli_pipe.h"
 #include "../librpc/gen_ndr/ndr_netlogon.h"
 #include "secrets.h"
 #include "passdb.h"
 #include "libsmb/libsmb.h"
+#include "source3/include/messages.h"
+#include "source3/include/g_lock.h"
 
 /*********************************************************
  Change the domain password on the PDC.
@@ -113,3 +116,179 @@ NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
 
 	return nt_status;
 }
+
+struct trust_pw_change_state {
+	struct g_lock_ctx *g_ctx;
+	char *g_lock_key;
+};
+
+static int trust_pw_change_state_destructor(struct trust_pw_change_state *state)
+{
+	g_lock_unlock(state->g_ctx, state->g_lock_key);
+	return 0;
+}
+
+NTSTATUS trust_pw_change(struct netlogon_creds_cli_context *context,
+			 struct messaging_context *msg_ctx,
+			 struct dcerpc_binding_handle *b,
+			 const char *domain,
+			 bool force)
+{
+	TALLOC_CTX *frame = talloc_stackframe();
+	struct trust_pw_change_state *state;
+	struct samr_Password current_nt_hash;
+	const struct samr_Password *previous_nt_hash = NULL;
+	enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
+	const char *account_name;
+	char *new_trust_passwd;
+	char *pwd;
+	struct dom_sid sid;
+	time_t pass_last_set_time;
+	struct timeval g_timeout = { 0, };
+	int timeout = 0;
+	struct timeval tv = { 0, };
+	NTSTATUS status;
+
+	state = talloc_zero(frame, struct trust_pw_change_state);
+	if (state == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	state->g_ctx = g_lock_ctx_init(state, msg_ctx);
+	if (state->g_ctx == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	state->g_lock_key = talloc_asprintf(state,
+				"trust_password_change_%s",
+				domain);
+	if (state->g_lock_key == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	g_timeout = timeval_current_ofs(10, 0);
+	status = g_lock_lock(state->g_ctx,
+			     state->g_lock_key,
+			     G_LOCK_WRITE, g_timeout);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(1, ("could not get g_lock on [%s]!\n",
+			  state->g_lock_key));
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	talloc_set_destructor(state, trust_pw_change_state_destructor);
+
+	if (!get_trust_pw_hash(domain, current_nt_hash.hash,
+			       &account_name,
+			       &sec_channel_type)) {
+		DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
+		TALLOC_FREE(frame);
+		return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+	}
+
+	switch (sec_channel_type) {
+	case SEC_CHAN_WKSTA:
+		pwd = secrets_fetch_machine_password(domain,
+						     &pass_last_set_time,
+						     NULL);
+		if (pwd == NULL) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+		}
+		break;
+	case SEC_CHAN_DOMAIN:
+		if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
+		}
+		break;
+	default:
+		TALLOC_FREE(frame);
+		return NT_STATUS_NOT_SUPPORTED;
+	}
+
+	timeout = lp_machine_password_timeout();
+	if (timeout == 0) {
+		if (!force) {
+			DEBUG(10,("machine password never expires\n"));
+			TALLOC_FREE(frame);
+			return NT_STATUS_OK;
+		}
+	}
+
+	tv.tv_sec = pass_last_set_time;
+	DEBUG(10, ("password last changed %s\n",
+		   timeval_string(talloc_tos(), &tv, false)));
+	tv.tv_sec += timeout;
+	DEBUGADD(10, ("password valid until %s\n",
+		      timeval_string(talloc_tos(), &tv, false)));
+
+	if (!force && !timeval_expired(&tv)) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_OK;
+	}
+
+	/* Create a random machine account password */
+	new_trust_passwd = generate_random_password(frame,
+				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
+				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
+	if (new_trust_passwd == NULL) {
+		DEBUG(0, ("generate_random_password failed\n"));
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = netlogon_creds_cli_auth(context, b,
+					 current_nt_hash,
+					 previous_nt_hash);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	status = netlogon_creds_cli_ServerPasswordSet(context, b,
+						      new_trust_passwd, NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n",
+		 current_timestring(talloc_tos(), False)));
+
+	/*
+	 * Return the result of trying to write the new password
+	 * back into the trust account file.
+	 */
+
+	switch (sec_channel_type) {
+
+	case SEC_CHAN_WKSTA:
+		if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		break;
+
+	case SEC_CHAN_DOMAIN:
+		/*
+		 * we need to get the sid first for the
+		 * pdb_set_trusteddom_pw call
+		 */
+		if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
+			TALLOC_FREE(frame);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
+		break;
+
+	default:
+		break;
+	}
+
+	TALLOC_FREE(frame);
+	return NT_STATUS_OK;
+}
-- 
1.9.3


From 09dae290b1d49a30eef5b93f5260dc44fb628437 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:33:51 +0200
Subject: [PATCH 195/249] s3:rpcclient: make use of trust_pw_change()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a9281e6570fcc5ff5abe3149615bed7029d1cf71)
---
 source3/rpcclient/cmd_netlogon.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 59e1e4e..000d65c 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -829,11 +829,11 @@ static NTSTATUS cmd_netlogon_change_trust_pw(struct rpc_pipe_client *cli,
                 return NT_STATUS_OK;
         }
 
-        /* Perform the sam logon */
-
-	result = trust_pw_find_change_and_store_it(cli, mem_ctx,
-						   lp_workgroup());
-
+	result = trust_pw_change(rpcclient_netlogon_creds,
+				 rpcclient_msg_ctx,
+				 cli->binding_handle,
+				 lp_workgroup(),
+				 true); /* force */
 	if (!NT_STATUS_IS_OK(result))
 		goto done;
 
-- 
1.9.3


From 3731b2163f6bb88922a9fa84e60fa48afbbbda9a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:34:48 +0200
Subject: [PATCH 196/249] s3:net_rpc: make use of trust_pw_change()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cfd139347c21f4f4ddd16026c2c8c221feabd6c5)
---
 source3/utils/net_rpc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 3bf3f30..ba49f3e 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -279,7 +279,11 @@ static NTSTATUS rpc_changetrustpw_internals(struct net_context *c,
 {
 	NTSTATUS status;
 
-	status = trust_pw_find_change_and_store_it(pipe_hnd, mem_ctx, c->opt_target_workgroup);
+	status = trust_pw_change(c->netlogon_creds,
+				 c->msg_ctx,
+				 pipe_hnd->binding_handle,
+				 c->opt_target_workgroup,
+				 true); /* force */
 	if (!NT_STATUS_IS_OK(status)) {
 		d_fprintf(stderr, _("Failed to change machine account password: %s\n"),
 			nt_errstr(status));
-- 
1.9.3


From cd8fdfc923adcc5b6c700ec52d1bba4643079247 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:35:39 +0200
Subject: [PATCH 197/249] s3:winbindd: use invalidate_cm_connection() to kill
 the netlogon connection

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit dbd49d90bbf175525557eaa983ad57ca5076d710)
---
 source3/winbindd/winbindd_dual.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index 64af571..b26cdca 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -1056,7 +1056,7 @@ static void machine_password_change_handler(struct tevent_context *ctx,
 			 "password was changed and we didn't know it. "
 			 "Killing connections to domain %s\n",
 			 child->domain->name));
-		TALLOC_FREE(child->domain->conn.netlogon_pipe);
+		invalidate_cm_connection(&child->domain->conn);
 	}
 
 	if (!calculate_next_machine_pwd_change(child->domain->name,
-- 
1.9.3


From 6369757af75412746c0d9950971a77be72826b92 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:36:43 +0200
Subject: [PATCH 198/249] s3:winbindd: make use of trust_pw_change() for
 periodic password changes

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 57741dd4ba5a9ed3abf7aad35a2a69fd66b49b4b)
---
 source3/winbindd/winbindd_dual.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/source3/winbindd/winbindd_dual.c b/source3/winbindd/winbindd_dual.c
index b26cdca..1d6a5ba 100644
--- a/source3/winbindd/winbindd_dual.c
+++ b/source3/winbindd/winbindd_dual.c
@@ -29,6 +29,7 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "rpc_client/rpc_client.h"
 #include "nsswitch/wb_reqtrans.h"
 #include "secrets.h"
 #include "../lib/util/select.h"
@@ -999,10 +1000,10 @@ static void machine_password_change_handler(struct tevent_context *ctx,
 					    struct timeval now,
 					    void *private_data)
 {
+	struct messaging_context *msg_ctx = winbind_messaging_context();
 	struct winbindd_child *child =
 		(struct winbindd_child *)private_data;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
-	TALLOC_CTX *frame;
 	NTSTATUS result;
 	struct timeval next_change;
 
@@ -1039,15 +1040,14 @@ static void machine_password_change_handler(struct tevent_context *ctx,
 		return;
 	}
 
-	frame = talloc_stackframe();
-
-	result = trust_pw_find_change_and_store_it(netlogon_pipe,
-						   frame,
-						   child->domain->name);
-	TALLOC_FREE(frame);
+	result = trust_pw_change(child->domain->conn.netlogon_creds,
+				 msg_ctx,
+				 netlogon_pipe->binding_handle,
+				 child->domain->name,
+				 false); /* force */
 
 	DEBUG(10, ("machine_password_change_handler: "
-		   "trust_pw_find_change_and_store_it returned %s\n",
+		   "trust_pw_change returned %s\n",
 		   nt_errstr(result)));
 
 	if (NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
-- 
1.9.3


From 5fe11c760d853dff63ad9b3505f3d3721b7e14f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:37:34 +0200
Subject: [PATCH 199/249] s3:winbindd: make use of trust_pw_change() in
 _wbint_ChangeMachineAccount()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3c30e19c4a0e60e355b2f1d35edbb0a3b7688089)
---
 source3/winbindd/winbindd_dual_srv.c | 35 +++++++----------------------------
 1 file changed, 7 insertions(+), 28 deletions(-)

diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 001591a..f064467 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -622,48 +622,27 @@ again:
 NTSTATUS _wbint_ChangeMachineAccount(struct pipes_struct *p,
 				     struct wbint_ChangeMachineAccount *r)
 {
+	struct messaging_context *msg_ctx = winbind_messaging_context();
 	struct winbindd_domain *domain;
-	int num_retries = 0;
 	NTSTATUS status;
 	struct rpc_pipe_client *netlogon_pipe;
-	TALLOC_CTX *tmp_ctx;
 
-again:
 	domain = wb_child_domain();
 	if (domain == NULL) {
 		return NT_STATUS_REQUEST_NOT_ACCEPTED;
 	}
 
-	invalidate_cm_connection(&domain->conn);
-
-	{
-		status = cm_connect_netlogon(domain, &netlogon_pipe);
-	}
-
-	/* There is a race condition between fetching the trust account
-	   password and the periodic machine password change.  So it's
-	   possible that the trust account password has been changed on us.
-	   We are returned NT_STATUS_ACCESS_DENIED if this happens. */
-
-#define MAX_RETRIES 3
-
-	if ((num_retries < MAX_RETRIES)
-	     && NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
-		num_retries++;
-		goto again;
-	}
-
+	status = cm_connect_netlogon(domain, &netlogon_pipe);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
 		goto done;
 	}
 
-	tmp_ctx = talloc_new(p->mem_ctx);
-
-	status = trust_pw_find_change_and_store_it(netlogon_pipe,
-						   tmp_ctx,
-						   domain->name);
-	talloc_destroy(tmp_ctx);
+	status = trust_pw_change(domain->conn.netlogon_creds,
+				 msg_ctx,
+				 netlogon_pipe->binding_handle,
+				 domain->name,
+				 true); /* force */
 
 	/* Pass back result code - zero for success, other values for
 	   specific failures. */
-- 
1.9.3


From 9956ea8b561da89fb79739dd8a8552116c7867f7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 18:39:52 +0200
Subject: [PATCH 200/249] s3:libsmb: remove unused
 trust_pw_find_change_and_store_it()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a8ecebe3e840005c81df043cb07773972aaa2371)
---
 source3/include/proto.h      |  3 --
 source3/libsmb/trusts_util.c | 81 --------------------------------------------
 2 files changed, 84 deletions(-)

diff --git a/source3/include/proto.h b/source3/include/proto.h
index edda119..18348e5 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -981,9 +981,6 @@ void update_trustdom_cache( void );
 
 /* The following definitions come from libsmb/trusts_util.c  */
 
-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli, 
-					   TALLOC_CTX *mem_ctx, 
-					   const char *domain) ;
 struct netlogon_creds_cli_context;
 struct messaging_context;
 struct dcerpc_binding_handle;
diff --git a/source3/libsmb/trusts_util.c b/source3/libsmb/trusts_util.c
index b1bc006..b38aec6 100644
--- a/source3/libsmb/trusts_util.c
+++ b/source3/libsmb/trusts_util.c
@@ -36,87 +36,6 @@
  already setup the connection to the NETLOGON pipe
 **********************************************************/
 
-NTSTATUS trust_pw_find_change_and_store_it(struct rpc_pipe_client *cli,
-					   TALLOC_CTX *mem_ctx,
-					   const char *domain)
-{
-	unsigned char old_trust_passwd_hash[16];
-	unsigned char new_trust_passwd_hash[16];
-	enum netr_SchannelType sec_channel_type = SEC_CHAN_NULL;
-	const char *account_name;
-	char *new_trust_passwd;
-	NTSTATUS nt_status;
-
-	if (!get_trust_pw_hash(domain, old_trust_passwd_hash, &account_name,
-			       &sec_channel_type)) {
-		DEBUG(0, ("could not fetch domain secrets for domain %s!\n", domain));
-		return NT_STATUS_UNSUCCESSFUL;
-	}
-
-	switch (sec_channel_type) {
-	case SEC_CHAN_WKSTA:
-	case SEC_CHAN_DOMAIN:
-		break;
-	default:
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
-	/* Create a random machine account password */
-	new_trust_passwd = generate_random_password(mem_ctx,
-				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH,
-				DEFAULT_TRUST_ACCOUNT_PASSWORD_LENGTH);
-	if (new_trust_passwd == NULL) {
-		DEBUG(0, ("generate_random_password failed\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	E_md4hash(new_trust_passwd, new_trust_passwd_hash);
-
-	nt_status = rpccli_netlogon_set_trust_password(cli, mem_ctx,
-						       account_name,
-						       old_trust_passwd_hash,
-						       new_trust_passwd,
-						       new_trust_passwd_hash,
-						       sec_channel_type);
-
-	if (NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(3,("%s : trust_pw_change_and_store_it: Changed password.\n", 
-			 current_timestring(talloc_tos(), False)));
-		/*
-		 * Return the result of trying to write the new password
-		 * back into the trust account file.
-		 */
-
-		switch (sec_channel_type) {
-
-		case SEC_CHAN_WKSTA:
-			if (!secrets_store_machine_password(new_trust_passwd, domain, sec_channel_type)) {
-				nt_status = NT_STATUS_UNSUCCESSFUL;
-			}
-			break;
-
-		case SEC_CHAN_DOMAIN: {
-			char *pwd;
-			struct dom_sid sid;
-			time_t pass_last_set_time;
-
-			/* we need to get the sid first for the
-			 * pdb_set_trusteddom_pw call */
-
-			if (!pdb_get_trusteddom_pw(domain, &pwd, &sid, &pass_last_set_time)) {
-				nt_status = NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE;
-			}
-			if (!pdb_set_trusteddom_pw(domain, new_trust_passwd, &sid)) {
-				nt_status = NT_STATUS_INTERNAL_DB_CORRUPTION;
-			}
-			break;
-		}
-		}
-	}
-
-	return nt_status;
-}
-
 struct trust_pw_change_state {
 	struct g_lock_ctx *g_ctx;
 	char *g_lock_key;
-- 
1.9.3


From f71cb73d7f034165802aad97e9be6f45ba32d519 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 19:19:39 +0200
Subject: [PATCH 201/249] s3:libnet: pass in struct netlogon_creds_cli_context
 from the caller.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 77defb175e3ffd1b096485ac7de38ad161594b72)
---
 source3/libnet/libnet_samsync.c | 2 +-
 source3/libnet/libnet_samsync.h | 1 +
 source3/utils/net_rpc_samsync.c | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/libnet/libnet_samsync.c b/source3/libnet/libnet_samsync.c
index 02d3fc6..e7e1393 100644
--- a/source3/libnet/libnet_samsync.c
+++ b/source3/libnet/libnet_samsync.c
@@ -216,7 +216,7 @@ static NTSTATUS libnet_samsync_delta(TALLOC_CTX *mem_ctx,
 		struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL;
 		struct netlogon_creds_CredentialState *creds = NULL;
 
-		status = netlogon_creds_cli_lock(ctx->cli->netlogon_creds,
+		status = netlogon_creds_cli_lock(ctx->netlogon_creds,
 						 mem_ctx, &creds);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
diff --git a/source3/libnet/libnet_samsync.h b/source3/libnet/libnet_samsync.h
index efdbb37..e1d66ec 100644
--- a/source3/libnet/libnet_samsync.h
+++ b/source3/libnet/libnet_samsync.h
@@ -75,6 +75,7 @@ struct samsync_context {
 	struct samsync_object *objects;
 
 	struct rpc_pipe_client *cli;
+	struct netlogon_creds_cli_context *netlogon_creds;
 	struct messaging_context *msg_ctx;
 
 	const struct samsync_ops *ops;
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 772651f..6377ad4 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -129,6 +129,7 @@ NTSTATUS rpc_samdump_internals(struct net_context *c,
 
 	ctx->mode		= NET_SAMSYNC_MODE_DUMP;
 	ctx->cli		= pipe_hnd;
+	ctx->netlogon_creds	= c->netlogon_creds;
 	ctx->ops		= &libnet_samsync_display_ops;
 	ctx->domain_name	= domain_name;
 
-- 
1.9.3


From acb678ce415403e1442116b32eb8b8b32b677f4a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 20:51:25 +0200
Subject: [PATCH 202/249] s3:rpcclient: make use of
 rpccli_{create,setup}_netlogon_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5107ca02a41673739a1fc4a1c2a0fbe8465f211a)
---
 source3/rpcclient/rpcclient.c | 59 ++++++++++++++++++++++++++++++-------------
 1 file changed, 41 insertions(+), 18 deletions(-)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index a875ff5..490f8df 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -676,6 +676,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 {
 	NTSTATUS ntresult;
 	WERROR wresult;
+	bool ok;
 
 	TALLOC_CTX *mem_ctx;
 
@@ -759,17 +760,20 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 			return ntresult;
 		}
 
-		if (ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
-					&ndr_table_netlogon.syntax_id)) {
-			uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-						NETLOGON_NEG_SUPPORTS_AES;
-			enum netr_SchannelType sec_channel_type;
-			uchar trust_password[16];
-			const char *machine_account;
+		ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
+					 &ndr_table_netlogon.syntax_id);
+		if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
+			const char *dc_name = cmd_entry->rpc_pipe->desthost;
+			const char *domain = get_cmdline_auth_info_domain(auth_info);
+			enum netr_SchannelType sec_chan_type = 0;
+			const char *_account_name = NULL;
+			const char *account_name = NULL;
+			struct samr_Password current_nt_hash;
+			struct samr_Password *previous_nt_hash = NULL;
 
 			if (!get_trust_pw_hash(get_cmdline_auth_info_domain(auth_info),
-					       trust_password, &machine_account,
-					       &sec_channel_type))
+					       current_nt_hash.hash, &_account_name,
+					       &sec_chan_type))
 			{
 				DEBUG(0, ("Failed to fetch trust password for %s to connect to %s.\n",
 					  get_cmdline_auth_info_domain(auth_info),
@@ -779,22 +783,41 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 			}
 
-			ntresult = rpccli_netlogon_setup_creds(cmd_entry->rpc_pipe,
-						cmd_entry->rpc_pipe->desthost,   /* server name */
-						get_cmdline_auth_info_domain(auth_info),  /* domain */
-						lp_netbios_name(), /* client name */
-						machine_account, /* machine account name */
-						trust_password,
-						sec_channel_type,
-						&neg_flags);
+			account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
+			if (account_name == NULL) {
+				SAFE_FREE(previous_nt_hash);
+				TALLOC_FREE(mem_ctx);
+				return NT_STATUS_NO_MEMORY;
+			}
+
+			ntresult = rpccli_create_netlogon_creds(dc_name,
+						domain,
+						account_name,
+						sec_chan_type,
+						rpcclient_msg_ctx,
+						talloc_autofree_context(),
+						&rpcclient_netlogon_creds);
+			if (!NT_STATUS_IS_OK(ntresult)) {
+				SAFE_FREE(previous_nt_hash);
+				TALLOC_FREE(mem_ctx);
+				return ntresult;
+			}
 
+			ntresult = rpccli_setup_netlogon_creds(cli,
+							rpcclient_netlogon_creds,
+							false, /* force_reauth */
+							current_nt_hash,
+							previous_nt_hash);
+			SAFE_FREE(previous_nt_hash);
 			if (!NT_STATUS_IS_OK(ntresult)) {
 				DEBUG(0, ("Could not initialise credentials for %s.\n",
 					  cmd_entry->table->name));
 				TALLOC_FREE(cmd_entry->rpc_pipe);
-				talloc_free(mem_ctx);
+				TALLOC_FREE(rpcclient_netlogon_creds);
+				TALLOC_FREE(mem_ctx);
 				return ntresult;
 			}
+			cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
 		}
 	}
 
-- 
1.9.3


From b04744971aa9cc696aa4a3c56dd46d58db8dda75 Mon Sep 17 00:00:00 2001
From: Garming Sam <garming@catalyst.net.nz>
Date: Fri, 29 Nov 2013 14:45:20 +1300
Subject: [PATCH 203/249] s3:rpcclient: give errors and clean up correctly
 after failing to obtain secret

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a012e2fdd6733e871ddeb68874a2df8413ad91ed)
---
 source3/rpcclient/rpcclient.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index 490f8df..fd3ebdf 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -785,6 +785,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 
 			account_name = talloc_asprintf(mem_ctx, "%s$", _account_name);
 			if (account_name == NULL) {
+				DEBUG(0, ("Out of memory creating account name to connect to %s.\n",
+					  cmd_entry->table->name));
+				TALLOC_FREE(cmd_entry->rpc_pipe);
 				SAFE_FREE(previous_nt_hash);
 				TALLOC_FREE(mem_ctx);
 				return NT_STATUS_NO_MEMORY;
@@ -798,6 +801,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 						talloc_autofree_context(),
 						&rpcclient_netlogon_creds);
 			if (!NT_STATUS_IS_OK(ntresult)) {
+				DEBUG(0, ("Could not initialise credentials for %s.\n",
+					  cmd_entry->table->name));
+				TALLOC_FREE(cmd_entry->rpc_pipe);
 				SAFE_FREE(previous_nt_hash);
 				TALLOC_FREE(mem_ctx);
 				return ntresult;
-- 
1.9.3


From 564e6df9361025ff7da6fa92d83491cfd9e60b2b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Sep 2013 00:46:09 +0200
Subject: [PATCH 204/249] s3:rpcclient: remove optional auth_level parameter of
 the 'samlogon' cmd

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4c99e49898151a514e334a07f38eed83fe608c05)
---
 source3/rpcclient/cmd_netlogon.c | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 000d65c..97b79cb 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -782,9 +782,9 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 	/* Check arguments */
 
-	if (argc < 3 || argc > 7) {
+	if (argc < 3 || argc > 6) {
 		fprintf(stderr, "Usage: samlogon <username> <password> [workstation]"
-			"[logon_type (1 or 2)] [auth level (2 or 3)] [logon_parameter]\n");
+			"[logon_type (1 or 2)] [logon_parameter]\n");
 		return NT_STATUS_OK;
 	}
 
@@ -797,11 +797,8 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 	if (argc >= 5)
 		sscanf(argv[4], "%i", &logon_type);
 
-	if (argc >= 6)
-		validation_level = atoi(argv[5]);
-
-	if (argc == 7)
-		sscanf(argv[6], "%x", &logon_param);
+	if (argc == 6)
+		sscanf(argv[5], "%x", &logon_param);
 
 	/* Perform the sam logon */
 
-- 
1.9.3


From a61d399c13c9f46e283f85f3d076b0607c2729f3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Sep 2013 00:48:31 +0200
Subject: [PATCH 205/249] s3:rpcclient: make use of
 rpccli_netlogon_password_logon() in the 'samlogon' cmd

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c6bb47f2f199cc13101dccf656ac36e9eb879201)
---
 source3/rpcclient/cmd_netlogon.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 97b79cb..b637b3e 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -776,7 +776,6 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	int logon_type = NetlogonNetworkInformation;
 	const char *username, *password;
-	uint16_t validation_level = 3;
 	uint32 logon_param = 0;
 	const char *workstation = NULL;
 
@@ -802,8 +801,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 	/* Perform the sam logon */
 
-	result = rpccli_netlogon_sam_logon(cli, mem_ctx, logon_param, lp_workgroup(), username, password, workstation, validation_level, logon_type);
-
+	result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
+						cli->binding_handle,
+						logon_param,
+						lp_workgroup(),
+						username,
+						password,
+						workstation,
+						logon_type);
 	if (!NT_STATUS_IS_OK(result))
 		goto done;
 
-- 
1.9.3


From fbe0154a63d401acd47c5190be37b8d69d3d64ba Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 17 Sep 2013 00:56:15 +0200
Subject: [PATCH 206/249] s3:winbindd: make use of
 rpccli_netlogon_network_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a34c837fdb59df1e66be9b5f23a07990e34fea1c)
---
 source3/winbindd/winbindd_pam.c | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 39483a5..3f3ec70 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1228,6 +1228,8 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 
 	do {
 		struct rpc_pipe_client *netlogon_pipe;
+		uint8_t authoritative = 0;
+		uint32_t flags = 0;
 
 		ZERO_STRUCTP(info3);
 		retry = false;
@@ -1276,19 +1278,19 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 		}
 		netr_attempts = 0;
 
-		result = rpccli_netlogon_sam_network_logon(
-					netlogon_pipe,
-					mem_ctx,
-					logon_parameters,
-					server,		/* server name */
-					username,	/* user name */
-					domainname,	/* target domain */
-					workstation,	/* workstation */
-					chal,
-					-1, /* ignored */
-					lm_response,
-					nt_response,
-					info3);
+		result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
+						netlogon_pipe->binding_handle,
+						mem_ctx,
+						logon_parameters,
+						username,
+						domainname,
+						workstation,
+						chal,
+						lm_response,
+						nt_response,
+						&authoritative,
+						&flags,
+						info3);
 
 		/*
 		 * we increment this after the "feature negotiation"
-- 
1.9.3


From cfcb681d6f80253b6f2db769f5c5be1ffb54cc0e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 20:53:51 +0200
Subject: [PATCH 207/249] s3:rpc_client: make cli_rpc_pipe_open_schannel() more
 flexible

It expects a messaging_context now
and returns a netlogon_creds_cli_context.

This way we can finally avoid having a rpc_pipe_client->netlogon_creds.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 660150b12a637da7f9ebb820e687f27ac22fb93a)
---
 source3/rpc_client/cli_pipe.h          |  5 ++++-
 source3/rpc_client/cli_pipe_schannel.c |  9 +++++++--
 source3/rpcclient/rpcclient.c          | 13 +++++++------
 source3/utils/net_rpc.c                |  6 +++---
 4 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 2a76130..b704d8a 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -99,11 +99,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 					     struct rpc_pipe_client **presult);
 
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+				    struct messaging_context *msg_ctx,
 				    const struct ndr_interface_table *table,
 				    enum dcerpc_transport_t transport,
 				    enum dcerpc_AuthLevel auth_level,
 				    const char *domain,
-				    struct rpc_pipe_client **presult);
+				    struct rpc_pipe_client **presult,
+				    TALLOC_CTX *mem_ctx,
+				    struct netlogon_creds_cli_context **pcreds);
 
 NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
 			     struct rpc_pipe_client *cli,
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index 1fcf62e..a842333 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -38,14 +38,16 @@
  ****************************************************************************/
 
 NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
+				    struct messaging_context *msg_ctx,
 				    const struct ndr_interface_table *table,
 				    enum dcerpc_transport_t transport,
 				    enum dcerpc_AuthLevel auth_level,
 				    const char *domain,
-				    struct rpc_pipe_client **presult)
+				    struct rpc_pipe_client **presult,
+				    TALLOC_CTX *mem_ctx,
+				    struct netlogon_creds_cli_context **pcreds)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
-	struct messaging_context *msg_ctx = NULL;
 	const char *dc_name = smbXcli_conn_remote_name(cli->conn);
 	struct rpc_pipe_client *result = NULL;
 	NTSTATUS status;
@@ -121,6 +123,9 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
 
 	if (NT_STATUS_IS_OK(status)) {
 		*presult = result;
+		if (pcreds != NULL) {
+			*pcreds = talloc_move(mem_ctx, &netlogon_creds);
+		}
 	}
 
 	TALLOC_FREE(frame);
diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index fd3ebdf..43343e8 100644
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -737,12 +737,16 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 				&cmd_entry->rpc_pipe);
 			break;
 		case DCERPC_AUTH_TYPE_SCHANNEL:
+			TALLOC_FREE(rpcclient_netlogon_creds);
 			ntresult = cli_rpc_pipe_open_schannel(
-				cli, cmd_entry->table,
+				cli, rpcclient_msg_ctx,
+				cmd_entry->table,
 				default_transport,
 				pipe_default_auth_level,
 				get_cmdline_auth_info_domain(auth_info),
-				&cmd_entry->rpc_pipe);
+				&cmd_entry->rpc_pipe,
+				talloc_autofree_context(),
+				&rpcclient_netlogon_creds);
 			break;
 		default:
 			DEBUG(0, ("Could not initialise %s. Invalid "
@@ -762,7 +766,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 
 		ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
 					 &ndr_table_netlogon.syntax_id);
-		if (cmd_entry->rpc_pipe->netlogon_creds == NULL && ok) {
+		if (rpcclient_netlogon_creds == NULL && ok) {
 			const char *dc_name = cmd_entry->rpc_pipe->desthost;
 			const char *domain = get_cmdline_auth_info_domain(auth_info);
 			enum netr_SchannelType sec_chan_type = 0;
@@ -823,12 +827,9 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 				TALLOC_FREE(mem_ctx);
 				return ntresult;
 			}
-			cmd_entry->rpc_pipe->netlogon_creds = rpcclient_netlogon_creds;
 		}
 	}
 
-	rpcclient_netlogon_creds = cmd_entry->rpc_pipe->netlogon_creds;
-
 	/* Run command */
 
 	if ( cmd_entry->returntype == RPC_RTYPE_NTSTATUS ) {
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index ba49f3e..d0f699a 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -192,16 +192,16 @@ int run_rpc_command(struct net_context *c,
 		    && (ndr_syntax_id_equal(&table->syntax_id,
 					    &ndr_table_netlogon.syntax_id))) {
 			/* Always try and create an schannel netlogon pipe. */
+			TALLOC_FREE(c->netlogon_creds);
 			nt_status = cli_rpc_pipe_open_schannel(
-				cli, table, NCACN_NP,
+				cli, c->msg_ctx, table, NCACN_NP,
 				DCERPC_AUTH_LEVEL_PRIVACY, domain_name,
-				&pipe_hnd);
+				&pipe_hnd, c, &c->netlogon_creds);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				DEBUG(0, ("Could not initialise schannel netlogon pipe. Error was %s\n",
 					nt_errstr(nt_status) ));
 				goto fail;
 			}
-			c->netlogon_creds = pipe_hnd->netlogon_creds;
 		} else {
 			if (conn_flags & NET_FLAGS_SEAL) {
 				nt_status = cli_rpc_pipe_open_generic_auth(
-- 
1.9.3


From 603b40eeee3cf21de94f11471889d0443713ba4f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Sep 2013 13:54:30 +0200
Subject: [PATCH 208/249] s3:rpc_client: remove unused
 rpccli_netlogon_set_trust_password()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6d457ad9c156cf86d99e58dea21dba170defad1b)
---
 source3/rpc_client/cli_netlogon.c | 51 ---------------------------------------
 source3/rpc_client/cli_netlogon.h |  7 ------
 2 files changed, 58 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index a9f8604..2f23d1b 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -759,54 +759,3 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 
 	return NT_STATUS_OK;
 }
-
-/*********************************************************
- Change the domain password on the PDC.
-
- Just changes the password betwen the two values specified.
-
- Caller must have the cli connected to the netlogon pipe
- already.
-**********************************************************/
-
-NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
-					    TALLOC_CTX *mem_ctx,
-					    const char *account_name,
-					    const unsigned char orig_trust_passwd_hash[16],
-					    const char *new_trust_pwd_cleartext,
-					    const unsigned char new_trust_passwd_hash[16],
-					    enum netr_SchannelType sec_channel_type)
-{
-	NTSTATUS result;
-
-	if (cli->netlogon_creds == NULL) {
-		uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS |
-					NETLOGON_NEG_SUPPORTS_AES;
-		result = rpccli_netlogon_setup_creds(cli,
-						     cli->desthost, /* server name */
-						     lp_workgroup(), /* domain */
-						     lp_netbios_name(), /* client name */
-						     account_name, /* machine account name */
-						     orig_trust_passwd_hash,
-						     sec_channel_type,
-						     &neg_flags);
-		if (!NT_STATUS_IS_OK(result)) {
-			DEBUG(3,("rpccli_netlogon_set_trust_password: unable to setup creds (%s)!\n",
-				 nt_errstr(result)));
-			return result;
-		}
-	}
-
-	result = netlogon_creds_cli_ServerPasswordSet(cli->netlogon_creds,
-						      cli->binding_handle,
-						      new_trust_pwd_cleartext,
-						      NULL); /* new_version */
-	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0,("netlogon_creds_cli_ServerPasswordSet failed: %s\n",
-			nt_errstr(result)));
-		return result;
-	}
-
-	return NT_STATUS_OK;
-}
-
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index d4c6670..8547db6 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -93,12 +93,5 @@ NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 				       uint8_t *authoritative,
 				       uint32_t *flags,
 				       struct netr_SamInfo3 **info3);
-NTSTATUS rpccli_netlogon_set_trust_password(struct rpc_pipe_client *cli,
-					    TALLOC_CTX *mem_ctx,
-					    const char *account_name,
-					    const unsigned char orig_trust_passwd_hash[16],
-					    const char *new_trust_pwd_cleartext,
-					    const unsigned char new_trust_passwd_hash[16],
-					    enum netr_SchannelType sec_channel_type);
 
 #endif /* _RPC_CLIENT_CLI_NETLOGON_H_ */
-- 
1.9.3


From c9dc23d434bc7015f400b1969a055b95faac6594 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Sep 2013 13:06:53 +0200
Subject: [PATCH 209/249] s3:rpc_client: remove unused
 rpccli_netlogon_setup_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a4faf57b47095bfc0f4370ac093c8c4cef17584f)
---
 source3/rpc_client/cli_netlogon.c | 92 ---------------------------------------
 source3/rpc_client/cli_netlogon.h |  8 ----
 2 files changed, 100 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 2f23d1b..687d0c2 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -35,98 +35,6 @@
 #include "lib/param/param.h"
 #include "libcli/smb/smbXcli_base.h"
 
-/****************************************************************************
- Wrapper function that uses the auth and auth2 calls to set up a NETLOGON
- credentials chain. Stores the credentials in the struct dcinfo in the
- netlogon pipe struct.
-****************************************************************************/
-
-NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
-				     const char *server_name,
-				     const char *domain,
-				     const char *clnt_name,
-				     const char *machine_account,
-				     const unsigned char machine_pwd[16],
-				     enum netr_SchannelType sec_chan_type,
-				     uint32_t *neg_flags_inout)
-{
-	TALLOC_CTX *frame = talloc_stackframe();
-	struct loadparm_context *lp_ctx;
-	NTSTATUS status;
-	struct samr_Password password;
-	fstring mach_acct;
-	struct dcerpc_binding_handle *b = cli->binding_handle;
-	struct netlogon_creds_CredentialState *creds = NULL;
-
-	if (!ndr_syntax_id_equal(&cli->abstract_syntax,
-				 &ndr_table_netlogon.syntax_id)) {
-		TALLOC_FREE(frame);
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!strequal(lp_netbios_name(), clnt_name)) {
-		TALLOC_FREE(frame);
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	TALLOC_FREE(cli->netlogon_creds);
-
-	fstr_sprintf( mach_acct, "%s$", machine_account);
-
-	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
-	if (lp_ctx == NULL) {
-		TALLOC_FREE(frame);
-		return NT_STATUS_NO_MEMORY;
-	}
-	status = netlogon_creds_cli_context_global(lp_ctx,
-						   NULL, /* msg_ctx */
-						   mach_acct,
-						   sec_chan_type,
-						   server_name,
-						   domain,
-						   cli, &cli->netlogon_creds);
-	talloc_unlink(frame, lp_ctx);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(frame);
-		return status;
-	}
-
-	status = netlogon_creds_cli_get(cli->netlogon_creds,
-					frame, &creds);
-	if (NT_STATUS_IS_OK(status)) {
-		DEBUG(5,("rpccli_netlogon_setup_creds: server %s using "
-			 "cached credential\n",
-			 cli->desthost));
-		*neg_flags_inout = creds->negotiate_flags;
-		TALLOC_FREE(frame);
-		return NT_STATUS_OK;
-	}
-
-	/* Store the machine account password we're going to use. */
-	memcpy(password.hash, machine_pwd, 16);
-
-	DEBUG(5,("rpccli_netlogon_setup_creds: server %s credential "
-		"chain established.\n",
-		cli->desthost ));
-
-	status = netlogon_creds_cli_auth(cli->netlogon_creds, b,
-					 password, NULL);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(frame);
-		return status;
-	}
-
-	status = netlogon_creds_cli_get(cli->netlogon_creds,
-					frame, &creds);
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(frame);
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	*neg_flags_inout = creds->negotiate_flags;
-	TALLOC_FREE(frame);
-	return NT_STATUS_OK;
-}
 
 NTSTATUS rpccli_pre_open_netlogon_creds(void)
 {
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 8547db6..0de836a 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -30,14 +30,6 @@ struct dcerpc_binding_handle;
 
 /* The following definitions come from rpc_client/cli_netlogon.c  */
 
-NTSTATUS rpccli_netlogon_setup_creds(struct rpc_pipe_client *cli,
-				     const char *server_name,
-				     const char *domain,
-				     const char *clnt_name,
-				     const char *machine_account,
-				     const unsigned char machine_pwd[16],
-				     enum netr_SchannelType sec_chan_type,
-				     uint32_t *neg_flags_inout);
 NTSTATUS rpccli_pre_open_netlogon_creds(void);
 NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 				      const char *server_netbios_domain,
-- 
1.9.3


From 2a072da1cc18acc7eb6d82769dc96b7e94ec57fe Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 19:23:18 +0200
Subject: [PATCH 210/249] s3:rpc_client: remove unused
 rpccli_netlogon_sam_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e4fea80693b49e79a96acdac09d5ea292756635c)
---
 source3/rpc_client/cli_netlogon.c | 124 --------------------------------------
 source3/rpc_client/cli_netlogon.h |   9 ---
 2 files changed, 133 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 687d0c2..171337a 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -160,130 +160,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 
 /* Logon domain user */
 
-NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-				   TALLOC_CTX *mem_ctx,
-				   uint32 logon_parameters,
-				   const char *domain,
-				   const char *username,
-				   const char *password,
-				   const char *workstation,
-				   uint16_t _ignored_validation_level,
-				   int logon_type)
-{
-	NTSTATUS status;
-	union netr_LogonLevel *logon;
-	uint16_t validation_level = 0;
-	union netr_Validation *validation = NULL;
-	uint8_t authoritative = 0;
-	uint32_t flags = 0;
-	fstring clnt_name_slash;
-
-	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-	if (!logon) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (workstation) {
-		fstr_sprintf( clnt_name_slash, "\\\\%s", workstation );
-	} else {
-		fstr_sprintf( clnt_name_slash, "\\\\%s", lp_netbios_name() );
-	}
-
-	/* Initialise input parameters */
-
-	switch (logon_type) {
-	case NetlogonInteractiveInformation: {
-
-		struct netr_PasswordInfo *password_info;
-
-		struct samr_Password lmpassword;
-		struct samr_Password ntpassword;
-
-		password_info = talloc_zero(mem_ctx, struct netr_PasswordInfo);
-		if (!password_info) {
-			return NT_STATUS_NO_MEMORY;
-		}
-
-		nt_lm_owf_gen(password, ntpassword.hash, lmpassword.hash);
-
-		password_info->identity_info.domain_name.string		= domain;
-		password_info->identity_info.parameter_control		= logon_parameters;
-		password_info->identity_info.logon_id_low		= 0xdead;
-		password_info->identity_info.logon_id_high		= 0xbeef;
-		password_info->identity_info.account_name.string	= username;
-		password_info->identity_info.workstation.string		= clnt_name_slash;
-
-		password_info->lmpassword = lmpassword;
-		password_info->ntpassword = ntpassword;
-
-		logon->password = password_info;
-
-		break;
-	}
-	case NetlogonNetworkInformation: {
-		struct netr_NetworkInfo *network_info;
-		uint8 chal[8];
-		unsigned char local_lm_response[24];
-		unsigned char local_nt_response[24];
-		struct netr_ChallengeResponse lm;
-		struct netr_ChallengeResponse nt;
-
-		ZERO_STRUCT(lm);
-		ZERO_STRUCT(nt);
-
-		network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-		if (!network_info) {
-			return NT_STATUS_NO_MEMORY;
-		}
-
-		generate_random_buffer(chal, 8);
-
-		SMBencrypt(password, chal, local_lm_response);
-		SMBNTencrypt(password, chal, local_nt_response);
-
-		lm.length = 24;
-		lm.data = local_lm_response;
-
-		nt.length = 24;
-		nt.data = local_nt_response;
-
-		network_info->identity_info.domain_name.string		= domain;
-		network_info->identity_info.parameter_control		= logon_parameters;
-		network_info->identity_info.logon_id_low		= 0xdead;
-		network_info->identity_info.logon_id_high		= 0xbeef;
-		network_info->identity_info.account_name.string		= username;
-		network_info->identity_info.workstation.string		= clnt_name_slash;
-
-		memcpy(network_info->challenge, chal, 8);
-		network_info->nt = nt;
-		network_info->lm = lm;
-
-		logon->network = network_info;
-
-		break;
-	}
-	default:
-		DEBUG(0, ("switch value %d not supported\n",
-			logon_type));
-		return NT_STATUS_INVALID_INFO_CLASS;
-	}
-
-	status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
-						  cli->binding_handle,
-						  logon_type,
-						  logon,
-						  mem_ctx,
-						  &validation_level,
-						  &validation,
-						  &authoritative,
-						  &flags);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	return NT_STATUS_OK;
-}
-
 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
 					struct dcerpc_binding_handle *binding_handle,
 					uint32_t logon_parameters,
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 0de836a..eaa5b0c 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -43,15 +43,6 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 				     bool force_reauth,
 				     struct samr_Password current_nt_hash,
 				     const struct samr_Password *previous_nt_hash);
-NTSTATUS rpccli_netlogon_sam_logon(struct rpc_pipe_client *cli,
-				   TALLOC_CTX *mem_ctx,
-				   uint32 logon_parameters,
-				   const char *domain,
-				   const char *username,
-				   const char *password,
-				   const char *workstation,
-				   uint16_t validation_level,
-				   int logon_type);
 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
 					struct dcerpc_binding_handle *binding_handle,
 					uint32_t logon_parameters,
-- 
1.9.3


From 4092fca5daf42e1cd26af8069b09b97a7d01df9c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 19:23:54 +0200
Subject: [PATCH 211/249] s3:rpc_client: remove unused
 rpccli_netlogon_sam_network_logon()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3f41b583840ffa2220f61eea61833bf3c6bd33db)
---
 source3/rpc_client/cli_netlogon.c | 94 ---------------------------------------
 source3/rpc_client/cli_netlogon.h | 12 -----
 2 files changed, 106 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 171337a..ca2d9bf 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -346,100 +346,6 @@ static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
  * @param info3 Pointer to a NET_USER_INFO_3 already allocated by the caller.
  **/
 
-NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
-					   TALLOC_CTX *mem_ctx,
-					   uint32 logon_parameters,
-					   const char *server,
-					   const char *username,
-					   const char *domain,
-					   const char *workstation,
-					   const uint8 chal[8],
-					   uint16_t _ignored_validation_level,
-					   DATA_BLOB lm_response,
-					   DATA_BLOB nt_response,
-					   struct netr_SamInfo3 **info3)
-{
-	NTSTATUS status;
-	const char *workstation_name_slash;
-	union netr_LogonLevel *logon = NULL;
-	struct netr_NetworkInfo *network_info;
-	uint16_t validation_level = 0;
-	union netr_Validation *validation = NULL;
-	uint8_t authoritative = 0;
-	uint32_t flags = 0;
-	struct netr_ChallengeResponse lm;
-	struct netr_ChallengeResponse nt;
-
-	*info3 = NULL;
-
-	ZERO_STRUCT(lm);
-	ZERO_STRUCT(nt);
-
-	logon = talloc_zero(mem_ctx, union netr_LogonLevel);
-	if (!logon) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	network_info = talloc_zero(mem_ctx, struct netr_NetworkInfo);
-	if (!network_info) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (workstation[0] != '\\' && workstation[1] != '\\') {
-		workstation_name_slash = talloc_asprintf(mem_ctx, "\\\\%s", workstation);
-	} else {
-		workstation_name_slash = workstation;
-	}
-
-	if (!workstation_name_slash) {
-		DEBUG(0, ("talloc_asprintf failed!\n"));
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	/* Initialise input parameters */
-
-	lm.data = lm_response.data;
-	lm.length = lm_response.length;
-	nt.data = nt_response.data;
-	nt.length = nt_response.length;
-
-	network_info->identity_info.domain_name.string		= domain;
-	network_info->identity_info.parameter_control		= logon_parameters;
-	network_info->identity_info.logon_id_low		= 0xdead;
-	network_info->identity_info.logon_id_high		= 0xbeef;
-	network_info->identity_info.account_name.string		= username;
-	network_info->identity_info.workstation.string		= workstation_name_slash;
-
-	memcpy(network_info->challenge, chal, 8);
-	network_info->nt = nt;
-	network_info->lm = lm;
-
-	logon->network = network_info;
-
-	/* Marshall data and send request */
-
-	status = netlogon_creds_cli_LogonSamLogon(cli->netlogon_creds,
-						  cli->binding_handle,
-						  NetlogonNetworkInformation,
-						  logon,
-						  mem_ctx,
-						  &validation_level,
-						  &validation,
-						  &authoritative,
-						  &flags);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	status = map_validation_to_info3(mem_ctx,
-					 validation_level, validation,
-					 info3);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	return NT_STATUS_OK;
-}
 
 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 				       struct dcerpc_binding_handle *binding_handle,
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index eaa5b0c..61fed4a 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -51,18 +51,6 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 					const char *password,
 					const char *workstation,
 					enum netr_LogonInfoClass logon_type);
-NTSTATUS rpccli_netlogon_sam_network_logon(struct rpc_pipe_client *cli,
-					   TALLOC_CTX *mem_ctx,
-					   uint32 logon_parameters,
-					   const char *server,
-					   const char *username,
-					   const char *domain,
-					   const char *workstation,
-					   const uint8 chal[8],
-					   uint16_t validation_level,
-					   DATA_BLOB lm_response,
-					   DATA_BLOB nt_response,
-					   struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 				       struct dcerpc_binding_handle *binding_handle,
 				       TALLOC_CTX *mem_ctx,
-- 
1.9.3


From bdfc02fd5830ed6e2f14aaf90456e572028ada6a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 16 Sep 2013 19:25:27 +0200
Subject: [PATCH 212/249] s3:rpc_client: finally remove unused
 rpc_pipe_client->netlogon_creds

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c0761c3eae34175d772476006caf5caad68bd8c6)
---
 source3/rpc_client/cli_pipe.c   | 9 ---------
 source3/rpc_client/rpc_client.h | 3 ---
 2 files changed, 12 deletions(-)

diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 31cd7f5..8613a21 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3097,15 +3097,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
 		return status;
 	}
 
-	status = netlogon_creds_cli_context_copy(netlogon_creds,
-						 rpccli,
-						 &rpccli->netlogon_creds);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("netlogon_creds_cli_context_copy failed with %s\n",
-			  nt_errstr(status)));
-		TALLOC_FREE(rpccli);
-		return status;
-	}
 
 done:
 	DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
diff --git a/source3/rpc_client/rpc_client.h b/source3/rpc_client/rpc_client.h
index 7c4cceb..7c5ff0e 100644
--- a/source3/rpc_client/rpc_client.h
+++ b/source3/rpc_client/rpc_client.h
@@ -48,9 +48,6 @@ struct rpc_pipe_client {
 	uint16 max_recv_frag;
 
 	struct pipe_auth_data *auth;
-
-	/* The following is only non-null on a netlogon client pipe. */
-	struct netlogon_creds_cli_context *netlogon_creds;
 };
 
 #endif /* _RPC_CLIENT_H */
-- 
1.9.3


From 710124dca6a97d9148d62bc9aa727568d5284e45 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 17 Oct 2013 19:17:12 +0200
Subject: [PATCH 213/249] libcli/auth: remove unused
 netlogon_creds_cli_context_copy()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3d45d4dc3c69557bf1d1fe6d4a880ad74a2a41f1)
---
 libcli/auth/netlogon_creds_cli.c | 47 ----------------------------------------
 libcli/auth/netlogon_creds_cli.h |  4 ----
 2 files changed, 51 deletions(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 6590b21..1724064 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -488,53 +488,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS netlogon_creds_cli_context_copy(
-				const struct netlogon_creds_cli_context *src,
-				TALLOC_CTX *mem_ctx,
-				struct netlogon_creds_cli_context **_dst)
-{
-	struct netlogon_creds_cli_context *dst;
-
-	dst = talloc_zero(mem_ctx, struct netlogon_creds_cli_context);
-	if (dst == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	*dst = *src;
-
-	dst->client.computer = talloc_strdup(dst, src->client.computer);
-	if (dst->client.computer == NULL) {
-		TALLOC_FREE(dst);
-		return NT_STATUS_NO_MEMORY;
-	}
-	dst->client.account = talloc_strdup(dst, src->client.account);
-	if (dst->client.account == NULL) {
-		TALLOC_FREE(dst);
-		return NT_STATUS_NO_MEMORY;
-	}
-	dst->server.computer = talloc_strdup(dst, src->server.computer);
-	if (dst->server.computer == NULL) {
-		TALLOC_FREE(dst);
-		return NT_STATUS_NO_MEMORY;
-	}
-	dst->server.netbios_domain = talloc_strdup(dst, src->server.netbios_domain);
-	if (dst->server.netbios_domain == NULL) {
-		TALLOC_FREE(dst);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	dst->db.key_name = talloc_strdup(dst, src->db.key_name);
-	if (dst->db.key_name == NULL) {
-		TALLOC_FREE(dst);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	dst->db.key_data = string_term_tdb_data(dst->db.key_name);
-
-	*_dst = dst;
-	return NT_STATUS_OK;
-}
-
 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
 		struct netlogon_creds_cli_context *context)
 {
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index f8f2bef..5bd8bd3 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -49,10 +49,6 @@ NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
 				const char *server_netbios_domain,
 				TALLOC_CTX *mem_ctx,
 				struct netlogon_creds_cli_context **_context);
-NTSTATUS netlogon_creds_cli_context_copy(
-				const struct netlogon_creds_cli_context *src,
-				TALLOC_CTX *mem_ctx,
-				struct netlogon_creds_cli_context **_dst);
 
 enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
 		struct netlogon_creds_cli_context *context);
-- 
1.9.3


From aa3a65e9770bb81e73b30e71b49855b18d012e68 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Dec 2013 11:38:21 +0100
Subject: [PATCH 214/249] lib/param: add "allow nt4 crypto" option, defaulting
 to false

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 87bdc88328568359e51af6615b378ba8dc67f647)
---
 docs-xml/smbdotconf/logon/allownt4crypto.xml | 26 ++++++++++++++++++++++++++
 lib/param/param_functions.c                  |  1 +
 lib/param/param_table.c                      |  9 +++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml

diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
new file mode 100644
index 0000000..4d417c7
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -0,0 +1,26 @@
+<samba:parameter name="allow nt4 crypto"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+	nor NETLOGON_NEG_SUPPORTS_AES.</para>
+
+	<para>This option was added with Samba 4.2.0. It may lock out clients
+	which worked fine with Samba versions up to 4.1.x. as the effective default
+	was "yes" there, while it is "no" now.</para>
+
+	<para>If you have clients without RequireStrongKey = 1 in the registry,
+	you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
+	</para>
+
+	<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
+
+	<para>This option yields precedence to the 'reject md5 clients' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 41b137f..bf931c6 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
 FN_LOCAL_BOOL(durable_handles, bDurableHandles)
 
 FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
 FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
 FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
 FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 36e8554..5ef78de 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4324,6 +4324,15 @@ static struct parm_struct parm_table[] = {
 		.special	= NULL,
 		.enum_list	= NULL
 	},
+	{
+		.label		= "allow nt4 crypto",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(bAllowNT4Crypto),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{N_("TLS options"), P_SEP, P_SEPARATOR},
 
-- 
1.9.3


From 51323c0574963065e2edf9346f310f08ce2b59e8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Dec 2013 11:39:15 +0100
Subject: [PATCH 215/249] lib/param: add "reject md5 client" option, defaulting
 to false

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 807bcb4981fb20a9b97e69f01c3545ea7e85666e)
---
 docs-xml/smbdotconf/logon/rejectmd5clients.xml | 18 ++++++++++++++++++
 lib/param/param_functions.c                    |  1 +
 lib/param/param_table.c                        |  9 +++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 docs-xml/smbdotconf/logon/rejectmd5clients.xml

diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
new file mode 100644
index 0000000..04a5b4d
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -0,0 +1,18 @@
+<samba:parameter name="reject md5 clients"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
+
+	<para>You can set this to yes if all domain members support aes.
+	This will prevent downgrade attacks.</para>
+
+	<para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index bf931c6..99f0b7f 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -205,6 +205,7 @@ FN_GLOBAL_BOOL(pam_password_change, bPamPasswordChange)
 FN_GLOBAL_BOOL(passdb_expand_explicit, bPassdbExpandExplicit)
 FN_GLOBAL_BOOL(passwd_chat_debug, bPasswdChatDebug)
 FN_GLOBAL_BOOL(registry_shares, bRegistryShares)
+FN_GLOBAL_BOOL(reject_md5_clients, bRejectMD5Clients)
 FN_GLOBAL_BOOL(reject_md5_servers, bRejectMD5Servers)
 FN_GLOBAL_BOOL(require_strong_key, bRequireStrongKey)
 FN_GLOBAL_BOOL(reset_on_zero_vc, bResetOnZeroVC)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 5ef78de..4850324 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4333,6 +4333,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "reject md5 clients",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(bRejectMD5Clients),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{N_("TLS options"), P_SEP, P_SEPARATOR},
 
-- 
1.9.3


From 4f3cd17f89ddedaf6e34bc17b220f6ae6993d0c0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Dec 2013 13:41:43 +0100
Subject: [PATCH 216/249] selftest/Samba4: use "allow nt4 crypto = yes" for
 testing

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0d4806f9f056c3e37f5aed1ef19e2924aa8f4151)
---
 selftest/target/Samba4.pm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index ac2fdd9..ee6a365 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -776,6 +776,7 @@ sub provision($$$$$$$$$)
 	server max protocol = SMB2
 	host msdfs = $msdfs
 	lanman auth = yes
+	allow nt4 crypto = yes
 
 	$extra_smbconf_options
 
-- 
1.9.3


From 32f88ae5a3d254c6e1b94ea2aaa45febf475af9e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 23 Dec 2013 10:12:24 +0100
Subject: [PATCH 217/249] s4:netlogon: correctly calculate the negotiate_flags

We need to bit-wise AND the client and server flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3b77b804cdc9e7621f026ef9bc8e7059f471348e)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 59 +++++++++++++--------------
 1 file changed, 28 insertions(+), 31 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index c41cd02..b001cb5 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -120,6 +120,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 
 	const char *trust_dom_attrs[] = {"flatname", NULL};
 	const char *account_name;
+	uint32_t server_flags = 0;
 	uint32_t negotiate_flags = 0;
 
 	ZERO_STRUCTP(r->out.return_credentials);
@@ -176,37 +177,33 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	memcache_delete(global_challenge_table,
 			SINGLETON_CACHE, challenge_key);
 
-	negotiate_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
-			  NETLOGON_NEG_PERSISTENT_SAMREPL |
-			  NETLOGON_NEG_ARCFOUR |
-			  NETLOGON_NEG_PROMOTION_COUNT |
-			  NETLOGON_NEG_CHANGELOG_BDC |
-			  NETLOGON_NEG_FULL_SYNC_REPL |
-			  NETLOGON_NEG_MULTIPLE_SIDS |
-			  NETLOGON_NEG_REDO |
-			  NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
-			  NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
-			  NETLOGON_NEG_GENERIC_PASSTHROUGH |
-			  NETLOGON_NEG_CONCURRENT_RPC |
-			  NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
-			  NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
-			  NETLOGON_NEG_TRANSITIVE_TRUSTS |
-			  NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
-			  NETLOGON_NEG_PASSWORD_SET2 |
-			  NETLOGON_NEG_GETDOMAININFO |
-			  NETLOGON_NEG_CROSS_FOREST_TRUSTS |
-			  NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
-			  NETLOGON_NEG_RODC_PASSTHROUGH |
-			  NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
-			  NETLOGON_NEG_AUTHENTICATED_RPC;
-
-	if (*r->in.negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
-		negotiate_flags |= NETLOGON_NEG_STRONG_KEYS;
-	}
-
-	if (*r->in.negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
-		negotiate_flags |= NETLOGON_NEG_SUPPORTS_AES;
-	}
+	server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT |
+		       NETLOGON_NEG_PERSISTENT_SAMREPL |
+		       NETLOGON_NEG_ARCFOUR |
+		       NETLOGON_NEG_PROMOTION_COUNT |
+		       NETLOGON_NEG_CHANGELOG_BDC |
+		       NETLOGON_NEG_FULL_SYNC_REPL |
+		       NETLOGON_NEG_MULTIPLE_SIDS |
+		       NETLOGON_NEG_REDO |
+		       NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+		       NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+		       NETLOGON_NEG_GENERIC_PASSTHROUGH |
+		       NETLOGON_NEG_CONCURRENT_RPC |
+		       NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+		       NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+		       NETLOGON_NEG_STRONG_KEYS |
+		       NETLOGON_NEG_TRANSITIVE_TRUSTS |
+		       NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+		       NETLOGON_NEG_PASSWORD_SET2 |
+		       NETLOGON_NEG_GETDOMAININFO |
+		       NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+		       NETLOGON_NEG_NEUTRALIZE_NT4_EMULATION |
+		       NETLOGON_NEG_RODC_PASSTHROUGH |
+		       NETLOGON_NEG_SUPPORTS_AES |
+		       NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+		       NETLOGON_NEG_AUTHENTICATED_RPC;
+
+	negotiate_flags = *r->in.negotiate_flags & server_flags;
 
 	/*
 	 * According to Microsoft (see bugid #6099)
-- 
1.9.3


From ce8c9b651d9da88a13a8cd0fe02e5f3e2f1f6b51 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 23 Dec 2013 10:10:17 +0100
Subject: [PATCH 218/249] s4:netlogon: don't generate a debug message for
 SEC_CHAN_NULL.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2e36fbc77dc43f31ec78cdbef23b94bd00d6f565)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index b001cb5..45a7262 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -220,6 +220,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	case SEC_CHAN_BDC:
 	case SEC_CHAN_RODC:
 		break;
+	case SEC_CHAN_NULL:
+		return NT_STATUS_INVALID_PARAMETER;
 	default:
 		DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
 			  r->in.secure_channel_type));
-- 
1.9.3


From b4d5ace784d207f8562a4c93b55de415a81cec42 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 6 Dec 2013 12:08:50 +0100
Subject: [PATCH 219/249] s4:netlogon: implement "allow nt4 crypto" and "reject
 md5 clients" features.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Jan  7 16:53:31 CET 2014 on sn-devel-104
(cherry picked from commit 7d2abf520df1ff46d79dfd8ff579c230f2bc3c2a)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 45a7262..6b57cda 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -122,6 +122,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	const char *account_name;
 	uint32_t server_flags = 0;
 	uint32_t negotiate_flags = 0;
+	bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
+	bool reject_des_client = !allow_nt4_crypto;
+	bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
 
 	ZERO_STRUCTP(r->out.return_credentials);
 	*r->out.rid = 0;
@@ -205,6 +208,23 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 
 	negotiate_flags = *r->in.negotiate_flags & server_flags;
 
+	if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+		reject_des_client = false;
+	}
+
+	if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+		reject_des_client = false;
+		reject_md5_client = false;
+	}
+
+	if (reject_des_client || reject_md5_client) {
+		/*
+		 * Here we match Windows 2012 and return no flags.
+		 */
+		*r->out.negotiate_flags = 0;
+		return NT_STATUS_DOWNGRADE_DETECTED;
+	}
+
 	/*
 	 * According to Microsoft (see bugid #6099)
 	 * Windows 7 looks at the negotiate_flags
-- 
1.9.3


From ff28e17cdcbe8e1ec4a275d80b3e749da4920c6d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 8 Jan 2014 12:04:22 +0100
Subject: [PATCH 220/249] libcli/auth: fix usage of an uninitialized variable
 in netlogon_creds_cli_check_caps()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If status is RPC_PROCNUM_OUT_OF_RANGE, result might be uninitialized.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
(cherry picked from commit 0e62f3279525ea864590f713f334f4dc5f5d3a32)
---
 libcli/auth/netlogon_creds_cli.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 1724064..51b30a1 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1390,7 +1390,7 @@ struct netlogon_creds_cli_check_state {
 };
 
 static void netlogon_creds_cli_check_cleanup(struct tevent_req *req,
-						     NTSTATUS status);
+					     NTSTATUS status);
 static void netlogon_creds_cli_check_locked(struct tevent_req *subreq);
 
 struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
@@ -1582,7 +1582,7 @@ static void netlogon_creds_cli_check_caps(struct tevent_req *subreq)
 		 * with the next request as the sequence number processing
 		 * gets out of sync.
 		 */
-		netlogon_creds_cli_check_cleanup(req, result);
+		netlogon_creds_cli_check_cleanup(req, status);
 		tevent_req_done(req);
 		return;
 	}
-- 
1.9.3


From d4902881482eeecf5a219342b3862ac0fbb7b7a9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 17 Jan 2014 14:00:27 +0100
Subject: [PATCH 221/249] libcli/auth: add netlogon_creds_cli_set_global_db()

This can be used to inject a db_context from dbwrap_ctdb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ece3ba10a16138a75b207a0cf9fe299759253d99)
---
 libcli/auth/netlogon_creds_cli.c | 10 ++++++++++
 libcli/auth/netlogon_creds_cli.h |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 51b30a1..37bdf74 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -199,6 +199,16 @@ static NTSTATUS netlogon_creds_cli_context_common(
 
 static struct db_context *netlogon_creds_cli_global_db;
 
+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
+{
+	if (netlogon_creds_cli_global_db != NULL) {
+		return NT_STATUS_INVALID_PARAMETER_MIX;
+	}
+
+	netlogon_creds_cli_global_db = talloc_move(talloc_autofree_context(), db);
+	return NT_STATUS_OK;
+}
+
 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
 {
 	char *fname;
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 5bd8bd3..90d0182 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -28,7 +28,9 @@
 struct netlogon_creds_cli_context;
 struct messaging_context;
 struct dcerpc_binding_handle;
+struct db_context;
 
+NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
 
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
-- 
1.9.3


From 80407a74da35cac64bef252698a2477787f0997d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 17 Jan 2014 14:07:37 +0100
Subject: [PATCH 222/249] s3:rpc_client: use db_open() to open
 "netlogon_creds_cli.tdb"

This uses dbwrap_ctdb if running in a cluster.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8cf4eff201aa9e1ba8127311bcfc2a357fb4ef03)
---
 source3/rpc_client/cli_netlogon.c | 38 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index ca2d9bf..b7b490f 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -21,6 +21,7 @@
 */
 
 #include "includes.h"
+#include "system/filesys.h"
 #include "libsmb/libsmb.h"
 #include "rpc_client/rpc_client.h"
 #include "rpc_client/cli_pipe.h"
@@ -34,26 +35,53 @@
 #include "../libcli/security/security.h"
 #include "lib/param/param.h"
 #include "libcli/smb/smbXcli_base.h"
+#include "dbwrap/dbwrap.h"
+#include "dbwrap/dbwrap_open.h"
+#include "util_tdb.h"
 
 
 NTSTATUS rpccli_pre_open_netlogon_creds(void)
 {
-	TALLOC_CTX *frame = talloc_stackframe();
+	static bool already_open = false;
+	TALLOC_CTX *frame;
 	struct loadparm_context *lp_ctx;
+	char *fname;
+	struct db_context *global_db;
 	NTSTATUS status;
 
+	if (already_open) {
+		return NT_STATUS_OK;
+	}
+
+	frame = talloc_stackframe();
+
 	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
 	if (lp_ctx == NULL) {
 		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = netlogon_creds_cli_open_global_db(lp_ctx);
+	fname = lpcfg_private_db_path(frame, lp_ctx, "netlogon_creds_cli");
+	if (fname == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	global_db = db_open(talloc_autofree_context(), fname,
+			    0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
+			    O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
+	if (global_db == NULL) {
+		TALLOC_FREE(frame);
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	status = netlogon_creds_cli_set_global_db(&global_db);
 	TALLOC_FREE(frame);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
 
+	already_open = true;
 	return NT_STATUS_OK;
 }
 
@@ -69,6 +97,12 @@ NTSTATUS rpccli_create_netlogon_creds(const char *server_computer,
 	struct loadparm_context *lp_ctx;
 	NTSTATUS status;
 
+	status = rpccli_pre_open_netlogon_creds();
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
+		return status;
+	}
+
 	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
 	if (lp_ctx == NULL) {
 		TALLOC_FREE(frame);
-- 
1.9.3


From 2ed3041405f5808031f2d5fd0e42f48246d22b7b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 17 Jan 2014 14:08:59 +0100
Subject: [PATCH 223/249] libcli/auth: don't alter the computer_name in cluster
 mode.

This breaks NTLMv2 authentication.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 387ed2e15df085274f72cebda341040a1e767a4b)
---
 libcli/auth/netlogon_creds_cli.c | 22 +++-------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 37bdf74..88893ad 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -261,28 +261,12 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 	bool seal_secure_channel = true;
 	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
 	bool neutralize_nt4_emulation = false;
-	struct server_id self = {
-		.vnn = NONCLUSTER_VNN,
-		.unique_id = SERVERID_UNIQUE_ID_NOT_TO_VERIFY,
-	};
-
-	if (msg_ctx != NULL) {
-		self = messaging_server_id(msg_ctx);
-	}
 
 	*_context = NULL;
 
-	if (self.vnn != NONCLUSTER_VNN) {
-		client_computer = talloc_asprintf(frame,
-						  "%s_cluster_vnn_%u",
-						  lpcfg_netbios_name(lp_ctx),
-						  (unsigned)self.vnn);
-		if (client_computer == NULL) {
-			TALLOC_FREE(frame);
-			return NT_STATUS_NO_MEMORY;
-		}
-	} else {
-		client_computer = lpcfg_netbios_name(lp_ctx);
+	client_computer = lpcfg_netbios_name(lp_ctx);
+	if (strlen(client_computer) > 15) {
+		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
 
 	/*
-- 
1.9.3


From 8257c3a5d6e8319578d224e544242da81b043a54 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 10 Jan 2014 13:13:40 +0100
Subject: [PATCH 224/249] libcli/auth: reject computer_name longer than 15
 chars

This matches Windows, it seems they use a fixed size field to store
netlogon_creds_CredentialState.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b8fdeb8ca7ce362058bb86a4e58b34fb6340867e)
---
 libcli/auth/schannel_state_tdb.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 8f9c1f0..b91e242 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -78,6 +78,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
 	char *name_upper;
 	NTSTATUS status;
 
+	if (strlen(creds->computer_name) > 15) {
+		/*
+		 * We may want to check for a completely
+		 * valid netbios name.
+		 */
+		return STATUS_BUFFER_OVERFLOW;
+	}
+
 	name_upper = strupper_talloc(mem_ctx, creds->computer_name);
 	if (!name_upper) {
 		return NT_STATUS_NO_MEMORY;
-- 
1.9.3


From d6af8ed76f728621a8ba7515cf1180d6654c8d83 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 11 Jan 2014 17:13:04 +0100
Subject: [PATCH 225/249] s3:rpc_server/netlogon: return a zero
 return_authenticator on error

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit dcc2c8362df9af088613722ebd8a6261fb098a5c)
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 09857b6..7bb9dd6 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 	talloc_unlink(p->mem_ctx, lp_ctx);
 
 	if (!NT_STATUS_IS_OK(status)) {
+		ZERO_STRUCTP(r->out.return_credentials);
 		goto out;
 	}
 
-- 
1.9.3


From be06629b25f8340ac54a9e674e6a5da1eb01e733 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sat, 11 Jan 2014 17:13:04 +0100
Subject: [PATCH 226/249] s4:rpc_server/netlogon: return a zero
 return_authenticator and rid on error

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 25fb73f2821821630dde4cc263794e754ca03d68)
---
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 6b57cda..afa15d8 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -348,9 +348,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	*r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
-						"objectSid", 0);
-
 	mach_pwd = samdb_result_hash(mem_ctx, msgs[0], "unicodePwd");
 	if (mach_pwd == NULL) {
 		return NT_STATUS_ACCESS_DENIED;
@@ -383,8 +380,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	nt_status = schannel_save_creds_state(mem_ctx,
 					      dce_call->conn->dce_ctx->lp_ctx,
 					      creds);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		ZERO_STRUCTP(r->out.return_credentials);
+		return nt_status;
+	}
 
-	return nt_status;
+	*r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0],
+						"objectSid", 0);
+
+	return NT_STATUS_OK;
 }
 
 static NTSTATUS dcesrv_netr_ServerAuthenticate(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-- 
1.9.3


From f5fe58d49fc66867db743393a92e1cd8e4cb293b Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Wed, 29 Jan 2014 16:58:37 +0100
Subject: [PATCH 227/249] dbwrap_tool: remove the short form "-p" of
 "--persistent"

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6dd1008c4e8b0b798d589959021c9b578db74ff4)
---
 source3/utils/dbwrap_tool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
index 79b40d2..406e89e 100644
--- a/source3/utils/dbwrap_tool.c
+++ b/source3/utils/dbwrap_tool.c
@@ -420,7 +420,7 @@ int main(int argc, const char **argv)
 	struct poptOption popt_options[] = {
 		POPT_AUTOHELP
 		POPT_COMMON_SAMBA
-		{ "persistent", 'p', POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
+		{ "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
 		POPT_TABLEEND
 	};
 	int opt;
-- 
1.9.3


From 209b5ec86620f8caadcc714db0cbec4789db0377 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 30 Jan 2014 10:33:00 +0100
Subject: [PATCH 228/249] docs: remove short form "-p" of --persistent from
 dbwrap_tool manpage

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6f748fef652bbea3c8dbbbfb96b95270e6f1dcfc)
---
 docs-xml/manpages/dbwrap_tool.1.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
index 074d819..94ae281 100644
--- a/docs-xml/manpages/dbwrap_tool.1.xml
+++ b/docs-xml/manpages/dbwrap_tool.1.xml
@@ -19,7 +19,7 @@
 <refsynopsisdiv>
 	<cmdsynopsis>
 		<command>dbwrap_tool</command>
-		<arg choice="opt">-p|--persistent</arg>
+		<arg choice="opt">--persistent</arg>
 		<arg choice="opt">-d &lt;debug level&gt;</arg>
 		<arg choice="opt">-s &lt;config file&gt;</arg>
 		<arg choice="opt">-l &lt;log file base&gt;</arg>
@@ -70,7 +70,7 @@
 
 	<variablelist>
 		<varlistentry>
-			<term>-p|--persistent</term>
+			<term>--persistent</term>
 			<listitem><para>Open the database as a persistent database.
 			If this option is not specified, the database is opened as
 			non-persistent.
-- 
1.9.3


From f3b8b74ff6d74fe9a0047256074e21c3363b112f Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 30 Jan 2014 10:29:49 +0100
Subject: [PATCH 229/249] dbwrap_tool: add option "--non-persistent" and force
 excatly one of "--[non-]persistent"

We want to force users of dbwrap_tool to explicitly specify
persistent or non-persistent. Otherwise, one could easily
by accident wipe a whole database that is actually persistent
but not currently opened by a samba process, just by openeing
the DB with the default non-persistent mode...

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c3f93271ef447f9f16cd3002307c630c5f149f5a)
---
 source3/utils/dbwrap_tool.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
index 406e89e..ffca6b6 100644
--- a/source3/utils/dbwrap_tool.c
+++ b/source3/utils/dbwrap_tool.c
@@ -411,6 +411,7 @@ int main(int argc, const char **argv)
 	enum dbwrap_type type;
 	const char *valuestr = "0";
 	int persistent = 0;
+	int non_persistent = 0;
 	int tdb_flags = TDB_DEFAULT;
 
 	TALLOC_CTX *mem_ctx = talloc_stackframe();
@@ -420,7 +421,13 @@ int main(int argc, const char **argv)
 	struct poptOption popt_options[] = {
 		POPT_AUTOHELP
 		POPT_COMMON_SAMBA
-		{ "persistent", 0, POPT_ARG_NONE, &persistent, 0, "treat the database as persistent", NULL },
+		{ "non-persistent", 0, POPT_ARG_NONE, &non_persistent, 0,
+		  "treat the database as non-persistent "
+		  "(CAVEAT: This mode might wipe your database!)",
+		  NULL },
+		{ "persistent", 0, POPT_ARG_NONE, &persistent, 0,
+		  "treat the database as persistent",
+		  NULL },
 		POPT_TABLEEND
 	};
 	int opt;
@@ -463,6 +470,16 @@ int main(int argc, const char **argv)
 		goto done;
 	}
 
+	if ((persistent == 0 && non_persistent == 0) ||
+	    (persistent == 1 && non_persistent == 1))
+	{
+		d_fprintf(stderr, "ERROR: you must specify exactly one "
+			  "of --persistent and --non-persistent\n");
+		goto done;
+	} else if (non_persistent == 1) {
+		tdb_flags |= TDB_CLEAR_IF_FIRST;
+	}
+
 	dbname = extra_argv[0];
 	opname = extra_argv[1];
 
@@ -563,10 +580,6 @@ int main(int argc, const char **argv)
 		goto done;
 	}
 
-	if (persistent == 0) {
-		tdb_flags |= TDB_CLEAR_IF_FIRST;
-	}
-
 	switch (op) {
 	case OP_FETCH:
 	case OP_STORE:
-- 
1.9.3


From 7209e84e02c722365bec4e2a473c24217cbeb22b Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 30 Jan 2014 10:36:46 +0100
Subject: [PATCH 230/249] docs: document new --non-persistent option to
 dbwrap_tool

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 1e3b352f799038ec25437db53e051dadb9d97c95)
---
 docs-xml/manpages/dbwrap_tool.1.xml | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
index 94ae281..ff0e478 100644
--- a/docs-xml/manpages/dbwrap_tool.1.xml
+++ b/docs-xml/manpages/dbwrap_tool.1.xml
@@ -20,6 +20,7 @@
 	<cmdsynopsis>
 		<command>dbwrap_tool</command>
 		<arg choice="opt">--persistent</arg>
+		<arg choice="opt">--non-persistent</arg>
 		<arg choice="opt">-d &lt;debug level&gt;</arg>
 		<arg choice="opt">-s &lt;config file&gt;</arg>
 		<arg choice="opt">-l &lt;log file base&gt;</arg>
@@ -72,8 +73,23 @@
 		<varlistentry>
 			<term>--persistent</term>
 			<listitem><para>Open the database as a persistent database.
-			If this option is not specified, the database is opened as
-			non-persistent.
+			</para>
+			<para>
+			Exactly one of --persistent and --non-persistent must be
+			specified.
+			</para></listitem>
+		</varlistentry>
+		<varlistentry>
+			<term>--non-persistent</term>
+			<listitem><para>Open the database as a non-persistent database.
+			</para>
+			<para>
+			Caveat: opening a database as non-persistent when there
+			is currently no other opener will wipe the database.
+			</para>
+			<para>
+			Exactly one of --persistent and --non-persistent must be
+			specified.
 			</para></listitem>
 		</varlistentry>
 		&popt.common.samba.client;
-- 
1.9.3


From accf5a617055c161540384fdfe195ad9c43cd048 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 30 Jan 2014 10:47:15 +0100
Subject: [PATCH 231/249] docs: remove extra spaces in synopsis of dbwrap_tool

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e93f052e37e736e5776fe7f7c7d246f9ecc4b4c8)
---
 docs-xml/manpages/dbwrap_tool.1.xml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/docs-xml/manpages/dbwrap_tool.1.xml b/docs-xml/manpages/dbwrap_tool.1.xml
index ff0e478..68a88df 100644
--- a/docs-xml/manpages/dbwrap_tool.1.xml
+++ b/docs-xml/manpages/dbwrap_tool.1.xml
@@ -30,9 +30,7 @@
 		<arg choice="req">&lt;operation&gt;</arg>
 		<arg choice="opt">&lt;key&gt;
 			<arg choice="opt">&lt;type&gt;
-				<arg choice="opt">&lt;value&gt;</arg>
-			</arg>
-		</arg>
+				<arg choice="opt">&lt;value&gt;</arg></arg></arg>
 	</cmdsynopsis>
 </refsynopsisdiv>
 
-- 
1.9.3


From 0e193981caa2ad9458e758a46076664d2efdb70e Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Fri, 24 Jan 2014 00:09:50 +0100
Subject: [PATCH 232/249] smbd:smb2: fix durable reconnect: set fsp->fnum from
 the smbXsrv_open->local_id

Originally, fsp->fnum was left at the INVALID fnum value.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6b2d67a345e90306f0d35402d0f4e3067a014057)
---
 source3/smbd/durable.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c
index c3d0a6f..471c5b9 100644
--- a/source3/smbd/durable.c
+++ b/source3/smbd/durable.c
@@ -703,6 +703,7 @@ NTSTATUS vfs_default_durable_reconnect(struct connection_struct *conn,
 	fsp->share_access = e->share_access;
 	fsp->can_read = ((fsp->access_mask & (FILE_READ_DATA)) != 0);
 	fsp->can_write = ((fsp->access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) != 0);
+	fsp->fnum = op->local_id;
 
 	/*
 	 * TODO:
-- 
1.9.3


From dbc1d6f8479cf84c714c4ed6b69df2a3673d0a46 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 24 Dec 2013 09:00:01 +0100
Subject: [PATCH 233/249] s3:smbd: skip empty records in smbXsrv_open_cleanup()

This should avoid scary ndr_pull errors, if there's
a cleanup race.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 30 18:49:37 CET 2014 on sn-devel-104
(cherry picked from commit 0b23345676c6f02d5bb1a327174d8456705ec0c7)
---
 source3/smbd/smbXsrv_open.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
index 27dd50c..29c172c 100644
--- a/source3/smbd/smbXsrv_open.c
+++ b/source3/smbd/smbXsrv_open.c
@@ -1380,6 +1380,7 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
 	struct smbXsrv_open_global0 *op = NULL;
 	uint8_t key_buf[SMBXSRV_OPEN_GLOBAL_TDB_KEY_SIZE];
 	TDB_DATA key;
+	TDB_DATA val;
 	struct db_record *rec;
 	bool delete_open = false;
 	uint32_t global_id = persistent_id & UINT32_MAX;
@@ -1395,6 +1396,14 @@ NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
 		goto done;
 	}
 
+	val = dbwrap_record_get_value(rec);
+	if (val.dsize == 0) {
+		DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
+			  "empty record in %s, skipping...\n",
+			   global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
+		goto done;
+	}
+
 	status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
-- 
1.9.3


From 838d9da4a7fe6c90ba7cae6563f0af5d8b6cf6d5 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Mon, 27 Jan 2014 13:38:51 +0100
Subject: [PATCH 234/249] dbwrap: add flags DBWRAP_FLAG_NONE

This is in preparation of adding a dbwrap_flags argument to db_open
and firends.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 229dcfd3501e4743d5d9aea5c9f7a97d7612a499)
---
 lib/dbwrap/dbwrap.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
index 8bf3286..4064ba2 100644
--- a/lib/dbwrap/dbwrap.h
+++ b/lib/dbwrap/dbwrap.h
@@ -32,6 +32,8 @@ enum dbwrap_lock_order {
 };
 #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
 
+#define DBWRAP_FLAG_NONE                     0x0000000000000000ULL
+
 /* The following definitions come from lib/dbwrap.c  */
 
 TDB_DATA dbwrap_record_get_key(const struct db_record *rec);
-- 
1.9.3


From 868d8e2fa389ab0c697e9a70a4373908aa7df80b Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Mon, 27 Jan 2014 14:49:12 +0100
Subject: [PATCH 235/249] dbwrap: add a dbwrap_flags argument to db_open()

This is in preparation to support handing flags to backends,
in particular activating read only record support for ctdb
databases. For a start, this does nothing but adding the
parameter, and all databases use DBWRAP_FLAG_NONE.

Signed-off-by: Michael Adam <obnox@samba.org>
(similar to commit cf0cb0add9ed47b8974272237fee0e1a4ba7bf68)
---
 source3/groupdb/mapping_tdb.c           | 2 +-
 source3/lib/dbwrap/dbwrap_open.c        | 3 ++-
 source3/lib/dbwrap/dbwrap_open.h        | 3 ++-
 source3/lib/dbwrap/dbwrap_watch.c       | 3 ++-
 source3/lib/g_lock.c                    | 3 ++-
 source3/lib/serverid.c                  | 3 ++-
 source3/lib/sharesec.c                  | 2 +-
 source3/locking/brlock.c                | 2 +-
 source3/locking/share_mode_lock.c       | 2 +-
 source3/modules/vfs_acl_tdb.c           | 2 +-
 source3/modules/vfs_xattr_tdb.c         | 2 +-
 source3/passdb/account_pol.c            | 4 ++--
 source3/passdb/pdb_tdb.c                | 6 +++---
 source3/passdb/secrets.c                | 2 +-
 source3/printing/printer_list.c         | 3 ++-
 source3/registry/reg_backend_db.c       | 6 +++---
 source3/rpc_client/cli_netlogon.c       | 3 ++-
 source3/smbd/notify_internal.c          | 2 +-
 source3/smbd/smbXsrv_open.c             | 3 ++-
 source3/smbd/smbXsrv_session.c          | 3 ++-
 source3/smbd/smbXsrv_tcon.c             | 3 ++-
 source3/smbd/smbXsrv_version.c          | 3 ++-
 source3/torture/test_dbwrap_watch.c     | 3 ++-
 source3/torture/test_idmap_tdb_common.c | 2 +-
 source3/torture/torture.c               | 3 ++-
 source3/utils/dbwrap_tool.c             | 2 +-
 source3/utils/dbwrap_torture.c          | 2 +-
 source3/utils/net_idmap.c               | 6 +++---
 source3/utils/net_idmap_check.c         | 2 +-
 source3/utils/net_registry_check.c      | 4 ++--
 source3/utils/status.c                  | 2 +-
 source3/winbindd/idmap_autorid.c        | 2 +-
 source3/winbindd/idmap_tdb.c            | 2 +-
 source3/winbindd/idmap_tdb2.c           | 2 +-
 34 files changed, 55 insertions(+), 42 deletions(-)

diff --git a/source3/groupdb/mapping_tdb.c b/source3/groupdb/mapping_tdb.c
index 088874f..0863187 100644
--- a/source3/groupdb/mapping_tdb.c
+++ b/source3/groupdb/mapping_tdb.c
@@ -54,7 +54,7 @@ static bool init_group_mapping(void)
 
 	db = db_open(NULL, state_path("group_mapping.tdb"), 0,
 		     TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-		     DBWRAP_LOCK_ORDER_1);
+		     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		DEBUG(0, ("Failed to open group mapping database: %s\n",
 			  strerror(errno)));
diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
index 515b4bf..6c9280c 100644
--- a/source3/lib/dbwrap/dbwrap_open.c
+++ b/source3/lib/dbwrap/dbwrap_open.c
@@ -60,7 +60,8 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
 			   const char *name,
 			   int hash_size, int tdb_flags,
 			   int open_flags, mode_t mode,
-			   enum dbwrap_lock_order lock_order)
+			   enum dbwrap_lock_order lock_order,
+			   uint64_t dbwrap_flags)
 {
 	struct db_context *result = NULL;
 #ifdef CLUSTER_SUPPORT
diff --git a/source3/lib/dbwrap/dbwrap_open.h b/source3/lib/dbwrap/dbwrap_open.h
index 51c7dfd..d14794e 100644
--- a/source3/lib/dbwrap/dbwrap_open.h
+++ b/source3/lib/dbwrap/dbwrap_open.h
@@ -39,6 +39,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
 			   const char *name,
 			   int hash_size, int tdb_flags,
 			   int open_flags, mode_t mode,
-			   enum dbwrap_lock_order lock_order);
+			   enum dbwrap_lock_order lock_order,
+			   uint64_t dbwrap_flags);
 
 #endif /* __DBWRAP_OPEN_H__ */
diff --git a/source3/lib/dbwrap/dbwrap_watch.c b/source3/lib/dbwrap/dbwrap_watch.c
index 7bdcd99..5f3d17d 100644
--- a/source3/lib/dbwrap/dbwrap_watch.c
+++ b/source3/lib/dbwrap/dbwrap_watch.c
@@ -34,7 +34,8 @@ static struct db_context *dbwrap_record_watchers_db(void)
 		watchers_db = db_open(
 			NULL, lock_path("dbwrap_watchers.tdb"),	0,
 			TDB_CLEAR_IF_FIRST | TDB_INCOMPATIBLE_HASH,
-			O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3);
+			O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_3,
+			DBWRAP_FLAG_NONE);
 	}
 	return watchers_db;
 }
diff --git a/source3/lib/g_lock.c b/source3/lib/g_lock.c
index 8c7a6c2..6813f06 100644
--- a/source3/lib/g_lock.c
+++ b/source3/lib/g_lock.c
@@ -61,7 +61,8 @@ struct g_lock_ctx *g_lock_ctx_init(TALLOC_CTX *mem_ctx,
 	result->db = db_open(result, lock_path("g_lock.tdb"), 0,
 			     TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
 			     O_RDWR|O_CREAT, 0600,
-			     DBWRAP_LOCK_ORDER_2);
+			     DBWRAP_LOCK_ORDER_2,
+			     DBWRAP_FLAG_NONE);
 	if (result->db == NULL) {
 		DEBUG(1, ("g_lock_init: Could not open g_lock.tdb\n"));
 		TALLOC_FREE(result);
diff --git a/source3/lib/serverid.c b/source3/lib/serverid.c
index cb49520..4259887 100644
--- a/source3/lib/serverid.c
+++ b/source3/lib/serverid.c
@@ -77,7 +77,8 @@ static struct db_context *serverid_db(void)
 	}
 	db = db_open(NULL, lock_path("serverid.tdb"), 0,
 		     TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-		     O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2);
+		     O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_2,
+		     DBWRAP_FLAG_NONE);
 	return db;
 }
 
diff --git a/source3/lib/sharesec.c b/source3/lib/sharesec.c
index c7a8e51..095c851 100644
--- a/source3/lib/sharesec.c
+++ b/source3/lib/sharesec.c
@@ -149,7 +149,7 @@ bool share_info_db_init(void)
 
 	share_db = db_open(NULL, state_path("share_info.tdb"), 0,
 			   TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-			   DBWRAP_LOCK_ORDER_1);
+			   DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (share_db == NULL) {
 		DEBUG(0,("Failed to open share info database %s (%s)\n",
 			state_path("share_info.tdb"), strerror(errno) ));
diff --git a/source3/locking/brlock.c b/source3/locking/brlock.c
index 5d683dd..d88aa2d 100644
--- a/source3/locking/brlock.c
+++ b/source3/locking/brlock.c
@@ -292,7 +292,7 @@ void brl_init(bool read_only)
 	brlock_db = db_open(NULL, lock_path("brlock.tdb"),
 			    lp_open_files_db_hash_size(), tdb_flags,
 			    read_only?O_RDONLY:(O_RDWR|O_CREAT), 0644,
-			    DBWRAP_LOCK_ORDER_2);
+			    DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
 	if (!brlock_db) {
 		DEBUG(0,("Failed to open byte range locking database %s\n",
 			lock_path("brlock.tdb")));
diff --git a/source3/locking/share_mode_lock.c b/source3/locking/share_mode_lock.c
index 4f049bd..22f8d9a 100644
--- a/source3/locking/share_mode_lock.c
+++ b/source3/locking/share_mode_lock.c
@@ -67,7 +67,7 @@ static bool locking_init_internal(bool read_only)
 			  lp_open_files_db_hash_size(),
 			  TDB_DEFAULT|TDB_VOLATILE|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
 			  read_only?O_RDONLY:O_RDWR|O_CREAT, 0644,
-			  DBWRAP_LOCK_ORDER_1);
+			  DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 	if (!lock_db) {
 		DEBUG(0,("ERROR: Failed to initialise locking database\n"));
diff --git a/source3/modules/vfs_acl_tdb.c b/source3/modules/vfs_acl_tdb.c
index 80839e3..8ee4bd5 100644
--- a/source3/modules/vfs_acl_tdb.c
+++ b/source3/modules/vfs_acl_tdb.c
@@ -60,7 +60,7 @@ static bool acl_tdb_init(void)
 
 	become_root();
 	acl_db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	unbecome_root();
 
 	if (acl_db == NULL) {
diff --git a/source3/modules/vfs_xattr_tdb.c b/source3/modules/vfs_xattr_tdb.c
index 43456cf..63a12fd 100644
--- a/source3/modules/vfs_xattr_tdb.c
+++ b/source3/modules/vfs_xattr_tdb.c
@@ -320,7 +320,7 @@ static bool xattr_tdb_init(int snum, TALLOC_CTX *mem_ctx, struct db_context **p_
 
 	become_root();
 	db = db_open(NULL, dbname, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-		     DBWRAP_LOCK_ORDER_2);
+		     DBWRAP_LOCK_ORDER_2, DBWRAP_FLAG_NONE);
 	unbecome_root();
 
 	if (db == NULL) {
diff --git a/source3/passdb/account_pol.c b/source3/passdb/account_pol.c
index c94df29..09a2d20 100644
--- a/source3/passdb/account_pol.c
+++ b/source3/passdb/account_pol.c
@@ -220,13 +220,13 @@ bool init_account_policy(void)
 	}
 
 	db = db_open(NULL, state_path("account_policy.tdb"), 0, TDB_DEFAULT,
-		     O_RDWR, 0600, DBWRAP_LOCK_ORDER_1);
+		     O_RDWR, 0600, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 	if (db == NULL) { /* the account policies files does not exist or open
 			   * failed, try to create a new one */
 		db = db_open(NULL, state_path("account_policy.tdb"), 0,
 			     TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-			     DBWRAP_LOCK_ORDER_1);
+			     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 		if (db == NULL) {
 			DEBUG(0,("Failed to open account policy database\n"));
 			return False;
diff --git a/source3/passdb/pdb_tdb.c b/source3/passdb/pdb_tdb.c
index f256e6c..162083f 100644
--- a/source3/passdb/pdb_tdb.c
+++ b/source3/passdb/pdb_tdb.c
@@ -226,7 +226,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
 
 	tmp_db = db_open(NULL, tmp_fname, 0,
 			 TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (tmp_db == NULL) {
 		DEBUG(0, ("tdbsam_convert_backup: Failed to create backup TDB passwd "
 			  "[%s]\n", tmp_fname));
@@ -293,7 +293,7 @@ static bool tdbsam_convert_backup(const char *dbname, struct db_context **pp_db)
 
 	orig_db = db_open(NULL, dbname, 0,
 			  TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
-			  DBWRAP_LOCK_ORDER_1);
+			  DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (orig_db == NULL) {
 		DEBUG(0, ("tdbsam_convert_backup: Failed to re-open "
 			  "converted passdb TDB [%s]\n", dbname));
@@ -444,7 +444,7 @@ static bool tdbsam_open( const char *name )
 	/* Try to open tdb passwd.  Create a new one if necessary */
 
 	db_sam = db_open(NULL, name, 0, TDB_DEFAULT, O_CREAT|O_RDWR, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (db_sam == NULL) {
 		DEBUG(0, ("tdbsam_open: Failed to open/create TDB passwd "
 			  "[%s]\n", name));
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 548b030..bff9a0d 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -79,7 +79,7 @@ bool secrets_init_path(const char *private_dir, bool use_ntdb)
 
 	db_ctx = db_open(NULL, fname, 0,
 			 TDB_DEFAULT, O_RDWR|O_CREAT, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 	if (db_ctx == NULL) {
 		DEBUG(0,("Failed to open %s\n", fname));
diff --git a/source3/printing/printer_list.c b/source3/printing/printer_list.c
index 815f89f..9a9fa0b 100644
--- a/source3/printing/printer_list.c
+++ b/source3/printing/printer_list.c
@@ -40,7 +40,8 @@ static struct db_context *get_printer_list_db(void)
 	}
 	db = db_open(NULL, PL_DB_NAME(), 0,
 		     TDB_DEFAULT|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-		     O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1);
+		     O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_1,
+		     DBWRAP_FLAG_NONE);
 	return db;
 }
 
diff --git a/source3/registry/reg_backend_db.c b/source3/registry/reg_backend_db.c
index 3e561eb..fdaf576 100644
--- a/source3/registry/reg_backend_db.c
+++ b/source3/registry/reg_backend_db.c
@@ -732,11 +732,11 @@ WERROR regdb_init(void)
 
 	regdb = db_open(NULL, state_path("registry.tdb"), 0,
 			REG_TDB_FLAGS, O_RDWR, 0600,
-			DBWRAP_LOCK_ORDER_1);
+			DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (!regdb) {
 		regdb = db_open(NULL, state_path("registry.tdb"), 0,
 				REG_TDB_FLAGS, O_RDWR|O_CREAT, 0600,
-				DBWRAP_LOCK_ORDER_1);
+				DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 		if (!regdb) {
 			werr = ntstatus_to_werror(map_nt_error_from_unix(errno));
 			DEBUG(1,("regdb_init: Failed to open registry %s (%s)\n",
@@ -852,7 +852,7 @@ WERROR regdb_open( void )
 
 	regdb = db_open(NULL, state_path("registry.tdb"), 0,
 			REG_TDB_FLAGS, O_RDWR, 0600,
-			DBWRAP_LOCK_ORDER_1);
+			DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if ( !regdb ) {
 		result = ntstatus_to_werror( map_nt_error_from_unix( errno ) );
 		DEBUG(0,("regdb_open: Failed to open %s! (%s)\n",
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index b7b490f..9e3c1bd 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -69,7 +69,8 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
 
 	global_db = db_open(talloc_autofree_context(), fname,
 			    0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-			    O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2);
+			    O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
+			    DBWRAP_FLAG_NONE);
 	if (global_db == NULL) {
 		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
diff --git a/source3/smbd/notify_internal.c b/source3/smbd/notify_internal.c
index 2dc8674..67d8774 100644
--- a/source3/smbd/notify_internal.c
+++ b/source3/smbd/notify_internal.c
@@ -145,7 +145,7 @@ struct notify_context *notify_init(TALLOC_CTX *mem_ctx,
 	notify->db_index = db_open(
 		notify, lock_path("notify_index.tdb"),
 		0, TDB_SEQNUM|TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
-		O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3);
+		O_RDWR|O_CREAT, 0644, DBWRAP_LOCK_ORDER_3, DBWRAP_FLAG_NONE);
 	if (notify->db_index == NULL) {
 		goto fail;
 	}
diff --git a/source3/smbd/smbXsrv_open.c b/source3/smbd/smbXsrv_open.c
index 29c172c..830c7aa 100644
--- a/source3/smbd/smbXsrv_open.c
+++ b/source3/smbd/smbXsrv_open.c
@@ -64,7 +64,8 @@ NTSTATUS smbXsrv_open_global_init(void)
 			 TDB_CLEAR_IF_FIRST |
 			 TDB_INCOMPATIBLE_HASH,
 			 O_RDWR | O_CREAT, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1,
+			 DBWRAP_FLAG_NONE);
 	if (db_ctx == NULL) {
 		NTSTATUS status;
 
diff --git a/source3/smbd/smbXsrv_session.c b/source3/smbd/smbXsrv_session.c
index 017880c..a1ba52d 100644
--- a/source3/smbd/smbXsrv_session.c
+++ b/source3/smbd/smbXsrv_session.c
@@ -75,7 +75,8 @@ NTSTATUS smbXsrv_session_global_init(void)
 			 TDB_CLEAR_IF_FIRST |
 			 TDB_INCOMPATIBLE_HASH,
 			 O_RDWR | O_CREAT, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1,
+			 DBWRAP_FLAG_NONE);
 	if (db_ctx == NULL) {
 		NTSTATUS status;
 
diff --git a/source3/smbd/smbXsrv_tcon.c b/source3/smbd/smbXsrv_tcon.c
index b6e2058..2cbd761 100644
--- a/source3/smbd/smbXsrv_tcon.c
+++ b/source3/smbd/smbXsrv_tcon.c
@@ -62,7 +62,8 @@ NTSTATUS smbXsrv_tcon_global_init(void)
 			 TDB_CLEAR_IF_FIRST |
 			 TDB_INCOMPATIBLE_HASH,
 			 O_RDWR | O_CREAT, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1,
+			 DBWRAP_FLAG_NONE);
 	if (db_ctx == NULL) {
 		NTSTATUS status;
 
diff --git a/source3/smbd/smbXsrv_version.c b/source3/smbd/smbXsrv_version.c
index 8ba5e1f..b24dae9 100644
--- a/source3/smbd/smbXsrv_version.c
+++ b/source3/smbd/smbXsrv_version.c
@@ -80,7 +80,8 @@ NTSTATUS smbXsrv_version_global_init(const struct server_id *server_id)
 			 TDB_CLEAR_IF_FIRST |
 			 TDB_INCOMPATIBLE_HASH,
 			 O_RDWR | O_CREAT, 0600,
-			 DBWRAP_LOCK_ORDER_1);
+			 DBWRAP_LOCK_ORDER_1,
+			 DBWRAP_FLAG_NONE);
 	if (db_ctx == NULL) {
 		status = map_nt_error_from_unix_common(errno);
 		DEBUG(0,("smbXsrv_version_global_init: "
diff --git a/source3/torture/test_dbwrap_watch.c b/source3/torture/test_dbwrap_watch.c
index 9c2a679..4e699fe 100644
--- a/source3/torture/test_dbwrap_watch.c
+++ b/source3/torture/test_dbwrap_watch.c
@@ -48,7 +48,8 @@ bool run_dbwrap_watch1(int dummy)
 		goto fail;
 	}
 	db = db_open(msg, "test_watch.tdb", 0, TDB_DEFAULT,
-		     O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1);
+		     O_CREAT|O_RDWR, 0644, DBWRAP_LOCK_ORDER_1,
+		     DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		fprintf(stderr, "db_open failed: %s\n", strerror(errno));
 		goto fail;
diff --git a/source3/torture/test_idmap_tdb_common.c b/source3/torture/test_idmap_tdb_common.c
index 6f5f3c5..f7262a2 100644
--- a/source3/torture/test_idmap_tdb_common.c
+++ b/source3/torture/test_idmap_tdb_common.c
@@ -86,7 +86,7 @@ static bool open_db(struct idmap_tdb_common_context *ctx)
 
 	ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT,
 			  O_RDWR | O_CREAT, 0600,
-			  DBWRAP_LOCK_ORDER_1);
+			  DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 	if(!ctx->db) {
 		DEBUG(0, ("Failed to open database: %s\n", strerror(errno)));
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 2e66912..1dc3eaf 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -9011,7 +9011,8 @@ static bool run_local_dbtrans(int dummy)
 	TDB_DATA value;
 
 	db = db_open(talloc_tos(), "transtest.tdb", 0, TDB_DEFAULT,
-		     O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1);
+		     O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_1,
+		     DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		printf("Could not open transtest.db\n");
 		return false;
diff --git a/source3/utils/dbwrap_tool.c b/source3/utils/dbwrap_tool.c
index ffca6b6..b56e07a 100644
--- a/source3/utils/dbwrap_tool.c
+++ b/source3/utils/dbwrap_tool.c
@@ -588,7 +588,7 @@ int main(int argc, const char **argv)
 	case OP_LISTKEYS:
 	case OP_EXISTS:
 		db = db_open(mem_ctx, dbname, 0, tdb_flags, O_RDWR | O_CREAT,
-			     0644, DBWRAP_LOCK_ORDER_1);
+			     0644, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 		if (db == NULL) {
 			d_fprintf(stderr, "ERROR: could not open dbname\n");
 			goto done;
diff --git a/source3/utils/dbwrap_torture.c b/source3/utils/dbwrap_torture.c
index 2741820..f748ac2 100644
--- a/source3/utils/dbwrap_torture.c
+++ b/source3/utils/dbwrap_torture.c
@@ -309,7 +309,7 @@ int main(int argc, const char *argv[])
 	}
 
 	db = db_open(mem_ctx, db_name, 0, tdb_flags,  O_RDWR | O_CREAT, 0644,
-		     DBWRAP_LOCK_ORDER_1);
+		     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 	if (db == NULL) {
 		d_fprintf(stderr, "failed to open db '%s': %s\n", db_name,
diff --git a/source3/utils/net_idmap.c b/source3/utils/net_idmap.c
index fbeca3e..6fc07e7 100644
--- a/source3/utils/net_idmap.c
+++ b/source3/utils/net_idmap.c
@@ -210,7 +210,7 @@ static int net_idmap_dump(struct net_context *c, int argc, const char **argv)
 	d_fprintf(stderr, _("dumping id mapping from %s\n"), dbfile);
 
 	db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDONLY, 0,
-		     DBWRAP_LOCK_ORDER_1);
+		     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
 			  dbfile, strerror(errno));
@@ -336,7 +336,7 @@ static int net_idmap_restore(struct net_context *c, int argc, const char **argv)
 	}
 
 	db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
-		     DBWRAP_LOCK_ORDER_1);
+		     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
 			  dbfile, strerror(errno));
@@ -546,7 +546,7 @@ static int net_idmap_delete(struct net_context *c, int argc, const char **argv)
 	d_fprintf(stderr, _("deleting id mapping from %s\n"), dbfile);
 
 	db = db_open(mem_ctx, dbfile, 0, TDB_DEFAULT, O_RDWR, 0,
-		     DBWRAP_LOCK_ORDER_1);
+		     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		d_fprintf(stderr, _("Could not open idmap db (%s): %s\n"),
 			  dbfile, strerror(errno));
diff --git a/source3/utils/net_idmap_check.c b/source3/utils/net_idmap_check.c
index e75c890..4b82871 100644
--- a/source3/utils/net_idmap_check.c
+++ b/source3/utils/net_idmap_check.c
@@ -790,7 +790,7 @@ static bool check_open_db(struct check_ctx* ctx, const char* name, int oflags)
 	}
 
 	ctx->db = db_open(ctx, name, 0, TDB_DEFAULT, oflags, 0,
-			  DBWRAP_LOCK_ORDER_1);
+			  DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (ctx->db == NULL) {
 		d_fprintf(stderr,
 			  _("Could not open idmap db (%s) for writing: %s\n"),
diff --git a/source3/utils/net_registry_check.c b/source3/utils/net_registry_check.c
index 8cdb8fa..d57c2aa 100644
--- a/source3/utils/net_registry_check.c
+++ b/source3/utils/net_registry_check.c
@@ -338,7 +338,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
 	}
 
 	ctx->odb = db_open(ctx, ctx->opt.output, 0, TDB_DEFAULT, oflags, 0644,
-			   DBWRAP_LOCK_ORDER_1);
+			   DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (ctx->odb == NULL) {
 		d_fprintf(stderr,
 			  _("Could not open db (%s) for writing: %s\n"),
@@ -351,7 +351,7 @@ static bool check_ctx_open_output(struct check_ctx *ctx)
 
 static bool check_ctx_open_input(struct check_ctx *ctx) {
 	ctx->idb = db_open(ctx, ctx->fname, 0, TDB_DEFAULT, O_RDONLY, 0,
-			   DBWRAP_LOCK_ORDER_1);
+			   DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (ctx->idb == NULL) {
 		d_fprintf(stderr,
 			  _("Could not open db (%s) for reading: %s\n"),
diff --git a/source3/utils/status.c b/source3/utils/status.c
index be7c52f..1ff0e36 100644
--- a/source3/utils/status.c
+++ b/source3/utils/status.c
@@ -508,7 +508,7 @@ static void print_notify_recs(const char *path,
 		struct db_context *db;
 		db = db_open(NULL, lock_path("locking.tdb"), 0,
 			     TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH, O_RDONLY, 0,
-			     DBWRAP_LOCK_ORDER_1);
+			     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 		if (!db) {
 			d_printf("%s not initialised\n",
diff --git a/source3/winbindd/idmap_autorid.c b/source3/winbindd/idmap_autorid.c
index 57d952e..0bd2938 100644
--- a/source3/winbindd/idmap_autorid.c
+++ b/source3/winbindd/idmap_autorid.c
@@ -728,7 +728,7 @@ static NTSTATUS idmap_autorid_db_init(void)
 	/* Open idmap repository */
 	autorid_db = db_open(NULL, state_path("autorid.tdb"), 0,
 			     TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
-			     DBWRAP_LOCK_ORDER_1);
+			     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 
 	if (!autorid_db) {
 		DEBUG(0, ("Unable to open idmap_autorid database '%s'\n",
diff --git a/source3/winbindd/idmap_tdb.c b/source3/winbindd/idmap_tdb.c
index cc930ff..ebff347 100644
--- a/source3/winbindd/idmap_tdb.c
+++ b/source3/winbindd/idmap_tdb.c
@@ -321,7 +321,7 @@ static NTSTATUS idmap_tdb_open_db(struct idmap_domain *dom)
 
 	/* Open idmap repository */
 	db = db_open(mem_ctx, tdbfile, 0, TDB_DEFAULT, O_RDWR | O_CREAT, 0644,
-		     DBWRAP_LOCK_ORDER_1);
+		     DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (!db) {
 		DEBUG(0, ("Unable to open idmap database\n"));
 		ret = NT_STATUS_UNSUCCESSFUL;
diff --git a/source3/winbindd/idmap_tdb2.c b/source3/winbindd/idmap_tdb2.c
index 4a9c2fe..942490d 100644
--- a/source3/winbindd/idmap_tdb2.c
+++ b/source3/winbindd/idmap_tdb2.c
@@ -114,7 +114,7 @@ static NTSTATUS idmap_tdb2_open_db(struct idmap_domain *dom)
 
 	/* Open idmap repository */
 	ctx->db = db_open(ctx, db_path, 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0644,
-			  DBWRAP_LOCK_ORDER_1);
+			  DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	TALLOC_FREE(db_path);
 
 	if (ctx->db == NULL) {
-- 
1.9.3


From b904731a81df57b3d33fe0c35663bc47d061d744 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Tue, 28 Jan 2014 12:53:24 +0100
Subject: [PATCH 236/249] dbwrap: add a dbwrap_flags argument to db_open_ctdb()

This is in preparation of directly supporting ctdb read only
record copies when opening a ctdb database from samba.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6def1c3f6e145abcc81ea69505133bbe128eacac)
---
 source3/lib/dbwrap/dbwrap_ctdb.c   | 6 ++++--
 source3/lib/dbwrap/dbwrap_ctdb.h   | 3 ++-
 source3/lib/dbwrap/dbwrap_open.c   | 2 +-
 source3/torture/test_dbwrap_ctdb.c | 2 +-
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
index 5a473f9..af7a72f 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
@@ -1498,7 +1498,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
 				const char *name,
 				int hash_size, int tdb_flags,
 				int open_flags, mode_t mode,
-				enum dbwrap_lock_order lock_order)
+				enum dbwrap_lock_order lock_order,
+				uint64_t dbwrap_flags)
 {
 	struct db_context *result;
 	struct db_ctdb_ctx *db_ctdb;
@@ -1624,7 +1625,8 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
 				const char *name,
 				int hash_size, int tdb_flags,
 				int open_flags, mode_t mode,
-				enum dbwrap_lock_order lock_order)
+				enum dbwrap_lock_order lock_order,
+				uint64_t dbwrap_flags)
 {
 	DEBUG(3, ("db_open_ctdb: no cluster support!\n"));
 	errno = ENOSYS;
diff --git a/source3/lib/dbwrap/dbwrap_ctdb.h b/source3/lib/dbwrap/dbwrap_ctdb.h
index bfbe3bd..3196b91 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.h
+++ b/source3/lib/dbwrap/dbwrap_ctdb.h
@@ -31,6 +31,7 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
 				const char *name,
 				int hash_size, int tdb_flags,
 				int open_flags, mode_t mode,
-				enum dbwrap_lock_order lock_order);
+				enum dbwrap_lock_order lock_order,
+				uint64_t dbwrap_flags);
 
 #endif /* __DBWRAP_CTDB_H__ */
diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
index 6c9280c..61324f7 100644
--- a/source3/lib/dbwrap/dbwrap_open.c
+++ b/source3/lib/dbwrap/dbwrap_open.c
@@ -104,7 +104,7 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
 		if (lp_parm_bool(-1, "ctdb", partname, True)) {
 			result = db_open_ctdb(mem_ctx, partname, hash_size,
 					      tdb_flags, open_flags, mode,
-					      lock_order);
+					      lock_order, dbwrap_flags);
 			if (result == NULL) {
 				DEBUG(0,("failed to attach to ctdb %s\n",
 					 partname));
diff --git a/source3/torture/test_dbwrap_ctdb.c b/source3/torture/test_dbwrap_ctdb.c
index f7672ba..d7380b1 100644
--- a/source3/torture/test_dbwrap_ctdb.c
+++ b/source3/torture/test_dbwrap_ctdb.c
@@ -32,7 +32,7 @@ bool run_local_dbwrap_ctdb(int dummy)
 	uint32_t val;
 
 	db = db_open_ctdb(talloc_tos(), "torture.tdb", 0, TDB_DEFAULT,
-			  O_RDWR, 0755, DBWRAP_LOCK_ORDER_1);
+			  O_RDWR, 0755, DBWRAP_LOCK_ORDER_1, DBWRAP_FLAG_NONE);
 	if (db == NULL) {
 		perror("db_open_ctdb failed");
 		goto fail;
-- 
1.9.3


From 4f2d14112981d03000b533458e2e60a032d052de Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Tue, 28 Jan 2014 11:31:44 +0100
Subject: [PATCH 237/249] dbwrap: add DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 56bd4040889dfe492ff820497b7a6d76624a6048)
---
 lib/dbwrap/dbwrap.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/dbwrap/dbwrap.h b/lib/dbwrap/dbwrap.h
index 4064ba2..02b4405 100644
--- a/lib/dbwrap/dbwrap.h
+++ b/lib/dbwrap/dbwrap.h
@@ -33,6 +33,7 @@ enum dbwrap_lock_order {
 #define DBWRAP_LOCK_ORDER_MAX DBWRAP_LOCK_ORDER_3
 
 #define DBWRAP_FLAG_NONE                     0x0000000000000000ULL
+#define DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS 0x0000000000000001ULL
 
 /* The following definitions come from lib/dbwrap.c  */
 
-- 
1.9.3


From a007f8f7f627c4347f48bd2446637aab137e0608 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 28 Jan 2014 21:24:22 +0100
Subject: [PATCH 238/249] dbwrap_ctdb: implement
 DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS

For non-persistent databases we try to use CTDB_CONTROL_SET_DB_READONLY
in order to make use of readonly records.

Pair-Programmed-With: Michael Adam <obnox@samba.org>

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit a97b588b63f437d25c4344c76014326dbf0cbdb0)
---
 source3/lib/dbwrap/dbwrap_ctdb.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/source3/lib/dbwrap/dbwrap_ctdb.c b/source3/lib/dbwrap/dbwrap_ctdb.c
index af7a72f..3dc86d1 100644
--- a/source3/lib/dbwrap/dbwrap_ctdb.c
+++ b/source3/lib/dbwrap/dbwrap_ctdb.c
@@ -1578,6 +1578,27 @@ struct db_context *db_open_ctdb(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+#ifdef HAVE_CTDB_WANT_READONLY_DECL
+	if (!result->persistent &&
+	    (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS))
+	{
+		TDB_DATA indata;
+
+		indata = make_tdb_data((uint8_t *)&db_ctdb->db_id,
+				       sizeof(db_ctdb->db_id));
+
+		status = ctdbd_control_local(
+			conn, CTDB_CONTROL_SET_DB_READONLY, 0, 0, indata,
+			NULL, NULL, &cstatus);
+		if (!NT_STATUS_IS_OK(status) || (cstatus != 0)) {
+			DEBUG(1, ("CTDB_CONTROL_SET_DB_READONLY failed: "
+				  "%s, %d\n", nt_errstr(status), cstatus));
+			TALLOC_FREE(result);
+			return NULL;
+		}
+	}
+#endif
+
 	lp_ctx = loadparm_init_s3(db_path, loadparm_s3_helpers());
 
 	db_ctdb->wtdb = tdb_wrap_open(db_ctdb, db_path, hash_size, tdb_flags,
-- 
1.9.3


From d1ea222d46a594d45422eacccbd655d7e488792a Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 28 Jan 2014 21:31:17 +0100
Subject: [PATCH 239/249] dbwrap_open: add 'dbwrap_optimize_readonly:* = yes'
 option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
(cherry picked from commit a20c977c7a58a0c09d01bfa046c00fcd3f1462de)
---
 source3/lib/dbwrap/dbwrap_open.c | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/source3/lib/dbwrap/dbwrap_open.c b/source3/lib/dbwrap/dbwrap_open.c
index 61324f7..7f3cddf 100644
--- a/source3/lib/dbwrap/dbwrap_open.c
+++ b/source3/lib/dbwrap/dbwrap_open.c
@@ -81,6 +81,31 @@ struct db_context *db_open(TALLOC_CTX *mem_ctx,
 		return NULL;
 	}
 
+	if (tdb_flags & TDB_CLEAR_IF_FIRST) {
+		const char *base;
+		bool try_readonly = false;
+
+		base = strrchr_m(name, '/');
+		if (base != NULL) {
+			base += 1;
+		} else {
+			base = name;
+		}
+
+		if (dbwrap_flags & DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS) {
+			try_readonly = true;
+		}
+
+		try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", "*", try_readonly);
+		try_readonly = lp_parm_bool(-1, "dbwrap_optimize_readonly", base, try_readonly);
+
+		if (try_readonly) {
+			dbwrap_flags |= DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
+		} else {
+			dbwrap_flags &= ~DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS;
+		}
+	}
+
 #ifdef CLUSTER_SUPPORT
 	sockname = lp_ctdbd_socket();
 
-- 
1.9.3


From ce06399f9fab90623a2166d69f1bbfc46f124d73 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Mon, 27 Jan 2014 16:21:14 +0100
Subject: [PATCH 240/249] s3:rpc_client: optimize the netlogon_creds_cli.tdb
 for read-only access

Usually a record in this DB will be written once and then read
many times by winbindd processes on multiple nodes (when run in
a cluster). In order not to introduce a big performance penalty
with the increased correctness achieved by storing the netlogon
creds, in a cluster setup, we should activate ctdb's read only
record copies on this db.

Signed-off-by: Michael Adam <obnox@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 020fab300d2f4f19301eff19ad810c71f77bbb78)
---
 source3/rpc_client/cli_netlogon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 9e3c1bd..746c7b6 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -70,7 +70,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
 	global_db = db_open(talloc_autofree_context(), fname,
 			    0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
 			    O_RDWR|O_CREAT, 0600, DBWRAP_LOCK_ORDER_2,
-			    DBWRAP_FLAG_NONE);
+			    DBWRAP_FLAG_OPTIMIZE_READONLY_ACCESS);
 	if (global_db == NULL) {
 		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
-- 
1.9.3


From e39b8c0e22e609db117285d47cdbd1d854fe8d02 Mon Sep 17 00:00:00 2001
From: Ira Cooper <ira@samba.org>
Date: Thu, 13 Feb 2014 14:45:23 -0500
Subject: [PATCH 241/249] libcli: Overflow array index read possible, in auth
 code.

Changed the if condtion to detect when we'd improperly overflow.

Coverity-Id: 1167990
Signed-off-by: Ira Cooper <ira@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Ira Cooper <ira@samba.org>
Autobuild-Date(master): Mon Feb 24 11:56:38 CET 2014 on sn-devel-104

(cherry picked from commit 8cd8aa6686c21e8c43a6d14c0ae1a21954d6e8cd)
---
 libcli/auth/netlogon_creds_cli.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 88893ad..e3cf91c 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1769,7 +1769,7 @@ struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx
 		uint32_t ofs = 512 - len;
 		uint8_t *p;
 
-		if (ofs < 12) {
+		if (len > 500) {
 			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
 			return tevent_req_post(req, ev);
 		}
-- 
1.9.3


From 4e15aa86c44e906ca30cfa4589e4f45f23625953 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 15 Jul 2014 08:28:42 +0200
Subject: [PATCH 242/249] s3-rpc_client: return info3 in
 rpccli_netlogon_password_logon().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/rpc_client/cli_netlogon.c | 103 +++++++++++++++++++++-----------------
 source3/rpc_client/cli_netlogon.h |   4 +-
 source3/rpcclient/cmd_netlogon.c  |   5 +-
 3 files changed, 64 insertions(+), 48 deletions(-)

diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 746c7b6..7063351 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -193,16 +193,65 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 	return NT_STATUS_OK;
 }
 
+static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
+					uint16_t validation_level,
+					union netr_Validation *validation,
+					struct netr_SamInfo3 **info3_p)
+{
+	struct netr_SamInfo3 *info3;
+	NTSTATUS status;
+
+	if (validation == NULL) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	switch (validation_level) {
+	case 3:
+		if (validation->sam3 == NULL) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		info3 = talloc_move(mem_ctx, &validation->sam3);
+		break;
+	case 6:
+		if (validation->sam6 == NULL) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+		if (info3 == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+		status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
+		if (!NT_STATUS_IS_OK(status)) {
+			TALLOC_FREE(info3);
+			return status;
+		}
+
+		info3->sidcount = validation->sam6->sidcount;
+		info3->sids = talloc_move(info3, &validation->sam6->sids);
+		break;
+	default:
+		return NT_STATUS_BAD_VALIDATION_CLASS;
+	}
+
+	*info3_p = info3;
+
+	return NT_STATUS_OK;
+}
+
 /* Logon domain user */
 
 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
 					struct dcerpc_binding_handle *binding_handle,
+					TALLOC_CTX *mem_ctx,
 					uint32_t logon_parameters,
 					const char *domain,
 					const char *username,
 					const char *password,
 					const char *workstation,
-					enum netr_LogonInfoClass logon_type)
+					enum netr_LogonInfoClass logon_type,
+					struct netr_SamInfo3 **info3)
 {
 	TALLOC_CTX *frame = talloc_stackframe();
 	NTSTATUS status;
@@ -320,57 +369,19 @@ NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds
 						  &validation,
 						  &authoritative,
 						  &flags);
-	TALLOC_FREE(frame);
 	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(frame);
 		return status;
 	}
 
-	return NT_STATUS_OK;
-}
-
-static NTSTATUS map_validation_to_info3(TALLOC_CTX *mem_ctx,
-					uint16_t validation_level,
-					union netr_Validation *validation,
-					struct netr_SamInfo3 **info3_p)
-{
-	struct netr_SamInfo3 *info3;
-	NTSTATUS status;
-
-	if (validation == NULL) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	switch (validation_level) {
-	case 3:
-		if (validation->sam3 == NULL) {
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-
-		info3 = talloc_move(mem_ctx, &validation->sam3);
-		break;
-	case 6:
-		if (validation->sam6 == NULL) {
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-
-		info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
-		if (info3 == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
-		status = copy_netr_SamBaseInfo(info3, &validation->sam6->base, &info3->base);
-		if (!NT_STATUS_IS_OK(status)) {
-			TALLOC_FREE(info3);
-			return status;
-		}
-
-		info3->sidcount = validation->sam6->sidcount;
-		info3->sids = talloc_move(info3, &validation->sam6->sids);
-		break;
-	default:
-		return NT_STATUS_BAD_VALIDATION_CLASS;
+	status = map_validation_to_info3(mem_ctx,
+					 validation_level, validation,
+					 info3);
+	TALLOC_FREE(frame);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
-	*info3_p = info3;
 
 	return NT_STATUS_OK;
 }
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 61fed4a..fee0801 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -45,12 +45,14 @@ NTSTATUS rpccli_setup_netlogon_creds(struct cli_state *cli,
 				     const struct samr_Password *previous_nt_hash);
 NTSTATUS rpccli_netlogon_password_logon(struct netlogon_creds_cli_context *creds,
 					struct dcerpc_binding_handle *binding_handle,
+					TALLOC_CTX *mem_ctx,
 					uint32_t logon_parameters,
 					const char *domain,
 					const char *username,
 					const char *password,
 					const char *workstation,
-					enum netr_LogonInfoClass logon_type);
+					enum netr_LogonInfoClass logon_type,
+					struct netr_SamInfo3 **info3);
 NTSTATUS rpccli_netlogon_network_logon(struct netlogon_creds_cli_context *creds,
 				       struct dcerpc_binding_handle *binding_handle,
 				       TALLOC_CTX *mem_ctx,
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index b637b3e..2d1c351 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -778,6 +778,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 	const char *username, *password;
 	uint32 logon_param = 0;
 	const char *workstation = NULL;
+	struct netr_SamInfo3 *info3 = NULL;
 
 	/* Check arguments */
 
@@ -803,12 +804,14 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
 
 	result = rpccli_netlogon_password_logon(rpcclient_netlogon_creds,
 						cli->binding_handle,
+						mem_ctx,
 						logon_param,
 						lp_workgroup(),
 						username,
 						password,
 						workstation,
-						logon_type);
+						logon_type,
+						&info3);
 	if (!NT_STATUS_IS_OK(result))
 		goto done;
 
-- 
1.9.3


From 3459fada96951a57a787944aedc01caabe873c9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Tue, 15 Jul 2014 08:29:55 +0200
Subject: [PATCH 243/249] s3-winbindd: call interactive samlogon via
 rpccli_netlogon_password_logon.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Conflicts:
	source3/winbindd/winbindd_pam.c
---
 source3/winbindd/winbindd_pam.c | 45 +++++++++++++++++++++++++++++------------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3f3ec70..2a1b74a 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1214,11 +1214,13 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					    uint32_t logon_parameters,
 					    const char *server,
 					    const char *username,
+					    const char *password,
 					    const char *domainname,
 					    const char *workstation,
 					    const uint8_t chal[8],
 					    DATA_BLOB lm_response,
 					    DATA_BLOB nt_response,
+					    bool interactive,
 					    struct netr_SamInfo3 **info3)
 {
 	int attempts = 0;
@@ -1278,19 +1280,32 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 		}
 		netr_attempts = 0;
 
-		result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
-						netlogon_pipe->binding_handle,
-						mem_ctx,
-						logon_parameters,
-						username,
-						domainname,
-						workstation,
-						chal,
-						lm_response,
-						nt_response,
-						&authoritative,
-						&flags,
-						info3);
+		if (interactive && username != NULL && password != NULL) {
+			result = rpccli_netlogon_password_logon(domain->conn.netlogon_creds,
+								netlogon_pipe->binding_handle,
+								mem_ctx,
+								logon_parameters,
+								domainname,
+								username,
+								password,
+								workstation,
+								NetlogonInteractiveInformation,
+								info3);
+		} else {
+			result = rpccli_netlogon_network_logon(domain->conn.netlogon_creds,
+							netlogon_pipe->binding_handle,
+							mem_ctx,
+							logon_parameters,
+							username,
+							domainname,
+							workstation,
+							chal,
+							lm_response,
+							nt_response,
+							&authoritative,
+							&flags,
+							info3);
+		}
 
 		/*
 		 * we increment this after the "feature negotiation"
@@ -1433,11 +1448,13 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(TALLOC_CTX *mem_ctx,
 					     0,
 					     domain->dcname,
 					     name_user,
+					     pass,
 					     name_domain,
 					     lp_netbios_name(),
 					     chal,
 					     lm_resp,
 					     nt_resp,
+					     true, /* interactive */
 					     &my_info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
@@ -1856,12 +1873,14 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 					     state->request->data.auth_crap.logon_parameters,
 					     domain->dcname,
 					     name_user,
+					     NULL, /* password */
 					     name_domain,
 					     /* Bug #3248 - found by Stefan Burkei. */
 					     workstation, /* We carefully set this above so use it... */
 					     state->request->data.auth_crap.chal,
 					     lm_resp,
 					     nt_resp,
+					     false, /* interactive */
 					     &info3);
 	if (!NT_STATUS_IS_OK(result)) {
 		goto done;
-- 
1.9.3


From ad27b750ea3766581e528a41c132bb57927cc64c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 7 Jul 2014 17:14:37 +0200
Subject: [PATCH 244/249] s3-winbindd: add wcache_query_user_fullname().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This helper function is used to query the full name of a cached user object (for
further gecos processing).

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/winbindd/winbindd_cache.c | 34 ++++++++++++++++++++++++++++++++++
 source3/winbindd/winbindd_proto.h |  4 ++++
 2 files changed, 38 insertions(+)

diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index 59ce515..d1e10e6c 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -2309,6 +2309,40 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
 	return status;
 }
 
+
+/**
+* @brief Query a fullname from the username cache (for further gecos processing)
+*
+* @param domain		A pointer to the winbindd_domain struct.
+* @param mem_ctx	The talloc context.
+* @param user_sid	The user sid.
+* @param full_name	A pointer to the full_name string.
+*
+* @return NTSTATUS code
+*/
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+				    TALLOC_CTX *mem_ctx,
+				    const struct dom_sid *user_sid,
+				    const char **full_name)
+{
+	NTSTATUS status;
+	struct wbint_userinfo info;
+
+	status = wcache_query_user(domain, mem_ctx, user_sid, &info);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	if (info.full_name != NULL) {
+		*full_name = talloc_strdup(mem_ctx, info.full_name);
+		if (*full_name == NULL) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
 /* Lookup user information from a rid */
 static NTSTATUS query_user(struct winbindd_domain *domain,
 			   TALLOC_CTX *mem_ctx,
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index cfc19d0..cfb7812 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -105,6 +105,10 @@ NTSTATUS wcache_query_user(struct winbindd_domain *domain,
 			   TALLOC_CTX *mem_ctx,
 			   const struct dom_sid *user_sid,
 			   struct wbint_userinfo *info);
+NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
+				    TALLOC_CTX *mem_ctx,
+				    const struct dom_sid *user_sid,
+				    const char **full_name);
 NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
 				   TALLOC_CTX *mem_ctx,
 				   uint32 num_sids, const struct dom_sid *sids,
-- 
1.9.3


From e89ca0b90887930a2f86dcaa4f6d3d05565f919c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 7 Jul 2014 17:16:32 +0200
Subject: [PATCH 245/249] s3-winbindd: use wcache_query_user_fullname after
 inspecting samlogon cache.

The reason for this followup query is that very often the samlogon cache only
contains a info3 netlogon user structure that has been retrieved during a
netlogon samlogon authentication using "network" logon level. With that logon
level only a few info3 fields are filled in; the user's fullname is never filled
in that case. This is problematic when the cache is used to fill in the user's
gecos field (for NSS queries). When we have retrieved the user's fullname during
other queries, reuse it from the other caches.

Thanks to Matt Rogers <mrogers@redhat.com>.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Guenther

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/winbindd/winbindd_ads.c   |  8 ++++++++
 source3/winbindd/winbindd_msrpc.c |  8 ++++++++
 source3/winbindd/winbindd_pam.c   | 20 ++++++++++++++++++++
 3 files changed, 36 insertions(+)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 4c26389..a20fba5 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -619,6 +619,14 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 
 		TALLOC_FREE(user);
 
+		if (info->full_name == NULL) {
+			/* this might fail so we dont check the return code */
+			wcache_query_user_fullname(domain,
+						   mem_ctx,
+						   sid,
+						   &info->full_name);
+		}
+
 		return NT_STATUS_OK;
 	}
 
diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c
index 426d64c..c097bf3 100644
--- a/source3/winbindd/winbindd_msrpc.c
+++ b/source3/winbindd/winbindd_msrpc.c
@@ -439,6 +439,14 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain,
 		user_info->full_name = talloc_strdup(user_info,
 						     user->base.full_name.string);
 
+		if (user_info->full_name == NULL) {
+			/* this might fail so we dont check the return code */
+			wcache_query_user_fullname(domain,
+						   mem_ctx,
+						   user_sid,
+						   &user_info->full_name);
+		}
+
 		status = NT_STATUS_OK;
 		goto done;
 	}
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 2a1b74a..bf71d97 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1720,6 +1720,26 @@ process_result:
 		sid_compose(&user_sid, info3->base.domain_sid,
 			    info3->base.rid);
 
+		if (info3->base.full_name.string == NULL) {
+			struct netr_SamInfo3 *cached_info3;
+
+			cached_info3 = netsamlogon_cache_get(state->mem_ctx,
+							     &user_sid);
+			if (cached_info3 != NULL &&
+			    cached_info3->base.full_name.string != NULL) {
+				info3->base.full_name.string =
+					talloc_strdup(info3,
+						      cached_info3->base.full_name.string);
+			} else {
+
+				/* this might fail so we dont check the return code */
+				wcache_query_user_fullname(domain,
+						info3,
+						&user_sid,
+						&info3->base.full_name.string);
+			}
+		}
+
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain),
 					   &user_sid);
 		netsamlogon_cache_store(name_user, info3);
-- 
1.9.3


From aa042d490b2cccb7b6cc394e024004321a6c156c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Wed, 9 Jul 2014 13:36:06 +0200
Subject: [PATCH 246/249] samlogon_cache: use a talloc_stackframe inside
 netsamlogon_cache_store.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/libsmb/samlogon_cache.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
index b04cf0a..f7457ae 100644
--- a/source3/libsmb/samlogon_cache.c
+++ b/source3/libsmb/samlogon_cache.c
@@ -125,7 +125,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 	bool result = false;
 	struct dom_sid	user_sid;
 	time_t t = time(NULL);
-	TALLOC_CTX *mem_ctx;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
 	DATA_BLOB blob;
 	enum ndr_err_code ndr_err;
 	struct netsamlogoncache_entry r;
@@ -149,11 +149,6 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 
 	/* Prepare data */
 
-	if (!(mem_ctx = talloc( NULL, int))) {
-		DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
-		return false;
-	}
-
 	/* only Samba fills in the username, not sure why NT doesn't */
 	/* so we fill it in since winbindd_getpwnam() makes use of it */
 
@@ -168,11 +163,11 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 		NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
 	}
 
-	ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
+	ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
 				       (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
-		TALLOC_FREE(mem_ctx);
+		TALLOC_FREE(tmp_ctx);
 		return false;
 	}
 
@@ -183,7 +178,7 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 		result = true;
 	}
 
-	TALLOC_FREE(mem_ctx);
+	TALLOC_FREE(tmp_ctx);
 
 	return result;
 }
-- 
1.9.3


From 8283d1acec0c0afd17197339a4986975d05abf29 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Jul 2014 16:17:46 +0200
Subject: [PATCH 247/249] samlogon_cache: avoid overwriting
 info3->base.full_name.string.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This field servers as a source for the gecos field. We should not overwrite it
when a info3 struct from a samlogon network level gets saved in which case this
field is always NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Tue Jul 15 18:25:28 CEST 2014 on sn-devel-104
---
 source3/libsmb/samlogon_cache.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
index f7457ae..0a157d4 100644
--- a/source3/libsmb/samlogon_cache.c
+++ b/source3/libsmb/samlogon_cache.c
@@ -149,6 +149,20 @@ bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
 
 	/* Prepare data */
 
+	if (info3->base.full_name.string == NULL) {
+		struct netr_SamInfo3 *cached_info3;
+		const char *full_name = NULL;
+
+		cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
+		if (cached_info3 != NULL) {
+			full_name = cached_info3->base.full_name.string;
+		}
+
+		if (full_name != NULL) {
+			info3->base.full_name.string = talloc_strdup(info3, full_name);
+		}
+	}
+
 	/* only Samba fills in the username, not sure why NT doesn't */
 	/* so we fill it in since winbindd_getpwnam() makes use of it */
 
-- 
1.9.3


From fe9d7458001a952d1df23dcd584a1835df5d43d1 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 3 Jul 2014 16:19:42 +0200
Subject: [PATCH 248/249] s3-winbind: Don't set the gecos field to NULL.

The value is loaded from the cache anyway. So it will be set to NULL if
it is not available.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=10440

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
 source3/winbindd/nss_info_template.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/winbindd/nss_info_template.c b/source3/winbindd/nss_info_template.c
index 5fdfd9b..de93803 100644
--- a/source3/winbindd/nss_info_template.c
+++ b/source3/winbindd/nss_info_template.c
@@ -48,7 +48,6 @@ static NTSTATUS nss_template_get_info( struct nss_domain_entry *e,
 	  username */
 	*homedir = talloc_strdup( ctx, lp_template_homedir() );
 	*shell   = talloc_strdup( ctx, lp_template_shell() );
-	*gecos   = NULL;
 
 	if ( !*homedir || !*shell ) {
 		return NT_STATUS_NO_MEMORY;
-- 
1.9.3


From d2f3347a264bb7b8b0335404348990f52320b672 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
Date: Mon, 14 Jul 2014 18:22:26 +0200
Subject: [PATCH 249/249] s3-winbindd: prefer "displayName" over "name" in ads
 user queries for the fullname.

This makes use more consistent with security=domain as well where the gecos
field is also filled using the displayName field.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/winbindd/winbindd_ads.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index a20fba5..4b5b2fa 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -327,7 +327,10 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
 		}
 
 		info->acct_name = ads_pull_username(ads, mem_ctx, msg);
-		info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+		info->full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
+		if (info->full_name == NULL) {
+			info->full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+		}
 		info->homedir = NULL;
 		info->shell = NULL;
 		info->primary_gid = (gid_t)-1;
@@ -592,7 +595,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 	struct netr_SamInfo3 *user = NULL;
 	gid_t gid = -1;
 	int ret;
-	char *ads_name;
+	char *full_name;
 
 	DEBUG(3,("ads: query_user\n"));
 
@@ -704,7 +707,10 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 	 * nss_get_info_cached call. nss_get_info_cached might destroy
 	 * the ads struct, potentially invalidating the ldap message.
 	 */
-	ads_name = ads_pull_string(ads, mem_ctx, msg, "name");
+	full_name = ads_pull_string(ads, mem_ctx, msg, "displayName");
+	if (full_name == NULL) {
+		full_name = ads_pull_string(ads, mem_ctx, msg, "name");
+	}
 
 	ads_msgfree(ads, msg);
 	msg = NULL;
@@ -720,9 +726,9 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 	}
 
 	if (info->full_name == NULL) {
-		info->full_name = ads_name;
+		info->full_name = full_name;
 	} else {
-		TALLOC_FREE(ads_name);
+		TALLOC_FREE(full_name);
 	}
 
 	status = NT_STATUS_OK;
-- 
1.9.3